Recently, while looking at the security tab on a file, I found there was a user that was an unknown account. It wasn’t registered with the Windows Vista system.
Looking around the system I found several more files, so I decided to figure out where this account came from.
An internet search about account SIDs turned up a page on Wikipedia about Security identifier. This box from the chart gave me the answer.
I needed to find the SID of the system I found in the file, but how?
So back to the internet search again. First I needed a way to easily get the information from the file; secondly I needed to get the SID of the system. The answer to that was to build 2 new programs.
In the screen shot above you see that the known accounts return the name only but the unknown returns the SID only.
GetFileSecurityInfo (above) and GetComputerSID (below)
I have a dual boot system (Windows Vista Ultimate x64 (my main) and Windows 7 Ultimate x64) and also 2 VHDs. Since I had only 4 systems to check, it was just a matter of checking computer SIDs till one matched.
The SID turned out to belong to Windows 7.
Now that we have found the system where the SID comes from, that brings me to 1 of 2 other tools I built previously for getting the user SID of known users.
Either this one above, called All User Account NFO, or the one below, called User name Account Information.
What we are looking for is to match the first section of the SID to the system SID; then the last 4 numbers will give us the user account on that system. These particular screen shots above are from the Vista VHD, which does not match the number in either section of the SID we are looking for. (See screen shot below to compare the numbers.)
The User turned out to be my account on Windows 7.
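The matching described above, written out as an added example (it is not one of my VB tools): it splits an unresolved SID into its machine part and trailing RID, then looks the machine part up in a table of computer SIDs. The install labels and every SID value below are constructed placeholders.

```python
import re

# Account and computer SIDs have the form S-1-5-21-<a>-<b>-<c>[-<RID>];
# the three 32-bit values after "21" identify the Windows install.
_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$", re.IGNORECASE)

# Fixed RIDs every install has; RIDs from 1000 up belong to accounts and
# groups created on that install.
_WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def split_account_sid(sid):
    """Return (machine_sid, rid); rid is None for a bare computer SID."""
    m = _SID_RE.match(sid.strip())
    if not m:
        # e.g. S-1-5-32-544 or S-1-1-0: no machine part to compare.
        raise ValueError("not an S-1-5-21 SID: %r" % sid)
    subs = [int(g) for g in m.groups() if g is not None]
    if any(v > 0xFFFFFFFF for v in subs):
        raise ValueError("sub-authority exceeds 32 bits: %r" % sid)
    machine = "S-1-5-21-%d-%d-%d" % tuple(subs[:3])
    rid = subs[3] if len(subs) == 4 else None
    return machine, rid


def attribute_sid(orphan_sid, machine_sids):
    """Match an unresolved ACL SID against known installs.

    machine_sids maps a label to that install's computer SID.
    Returns (label or None, rid, description of the RID).
    """
    machine, rid = split_account_sid(orphan_sid)
    if rid is None:
        raise ValueError("expected an account SID ending in a RID")
    known = {split_account_sid(s)[0]: name for name, s in machine_sids.items()}
    label = known.get(machine)  # None when no checked install matches
    if rid in _WELL_KNOWN_RIDS:
        kind = _WELL_KNOWN_RIDS[rid]
    else:
        kind = "user-created account" if rid >= 1000 else "reserved RID"
    return label, rid, kind


# Constructed sample values, not taken from any real system.
INSTALLS = {
    "Vista (main)": "S-1-5-21-1111111111-2222222222-3333333333",
    "Windows 7": "S-1-5-21-4000000001-4000000002-4000000003",
    "Vista VHD": "S-1-5-21-555555555-666666666-777777777",
}
ORPHAN = "S-1-5-21-4000000001-4000000002-4000000003-1000"

if __name__ == "__main__":
    print(attribute_sid(ORPHAN, INSTALLS))
```

A result whose label is `None` means the SID came from an install that is not in the table, so the list of systems checked needs to grow.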
So how did it get on the system to start with?
While booted into the Windows 7 OS I navigated to the partition for Windows Vista and had to click a box to allow Windows 7 access on that partition for the areas I needed to get access to. It is amazing how far the inheritance travels in a system.
Well, another mystery solved.
I have not tested whether a deleted account on the same system would leave an unknown account on a file or not.
The code basis for GetComputerSID.exe was found at an MSDN forum, where I added my code to the page after the person that originally listed it. I had to convert what they had to VB and then get it to work.
The code basis for GetFileSecurityInfo.exe was found at EGGHEADCAFE.com.
To get the SID of the computer you can also use a command line tool called PsGetSid located on the Windows Sysinternals web site.
Remember to check your references and imports in VB to get the code to work.
Edit: 09/04/2017 Removed Link to my website I no longer have.