The catroot2 folder looks healthier now than it did, anyhow.
A thought -
Please run the following commands and post the results......
REG QUERY HKU
WHOAMI /USER
Here they are
Is there something wrong?
C:\Windows\System32\catroot2>REG QUERY HKU
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1000
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1000_Classes
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018_Classes
HKEY_USERS\S-1-5-18
C:\Windows\System32\catroot2>WHOAMI /USER
USER INFORMATION
----------------
User Name SID
========== ==============================================
eva\robbio S-1-5-21-1408468914-2965767387-1660694563-1000
C:\Windows\System32\catroot2>
The system has me and two other normal users.
thanks
There's only any sign of one other user?
The short GUIDs are for the NetworkService account, the System account, and the LocalService account.
Each user account has two GUIDs - the normal one, and the _Classes one.
You've obviously had a few other accounts on there - the other is #18!
Sorry....
The HKU Key is a list of all User accounts installed on the machine.
'Well-known' SIDs S-1-5-18/19/20 belong to the standard machine accounts.
The User SIDs are more complex, and involve semi-random strings.
The first User account created ends in 1000 - that number increments with each user created (to prevent duplication of accounts).
Each User account also has a _Classes account dependent on it.
SID vs. GUID
Well-known SIDs (Windows)
Under control panel | user accounts there are four accounts:
- guest: is off.
- me: administrator.
- two normal users: time by time they access here and only here.
Now,
from the output of the command before there are only two User SIDs.
Instead, I'd have had (sorry, I don't know if the verb tense is correct) another two
items SIDs (normal + __Classes) in that list for the third user account.
- Am I right?
- Is there something wrong with user account configurations?
- Or, is the system missing user accounts greater than -1000 and less than -1018?
Furthermore,
- Is the problem above involved in the WindowsUpdate process?
- Does WindowsUpdate feature need its own account?
Please explain.
Thank you very much.
From the end -
Windows Update doesn't need its own account (it does have its own SID though, I think).
User account corruption can cause problems in all sorts of unexpected places.
The terminal numbers in a User account SID are never re-used - a new (higher) one is created every time a new user is created.
The second one will end 1001
The third will end 1002
If the second is now deleted, then a fourth created, it will get 1003 (rather than 1001).
Testing on a VM here (in Vista, because I happen to have it open...)
Admin Account 1000 created 2 new accounts - one standard user and one Admin user
Booted to both to initialise them, then...
logged in to the Std user - I can only see the logged-in user 1002
logged in to the Admin user - I can only see the logged-in user in a normal CMD prompt or in an Elevated one.
logged into the original account, I can still only see the logged-in user.
So yes, there is something strange going on in your PC - I'm just not sure what.
Please log in to the other accounts if you can, and use WHOAMI /USER to find out what the account SID is.
Also run REG QUERY HKU to see whether the 1018 account is visible (or any other long SID)
It's always possible that this account is something created by one of your dev tools.
OK, this is my report:
1000 <-- it's me
.......<--- ?
1004 <--- it's user1
.......<--- ?
1008 <--- it's user2
.......<--- ?
1018 <---?
So,
probably in the past I deleted one or two account(s) while creating the two users above, but no more than those.
I installed full VisualStudio packages in the past and each one comes with its own user account for the ASP.NET web server, if I remember correctly. So another three user accounts for VS2005/2008/2010 (VS2012 is the expression edition for desktop dev.).
I saw three SQLServer installed on my PC and probably they come with their own user accounts.
But I'm not able to reach 19 SIDs...
I imagine there is no way to know, as administrator, all SIDs created over time and which ones are actually active, right?
Doubt: I remember there was a tool or a web tool from Microsoft through which I could test consistency on my PC. It tests all stuff and protections on your PC. Actually I don't remember the name. Is it still available and valid for Seven?
Any other idea? :)
Thanks, you have a coffee offered by me!
There is no tool that can possibly test all registry configurations - or software configurations.
You may be thinking of something like MBSA, which checks that all security updates are configured properly.
Please run the following commands and we'll see a little more....
REG QUERY HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018
REG QUERY HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Environment
here they are
Thanks.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\AppEvents
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Console
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Control Panel
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Environment
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\EUDC
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Keyboard Layout
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Network
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Printers
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Software
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\System
C:\Windows\system32>REG QUERY HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Environment
HKEY_USERS\S-1-5-21-1408468914-2965767387-1660694563-1018\Environment
TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp
TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp
C:\Windows\system32>
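
An added example, not part of any post in the thread: one way to identify which account owns each hive that REG QUERY HKU lists (such as the 1018 entry above) is to translate every loaded SID to an account name and read its profile folder from the ProfileList key. It uses only built-in PowerShell and .NET calls, avoids syntax newer than the PowerShell 2.0 shipped with Windows 7, and should be run from an elevated prompt.

```powershell
# Added example: resolve every SID loaded under HKEY_USERS to an account name
# and a profile folder, so an unexpected entry can be identified.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem Registry::HKEY_USERS |
    # Skip .DEFAULT and the per-user _Classes hives; keep the account SIDs.
    Where-Object { $_.PSChildName -like 'S-1-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $sid = $_.PSChildName

        # Translate() throws when the SID maps to no existing account,
        # which is itself a useful finding for a leftover or orphaned hive.
        $account = '<unresolved>'
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        # ProfileList records where the profile for this SID lives on disk.
        $profilePath = '<no ProfileList entry>'
        $entry = Get-ItemProperty -Path (Join-Path $profileList $sid) -ErrorAction SilentlyContinue
        if ($entry) { $profilePath = $entry.ProfileImagePath }

        New-Object PSObject -Property @{
            RID         = $sid.Split('-')[-1]   # last component, e.g. 1000 or 1018
            Account     = $account
            ProfilePath = $profilePath
            SID         = $sid
        }
    } |
    Select-Object RID, Account, ProfilePath, SID |
    Format-Table -AutoSize
```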