Unknown accounts

[borate]

On several fresh W10 (HOME and PRO) installations, while tweaking permissions, an "unknown account " is listed in addition to the usual Trusted Installer, Administrators, Users, System, etc.

It's understood that 'S' accounts are security descriptors, and most are shown as, simply, S-1-xx-x-xxxx and so forth. Here's an example of an "unknown" as copied from a permissions|advanced window...

Account Unknown(S1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-
4053264122-3456934681)

I don't believe that those are functional, and often they can be removed seemingly without negative consequences. 'Unknown' appears in many, but not all, permissions dialogs. Why are these entries created?

 

[Regedit32]

Hi borate,

Have you considered using one of Microsoft's Systernal tools to try and identify the unknown user in combination with the built in icacls tool?

From Systernals you can download this tool: AccessEnum
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

If you open an elevated command prompt (i.e. Command Prompt (Admin) you can also make use of the icacls tool, for example, if say one of these unknowns was Install.ins located at c:\windows\temp you could use the command:

icacls "C:\Windows\Temp\Install.ins" /reset /t /c

Which resets the Access Control List and may allow you to see the actual owner which in most cases is likely to be a Microsoft AppContainer with low level access normally being granted higher access for certain situations.

Difficult to say for absolute certainty as you have not provided a specific file or process that has been assigned the unknown name status. So far as the SID you posted I would assume it opens S-1-15-3-1024, rather than S1, plus it appears to be missing the 3 to 4 digit key on the end which normally identifies the logged in user attempting to access X.

Anyway, I'll leave it there for now unless you offer up some more information there is not a lot more I can suggest for now, other than to mention if you have administrative privileges you could remove current users from the Advanced Security options for a particular file, then simply add yourself to the group, which would also reset the typical user members in this profile such as SYSTEM and TrustedInstaller, etcetera, and may reveal the mystery user which as I all ready noted is likely to be Microsoft, although it could also be some other third-party software distributor if you've been installing apps from outside of Microsoft Store, or other third-party programs.

Regards,

Regedit32

 

[borate]

Thanks for the feedback. This is more a curiosity than a problem, and the 'unknowns' are widely seen on both HOME and PRO here - fresh installs on different computers. The oddity has also been spotted in other posts that displayed images of various ADVANCE PERMISSIONS boxes So apparently it's indeed a Microsoft thing of little or no concern.

And I do vaguely recall seeing an 'unknown' vanish after performing some operations within the permissions interface.

 

[borate]

A related thread, implicating Defaultuser0. http://tinyurl.com/jsxr5gs

'Unkknowns' and Defaultuser0 appear to be benign issues that do not impact system performance. Likely best simply ignored.