Solved What's this? C Drive "Account Unknown" with about 100 characters in its name

Trying to learn · Saturday at 7:12 PM

Hi everyone. So I was looking around on my OEM Win 11 Home 23h2 computer a few minutes ago. I clicked to see the properties of my C drive. And I discovered that under the Security tab, under 'Group or user names', the very first thing listed was "Account Unknown(S-1-15-3-65536-.....)" It turned out to be a long string of number clusters with hyphens in between them, about 99 or 100 characters in total, including the hyphens. I have no idea what that would be. Do you have any idea? I don't recall ever seeing anything like that before.

(This is the computer that I only ever use for essential/sensitive stuff like logging on for online banking, doing paperwork or logging on to the government tax site for reporting tax info. I don't do anything else with it, no non-essential stuff, no visits to unnecessary sites. I'm very careful to keep it isolated and protected. It hardly ever gets turned on, really. I do non-essential things on my old Win8.1 computer instead.)

I was wondering if this 'account unknown' could be something related to device encryption or something. But I don't use device encryption and Bitlocker isn't supposed to be on this computer. When I search my system, the only mention of Bitlocker I can find is under settings > system > about, where under 'related' it says Bitlocker and clicking that only takes me to the microsoft store with an ad to upgrade to Pro. Any ideas?

SIW2 · Saturday at 7:15 PM

answers.microsoft.com-account-unknowns

Trying to learn · Saturday at 7:18 PM

SIW2 said:
answers.microsoft.com-account-unknowns

Oh thank you! I didn't know I could search like that. :)

pseymour · Saturday at 7:19 PM

That’s what is called a SID (security identifier). Generally, when you see one, it belongs to an account that no longer exists. That’s generally. If you want to show us the whole SID, it might be a well-known SID that’s common to all Windows installations.

antspants · Saturday at 7:20 PM

Trying to learn said:
I was wondering if this 'account unknown' could be something related to device encryption or something.

I know that you’re really worried about Device Encryption, try not to be, Brink has tutorials to sort it out, but cross that bridge when or more importantly, IF, you get to it.

The Windows 11 23H2 ISO I gave you shouldn’t encrypt your drives, especially that you created the install media using Rufus and ticked that box. Nor should it happen when you enter your Pro license key to upgrade.

As for the thread question, the guys above have your back.

Berton · Saturday at 7:21 PM

Check in Disk Management, the last 3 Notebooks I set up this year had Bitlocker enabled even though the Home version wasn't supposed to be and no prompt for a key or mention of a key given.

Levitate11 · Saturday at 7:35 PM

pseymour said:
That’s what is called a SID (security identifier). Generally, when you see one, it belongs to an account that no longer exists. That’s generally. If you want to show us the whole SID, it might be a well-known SID that’s common to all Windows installations.

Agreed. Whenever we saw this in the past it was because an account had been deleted but the permissions to something were still hanging around.

Reading through the first few pages of the MS link pointed to above, it sounds like MS is creating an account to accomplish something at boot time behind the scenes and giving it rights to the C: drive. Then MS then blows away said account, but the permissions are left. If I'm feeling ambitious, I'll read the rest of that thread and see if there's anything more specific about a "fix".

EDIT: After the first couple pages, that thread degrades into individual rants about MS, Security, and claims that this account had done all sorts of horrid things to people's systems (none supported even marginally by facts).

Trying to learn · Saturday at 7:43 PM

@pseymour Taking a pause from reading the thread that was given, to post the full name of it:
Account Unknown(S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-4239452838-1296943325-355587736-700089176)

It has special permissions for the C drive, but I don't know how to find out what it can/can't do or if it's safe to remove... gonna try to read the rest of that thread in case I can understand anything more from that.

(Btw, I find it a little strange that I only clicked to look at it and never tried to change anything, yet the display of it has now changed in the C properties window so that the 'Account Unknown' part and the parantheses are now gone from its name... I only see them now if I highlight the number string and click the edit button. In the next window, the name appears fully as I first saw it in the original view of the properties box...)

Trying to learn · Saturday at 7:46 PM

Berton said:
Check in Disk Management, the last 3 Notebooks I set up this year had Bitlocker enabled even though the Home version wasn't supposed to be and no prompt for a key or mention of a key given.

Disk Management doesn't show any locks on the partitions, which I guess it would if bitlocker was there. I'm sorry that happened to you with your Notebooks. Not a great surprise if one isn't prepared for it, eh?

Trying to learn · Saturday at 7:50 PM

antspants said:
I know that you’re really worried about Device Encryption, try not to be, Brink has tutorials to sort it out, but cross that bridge when or more importantly, IF, you get to it.

The Windows 11 23H2 ISO I gave you shouldn’t encrypt your drives, especially that you created the install media using Rufus and ticked that box. Nor should it happen when you enter your Pro license key to upgrade.

As for the thread question, the guys above have your back.

Yeah, I've been trying to learn more about it tonight to ease my mind. I'm feeling less nervous now, thanks to your reassurances and the extra reading tonight, but still have a bit more reading to finish.

This 'Account Unknown' thing that I stumbled on was a surprise that interrupted the Bitlocker reading I was doing. And it had me wondering if it was encryption related, or if it could be malware somehow. Though I couldn't understand how it could be malware when I don't do jack with the OEM computer except going to bank, and governmental websites, usually. Only the essential stuff. With antivirus on the system too.

