Zombie account


FM

I've got a 1/2 created login: it does not show up visibly, cannot be
deleted because it does not exist, cannot be created because it already
exists. ( ! )

= net user <name> says "The user name could not be found." (helpmsg 2221)
= net user <name> /ADD says "The account already exists." (helpmsg 2224)
= net user <name> /DELETE says "The user name could not be found."
(helpmsg 2221)

The login does not appear on the logon screen, nor does TweakUI show it
in the list of controllable accounts. It does not show up in Control
Panel's "User Accounts" application. It does not appear in Administrator
Tools "Computer Management" User Accounts section.

This is Windows XP Pro. Not in a domain, nor is the computer networked
in a LAN.

I'm concerned about cleaning this up, also worried about any security
issues of a 1/2 existing account. Also, I really do want to create an
account of the given username.

Thanks!

--FM
 
FM said:
I've got a 1/2 created login: it does not show up visibly, cannot be
deleted because it does not exist, cannot be created because it already
exists. ( ! )

= net user <name> says "The user name could not be found." (helpmsg 2221)
= net user <name> /ADD says "The account already exists." (helpmsg 2224)
= net user <name> /DELETE says "The user name could not be found."
(helpmsg 2221)

The login does not appear on the logon screen, nor does TweakUI show it
in the list of controllable accounts. It does not show up in Control
Panel's "User Accounts" application. It does not appear in Administrator
Tools "Computer Management" User Accounts section.

This is Windows XP Pro. Not in a domain, nor is the computer networked
in a LAN.

I'm concerned about cleaning this up, also worried about any security
issues of a 1/2 existing account. Also, I really do want to create an
account of the given username.

Thanks!

--FM


What is the name you're trying to use for this account? There are
hidden user accounts (such as the built-in "Administrator" (which also
cannot be deleted)), and/or words reserved for OS use that cannot be
assigned to user accounts. Also, if I remember correctly, WinXP will
not permit a user account with the same name as the computer.


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Bruce said:
What is the name you're trying to use for this account? There are
hidden user accounts (such as the built-in "Administrator" (which also
cannot be deleted)), and/or words reserved for OS use that cannot be
assigned to user accounts. Also, if I remember correctly, WinXP will
not permit a user account with the same name as the computer.

User name we're talking about here is "Dialup". Which is not the
computer's name.

Um... the built-in Administrator is not hidden. Why did you say it is
hidden? Or, um... did you miss my mention that this is Professional XP
(not the Home edition). (FWIW, I've long ago renamed the built-in
Administrator to a different name.)

I forgot to mention previously that I got an error when first trying to
create the account "Dialup". I was using the "Users" section of
"Computer Management" from Administrative Tools when trying to create
the account. Although I had Computer Management running as the
Administrator, I got a pop up error while trying to create it, to the
effect that the Administrator did not have sufficient permissions for
the operation. Furthermore, I've not had that error recur (either when
again trying to add "Dialup", or when working with other accounts,
including successfully adding them).

The above is my reason for guessing that the account was *partially*
created. I theorize that the error occurred partway through the account
creation process, and that some record of the account now exists, albeit
all the things that make it a fully created logon do not.

I'm curious now: Is there a public reference that you know of for those
"reserved" names? (Google did not help me with this, it hit upon
thousands of "all rights reserved" web pages.)

--FM /)`
 
FM said:
User name we're talking about here is "Dialup". Which is not the
computer's name.

Um... the built-in Administrator is not hidden. Why did you say it is
hidden?


I spoke imprecisely, and that was a mistake. While the Administrator
account isn't really hidden, it's also not readily visible to the
average user, as it doesn't normally appear on the Welcome Screen or
from the Control Panel's Users applet. Hence, it's "hidden" from 95% of
WinXP users. Over the years, there have been literally dozens of posts
in these newsgroups from people asking why they can't create an account
"Administrator," when there clearly isn't any such account on the
Welcome Screen or within the Control Panel applet.

Or, um... did you miss my mention that this is Professional XP
(not the Home edition).


No, but that wasn't relevant.

(FWIW, I've long ago renamed the built-in
Administrator to a different name.)


That is a good thing. Since the days of WinNT, it's been one of the
most basic security precautions one should take, but so very few people
do so that I had no reason to think you might have been the rare
exception. I commend your foresight.

I forgot to mention previously that I got an error when first trying to
create the account "Dialup". I was using the "Users" section of
"Computer Management" from Administrative Tools when trying to create
the account. Although I had Computer Management running as the
Administrator, I got a pop up error while trying to create it, to the
effect that the Administrator did not have sufficient permissions for
the operation. Furthermore, I've not had that error recur (either when
again trying to add "Dialup", or when working with other accounts,
including successfully adding them).


That, along with the user name, would have been a useful bit of
information to have had in your original post. It would have saved time
and prevented replies based upon anyone having to make a "best guess" as
to what was occurring.

The above is my reason for guessing that the account was *partially*
created. I theorize that the error occurred partway through the account
creation process, and that some record of the account now exists, albeit
all the things that make it a fully created logon do not.

You may be right, as sometimes things do go awry at the most
inconvenient times, but I don't know how you'd go about correcting such
an error. Have you tried searching the registry, particularly the
HKEY_USERS and HKEY_CURRENT_USER hives, for the word "Dialup?" Perhaps
there's a corrupted key left over from the original error that's causing
your issues.

I'm curious now: Is there a public reference that you know of for those
"reserved" names? (Google did not help me with this, it hit upon
thousands of "all rights reserved" web pages.)


I was referring to the old DOS reserved device names, such as CON, PRN,
AUX, NUL, CLOCK$, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9,
LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.

I don't know if there's a single source that lists all of these,
though, but Wikipedia (Google is far too general) seemed a good starting
place:

http://en.wikipedia.org/wiki/Device_file_system

Also, according to Microsoft
(http://www.microsoft.com/technet/security/bulletin/fq00-017.mspx),
"It's not possible to compile an exhaustive list of all DOS device
names, because third-party application developers can create their own
device drivers and add their names to the reserved list."

While some of these are unlikely user account names, some of them could
easily have been hit upon accidentally if one were naming an account
after someone's initials. While these names aren't specifically
"prohibited" as user account names, the fact that one cannot create
files or folders using them might have caused problems partway through
account creation as the user profile folders were being identified.


--

Bruce Chambers

 
Bruce said:
That, along with the user name, would have been a useful bit of
information to have had in your original post. It would have saved
time and prevented replies based upon anyone having to make a "best
guess" as to what was occurring.

Mea culpa.

You may be right, as sometimes things do go awry at the most
inconvenient times, but I don't know how you'd go about correcting
such an error. Have you tried searching the registry, particularly
the HKEY_USERS and HKEY_CURRENT_USER hives, for the word "Dialup?"
Perhaps there's a corrupted key left over from the original error
that's causing your issues.

I've been through the registry. "Dialup" appears in a tiny number of
places which I can't think interact with this problem at all; plus it
appears in an MRU list, but I'm pretty sure that has to do with some
files containing that name I've been working on (everything else in that
MRU list was familiar). So I don't think there's a clue there.

For reference, I went through the registry looking at a different
account, which has been on my system for a while. Sadly I had to wade
through a lot of hits where that username was a substring of an audio
component's name. But the few hits I got that matched that user name
were in various MRU lists only (and I'm thinking mostly the match was on
file names, not the user name). I should mention this user name has
never been used through a shell (i.e., a profile has never been
created); it was only used a while ago for some file-sharing operations;
and the account is currently marked disabled.

So the lack of registry hits, sadly, doesn't solve the current issue.
Nor seemingly shed any light. But like any scientific experiment, the
work has at least been done now.

*If* my theory about a partly-created account is correct, information
about the account is in some data store other than the registry. But
that's definitely getting to the point where I need more expertise than
my own.

Thanks for your efforts to help me.

--FM /)`
 
Bruce said:
What is the name you're trying to use for this account? There are
hidden user accounts (such as the built-in "Administrator" (which also
cannot be deleted)), and/or words reserved for OS use that cannot be
assigned to user accounts. Also, if I remember correctly, WinXP will
not permit a user account with the same name as the computer.

New information now. It *does* appear that the user name I was trying
to add is "reserved".

I was just working in Local Security Settings/User Rights/Deny Logon
Locally. I have found that if you try to Add to this policy, the GUI
lets you type in the name partially, and then check for all the names
that match that string.

Some of the names it will find are user accounts, which show up with a
one-head "user" icon. But other names show up having a two-head icon
(which in other contexts mean "group" but I don't know what the meaning
of this icon is in this case). The column in the "Multiple Names Found"
dialog that appears when doing this is titled "Name (RDN)", so I suppose
maybe they mean they are showing either a name or an RDN.

Since there are only 26 possible abbreviations to try, I decided to
enumerate these (are these what is referred to as RDN's? I don't know);
here's the list I got from my own system, shown with the upper/lower
case Microsoft displayed them:

ANONYMOUS LOGON
Authenticated Users
BATCH
CREATOR GROUP
CREATOR OWNER
DIALUP
Everyone
INTERACTIVE
LOCAL SERVICE
NETWORK
NETWORK SERVICE
REMOTE INTERACTIVE LOGON
SERVICE
SYSTEM
TERMINAL SERVICE USER

Finally, as an experiment, I've tried adding and deleting a user account
by the name "Everyone". I get the same inability to either add or
delete the user as I got with the user name "Dialup".

--FM /)`
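
Added example, not part of the original posts: a PowerShell check that resolves a proposed account name to a SID before any "net user <name> /ADD" is attempted, so a name that already belongs to a built-in identity is told apart from a real entry in the local account database. The function name Test-AccountName and the third sample name are made up for illustration; PowerShell 2.0 or later is assumed, which is not part of a default Windows XP install.

```powershell
# Added example: does a proposed account name already resolve to a security principal?
# Test-AccountName is a hypothetical helper name, not a built-in cmdlet.
function Test-AccountName {
    param([Parameter(Mandatory = $true)][string]$Name)

    $account = New-Object System.Security.Principal.NTAccount($Name)
    try {
        # Ask the local security authority to map the name to a SID.
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        $cause = $_.Exception.GetBaseException()
        if ($cause -isnot [System.Security.Principal.IdentityNotMappedException]) {
            throw   # some other failure; do not report the name as free
        }
        # Nothing answers to this name.
        return New-Object PSObject -Property @{
            Name = $Name; Sid = $null; Kind = 'Unused'; Collides = $false
        }
    }

    # AccountDomainSid is non-null only for SIDs issued from a machine or
    # domain account database (S-1-5-21-...). Built-in identities and
    # BUILTIN aliases have no such prefix, so the property is null for them.
    if ($sid.AccountDomainSid -ne $null) {
        $kind = 'User or group in an account database'
    }
    else {
        $kind = 'Built-in identity or alias (no user record)'
    }

    New-Object PSObject -Property @{
        Name = $Name; Sid = $sid.Value; Kind = $kind; Collides = $true
    }
}

# The first two names are the ones tried in this thread; the third is constructed.
'Dialup', 'Everyone', 'fm-constructed-name' |
    ForEach-Object { Test-AccountName $_ } |
    Format-Table Name, Sid, Kind, Collides -AutoSize
```

The display names of built-in identities are localized, so on a non-English system the names that collide will differ from the list above.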
 
FM said:
*If* my theory about a partly-created account is correct, information
about the account is in some data store other than the registry. But
that's definitely getting to the point where I need more expertise than
my own.


Other than the registry, the only other data store I can think of that
might pertain to this issue would be the Security Access Manager (SAM)
database. This isn't easily accessible using native Windows tools, but
there are any number of Linux-based tools readily available on the
Internet that might allow you to look inside, and even modify, the SAM.

My personal favorite is Hiren's Boot CD
(http://www.hiren.info/pages/bootcd/). One of the Password tools may
well do the trick.


--

Bruce Chambers
