
Comments (5)

undergroundwires commented on May 19, 2024

Hi @MPeti1 , thanks for starting the discussion and your attention to the script that I was really not sure of.

It's a controversial user discussed often in the context of a backdoor in Windows 10. It is created by an update and there has never been any official information on its purpose/reason for creation from Microsoft. It gives access to your computer without your control / access, so I decided to add it to privacy.sexy. It's however safe to delete (1, 2). As it's safe to delete and it's so controversial, I decided to add it to the list.

It was added after a suggestion from a fellow computer forensics contributor:

    If somebody is on LTSC 2019 then the DefaultUser0 account is by default created on installation as a telemetry account.
    Hence it must be removed. If by default this account is not found on other builds of Win10 then it will not affect any functionality of the OS & will ignore it.
    source: github issue

More information:

    Nobody knows exactly why this account is being created or how users can prevent its creation
    source: windowsreport.com

    Best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
    source: docs.microsoft.com

from privacy.sexy.

MPeti1 commented on May 19, 2024

Thank you! It now makes sense I think.

I've read a bit, and it seems to be an error that hasn't been fixed for a long time.
The defaultuser0 account has this very long SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
It (which is invalid for a user, if I understand correctly) is actually the SID for an AppContainer capability, readRegistry.
It usually appears in DCOM errors in the event log, because this SID is added to a lot of registry objects as a user having permissions (all permissions) (again, if I understand correctly).
It seems that it's not a user, just a capability for UWP apps (mostly), but for some reason it's treated as one.

Microsoft seems to know about the problem, they promised a fix at least 2 times, but on both occasions the communication has been dropped, it seems.
Here are 2 links that contain some information about this:
https://answers.microsoft.com/en-us/windows/forum/all/defaultuser0-created-on-clean-install-of/e2333e94-ef5f-4932-8754-fd4ce27ae33b?page=13
https://social.technet.microsoft.com/Forums/en-US/3e7d85e3-d0e1-4e79-8141-0bbf8faf3644/windows-10-anniversary-update-the-case-of-the-mysterious-account-sid-causing-the-flood-of-dcom
Both of these are archived to archive.is

Note: the second link may require logging in to your MS account (???), but if you use a temporary container in Firefox (there's a plugin to simplify it), then it will work normally. It could also work with just creating a temporary profile in about:profiles.

Well, I think it's best to leave this script available. It's so big of a mystery that I would say your concern is grounded.


undergroundwires commented on May 19, 2024

I actually have no idea. But I asked the question to the forensic ghost friend. Forwarding his response:

  • defaultuser1 account is not created by default in any scenario
  • it's a user-heavily-tweaked OS with many tools, that's why it's created
  • if the user wants to take a close look then he must be sure which tool has done that
  • possible that it's an account which will forward logs of the user to an attacker according to my consent in this scenario.

His suggestion is to do a clean install from the same ISO to the same machine & then cross-check if that defaultuser1 account is still created. He's pretty sure it won't be found. He also recommends not using many tools but just a trusted one like privacy.sexy; this way one can work privacy-friendly without any doubt that his or her logs of activities are being sent anywhere without consent.


MPeti1 commented on May 19, 2024

Also, why do you think that it's for telemetry? I wasn't able to find anything with a quick search.


MPeti1 commented on May 19, 2024

At the same time, what do you think about defaultuser1? I only have this. Do you have information about that one?
Edit: if it helps, its SID is this: S-1-5-21-80563116-3206155393-223495591-1028

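The two SIDs quoted in this thread (the long S-1-15-3-1024-... one for defaultuser0 and the S-1-5-21-...-1028 one for defaultuser1) can be told apart structurally before anyone decides whether an "account" is a real logon principal. The following is an added example, not code from the thread or from privacy.sexy; it parses a SID string and classifies it by identifier authority and sub-authorities, using only the well-known SID layout (the well-known RID names are assumptions from the NT authority's standard allocation).

```python
# Added example: classify Windows SID strings so that a suspicious-looking
# account can be checked offline. The two sample SIDs are the ones quoted
# in the thread above; nothing here queries a live system.
import re
from dataclasses import dataclass

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known RIDs under the NT authority (S-1-5-21-<machine/domain>-<RID>).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    503: "DefaultAccount (built-in, system-managed)",
    504: "WDAGUtilityAccount (built-in)",
}

@dataclass
class SidInfo:
    sid: str
    authority: int
    subauthorities: list
    kind: str        # "account", "domain", "app-package", "capability", "other"
    principal: bool  # True only if this SID can identify a logon account
    detail: str

def classify_sid(sid: str) -> SidInfo:
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    if authority == 5 and subs[:1] == [21]:
        if len(subs) == 4:  # S-1-5-21-a-b-c is the machine/domain itself
            return SidInfo(sid, authority, subs, "domain", False, "machine or domain SID")
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            detail = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            detail = f"RID {rid}: locally created account or group"
        else:
            detail = f"RID {rid}: reserved well-known RID"
        return SidInfo(sid, authority, subs, "account", True, detail)
    if authority == 15:
        # App Package Authority: S-1-15-2-... names an app container package,
        # S-1-15-3-... names a capability; neither is a user principal, so a
        # "user" carrying such a SID is an ACL entry misread as an account.
        if subs[:1] == [2]:
            return SidInfo(sid, authority, subs, "app-package", False, "AppContainer package SID")
        if subs[:1] == [3]:
            named = subs[1:2] == [1024]  # 1024 prefix: hashed named capability
            detail = "named capability SID (hashed name)" if named else "capability SID"
            return SidInfo(sid, authority, subs, "capability", False, detail)
    return SidInfo(sid, authority, subs, "other", False, "not classified")
```

Run against the thread's two SIDs, the first is reported as a capability SID that cannot be a logon principal, while the second is an ordinary locally created account with RID 1028.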
