Windows 7 Forums

Windows 7: New User created without my permission? Doesn't exist in registry.

25 Feb 2013   #1
lczaplicki

Windows 7 Ultimate x64
 
 
New User created without my permission by "SYSTEM"

Hi All,

After a recent reboot last week I wound up at an unfamiliar "choose user" screen during the Windows start-up process. I personally didn't create a user, and this user just appeared out of nowhere. So I thought nothing of it, logged on, deleted the user from the management console and went on with my day. I rebooted within the next day or two and the user magically reappeared. I am now a little fed up, and a little worried.

I traced back to the first time the user was created in the Windows security logs, and it turns out the user was created by the SYSTEM account after the SYSTEM account acquired new permissions. Maybe I am reading too far into this, but any help will be appreciated. Attached to this post is the error log. The errors logged were in the middle of the night, and over a course of 30 minutes. As mentioned before, this user does not exist in the registry, or "control userpasswords2", but comes up in the management console and "users" menu in the control panel.




Attached Files
File Type: txt Windows Log.txt (9.2 KB, 9 views)
25 Feb 2013   #2
lczaplicki

Windows 7 Ultimate x64
 
 

Anyone?
26 Feb 2013   #3
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Hi lczaplicki, welcome to 7F!

One item I could pick out was Primary Group ID: 513. That means whatever is doing this is a Domain User.

Values for primaryGroupID:
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers

Do you have the event ID and source?
26 Feb 2013   #4
lczaplicki

Windows 7 Ultimate x64
 
 

Event IDs range 4672, 4720, 4728, 4724, 4738, 4722, 4732, 4717, 4725, 4762. I pulled it from the security auditing log. Funny thing is I do not belong to any domain, just a standalone desktop at home, used for school and work. OK, and a few games.

Keep trying to delete the account, and it keeps coming back. I have not done any recent installs or uninstalls. Not picked up by ESET Smart Security, Malwarebytes Anti-Malware, or even HijackThis. Didn't try logging in as this user though.
26 Feb 2013   #5
UsernameIssues

W7 Pro SP1 64bit
 
 

ESET is probably creating the account - see this post:
TCP Flooding Attack
26 Feb 2013   #6
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Can you post something similar to this?

Code:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID:  680
Date:  12/27/2003
Time:  7:49:48 AM
User:  NT AUTHORITY\SYSTEM
Computer: MYPENTIUM450
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:  <Your user account>
Source Workstation: MYPENTIUM450
Error Code: 0xC000006E

With those IDs and this at the top of your .txt file:

Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

I'm thinking something to do with Microsoft phoning home because of an error reporting or updating feature they have for some of their programming.

You will need to see if there is a process associated with those event IDs.
See: What Is Logon ID 0x3e7 (Security Guidance)

That's possible UI, I just saw a similar posting on that the other day.
26 Feb 2013   #7
lczaplicki

Windows 7 Ultimate x64
 
 

Now that does seem to be very possible. I did recently update ESET and sign up for their tracking. Thanks, this thread might just be solved.
26 Feb 2013   #8
lczaplicki

Windows 7 Ultimate x64
 
 

I have attached a saved log in zip. But as UsernameIssues has already mentioned, I do suspect it may be the Anti-Theft feature by ESET. Will keep you posted.


Attached Files
File Type: zip Error Log.zip (3.5 KB, 2 views)
26 Feb 2013   #9
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

You will need to see if ESET is the process associated with those event IDs.
26 Feb 2013   #10
lczaplicki

Windows 7 Ultimate x64
 
 

As only one ID was associated with System32\Services.exe, I decided to go into ESET and try and configure the "Anti-Theft" tool they have provided with the most recent ESET Smart Security 6 Update. After removing the user, and rebooting, the ghost user hasn't come back. I will give it a day or two as I am going to call it a night for now, and I will post back if anything changes.

Overall I would like to thank you for your help!
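
One way to put the account-management events listed in post #4 into a single timeline of who acted on which account (an added example, not part of the original thread; the date window is a placeholder, and the field names are the named data fields these Security log events carry):

```powershell
# Added example. Run from an elevated PowerShell prompt; reading the
# Security log requires administrator rights. Works on PowerShell 2.0+.

# Event IDs exactly as listed in post #4 of this thread.
$ids = 4672, 4720, 4728, 4724, 4738, 4722, 4732, 4717, 4725, 4762

# Placeholder window (constructed value): set it to the night the
# unknown account first appeared.
$start = Get-Date '2013-02-18 00:00'
$end   = $start.AddDays(1)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $start; EndTime = $end
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the event's named <Data> fields into a lookup table.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($n.Name) { $d[$n.Name] = $n.'#text' }
    }

    New-Object psobject -Property @{
        Time       = $e.TimeCreated
        Id         = $e.Id
        # First line of the rendered message, e.g. "A user account was created."
        What       = ($e.Message -split "`r?`n")[0]
        # Who performed the action (SYSTEM shows up with logon ID 0x3e7).
        Subject    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        LogonId    = $d['SubjectLogonId']
        # The account or group that was created, changed or added to.
        Target     = $d['TargetUserName']
        # Only present on account creation/change events. On a standalone PC,
        # RID 513 in the local account database is the built-in "None" group,
        # the default primary group of every local account.
        PrimaryGrp = $d['PrimaryGroupId']
    }
}

$rows | Sort-Object Time |
    Select-Object Time, Id, What, Subject, LogonId, Target, PrimaryGrp |
    Format-Table -AutoSize
```

These events record the subject account and logon ID, not the calling process, so a SYSTEM subject only tells you the change came from something running as LocalSystem; the timestamps are what you line up against software install or update times.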