Levitate11 · Saturday at 7:59 PM

Trying to learn said:
@pseymour Taking a pause from reading the thread that was given, to post the full name of it:
Account Unknown(S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-4239452838-1296943325-355587736-700089176)

It has special permissions for the C drive, but I don't know how to find out what it can/can't do or if it's safe to remove... gonna try to read the rest of that thread in case I can understand anything more from that.

(Btw, I find it a little strange that I only clicked to look at it and never tried to change anything, yet the display of it has now changed in the C properties window so that the 'Account Unknown' part and the parantheses are now gone from its name... I only see them now if I highlight the number string and click the edit button. In the next window, the name appears fully as I first saw it in the original view of the properties box...)

Interesting... so it's a universal Unknown Account SID that's repetitively recreated. Perhaps MS only does half the creation process and never actually creates the "user" side of the account. All they need is the SID to get done whatever it is they are doing.

Trying to learn · Saturday at 8:03 PM

Levitate11 said:
Interesting... so it's a universal Unknown Account SID that's repetitively recreated. Perhaps MS only does half the creation process and never actually creates the "user" side of the account. All they need is the SID to get done whatever it is they are doing.

It's weird, isn't it, that the first part of its name disappeared after I clicked to look closer at it? I'm wondering what exactly it's doing and if I can delete or disable it. I don't like that there's an account with mysterious special permissions doing who knows what with my system. I'm trying not to be influenced into nervous, worried or conspiracy mode after reading that thread, but oh boy... that was quite a read...

pseymour · Saturday at 8:03 PM

That’s what is known as a capability SID. It’s basically how a UWP app (like we talked about the other day, regarding removing Store apps) has permissions to do “something.” That something could be accessing a folder, a camera, a mic, whatever.

Generally speaking, any SID starting with S-1-15-3 is a capability SID.

Trying to learn · Saturday at 8:10 PM

pseymour said:
That’s what is known as a capability SID. It’s basically how a UWP app (like we talked about the other day, regarding removing Store apps) has permissions to do “something.” That something could be accessing a folder, a camera, a mic, whatever.

Generally speaking, any SID starting with S-1-15-3 is a capability SID.

Is there no way to find out what exactly it's doing, so I can make an informed decision about whether I actually want it doing that?

Is it normal for its name to change like I mentioned above? (the first part of its name disappeared after I clicked to look closer at it even though I made absolutely no changes to anything)

Levitate11 · Saturday at 8:12 PM

Trying to learn said:
Is there no way to find out what exactly it's doing, so I can make an informed decision about whether I actually want it doing that?

Is it normal for its name to change like I mentioned above? (the first part of its name disappeared after I clicked to look closer at it even though I made absolutely no changes to anything)

I think it's clearly a core part of Windows that's using it. I get concerned about a lot of things... that would not be one of them.

Trying to learn · Saturday at 8:21 PM

pseymour said:
That’s what is known as a capability SID. It’s basically how a UWP app (like we talked about the other day, regarding removing Store apps) has permissions to do “something.” That something could be accessing a folder, a camera, a mic, whatever.

Generally speaking, any SID starting with S-1-15-3 is a capability SID.

When I click to try to read more about its special permissions, in the advanced permissions section it has 3 things enabled: traverse folder/execute file, list folder/read data, and read attributes.

Could this kind of SID be exploited by malware to execute something on my system or harvest data from it?

antspants · Saturday at 8:25 PM

Trying to learn said:
Is there no way to find out what exactly it's doing, so I can make an informed decision about whether I actually want it doing that?

To my knowledge, the short answer is that it’s just doing its job, whatever that may be

Most of us or at least many of us have it.

pseymour · Saturday at 8:27 PM

Trying to learn said:
Could this kind of SID be exploited by malware to execute something on my system or harvest data from it?

I suppose if it were running in the context of whatever that capability is assigned to. But that’s true for any app.

Trying to learn · Saturday at 8:28 PM

I was just looking at my old 8.1 computer's C drive properties. It has 4 things listed under 'group or user names' (Authenticated Users with special permissions enabled, system, administrators, and users). On the Win11 Home OEM, it has those, plus this 'account unknown' SID, plus a second 'authenticated users' which has these permissions: modify, read & execute, list folder contents, read, write. Is that a normal thing with Win11 that it would also make a second 'authenticated users' like that?

antspants · Saturday at 8:30 PM

Trying to learn said:
Disk Management doesn't show any locks on the partitions,

Check BitLocker Drive Encryption Status of Drive in Windows 11

This tutorial will show you how to check the current status if BitLocker Drive Encryption for a drive in Windows 10 and Windows 11. BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost...

www.elevenforum.com

Turn On or Off Device Encryption in Windows 11

This tutorial will show you how to turn on or off device encryption on a Windows 11 PC. Device encryption is a Windows feature that enables BitLocker encryption automatically for the Operating System drive and fixed drives. It’s particularly beneficial for everyday users who want to ensure...

www.elevenforum.com

… and many more

Solved What's this? C Drive "Account Unknown" with about 100 characters in its name

Member

My Computers

Well-known member

My Computers

Member

My Computers

doing another Win11 migration 🙄

My Computers

Like a rolling drone.

My Computers

Ret. ATC

My Computers

Active member

My Computer

Member

My Computers

Member

My Computers

Member

My Computers

Active member

My Computer

Member

My Computers

doing another Win11 migration 🙄

My Computers

Member

My Computers

Active member

My Computer

Member

My Computers

Like a rolling drone.

My Computers

doing another Win11 migration 🙄

My Computers

Member

My Computers

Like a rolling drone.

My Computers

Similar threads