Site icon Sophos News

Don’t break Windows 10 by deleting SID, Microsoft warns

Microsoft has reminded admins and users not to delete something called a Windows account security identifier (SID) ‘capability’ in case they inadvertently break applications.

It’s not clear what prompted Microsoft to issue the caution for a type of SID that has been part of its OS since Windows 8 and Windows Server 2012, but the implication is that a lack of awareness has been causing support problems.

A bit like the Unix UID, SIDS are a fundamental part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.

If a Windows user (Alice, let’s say) sets up an account on her computer in her name, Windows identifies the account using a unique SID. Alice can change her account name as often as she wants (to AliceB or even Jeff), but the underlying SID that identifies it to Windows will always stay the same.

The 2012 overhaul expanded SIDS to cover things like file access, drive locations, access to certificates, cameras, removable storage etc. Each one became a ‘capability’ that a user or application could have, or not have, the rights to access.

According to Microsoft, Windows 10 1809 can use more than 300 of these, one of the most commonly encountered of which looks like this:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

It’s not hard to see why this might confuse anyone who delves into their Registry using the editor (Start > Run > regedt32.exe) where it appears as ‘account unknown’ with full read access.

After research, it seems that this might be something Windows itself needs to restart after a reboot, a sort of global SID.

That means that anyone who deletes it without understanding this purpose could break Windows itself. As Microsoft’s warning states:

DO NOT DELETE capability SIDS from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.

A further search reveals users asking support forums for advice on this SID, unaware that it is legitimate, plus examples where admins have deleted it and live to regret the decision.

‘Unfriendly’ names

So how do admins resolve which of these are legit SIDS and which might be suspicious?

Microsoft admits that capability IDs are not ‘friendly” (i.e. easy to understand) so using these on their own won’t be much help.  It even notes:

By design, a capability SID does not resolve to a friendly name.

The answer is that all capability SIDS should appear in the registry – Start > Run > regedt32.exe, and navigate to the following registry entry:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities.

If it doesn’t appear in this list then it warrants further investigation, bearing in mind that it might still be a legitimate third-party capability.

Exit mobile version