Skip to content
Naked Security Naked Security

Don’t break Windows 10 by deleting SID, Microsoft warns

Sometimes it's best not to tinker under the hood - especially when it comes to security IDs.

Microsoft has reminded admins and users not to delete something called a Windows account security identifier (SID) ‘capability’ in case they inadvertently break applications.

It’s not clear what prompted Microsoft to issue the caution for a type of SID that has been part of its OS since Windows 8 and Windows Server 2012, but the implication is that a lack of awareness has been causing support problems.

A bit like the Unix UID, SIDS are a fundamental part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.

If a Windows user (Alice, let’s say) sets up an account on her computer in her name, Windows identifies the account using a unique SID. Alice can change her account name as often as she wants (to AliceB or even Jeff), but the underlying SID that identifies it to Windows will always stay the same.

The 2012 overhaul expanded SIDS to cover things like file access, drive locations, access to certificates, cameras, removable storage etc. Each one became a ‘capability’ that a user or application could have, or not have, the rights to access.

According to Microsoft, Windows 10 1809 can use more than 300 of these, one of the most commonly encountered of which looks like this:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

It’s not hard to see why this might confuse anyone who delves into their Registry using the editor (Start > Run > regedt32.exe) where it appears as ‘account unknown’ with full read access.

After research, it seems that this might be something Windows itself needs to restart after a reboot, a sort of global SID.

That means that anyone who deletes it without understanding this purpose could break Windows itself. As Microsoft’s warning states:

DO NOT DELETE capability SIDS from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.

A further search reveals users asking support forums for advice on this SID, unaware that it is legitimate, plus examples where admins have deleted it and live to regret the decision.

‘Unfriendly’ names

So how do admins resolve which of these are legit SIDS and which might be suspicious?

Microsoft admits that capability IDs are not ‘friendly” (i.e. easy to understand) so using these on their own won’t be much help.  It even notes:

By design, a capability SID does not resolve to a friendly name.

The answer is that all capability SIDS should appear in the registry – Start > Run > regedt32.exe, and navigate to the following registry entry:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities.

If it doesn’t appear in this list then it warrants further investigation, bearing in mind that it might still be a legitimate third-party capability.

31 Comments

Broke Win10 good once because removed an “unknown account” from registry editor permissions. lol Thanks, ms, you’re great! haha

> By design, a capability SID does not resolve to a friendly name

What would motivate the “by design” aspect here? Security-through-obscurity?

If finding it needs Regedit, won’t admins discover and remove it during security audits? What’s wrong with labeling it “System Capability (do not delete)” in addition to the 90 random digits? I can see myself removing it if I don’t know where it came from.

Granted, OS architects can’t be expected to plan a comprehensive, preemptive response for every facet of a monolithic operating system (the world’s longest and most boring Choose Your Own Adventure story), but this seems like it would be found often.

Uh, If your admin deletes a SID without knowing exactly what that SID does, they shouldn’t be an admin.

Fair point–and you’re right.
However it doesn’t justify MS declining to identify the SID. One of the big reasons I continue to move off Windows as much as possible is that Redmond seems to be systematically making it more cumbersome to administer, and less user-friendly.

In the early days of WinXP I never used AV and never got terminally infected. Part of that was good browsing sense, but I also was able to navigate the command line, search all the hot spots, remove anything fishy. Between Task Manager, msconfig, and regedit, I could reliably clean my machine of any issues in ten or fifteen minutes, and I had a great track record (~75%) of resurrecting PCs for friends, some of which appeared at first to be hopeless.

Most of this was done on the command line with PS Tools, UnxUtils, and a handful of .bat scripts (just to expedite stuff like change attributes then delete).

Win7 began to close those handy mechanisms. There seems to be a bottomless treasure trove of ways the badguys put stuff in the same spots, but permission denied errors and ever-hidden file locations increase as I try to remediate. Win8 brought us a nearly-useless task manager (OMG, that’s high detail?!), completely disabling the only useful part of msconfig, and Win10 only continues the trend of closing all the front doors, while leaving the back doors & windows swinging wide open.

Three Dead Trolls in a Baggie were correct when they sang “Every OS Sucks,” but some more so than others.

Um, i’m the admin of my own little neckwork of 1 and I have to read through a bunch of technical junk just to use facebook or play a game? Not everybody is a techie

I was thinking the exact same thing, Donna! Although, I could probably get one of my Grandchildren to sit down for a few hours and get my laptops and my desktop set back up for me, I have to figure some of this technical stuff out on my own. I’m just finally getting the chance to search about why/how this unknown users had control over my files and folders and that worried me on my older laptop, so of course I decided to delete it!
At least now I know why it’s not booting up when I turn it on. Oh well, that saves me from having to purchase Windows 10 for it.

MICROSOFT…..Please quit leaving some of us in the dust! We’re not all cut out to keep up with this stuff, be more user friendly with the possibility of an added feature to give information about everything by right clicking on it or something! OR, maybe highlight a critical item if it shouldn’t be deleted!

Although third party sid’s could be any name, even something purposefully misleading … no name. ..

How about fixing Windows so it is possible to verify that permissions haven’t been tampered with again. Insanity.

