Why do I have multiple HKEY_USERS but only one account?

BillyG

I have:

.DEFAULT
S-1-5-18
S-1-5-19
S-1-5-19-Classes
S-1-5-20
S-1-5-20-Classes
S-1-5-21-1004336348-117609710-839522115-1004
S-1-5-21-1004336348-117609710-839522115-1004-Classes

but I only have the one Admin User Account and a Guest account (that is
disabled and I doubt I've ever even enabled it) on my Control Panel
User Accounts panel.

I read online that this is common due to Services that are added, but
the article was dated, albeit from Microsoft. I am currently using the
added UPHClean and one or two others, and have used Apache,
FolderSize(?), and prolly one or two others in the past which add
services to XP, but it appears that they never get deleted.

Fishing around within the user keys, I wasn't able to differentiate one
"user" from another, hence my reason for being here. Is there a way to
do this? TIA.
 
mhc

BillyG said:
I have:

.DEFAULT
S-1-5-18
S-1-5-19
S-1-5-19-Classes
S-1-5-20
S-1-5-20-Classes
S-1-5-21-1004336348-117609710-839522115-1004
S-1-5-21-1004336348-117609710-839522115-1004-Classes

but I only have the one Admin User Account and a Guest account (that is
disabled and I doubt I've ever even enabled it) on my Control Panel
User Accounts panel.

I read online that this is common due to Services that are added, but
the article was dated, albeit from Microsoft. I am currently using the
added UPHClean and one or two others, and have used Apache,
FolderSize(?), and prolly one or two others in the past which add
services to XP, but it appears that they never get deleted.

Fishing around within the user keys, I wasn't able to differentiate one
"user" from another, hence my reason for being here. Is there a way to
do this? TIA.

The S-1-5-19 and S-1-5-20 accounts are indeed related to services, and
the two accounts are named LocalService and NetworkService. You will
also find hidden folders with these names in your Documents and Settings
folder.

On a single-user system such as the one you have, neither account is
necessary, and in fact the use of these accounts is affecting system
performance. Let me know if you want the procedure to remove them, and
I'll post it in a reply.

mhc
 
BillyG

mhc said:
The S-1-5-19 and S-1-5-20 accounts are indeed related to services, and
the two accounts are named LocalService and NetworkService. You will
also find hidden folders with these names in your Documents and Settings
folder.

On a single-user system such as the one you have, neither account is
necessary, and in fact the use of these accounts is affecting system
performance. Let me know if you want the procedure to remove them, and
I'll post it in a reply.

mhc

Yes, that would be great, thanks.
 
Lawrence J. Gardner

Yes, please remove those accounts and destroy your system. Here is the
break-down:

.DEFAULT - the default user account used when creating a new user account

S-1-5-18 - the backup systemprofile account, also used when creating a new
user account file/folder structure (e.g.,
%systemroot%\system32\config\systemprofile)

S-1-5-19 - LocalService account used in Services when creating processes at
startup (e.g., %SystemDrive%\Documents and Settings\LocalService)
S-1-5-19-Classes - Classes associated with LocalService account

S-1-5-20 - NetworkService account used in Services when creating network
processes (e.g., %SystemDrive%\Documents and Settings\NetworkService)
S-1-5-20-Classes - Classes associated with NetworkService account

S-1-5-21-1004336348-117609710-839522115-1004 - currently loaded User
account - linked to HKEY_CURRENT_USER - more than likely you.
S-1-5-21-1004336348-117609710-839522115-1004-Classes - Classes associated
with above account.

Check out the following key for explanation of accounts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
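
One way to tell the HKEY_USERS hives apart, as an added example that is not part of the original post: this read-only script resolves each SID-named hive to an account name and looks up its profile folder under the ProfileList key named above. It assumes Windows PowerShell 3.0 or later; the variable names are illustrative.

```powershell
# Added example (not from the thread): label every hive loaded under HKEY_USERS.
# Read-only. Assumes Windows PowerShell 3.0 or later.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# HKEY_USERS has no built-in PowerShell drive, so use the provider-qualified path.
Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $hive = $_.PSChildName
    # A "...Classes" hive holds the per-user class registrations for the same SID.
    $sidText     = $hive -replace '[-_]Classes$', ''
    $account     = '(not a SID-named hive)'
    $profilePath = $null

    if ($sidText -match '^S-1-\d+(-\d+)+$') {
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Typical for a deleted account or an unreachable domain.
            $account = '(SID does not resolve to an account)'
        }
        # ProfileList records the profile folder that belongs to each SID.
        $key = Join-Path -Path $profileList -ChildPath $sidText
        if (Test-Path -Path $key) {
            $profilePath = (Get-ItemProperty -Path $key).ProfileImagePath
        }
    }

    [PSCustomObject]@{
        Hive        = $hive
        Account     = $account
        ProfilePath = $profilePath
    }
} | Format-Table -AutoSize
```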
 
BillyG

Lawrence said:
Yes, please remove those accounts and destroy your system. Here is the
break-down:

.DEFAULT - the default user account used when creating a new user account

S-1-5-18 - the backup systemprofile account, also used when creating a new
user account file/folder structure (e.g.,
%systemroot%\system32\config\systemprofile)

S-1-5-19 - LocalService account used in Services when creating processes at
startup (e.g., %SystemDrive%\Documents and Settings\LocalService)
S-1-5-19-Classes - Classes associated with LocalService account

S-1-5-20 - NetworkService account used in Services when creating network
processes (e.g., %SystemDrive%\Documents and Settings\NetworkService)
S-1-5-20-Classes - Classes associated with NetworkService account

S-1-5-21-1004336348-117609710-839522115-1004 - currently loaded User
account - linked to HKEY_CURRENT_USER - more than likely you.
S-1-5-21-1004336348-117609710-839522115-1004-Classes - Classes associated
with above account.

Check out the following key for explanation of accounts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Thanks Lawrence!
 
Wesley Vogel

A little more info.

From Small Potato.
<quote>
Just for more information, Local Service and Network Service accounts
are created for security reasons.

In Windows 2000/NT, system services are launched with "Local System"
credential, which has system-wide privilege as Administrator. So if the
service was attacked, attackers who gain the privilege of Local System can
perform a system-wide attack.

So Windows XP introduced Local Service and Network Service accounts for
system services. Both run with unprivileged "Limited Users" credential
instead of having full system rights, but Local Service accesses the Windows
network using null sessions, i.e., it uses anonymous credential, while
Network Service accesses the Windows network with the computer account, just
like Local System.

For more information, you may refer to this article:

The Services and Service Accounts Security Planning Guide
http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx
</quote>

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

mhc

My system has been running for three years without the LocalService and
NetworkService accounts. They are NOT NEEDED on single-user systems, and
in fact they negatively impact performance on such systems!

Isn't S-1-5-18 the normally-hidden Administrator account, the one you
can only access in safe mode?

mhc
 
mhc

BillyG said:
Yes, that would be great, thanks.

Step Zero. BACK UP YOUR SYSTEM. We're talking about some major changes
to your system here, and if for some reason your system gets corrupted
during the modifications, you will be able to restore it. Just in case
you missed it: BACK UP YOUR SYSTEM!

To remove the LocalService and NetworkService accounts, click Start>Run
and type in SERVICES.MSC and press enter. Now, starting at the top of
the list of services, double-click on the first one that shows
LocalService or NetworkService in the "log on as" column. Then click on
the LOG ON button, set the log on type to Local System Account, and
click Apply. Repeat this with EVERY service that was set to LocalService
or NetworkService.

Once complete, reboot your system. At this point I'd suggest downloading
the DelProf utility from the Microsoft website, and using it to remove
the two now-dormant accounts. After running this utility, you can also
remove the (hidden) LocalService and NetworkService folders that are in
Documents and Settings folder.

mhc
 
BillyG

mhc said:
Step Zero. BACK UP YOUR SYSTEM. We're talking about some major changes
to your system here, and if for some reason your system gets corrupted
during the modifications, you will be able to restore it. Just in case
you missed it: BACK UP YOUR SYSTEM!

To remove the LocalService and NetworkService accounts, click Start>Run
and type in SERVICES.MSC and press enter. Now, starting at the top of
the list of services, double-click on the first one that shows
LocalService or NetworkService in the "log on as" column. Then click on
the LOG ON button, set the log on type to Local System Account, and
click Apply. Repeat this with EVERY service that was set to LocalService
or NetworkService.

Once complete, reboot your system. At this point I'd suggest downloading
the DelProf utility from the Microsoft website, and using it to remove
the two now-dormant accounts. After running this utility, you can also
remove the (hidden) LocalService and NetworkService folders that are in
Documents and Settings folder.

mhc

I appreciate all the responses. I will jump right on this ASAP. I'm
getting ready to go to my evening classes and then camping for the
weekend but I will be back Sunday afternoon.

I would really like to know if there is a way to decipher what one
HKEY_USER is from another; that would settle everything for me, since I
would know immediately whether or not I need them.

Besides those mentioned, I do have Apache and UPHClean loaded, so that
accounts for 2 more. I may be good... I had forgotten about the Local
and Network profiles, thanks again.
 
Wesley Vogel

mhc said:
Isn't S-1-5-18 the normally-hidden Administrator account, the one you
can only access in safe mode?

No.

SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is
the only user account that is given full control over the system.
from...
Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330

On my machine..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList\S-1-5-21-1708537768-1580436667-1202660629-500
ProfileImagePath
%SystemDrive%\Documents and Settings\Administrator

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath
%systemroot%\system32\config\systemprofile

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

mhc

Wesley said:
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is
the only user account that is given full control over the system.
from...
Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330

On my machine..
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList\S-1-5-21-1708537768-1580436667-1202660629-500
ProfileImagePath
%SystemDrive%\Documents and Settings\Administrator

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath
%systemroot%\system32\config\systemprofile

Thanks for the info...and it makes a lot of sense. BTW, I don't have the
S-1-5-18 account in the key you listed above...I wonder if it's related
to my removing the S-1-5-19 and S-1-5-20 accounts?

mhc
 
Wesley Vogel

I have no idea.

If you paste the following line into Start | Run and click OK

%SystemDrive%\Documents and Settings\Administrator

does anything open?

Can you log onto the Administrator account?


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Homer J. Simpson

mhc said:
My system has been running for three years without the LocalService and
NetworkService accounts. They are NOT NEEDED on single-user systems,

While not "needed", what you've suggested to "BillyG" is to change every
service to run under the elevated LocalSystem account. That's a *terrible*
idea, as any compromised service will then run with full access to
everything. This is in no way different than suggesting Linux users should
run everything as root.

mhc said:
and in fact they negatively impact performance on such systems!

How are you quantifying that "fact"?
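
To see which account each service logs on as, and to notice when one has been switched to LocalSystem, here is an added example that is not part of the original post. It is read-only apart from writing a baseline file; it assumes Windows PowerShell 3.0 or later, and the baseline file name is hypothetical.

```powershell
# Added example (not from the thread): inventory service logon accounts and
# report any service whose account differs from a previously saved baseline.
$baselinePath = '.\service-accounts-baseline.csv'   # hypothetical file name

$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    # StartName spelling varies between services, so normalise it.
    $identity = switch -Regex ([string]$_.StartName) {
        '^(\.\\)?LocalSystem$'             { 'LocalSystem'; break }
        '^NT AUTHORITY\\Local ?Service$'   { 'LocalService'; break }
        '^NT AUTHORITY\\Network ?Service$' { 'NetworkService'; break }
        '^$'                               { '(none reported)'; break }
        default                            { 'Other account' }
    }
    [PSCustomObject]@{
        Name      = $_.Name
        State     = $_.State
        StartName = $_.StartName
        Identity  = $identity
    }
}

# How many services run under each identity.
$services | Group-Object -Property Identity |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

if (Test-Path -Path $baselinePath) {
    # Compare with the saved baseline and list every changed logon account.
    $old = @{}
    Import-Csv -Path $baselinePath | ForEach-Object { $old[$_.Name] = $_.Identity }
    $services |
        Where-Object { $old.ContainsKey($_.Name) -and $old[$_.Name] -ne $_.Identity } |
        ForEach-Object {
            [PSCustomObject]@{ Service = $_.Name; Was = $old[$_.Name]; Now = $_.Identity }
        } | Format-Table -AutoSize
} else {
    # First run: record the current state as the baseline.
    $services | Export-Csv -Path $baselinePath -NoTypeInformation
}
```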
 
