PDA

View Full Version : look at this user id



amtbcn
2005-11-01, 16:19
Yesterday i find a new user in a fold on my workstation(win xp) F disk(ntfs),the attribute of this fold show an stranger who has no name but only user id (S-1-5-21-1306191170-1508548728-530408632-1015).I formatted F disk and arranged access right of users few days ago and i am sure that there is not this id before.
can i be certain of it's an attacker?

Rosenfeld
2005-11-01, 20:59
Maybe something like this?

http://www.dslreports.com/forum/remark,14637731
especially the posts by SvS and psloss offer advice on what to check.

If it is not the SID of any of the proper user accounts, as listed in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
and its subkeys,

then I would either disable it, and if nothing breaks, delete it.

Do yopu have XP home, or Pro?

amtbcn
2005-11-02, 16:34
Thanks for your reply, it's very helpful.
I will check it tomorrow. My workstation is running win xp pro.
by the way ,i can't access Internet in company So that i can't reply rapidly:(

amtbcn
2005-11-04, 04:34
Thanks Rosenfeld again!
I read the link you gave carefully and check my Registry entries of ProfileList and made trials of adding/deleting users.
So i find the SID i posted is a local user and it's an orphaned sid.But I don't think it's a leftover which be used to install OS because of i'm sure it does not exist before. I figured out there was an user got access rights of the fold (i set the access of this fold strictly,only one person be permissible to read it)and the user was deleted by someone afterwards. So it is an attacker id if I am certain of my memory.

Now can i find out more specific of this SID on my machine, How?


By the way ,i find a ProfileList entry in Registry for a deleted user will be reserved when delete user with Computer Management Console, and when we delete user with 'User Accounts' the entry of profilelist will be deleted too.