But without backdoors how will the NSA be able to spy on all us people, foreign and domestic?

I actually sat up one night because I thought Microsoft had taken over my computer. Well, in a way they had. Installing dastardly upgrades like Clouds and Edge and Xbox and the phone thing that won’t delete.

Let’s go back to DOS, where there wasn’t a registry and SID’s and everything WORKED!

That is what I said when I used my first Macintosh circa 1984. Someone even wrote a program to “go to DOS” and type commands instead of using the GUI

2 Windows PCs bricked last year months apart, requiring intensive and extensive help from MS. The eternal reboot cycle. I hope I turned off forced upgrades on msconfig, but regardless, these units are going to be replaced down the road…by Macs. Who goes back to the restaurant that served you salmonella?

On a point of order in respect of jargon: “bricked” means that the device won’t boot *at all*, not even into a boot loop, and can’t be wiped or restored, even at the cost of losing all your data and reintalling. No amount of help, intensiveor extensive, can get the device to work again. The word comes from the days when network devices like routers or phones were about the size and weight of a housebrick. If you locked yourself out of *everything*, even inlcuding being able to do a firmware reset, the device was about as much use as a brick – useful for propping doors open.

TBH, after about a decade of OS X and then macOS, I have a contest with myself to get the latest update as soon as I can, rather than waiting for an automatic update. Never had anything break except crappy old third party open source software that hadn’t been updated for years and was easily replaced by something better anyway. That’s not an ad or an act of fanbuoyism (OK, maybe it is!) but it’s how my macOS life has played out…

bricked: as a doornail
Though I agree with you on that point, I’m tempted to cite evolution of language, coupled with the similarity here between diluted use of the the term “bricked” and how data‘s once exclusively-plural form of datum has also eroded with more common parlance.
But I wouldn’t nitpick ya like that buddy.
:,)

Appreciate the correction. I’m not a tech wiz so bricked to me means a useless piece of hardware. I avoided Apple products for years, thinking them over-priced and proprietary. But not having a PC for almost a month and allowing Microsoft techs to take over my computers for hours, and having to buy flash drives expressly to download a cure…I just wouldn’t go through that again. And Windows still seems to be having the same issues a year later.

Thanks – after publishing it I was worried it sounded a bit petty. My point was not so much a correction as advice about the term “bricked” in general, because it’s still easily misunderstood. It’s a bit like the word “punt”, which is an unexceptionable word, common even, but best avoided in technical writing because when used metaphorically it is effectively a contranym – a word that is also its own opposite, like “cleave”, which can mean both to chop in half and to stick together.

(In British English a punt is a wager, so to “take a punt” implies taking a bit of a risk. In American English it’s a defensive play in football and implies taking the safe option.)

Hahah, it’s interesting how innocuous terms can prompt someone on either side of the pond to exclaim,
“why won’t you just talk ENGLISH?!”
..and comical how idioms often don’t translate as obviously as we’d expect.
Cracking explanation, Duck
:,)

So people going into registry and removing things they don’t understand lol. What’s new?

@elmo
While your point is valid, this SID is similar to actual user accounts (and more importantly the builtin SID lacks a builtin plaintext descriptor to help administrator make an informed decision). Malware being as prevalent as it is, an admin removing superfluous and unknown accounts/permissions isn’t as renegade as you imply.
This isn’t the same as removing the WinNT registry key “because I’m already on Server 2012.“

Microsoft definitely needs to make these resolvable. In a domain environment, unresolvable SIDs are usually old deleted accounts and groups, so removing them is safe, and sometimes necessary, so that an old group or account isn’t restored and regranted access. When you have these special purpose SIDs that use the same full GUID format as a regular account, it makes cleanup that much harder. The old built-in SIDs would be short guids and had a defined name translation, so those were easy to avoid deleting from file permissions.

Why would anyone remove a SID from the registry without specifically knowing that it should be done? I have always used the practice of don’t remove anything unless there’s a good documented reason to do so.

I just dumped all my “capability SIDs” from the regkey in this article, got 174 of ’em, but all started “S-1-15-3-…” I also noticed a “normal” SID from my SAM account or from the domain started “S-1-15-21-…” Perhaps looking at that 3rd octet (4th octet?) in the SID can identify if it’s a capability SID? Just thinking out loud…

I didn’t find this through a RegEdit. This type of SID appears in the security pane of every file on my computer as: UNKNOWN ACCOUNT [S-1-5-21-2648399741-1442859083-2544380504-1004]. This is very disconcerting! the account has full permissions over every folder and file in Users, except Public. What is this account? For what is it used? When did this get created? Why does it have full, unrestricted access to all files in Users?

I found one of these without using regedit. It was in the Security tab of my printer properties. Attempting to guess my way around MS’s deliberate obscurity, I imagine it may have something to do with the fact that the printer is shared. Anyway, thanks for the article.

Well, whence the security breach has been made–under the ID of “UNKNOWN ACCOUNT [S-1-15-3-4096 …]”, then where is the discrimination going to be made which would stand that ‘SIDS’ apart from any and all legit ID’s? Appears to only a matter of time for the obscurity issue to become more of a loser for Win10 than it already is.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?