Windows 10 - 4 separate machines showing Account Unknown S-1-5-21-*-*-1000

[tj11111]

I have just noticed, that every program in

C:\ProgramData\Microsoft\Windows\StartMenu\Programs

has following account listed under Security tab

Account Unknown S-1-5-21---1000

This account has only Special permissions, i have checked my main Windows 10 machine, my Windows 10 laptop, all have latest versions and everything updated. My 2 friends have Windows 10 too and have the same issue, only with different SID. We both have Kaspersky antivirus, if that might be the reason.

Also, i only use only one account, there is no other account and never was, the same applies for my friend. No domains, no AD.


I have also ran

wmic useraccount get name,sid

and got result back, my user account has exactly the same SID except the end, there is not -1000, but -1001.


In registry, HKEY_USERS, i have found only 2 s-1-5-21 entries. Both same, but one ends with _classes. These entries have identical SID as my account - ending with -1001, so it's my account. However i do not know, why there is an unknown account with -1000 ending.

So it seems that this Unknown account has been created before my account, which is the only account that has been created ever.

What this could be? Could this be something malicious?

 

[davehc]

My immediate comment is that it is most certainly not malicious!
Microsoft has said,repeatedly since Windows 7 at least, NOT to delete something called a Windows account security identifier (SID) (Called an Unknown Account)"
It is a part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.
When you set up a user, Windows identifies the account using a unique SID. This allows the legitimate user to change their name as often as wished, but the SID in the Uknown user account identifies it to Windows always staying the same -

 

[tj11111]

My immediate comment is that it is most certainly not malicious!
Microsoft has said,repeatedly since Windows 7 at least, NOT to delete something called a Windows account security identifier (SID) (Called an Unknown Account)"
It is a part of the Windows system for identifying users, accounts, and groups and deciding whether one has permission to access the other.
When you set up a user, Windows identifies the account using a unique SID. This allows the legitimate user to change their name as often as wished, but the SID in the Uknown user account identifies it to Windows always staying the same -

I just checked and i have found the same unknown user on another Windows computer.

The thing is that what you are reffering to is called capabilities. These are however listed in register and i was not able to find match.

Other important thing is that the end, RID, is 1000, 1000 and greater are not created by Windows. Weird fact is that the Unknown account has lower RID than my main, which basically means that it was created before my account. The same applies for all separate machines (6) i have checked.

 

[davehc]

1. It was , for reasons stated, created before your account!
2. It would, for reasons stated, be on ANY machine.!
3. It WAS created by Windows!
The remainder of your post , I regret, I do not understand, but hopefully you can figure something out.

 

[tj11111]

1. It was , for reasons stated, created before your account!
2. It would, for reasons stated, be on ANY machine.!
3. It WAS created by Windows!
The remainder of your post , I regret, I do not understand, but hopefully you can figure something out.

I am thinking it might be the defaultuser0.

 

[tj11111]

Yes, indeed it might be the defaultuser0, it's already deleted, only folder remains in C Users, the same Unknown account SID has permission to that folder. Am i correct?