Tom Gueth (United States of America) asked:
What is S-1-5-90-2?

I have a server that was hacked.  I have removed all hacker accounts and thought I had the hackers blocked.

However, every few days, a user account is logging in with SID S-1-5-90-2.  I am unable to find this account either in the registry or in Active Directory.  Does anyone know what this account is?

After this SID S-1-5-90-2 logs in (apparently with Administrator rights), it creates a new account and adds it to Administrators and Remote Desktop Users.  Is it possible that this is a hidden task on a timer?  But then, how does this log on without its SID being in AD?

What am I missing in my logic?
Qlemo (Germany):

All I can tell is that SIDs with that length are integrated accounts, like LocalSystem.
btan:

Not a well-known security SID (https://support.microsoft.com/en-us/kb/243330) under the SECURITY_NT_AUTHORITY (S-1-5) predefined identifier authority, which is managed by the NT security subsystem. The "90" is probably one of the many sub-authorities. Other examples include "BUILTIN", which is represented by "32" (https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx). Maybe try running through the list of SIDs on the machine with whoami /user (or whoami /all). Seems to be more of a service than a user-specific account.
These SIDs are for Window Manager.

S-1-5-90-0
S-1-5-90-1
S-1-5-90-2

# Build a SecurityIdentifier for the SID in question
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-90-2")
# Ask the local LSA to map it to an account name (throws if it cannot be mapped)
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

This should come out as Window Manager\DWM-2.

For whatever reason, Microsoft has chosen not to document the SIDs...

https://technet.microsoft.com/en-us/library/dn617202%28v=ws.11%29.aspx#BKMK_WindowManager
Ok, so we agree it is an integrated account doing something. But "it creates a new account" etc. sounds very suspicious.
SOLUTION by btan (text available to Experts Exchange members only)
Tom Gueth (asker):

Have scanned the server with no running or found existing viruses at this time.

Have used ProcessExplorer but nothing obvious found.

I have enabled viewing all hidden and system files, but again nothing obvious.  But I will try getting a list of folders.

No strange network activity.

Event logs show the process of the logon with the SID and the subsequent creation of the account and raising of privileges.

Can Desktop Windows Manager be disabled or turned off without affecting access to server?
Yes, you can disable it. It is responsible for added layout features like rounded edges, transparency in window elements, etc. But I don't think it would help.
So, the issue then is that the account 90-2 is still active, so remote login with these credentials would still work, correct?

So now my question is, how does an account without RDP credentials perform a remote login?

Or is it the fact that 90-2 is a system SID, which means it has Administrator rights, which would give it remote login capability?
You should be able to find it under the services list; look for Desktop Window Manager Session Manager. You can check for the dwm.exe process to confirm. See
There are no functionality-related side effects except some minor UI ones: you won't get thumbnail previews in the taskbar, Aero Peek will be disabled (you have to click instead of just pointing), and you won't be able to change the taskbar colour and things like that.
ASKER CERTIFIED SOLUTION (text available to Experts Exchange members only)
I have tried these and didn't make a change.  He still got me Monday.  Any other thoughts?
If the scanners you tried have no findings, you may want to consider rebooting and monitoring. It may even be good to rebuild the machine and use its backup server during the downtime. Change your admin password.
Thanks.  I reboot, delete the created accounts and 8-36 hours later, account is magically created again.
Looks like a scheduled task if there is no login by any specific user or admin. Probably have to turn on audit logging for account changes.
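Pulling together the SID-translation post above and btan's scheduled-task and audit-log suggestion, here is an added PowerShell hunt script; it is not from the thread or from any of the posters. Window Manager\DWM-N is a virtual account that the session manager logs on for each interactive session's Desktop Window Manager; it is not an Active Directory principal and has no credentials a remote attacker could use, so the S-1-5-90-2 logon is a by-product of a session starting, not the intruder. The script resolves S-1-5-90-0..2, then pulls the Security log events for account creation (4720) and additions to global/local groups (4728/4732) so that the Subject fields show which account and logon session actually created the rogue user, and finally lists scheduled tasks that run as SYSTEM/Administrator or at highest run level together with their command lines, the usual place for a timer-driven re-creation. The 14-day window and the SYSTEM|Administrator name pattern are assumptions; adjust them to the server. Run it from an elevated PowerShell prompt on the affected host.

```powershell
# Added example, not code from the thread. Assumes: elevated prompt, Security log
# has account-management auditing enabled, Windows Server 2012 / Windows 8 or later
# (needed for both the DWM-N virtual accounts and the ScheduledTasks module).

# --- 1. Resolve the Window Manager virtual accounts (one DWM-N per interactive session)
function Resolve-DwmSid {
    foreach ($n in 0..2) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-90-$n"
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # LSA only knows a DWM-N account while a session with that number exists
            $name = '(not mapped on this host right now)'
        }
        '{0,-12} -> {1}' -f $sid.Value, $name
    }
}

# --- 2. Who actually created the account / added it to a group?
#        4720 = user account created, 4728 = member added to global group,
#        4732 = member added to local group. The Subject* fields are the actor.
function Get-AccountChangeActors {
    param([int]$Days = 14)   # assumed look-back window
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($_.Id -eq 4720) { $target = $d.TargetUserName; $group = '' }
        else                { $target = $d.MemberName;     $group = $d.TargetUserName }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Actor    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            ActorSid = $d.SubjectUserSid
            # Join this LogonId to the 4624 with the same Logon ID to see how the actor got in
            LogonId  = $d.SubjectLogonId
            Target   = $target
            Group    = $group
        }
    } | Sort-Object Time
}

# --- 3. Scheduled tasks running with high privilege, with the command each action runs
function Get-PrivilegedTasks {
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match 'SYSTEM|Administrator' -or $_.Principal.RunLevel -eq 'Highest'
    } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                RunsAs  = $task.Principal.UserId
                State   = $task.State
                Command = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

Resolve-DwmSid
Get-AccountChangeActors | Format-Table -AutoSize
Get-PrivilegedTasks | Format-Table -AutoSize
```

If the 4720 Subject turns out to be SYSTEM or a service account rather than a human, cross-reference its LogonId with the matching 4624/4672 events and the task list: a task or service that runs a script as SYSTEM will show up there, whereas a genuine remote intruder shows up as a 4624 with logon type 10 (RDP) or 3 (network) under a real user SID.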
I think I have finally isolated the hacker out although not sure what exactly worked.  Continuing to monitor.

Thanks for suggestions
Noted, we will hear more then. Thanks.