Tom Gueth
asked on
What is S-1-5-90-2?
I have server that was hacked. I have removed all hacker accounts and thought I had the hackers blocked.
However, every few days, a user account is logging in with SID S-1-5-90-2. I am unable to find this account either in the registry or in Active Directory. Does anyone know what this account is?
After this SID S-1-5-90-2 logs in (apparently with Administrator rights), it creates a new account and adds it to Administrators and Remote Desktop Users. Is it possible that this is a hidden task on a timer? But then, how does this log on without its SID being in AD?
What am I missing in my logic?
All I can tell is that SIDs with that length are integrated accounts, like LocalSystem.
Not a well-known security SID (https://support.microsoft.com/en-us/kb/243330) under the SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority, which is managed by the NT security subsystem. The "90" is probably one of the many sub-authorities. Other examples include "BUILTIN", which is represented by "32" (https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx). Maybe you can try running through the list of SIDs on the machine with whoami /user (or whoami /all). Seems to be more of a service than a specific user account.
These SIDs are for Window Manager.
S-1-5-90-0
S-1-5-90-1
S-1-5-90-2
For whatever reason, Microsoft has chosen not to document the SIDs...
https://technet.microsoft.com/en-us/library/dn617202%28v=ws.11%29.aspx#BKMK_WindowManager
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-90-2")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
This should come out as Window Manager\DWM-2.
Ok, so we agree it is an integrated account doing something. But "it creates a new account" etc. sounds very suspicious.
SOLUTION
ASKER
Have scanned the server with no running or found existing viruses at this time.
Have used ProcessExplorer but nothing obvious found.
I have enabled viewing all hidden and system files, but again nothing obvious. But I will try getting a list of folders.
No strange network activity.
Event logs show the process of the logon with the SID and the subsequent creation of the account and raising of privileges.
Can Desktop Windows Manager be disabled or turned off without affecting access to server?
Yes, you can disable it. It is responsible for added layout features like round edges, transparency in window elements etc. But I don't think it would help.
ASKER
So, the issue then is that the account 90-2 is still active, so remote login with these credentials would still work, correct?
So now my question is, how does an account without RDP credentials perform a remote login?
Or is it the fact that 90-2 is a system SID, which means it has Administrator rights, which would give it remote login capability?
You should be able to find it under the services list; look for Desktop Window Manager Session Manager. You can check for the dwm.exe process to confirm. See
There are no functionality-related side effects except some minor UI ones: you won't be getting thumbnail previews in the taskbar, Aero Peek will be disabled (you have to click instead of just pointing), and you won't be able to change the taskbar color and stuff like that.
ASKER CERTIFIED SOLUTION
ASKER
I have tried these and didn't make a change. He still got me Monday. Any other thoughts?
If the scanners you tried have no findings, you may want to consider rebooting and monitoring. It may even be good to refurbish the machine and use its backup server during the downtime. Change your admin password.
ASKER
Thanks. I reboot, delete the created accounts and 8-36 hours later, account is magically created again.
Looks like a scheduled task if there is no login by any specific user or admin. You probably have to turn on the audit log for account changes.
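The SID translation shown above and the account-change auditing suggested in this reply can be combined into one check; this is an added example, not code posted by anyone in the thread. It resolves the actor SID on each account-creation or group-change event in the Security log (the DWM-2 logon itself is expected on any Windows host; what matters is the SubjectUserSid on the 4720/4732 event that follows it), and assumes an elevated session on the affected server with the named audit subcategories enabled.

```powershell
# Added example (not from the thread): who created accounts or changed
# privileged groups, with actor SIDs resolved to names.
# Assumes an elevated PowerShell session on the affected server and that the
# Security log still holds the events. Enable auditing first if needed:
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

function Resolve-Sid {
    # Same translation as the snippet above, wrapped so an unresolvable SID
    # (e.g. a deleted account) does not abort the whole report.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $objSid = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $objSid.Translate([System.Security.Principal.NTAccount]).Value   # e.g. "Window Manager\DWM-2"
    } catch {
        "<unresolved: $Sid>"
    }
}

# 4720 = user account created, 4732 = member added to local group (e.g. Administrators,
# Remote Desktop Users), 4728 = member added to global group.
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4728; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <EventData> into a name -> value table so fields can be read by name.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 4720) {
        $target = "created user " + $data['TargetUserName']
    } else {
        $target = "added " + (Resolve-Sid $data['MemberSid']) + " to " + $data['TargetUserName']
    }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Actor      = Resolve-Sid $data['SubjectUserSid']   # the account that made the change
        ActorLogon = $data['SubjectLogonId']                # matches TargetLogonId of the 4624 logon
        Change     = $target
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The ActorLogon column is the logon session ID; searching the 4624 event with the same TargetLogonId gives the logon type and source address of the session that created the account.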
ASKER
I think I have finally isolated the hacker out although not sure what exactly worked. Continuing to monitor.
Thanks for suggestions
Noted we will hear more then. Thanks.