Unknown user account now showing up in managment console - trojan?

Posted on 2004-04-03
Last Modified: 2013-12-03
Here is a picture

I just noticed this today.  I go to the computer managment console but there is no such user listed under users or groups.  Whatever it is, it doesn't look good and I want it gone.  Any ideas?  I'm running windows 2k btw.
Question by:S0ulEdge
  • 2
  • 2
  • 2
  • +1
LVL 16

Accepted Solution

mdiglio earned 50 total points
ID: 10750263
This is the guest user account.
To remove this entry you must click the check box in your picture that says
"allow inheritable permissions..." >> click copy >>then you can remove it.

To verify that this user was from your domain or local workstation (whichever may be the case)
you can run this script. Copy and paste into nnotepad and save it with a .vbs extension

'!!!Begin Copy
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount where name = 'administrator'", , 48)
For Each objItem In colItems

    wscript.echo  objItem.SID
'!!!End copy

This will give you a message box with the sid of your administrator.
Compare this output to the one in your picture.
They should be exactly the same except for the last 3 digits

good luck


Author Comment

ID: 10750422
Thanks for the script.  I ran it but I found but only the first 5 digits matched.  The rest are all different.  What does this mean?  The guest account is still disabled on the local machine under computer managment.
LVL 16

Expert Comment

ID: 10750561
When a sid ends in 501 that means it is a guest account.
If the 1st set of numbers do not match that means that user is not from your
domain or your local workstation. So this guest suer is not your current guest user

I cannot say why in your case this has happened.
I would recommend doing a virus scan just in case.

If you do not have anti-virus software you can perform an online scane here:

You can also check for spyware. I don't know of any spyware that can
do anything like this, but its always a good idea to do so.
You can download adware here
Be sure to click the update option before you run it

The most likely cause for this problem is from a formatting/upgrading/reloading W2K issue...
not from your computer being compromised. I just gave you the links above
to follow best practice guidelines

Were you able to get rid of the user on your albums folder?
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.


Expert Comment

ID: 10750682
This may be *a* guest account, and not necessarily *the* guest account.

Whatever the case, this is likely to be an account which was deleted from your system before you removed its rights in NTFS.  I see this all the time.  

For example: If you modify the permissions of the Albums folder (or its parent) so that Heywood Jablomi specifically has Read permissions, then delete his account, the folder Albums still has an ACL in NTFS referring to his account.  Since it uses his SID as reference, and it can't match that up to a valid account, it's showing you the SID with a question mark next to the user symbol because it has no idea who owns that SID.  

Remove the SID from the ACL at the top-level folder where it appears.

Author Comment

ID: 10752714
I have 2 partitions C & D, windows 2k is installed on the D partition.  That sid was only showing up on folders on the C drive.  I selected all the top level folders on the C drive (about a dozen) and went to the security tab.  It said that permissions were different from folder to folder and asked me if I wanted to reset them all.  I said yes and removed all the users except the admin (me).  I have Norton antivirus with the latest updates and use ad-aware on a regular basis.  I did have some of my folders such as the "albums" folder mapped as network drives on other computers on my home network.  Is it possible that this is where that sid came from?  Either way, it is gone now.  Thanks for the responses.

Expert Comment

ID: 10752979
Well, it's not a virus or a trojan.  It's just an orphaned SID for an object that no longer exists.

Expert Comment

ID: 11717683
I have experienced the same situation with a removable USB hard drive after reinstalling windows xp on my laptop.  I'm not sure if you had a similar problem; in my case the orphaned SID did not show up for the drive root -- only for all of it's subfolders.  I recursively took ownership of all the files on the drive (using the drive root), removed the 'CREATOR OWNER' entry on the ACL on the drive root, then re-added 'CREATOR OWNER' with permissions set to full control.  Not sure if this will work for you however it worked for me.  Hope this helps.


Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now