List of Hidden / Virtual Windows User Accounts

Solution 1:

I don't think there is an ultimate list of all possible accounts.

There are different types of names you can use in user input fields such as the permissions dialogs.

First up are standard Win32_Account objects. To get a full list, open a PowerShell session and run:

get-wmiobject -class "win32_account" -namespace "root\cimv2" | sort caption | format-table caption, __CLASS, FullName

These are the usual users, groups and the builtin accounts.

Since Vista, there is a new class of accounts, called virtual accounts, because they do not show up in the usual management tools. They are sometimes called service accounts as well, and there are at least three different types of these:

  • Windows Service Accounts

Since Vista every Windows service has a virtual account associated with it, even if it runs under a different user account and even if it does not run at all. It looks like NT Service\MSSQLSERVER.

To get a list of those use:

get-service | foreach {Write-Host "NT Service\$($_.Name)"}

  • IIS Application Pools

Each IIS application pool that runs under the ApplicationPoolIdentity runs under a special account called IIS APPPOOL\NameOfThePool

Assuming you have the IIS Management scripting tools installed, you can run:

Get-WebConfiguration system.applicationHost/applicationPools/* /* | where {$_.ProcessModel.identitytype -eq 'ApplicationPoolIdentity'} | foreach {Write-Host IIS APPPOOL\$($_.Name)}

  • Hyper-V Virtual Machines

On Server 2008+ and Windows 8+ you have Hyper-V. Each virtual machine creates its own virtual account, which looks like: NT VIRTUAL MACHINE\1043F032-2199-4DEA-8E69-72031FAA50C5

to get a list use:

get-vm | foreach {Write-Host "NT VIRTUAL MACHINE\$($_.Id) - $($_.VMName)"}

Even though these accounts are not accepted in the permissions dialog, you can use them with icacls.exe to set permissions.

There is also a special group NT Virtual Machine\Virtual Machines, which doesn't show up elsewhere. All of the virtual machine accounts are members of this group, so you can use this to set permissions for all VM files.

These names are language specific, e.g. in German it is named NT Virtual Machine\Virtuelle Computer

  • Desktop Window Manager

The dwm.exe process (Desktop Window Manager) runs under a user Window Manager\DWM-1

Again you cannot use this type of user in the permissions dialogs. It is not really possible to enumerate these either, because one exists for each 'desktop session', so when using two RDP sessions you also have DWM-2 and DWM-3 in addition to DWM-1. So there are as many as there are desktops available.

  • Computer Names

In certain cases you can also use computer names in the permissions dialog, usually when being part of an Active Directory domain.

  • Windows Remoting Virtual Users

When using PowerShell with JEA (Just Enough Administration) and connecting to a server with a PS remote session, a temporary virtual user may be created.

These have the following format:

winrm virtual users\winrm va_x_computername_username

and a SID that starts with S-1-5-94-

The 'x' is an integer.

These accounts can be used when assigning NTFS permissions, but I don't know how to list all these possible virtual users.

While in a JEA session you can use whoami to find out the current account name.

  • Finally:

Even these lists don't give you every possible account.

For example, you can create an application pool FooBarPool then delete it again, you can still use IIS APPPOOL\FooBarPool in the permissions dialog, so there must be an internal list somewhere.
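As an added example that is not part of the answer above: a PowerShell script that gathers the virtual account names this answer enumerates, resolves each one through LSA to its SID, and grants an ACE by SID rather than by display name, which sidesteps the localized-name problem (NT Virtual Machine\Virtual Machines vs. Virtuelle Computer). The function names and the path C:\VMs\disk.vhdx are my own assumptions; the IIS and Hyper-V parts only run when those modules are installed.

```powershell
# Added example; not code from the original answer. Run in an elevated
# PowerShell session on Windows. Function names and the sample path are
# assumptions made for this example.

function Resolve-AccountSid {
    # Ask LSA to map an account name to its SID string; $null if unknown here
    param([Parameter(Mandatory)][string]$Name)
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Get-VirtualAccountName {
    # NT SERVICE\<name>: one per installed service, whatever account it runs as
    Get-Service | ForEach-Object { "NT SERVICE\$($_.Name)" }

    # IIS APPPOOL\<pool>: only pools that run as ApplicationPoolIdentity
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'ApplicationPoolIdentity' } |
            ForEach-Object { "IIS APPPOOL\$($_.Name)" }
    }

    # NT VIRTUAL MACHINE\<VM GUID>: one per Hyper-V virtual machine
    if (Get-Command -Name Get-VM -ErrorAction SilentlyContinue) {
        Get-VM | ForEach-Object { "NT VIRTUAL MACHINE\$($_.Id)" }
    }
}

function Get-VirtualAccountKind {
    # Classify by the well-known sub-authority that follows S-1-5-
    param([Parameter(Mandatory)][string]$Sid)
    switch -Regex ($Sid) {
        '^S-1-5-80-' { 'NT SERVICE (service SID)' }
        '^S-1-5-82-' { 'IIS APPPOOL (application pool identity)' }
        '^S-1-5-83-' { 'NT VIRTUAL MACHINE (Hyper-V)' }
        '^S-1-5-90-' { 'Window Manager (DWM-n)' }
        '^S-1-5-94-' { 'WinRM Virtual Users (JEA)' }
        default      { 'other' }
    }
}

function Grant-ReadBySid {
    # Build the ACE from a SecurityIdentifier, not a name, so the same script
    # works on a German system where the group is shown as "Virtuelle Computer".
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid
    )
    $identity = [System.Security.Principal.SecurityIdentifier]$Sid
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($identity, 'ReadAndExecute', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # icacls equivalent (a leading * marks a SID): icacls $Path /grant "*${Sid}:(RX)"
}

# Inventory: name, SID and category for every virtual account found
Get-VirtualAccountName | ForEach-Object {
    $sid  = Resolve-AccountSid -Name $_
    $kind = if ($sid) { Get-VirtualAccountKind -Sid $sid } else { 'unresolved' }
    [pscustomobject]@{ Name = $_; Sid = $sid; Kind = $kind }
} | Format-Table -AutoSize

# The answer's point about deleted pools: with IIS installed, the name of a
# pool that no longer exists still resolves, because the SID is derived from it
Resolve-AccountSid -Name 'IIS APPPOOL\FooBarPool'

# S-1-5-83-0 is the well-known SID of "NT VIRTUAL MACHINE\Virtual Machines".
# The path is hypothetical and is only touched if it exists.
$vhd = 'C:\VMs\disk.vhdx'
if (Test-Path -Path $vhd) { Grant-ReadBySid -Path $vhd -Sid 'S-1-5-83-0' }
```

Resolving through NTAccount.Translate is the same lookup the permissions dialog performs when it underlines a name, so a name that comes back with a SID here is one the dialog (or icacls) will accept; names that throw IdentityNotMappedException are the ones you have to address by SID.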

Solution 2:

This is because TrustedInstaller is a service and not a "user" object. With Vista, services are now security principals and can be assigned permissions.

http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx

Solution 3:

  1. Go to any file on your hard drive, right-click, and select Properties.
  2. Go to the Security tab and click Edit.

     [screenshot: edit security settings]

  3. Click Add...
  4. Click Advanced...

     [screenshot: select users or groups]

  5. Click Object Types... and uncheck Groups, then click OK.

     [screenshot: object types]

  6. Click Find Now. This will list all regular users and built-in system users ("built-in security principals", as Windows calls them).

     [screenshot: find now]

Note that not all accounts that appear on this page can be used in a Run-As command, though they can all be used in a permissions dialog.

Solution 4:

From Windows Vista on, services are treated as users. That is, a Security Identifier (SID) is assigned to every service. This is not specific to TrustedInstaller service. You can view the SID assigned to any service using the sc showsid command:

USAGE: sc showsid [name]

DESCRIPTION: Displays the service SID string corresponding to an arbitrary name. The name can be that of an existing or non-existent service.

Note that there is no need for the service to exist on the system. Examples:

C:\> sc showsid TrustedInstaller
NAME: TrustedInstaller
SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

or, for the service Windows Management Instrumentation (Winmgmt):

C:\> sc showsid Winmgmt
NAME: Winmgmt
SERVICE SID: S-1-5-80-3750560858-172214265-3889451188-1914796615-4100997547

and, finally, for a fake service:

C:\> sc showsid FakeService
NAME: FakeService
SERVICE SID: S-1-5-80-3664595232-2741676599-416037805-3299632516-2952235698

Note that all SIDs start with S-1-5-80, where 80 is the SECURITY_SERVICE_ID_BASE_RID sub-authority. Moreover, this assignment is deterministic: no RIDs are used, and the SID will be the same across all systems (see the references at the end of this post for more information).

As an example, I will assign the NT Service\Winmgmt service write permission to some file.

Windows underlines the name Winmgmt, confirming that it's a valid identity.

Now, click OK, and then assign the write permission.

This confirms that any service name can be used as a user identity. Therefore, I wouldn't call them "super-hidden" accounts :D

For more information, please read the following articles:

  • New ACLs Improve Security in Windows Vista
  • WS2008: Windows Service Hardening
  • SID Components
  • Well-known SIDs
  • Well-known security identifiers in Windows operating systems
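As an added example that is not part of the answer above: a PowerShell re-implementation of what sc showsid prints. A service SID is S-1-5-80- followed by the five 32-bit little-endian words of SHA-1 over the UTF-16LE, upper-cased service name, which is exactly why the value is identical on every system and exists for services that do not. The script checks its own result against sc.exe and against an LSA lookup of NT SERVICE\<name>. Applying the same hash with base RID 82 to get an IIS APPPOOL\<pool> identity goes beyond the answer; it is verified at runtime against LSA rather than asserted. Function names are my own.

```powershell
# Added example; not code from the original answer. Function names are
# assumptions made for this example. Requires Windows (sc.exe, LSA).

function Get-HashedSid {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet(80, 82)][int]$BaseRid = 80   # 80 = NT SERVICE, 82 = IIS APPPOOL
    )
    # SHA-1 over the UTF-16LE encoding of the upper-cased name
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash($bytes) }
    finally { $sha1.Dispose() }

    # 20 digest bytes -> 5 sub-authorities, each an unsigned little-endian DWORD
    $subAuthorities = foreach ($offset in 0, 4, 8, 12, 16) {
        [BitConverter]::ToUInt32($hash, $offset)
    }
    "S-1-5-$BaseRid-" + ($subAuthorities -join '-')
}

function Get-LsaSid {
    # Ask LSA for the SID of an account name; $null if it cannot be mapped here
    param([Parameter(Mandatory)][string]$AccountName)
    try {
        ([System.Security.Principal.NTAccount]$AccountName).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Compare-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $computed = Get-HashedSid -Name $ServiceName -BaseRid 80
    # sc.exe prints a line "SERVICE SID: S-1-5-80-..."; pull the SID out of it
    $scLine  = sc.exe showsid $ServiceName | Select-String -Pattern 'SERVICE SID:\s*(\S+)'
    $fromSc  = if ($scLine) { $scLine.Matches[0].Groups[1].Value } else { $null }
    $fromLsa = Get-LsaSid -AccountName "NT SERVICE\$ServiceName"
    [pscustomobject]@{
        Service   = $ServiceName
        Exists    = [bool](Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)
        Computed  = $computed
        ScShowSid = $fromSc
        Lsa       = $fromLsa
        Match     = ($computed -eq $fromSc) -and ($computed -eq $fromLsa)
    }
}

# The answer's three names; FakeService has no service behind it yet still gets a SID
'TrustedInstaller', 'Winmgmt', 'FakeService' |
    ForEach-Object { Compare-ServiceSid -ServiceName $_ } |
    Format-Table -AutoSize

# Same construction with base RID 82 for an application pool identity. With IIS
# installed, LSA should return the same value for "IIS APPPOOL\DefaultAppPool".
Get-HashedSid -Name 'DefaultAppPool' -BaseRid 82
Get-LsaSid    -AccountName 'IIS APPPOOL\DefaultAppPool'
```

Because the SID is a pure function of the name, you can pre-compute it and write ACEs for a service (or pool) before it is installed, and you can recognise an unfamiliar S-1-5-80-... entry in an ACL by hashing candidate service names rather than relying on a reverse lookup, which only succeeds while the service is registered.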