
red2

@fastwebnet.it

File Properties/Security lists "Account Unknown"

I've recently noticed a change and I don't understand what provoked it.

When I download files to my Downloads folder under my Administrator account, each time File Properties lists my admin profile, system profile, Users profile (with restricted rights) PLUS an "Account Unknown(S-1-5-21...)" with elevated privileges. When I download files under my limited user profile, this "Account Unknown" profile is not listed under file properties.

I don't remember ever seeing this in the past so I'd like to understand what provoked this "Account Unknown". Is this somehow related to an update to my AV (Avast) or to something else and is there a potential security risk, particularly since I don't know what created it?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

Those don't cause elevated access; it is simply a list of who can do what to the object, thus "access control list".

In other words, it does not matter if a non-existent account has access to a file, because it's a non-existent account.

The access control list on a file is generally (absent specific program action to the contrary) inherited from the parent directory. Thus I infer that the inheritable part of the access control list on Users/YOURADMIN/Downloads differs from that on Users/YOURUSER/Downloads.

As it happens, my own account directory (not Downloads) has such an unknown ACE. The SID is S-1-5-21--1001, which makes it the second user account created on my system (first is 1000). No idea how it got there, but I imagine I did it.

Do you ever delete accounts?


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to red2
Like dave said and where it came from if you have deleted an account in the past or...

»www.vistax64.com/vista-account-a···unt.html

»www.sevenforums.com/general-disc···own.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


red2

@fastwebnet.it
Thank you for both of those replies. Forgot to mention that I'm running XP SP3.

What concerned me was that I had not noticed this in the past. I have not deleted accounts, but this is a drive that was based on an image from my other notebook. But since that was done months ago, I would have checked file properties on new files several times and surely would have noticed it.

I didn't think that the account caused elevated access but rather that it could be a malicious account that had elevated privileges, surprising since I run as a limited user.

So if this account name refers to a SID, I should be able to check it on the original notebook. I did change the SIDs when I imaged to the new notebook so perhaps it was there all along and I didn't notice it.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
OK, all valid stuff. Checking against the original notebook is a good idea.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to red2
Yes most likely when you did that..and makes no difference if it was XP SP3. all works the same.

and could be

»social.technet.microsoft.com/For···77c3bece
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to red2
If you go to System Properties, Advanced, User Profiles, Settings. Do you see any account unknown in there ?

I don't think you will...but

»social.technet.microsoft.com/For···1605b62e
»social.technet.microsoft.com/For···28fc9f7c

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to red2
You might even find more if you try this for a look, but I would not resurrect any...

Resurrecting “Account Unknown” Profiles from the Dead!

»memphistech.net/?p=60
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

OZO
Premium
join:2003-01-17
kudos:2
reply to red2
Just highlight that account in Security tab and click on Remove button. Obviously you don't need it on the list.
--
Keep it simple, it'll become complex by itself...


red2

@fastwebnet.it
Thanks again for the suggestions.

I followed the directions in one of the articles and checked under Run "Control UserPasswords2". It only lists the same accounts that I find under the User Profile settings.

said by Name Game:

If you go to System Properties, Advanced, User Profiles, Settings. Do you see any account unknown in there ?

No, just my admin, limited user account and one named "ASP.NET Machine A" as a limited user account. (I have no idea what this last one is.)

said by OZO:

Just highlight that account in Security tab and click on Remove button. Obviously you don't need it on the list.

Yes, of course, but since it occurs on EVERY file that I download, that would get tiresome pretty quickly.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by red2 :

I followed the directions in one of the articles and checked under Run "Control UserPasswords2". It only lists the same accounts that I find under the User Profile settings.

It won't exist there, because it's an "unknown account". Or, more correctly, it's an unknown SID - a security id for which no translation exists, because there's no matching account.

said by red2 :

Yes, of course, but since it occurs on EVERY file that I download, that would get tiresome pretty quickly.

It exists on some parent and is inherited down the tree. Remove it from the parent and it won't be there to be inherited by future files. You want to make sure it's absent from 'Downloads' and the 'your user name' folder.
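
The inheritance check described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later is installed; the function name `Get-UnresolvedAce` is hypothetical, and the file name in the usage comment is constructed.

```powershell
# Added example, not from the thread: for a file or folder and every parent
# up to the drive root, list ACL entries whose SID has no matching account
# (what the Security tab shows as "Account Unknown").
function Get-UnresolvedAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    while ($item) {
        $acl = Get-Acl -Path $item.FullName

        # Request explicit and inherited entries as raw SIDs, so an entry
        # cannot be hidden behind a display name.
        $rules = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier])

        foreach ($ace in $rules) {
            try {
                # Succeeds for every SID that still maps to an account.
                $null = $ace.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount])
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # No account for this SID: report where the entry sits and
                # whether it was inherited or set directly on this object.
                New-Object PSObject -Property @{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }

        # Step up one level; Parent is $null at the drive root, ending the loop.
        if ($item.PSIsContainer) { $item = $item.Parent }
        else                     { $item = $item.Directory }
    }
}

# Usage (constructed file name under the C:\Downloads folder from the thread):
# Get-UnresolvedAce -Path 'C:\Downloads\example.exe' |
#     Select-Object Path, Sid, Inherited, Type, Rights | Format-Table -AutoSize
```

A row with `Inherited` set to `False` marks an object where the entry was set directly rather than passed down from its parent.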


red2

@fastwebnet.it
dave, thank you for that clarification. That makes perfect sense. However, something doesn't add up.

I download all files to a folder named "Downloads" in C. The file properties for that Downloads folder do NOT indicate the "unknown account". But every file that is downloaded to that folder lists that account. So where is it being inherited from? That is why I questioned whether this could be malware related, created by my AV or even something in the registry.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to red2
The link I posted above which was for winXP Sp3 ..
»social.technet.microsoft.com/For···77c3bece

Suggested:
Unknown user usually refers to an account that a security (AV, etc.) has created. But they don't show up in control panel usually, just as a registry entry

That makes sense to me..especially if one installs a security program under limited user profile where many programs even ask permission to install for all users.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to red2
red2, i will add my 2 cents.. i think that installing MS's "NETFramework", maybe just NETFramework 1, can create a user-account.. i think that issue came up in the past..


OZO
Premium
join:2003-01-17
kudos:2
reply to dave
Usually files get downloaded into a temporary location and then are moved to destination folder. I don't think that NTFS participates in this dance (changes permissions, lists, etc. on the fly). So, maybe that temporary folder has the user account in question listed. Where is that temporary folder for @red2 to check?
--
Keep it simple, it'll become complex by itself...


red2

@fastwebnet.it
I wondered if it was AV related as it only happened on one of my notebooks, and the sole one I run Avast on. All notebooks have various NetFramework versions and all are based on the same image from my original notebook. They all have a temp folder for Downloads and that folder has no usual user profiles showing. However, any file downloaded to that folder on one machine (with Avast) gets tagged with this "Account Unknown".

The only other explanation I can think of is if I cloned an image for this drive but forgot to change the SID beforehand and ran NewSid afterwards. That's possible and given your explanations, it sounds like that could have resulted in this unknown account for this Downloads folder. Though I'd think it would tag every folder that way. Have to check that...

Is there an easy way to check the SIDs on a unit? I only discovered what they were by running NewSid.