#1
Strange SIDs in Recycle Bin
Hey all.
I happened to have a look in my laptop's recycle bin (on D drive) the other day and found this:

S-1-5-21-2265441378-2741054020-2359651104-500
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500
S-1-5-21-943402231-1081043167-4124935001-1000
S-1-5-21-943402231-1081043167-4124935001-500

The SIDs with the X's are my laptop's current SIDs, everything else I have no idea where it comes from. Even with my laptop's SIDs, I do not have -1004 and -1005 users. The laptop has always been in a Workgroup, not a domain, and my other computers do not have those SIDs. I also do not recall re-installing Windows 7 from scratch (if I did, I did it only once, ever, but I think I used an image of my early system partition, I don't think I started from scratch).

So where do all these SIDs come from? C:\ drive is fine, but D:\ drive is a mystery. Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or -1005? I doubt WinPE has more than a single user...

Thank you.
Regards,

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Why doesn't the glue stick to the inside of the bottle?
#2
B00ze wrote:
> I happened to have a look in my laptop's recycle bin (on D drive) the other day and found this:
>
> S-1-5-21-2265441378-2741054020-2359651104-500
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
> S-1-5-21-943402231-1081043167-4124935001-1000
> S-1-5-21-943402231-1081043167-4124935001-500
>
> The SIDs with the X's are my laptop's current SIDs, everything else I have no idea where it comes from. Even with my laptop's SIDs, I do not have -1004 and -1005 users. The laptop has always been in a Workgroup, not a domain, and my other computers do not have those SIDs. I also do not recall re-installing Windows 7 from scratch (if I did, I did it only once, ever, but I think I used an image of my early system partition, I don't think I started from scratch).
>
> So where do all these SIDs come from? C:\ drive is fine, but D:\ drive is a mystery. Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or -1005? I doubt WinPE has more than a single user...

Shortcuts are .lnk files with attributes pointing to a target executable file and other options. Not all that appear as shortcuts are .lnk files. For example, an object can be added to the desktop which looks like a shortcut; however, right-clicking on it does not present you with a context menu where you can select to see a normal Properties dialog. For example, when you right-click on the desktop's Network shortcut, Properties will take you to that object's wizard dialog. Those shortcut-like objects are references to registry entries. When you delete them, the reference gets deleted.

After deletion and while they still reside in the Recycle Bin, are any of those SIDs still defined in the registry?
#3
B00ze wrote:
> Hey all.
>
> I happened to have a look in my laptop's recycle bin (on D drive) the other day and found this:
>
> S-1-5-21-2265441378-2741054020-2359651104-500
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
> S-1-5-21-943402231-1081043167-4124935001-1000
> S-1-5-21-943402231-1081043167-4124935001-500
>
> The SIDs with the X's are my laptop's current SIDs, everything else I have no idea where it comes from. Even with my laptop's SIDs, I do not have -1004 and -1005 users. The laptop has always been in a Workgroup, not a domain, and my other computers do not have those SIDs. I also do not recall re-installing Windows 7 from scratch (if I did, I did it only once, ever, but I think I used an image of my early system partition, I don't think I started from scratch).
>
> So where do all these SIDs come from? C:\ drive is fine, but D:\ drive is a mystery. Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or -1005? I doubt WinPE has more than a single user...
>
> Thank you.
> Regards,

So you know that four OSes were involved at some point in time. Which is where the first three large groups of digits come from.

The 500 is administrator. User accounts start at 1000. And yes, 1004 and 1005 are strange. Especially as two OSes have the same pattern.

If the XXXXX are Windows 7, is it possible the laptop got updated to Windows 10, and the SID portion changed to the 3159447838 number? That makes it easier to understand how the account number on the end got duplicated. Maybe this portion is all from the laptop.

S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
S-1-5-21-3159447838-1600927929-3177602736-1000
S-1-5-21-3159447838-1600927929-3177602736-1004
S-1-5-21-3159447838-1600927929-3177602736-1005
S-1-5-21-3159447838-1600927929-3177602736-500

Another possible source of leakage might be a USB stick. Do they leave a residue like that too?

What about the "updatus" account that the NVidia driver creates? It doesn't have a home directory, but perhaps it still needs a SID. I don't know if Intel, AMD, and Nvidia do that, or it's just an Nvidia thing.

*******

I can see I have more accounts than I thought. I have an NVidia card, but no "updatus" account? I'm also curious where "1001" got to :-) Is it on vacation this week?

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

wmic useraccount get name,sid
Name              SID
Administrator     S-1-5-21-448539723-1275210071-1417001333-500
ASPNET            S-1-5-21-448539723-1275210071-1417001333-1004
User Name         S-1-5-21-448539723-1275210071-1417001333-1003
Guest             S-1-5-21-448539723-1275210071-1417001333-501
HelpAssistant     S-1-5-21-448539723-1275210071-1417001333-1000
SUPPORT_388945a0  S-1-5-21-448539723-1275210071-1417001333-1002

https://www.askvg.com/tip-what-is-up...dows-explorer/

Paul
#4
On 2018-02-20 03:10, Paul wrote:
> B00ze wrote:
>> Hey all.
>>
>> I happened to have a look in my laptop's recycle bin (on D drive) the other day and found this:
>>
>> S-1-5-21-2265441378-2741054020-2359651104-500
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
>> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
>> S-1-5-21-3159447838-1600927929-3177602736-1000
>> S-1-5-21-3159447838-1600927929-3177602736-1004
>> S-1-5-21-3159447838-1600927929-3177602736-1005
>> S-1-5-21-3159447838-1600927929-3177602736-500
>> S-1-5-21-943402231-1081043167-4124935001-1000
>> S-1-5-21-943402231-1081043167-4124935001-500
>>
>> The SIDs with the X's are my laptop's current SIDs, everything else I have no idea where it comes from. Even with my laptop's SIDs, I do not have -1004 and -1005 users. The laptop has always been in a Workgroup, not a domain, and my other computers do not have those SIDs. I also do not recall re-installing Windows 7 from scratch (if I did, I did it only once, ever, but I think I used an image of my early system partition, I don't think I started from scratch).
>>
>> So where do all these SIDs come from? C:\ drive is fine, but D:\ drive is a mystery. Any ideas? I guess some could come from WinPE-booted DVDs, but -1004 or -1005? I doubt WinPE has more than a single user...
>>
>> Thank you.
>> Regards,
>
> So you know that four OSes were involved at some point in time. Which is where the first three large groups of digits come from.

Yup, but I only have the one Windows 7 boot partition, that disk never booted anything else (besides WinPE and Linux optical disks) AND I never re-installed Windows, as far as I can remember; it's always had the same SID. So where the hell does the completely different SID (the OTHER one with 1004/1005) come from? This is really early too - if I look at the folder dates; I don't know exactly when I purchased that laptop, but those other SIDs pre-date my first ever image of the system partition by 5 months. Maybe something at the factory?

> The 500 is administrator. User accounts start at 1000. And yes, 1004 and 1005 are strange. Especially as two OSes have the same pattern.

It could be temporary users, like for .NET optimization or something like that. I'd have to create a new user to see where the counter is at; if the new user gets 1006 then we know I had a 1004 and 1005 at some point (I do not have them right now).

> If the XXXXX are Windows 7, is it possible the laptop got updated to Windows 10, and the SID portion changed to the 3159447838 number? That makes it easier to understand how the account number on the end got duplicated. Maybe this portion is all from the laptop.

Lol, nope, still running Win 7 and as far as I know, still running the first ever image of it. Ah hell, maybe I did run the laptop for some months before I re-started from scratch and THEN started taking system images. It's like 5 years ago, I don't really remember...

> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1004
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1005
> S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500
> S-1-5-21-3159447838-1600927929-3177602736-1000
> S-1-5-21-3159447838-1600927929-3177602736-1004
> S-1-5-21-3159447838-1600927929-3177602736-1005
> S-1-5-21-3159447838-1600927929-3177602736-500
>
> Another possible source of leakage might be a USB stick. Do they leave a residue like that too?

Nope, unless you boot WinPE with them, but then they would never leave a 1004/1005 user folder behind...

> What about the "updatus" account that the NVidia driver creates? It doesn't have a home directory, but perhaps it still needs a SID. I don't know if Intel, AMD, and Nvidia do that, or it's just an Nvidia thing.

Yeah, that's what I'm thinking is the source of those 1004/1005 folders; some Microsoft update created a user to run whatever, then deleted them; the users are long gone by now...

> I can see I have more accounts than I thought. I have an NVidia card, but no "updatus" account? I'm also curious where "1001" got to :-) Is it on vacation this week?

Lol, did you never delete a user?

> wmic useraccount get name,sid
> Name              SID
> Administrator     S-1-5-21-448539723-1275210071-1417001333-500
> ASPNET            S-1-5-21-448539723-1275210071-1417001333-1004
> User Name         S-1-5-21-448539723-1275210071-1417001333-1003
> Guest             S-1-5-21-448539723-1275210071-1417001333-501
> HelpAssistant     S-1-5-21-448539723-1275210071-1417001333-1000
> SUPPORT_388945a0  S-1-5-21-448539723-1275210071-1417001333-1002

Best Regards,

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo "I am the scourge that pecks at your nightmares!" -Darkwing
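
The SID layout Paul describes (three install-specific groups, then 500 for Administrator and 1000 and up for created accounts) and the counter check B00ze proposes can be applied to the posted folder names directly. This is an added example, not code from the thread; the function names and the `CURRENT_ACCOUNTS` set are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Folder names from the first post; X-masked digits are kept exactly as posted.
RECYCLE_BIN_DIRS = (
    ["S-1-5-21-2265441378-2741054020-2359651104-500"]
    + [f"S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-{r}" for r in (1000, 1004, 1005, 500)]
    + [f"S-1-5-21-3159447838-1600927929-3177602736-{r}" for r in (1000, 1004, 1005, 500)]
    + [f"S-1-5-21-943402231-1081043167-4124935001-{r}" for r in (1000, 500)]
)
# Assumption (constructed): accounts the running install still reports.
CURRENT_ACCOUNTS = {
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-500",
    "S-1-5-21-31222XXXXX-XXXXX1122-8669XXXXX-1000",
}
# RIDs from the wmic output posted in the thread (XP machine).
WMIC_RIDS = [500, 1004, 1003, 501, 1000, 1002]

# S-1-5-21-<three install-specific groups>-<RID>; X is allowed only for the masking.
SID_RE = re.compile(r"^S-1-5-21-((?:[0-9X]+-){2}[0-9X]+)-(\d+)$")

def rid_kind(rid):
    """Label the last SID component using the values named in the thread."""
    return {500: "Administrator", 501: "Guest"}.get(
        rid, "created account" if rid >= 1000 else "other")

def group_by_install(sids):
    """Map install identifier -> sorted RIDs; names that are not SIDs are skipped."""
    groups = defaultdict(list)
    for sid in sids:
        m = SID_RE.match(sid)
        if m:
            groups[m.group(1)].append(int(m.group(2)))
    return {ident: sorted(rids) for ident, rids in groups.items()}

def orphaned(sids, current):
    """Folders whose SID matches no account on the running install."""
    return sorted(s for s in sids if s not in current)

def rid_gaps(rids):
    """RIDs >= 1000 below the highest one seen that have no entry."""
    used = {r for r in rids if r >= 1000}
    return [r for r in range(1000, max(used, default=999) + 1) if r not in used]

if __name__ == "__main__":
    for ident, rids in group_by_install(RECYCLE_BIN_DIRS).items():
        print(ident, [(r, rid_kind(r)) for r in rids], "gaps:", rid_gaps(rids))
    print("no matching account:", len(orphaned(RECYCLE_BIN_DIRS, CURRENT_ACCOUNTS)))
    print("wmic gaps:", rid_gaps(WMIC_RIDS))
```

A gap is not proof of a deleted user: local groups draw RIDs from the same counter as user accounts, so a missing number can belong to a group that a user-account listing does not show.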