S-1-5-21-Domain-500 question

Discussion in 'other security issues & news' started by MacQibble, Mar 6, 2011.

  1. MacQibble

    MacQibble Registered Member

    Jan 1, 2011
    Please know I'm not expecting to be offered one-on-one tuition, but I'll take any advice I can get to learn. (Can't seem to find an obvious home for this stuff apart from here on Wilders).

    Per MrBrian and Wilders, have discovered the hidden fruits of AccessChk and AccessEnum.

    AccessEnum has thrown up many questions, but the most intriguing are four entries under 'C:\Windows\Performance\WinSAT' showing

    "Account Unknown(S-1-5-21-{X-Y-Z}-500)" with full control over some ShaderCache files.

    (I'm so paranoid I changed the actual numbers!)

    I know (I think) that WinSAT measures the system's performance and capabilities and gives the WEI score. I've disabled this task. The folder also contains some WMP videos that came with the system. All seems tame enough to me.

    Thing is ... my understanding of S-1-5-21-Domain-500 is that it's the real Administrator and .. erm ... this SID certainly isn't my Real Administrator as listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

    The domain for the above is different to my three self-created accounts for Real Admin, Admin, and Standard user. I don't use the Real Admin. I only enabled it and gave it a pretty hefty strong password for belt and braces.

    So ... just wondering if I should be panicking? Right now I'd feel more stupid not asking. :(
  2. Sully

    Sully Registered Member

    Dec 23, 2005
    I am not sure exactly what you are asking. No problem though. That string you gave is part of the registry and part of .inf file syntax. The identifiers there are global identifiers, every computer might use one or another of them.

    The specific part that you fear to publish is unique as well, and unless someone crafts an exploit for you and that ID specifically, not much can be done with it. Besides that, if they do get the ID of a registry key, they still have to know the password.

    If you want to know more about that ID string and why it is such, how to use it, where it lives, you need to check out some Security Template information, especially on w2k and xp. There are a number of really good sites out there that will break down the .inf syntax in a security template. As it so happens, you used a security template when you installed the OS, usually defltwks.inf. You can examine that, and once you begin to comprehend the madness of .inf syntax, you can see exactly what rights are placed for objects and containers that are there on a default install, you can see the inheritance they give or get and why that affects things, and you can also see those GUIDs like the one you mentioned, and see how they play into the mix.

    This is hardcore geek land you are entering. Not a great abundance of information in one place, but scattered in many. I have gone to this land many times, and never have found the holy grail, only pieces along the way. I will tell you this though, if you can read a security template, you will gain a heaping amount of insight into how everything is restricted.

  3. katio

    katio Guest

    Same here, nothing out of the ordinary.

    Theory: It's whatever user is on the DVD installer which runs the performance check prior to you setting up any user accounts.
    Last edited by a moderator: Mar 6, 2011
  4. MacQibble

    MacQibble Registered Member

    Jan 1, 2011
    Two adages apply: A little knowledge is a dangerous thing / Fools go where angels fear to tread :D

    Thanks for invaluable insights. By way of explanation for panic, found this article on "Well-known SIDs":

    SID: S-1-5-21-domain-500
    Name: Administrator
    Description: A user account for the system administrator. By default, it is the only user account that is given full control

    Misread and assumed I should only find one :oops:

    Given katio's post, logical that the installation process, prior to any user admin account set up, has to have full control. That'll do for me.

    Last edited: Mar 6, 2011
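The point the thread arrives at, that RID 500 is "the Administrator" of whatever machine or domain issued the SID prefix, and that a prefix other than the local machine's is what AccessEnum shows as "Account Unknown", can be checked mechanically. The following is an added example, not code from the thread or from Sysinternals: it splits S-1-5-21 account SIDs into issuer prefix and RID and flags ACL entries whose prefix is not the local machine SID. The machine SIDs, file path and ACL entries are constructed sample data.

```python
import re

# Well-known RIDs in the S-1-5-21-<machine or domain>-<RID> range. The prefix
# identifies the issuer, the RID the account, so every machine has its own -500.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users"}
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_account_sid(sid):
    """Return (issuer prefix, RID) for an S-1-5-21 account SID."""
    m = ACCOUNT_SID_RE.match(sid)
    if m is None:
        raise ValueError("not an S-1-5-21 account SID: %r" % sid)
    parts = [int(p) for p in m.groups()]
    return "S-1-5-21-%d-%d-%d" % tuple(parts[:3]), parts[3]

def classify_sid(sid, local_prefix):
    """Return (scope, account name, issuer prefix, RID).
    scope is 'local' when the prefix is this machine's SID, else 'foreign'.
    A foreign SID cannot be resolved to a name on this machine, which is
    what AccessEnum reports as "Account Unknown".
    """
    prefix, rid = split_account_sid(sid)
    name = WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)
    return ("local" if prefix == local_prefix else "foreign"), name, prefix, rid

def find_foreign_aces(entries, local_prefix):
    """Return (path, description) for every ACE whose SID is not local."""
    findings = []
    for path, sid, rights in entries:
        scope, name, prefix, _rid = classify_sid(sid, local_prefix)
        if scope == "foreign":
            findings.append((path, "%s from %s has %s" % (name, prefix, rights)))
    return findings

# Constructed sample data (not real identifiers): a made-up local machine SID
# and ACL entries in the shape AccessEnum reports them (path, SID, rights).
LOCAL_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRIES = [
    (r"C:\Windows\Performance\WinSAT\shadercache.example",
     "S-1-5-21-4444444444-5555555555-6666666666-500", "Full Control"),
    (r"C:\Users\Standard\Documents", LOCAL_MACHINE_SID + "-1001", "Full Control"),
    (r"C:\Windows\System32", LOCAL_MACHINE_SID + "-500", "Full Control"),
]

if __name__ == "__main__":
    for path, why in find_foreign_aces(SAMPLE_ENTRIES, LOCAL_MACHINE_SID):
        print("%s: %s" % (path, why))
```

On a real machine the local prefix is the first three sub-authorities of any account under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, and the entries would come from AccessEnum's exported listing.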