Re: Removed unauthorize user access!

From: Karl Levinson [x y] mvp (
Date: 12/15/02

From: "Karl Levinson [x y] mvp" <>
Date: Sun, 15 Dec 2002 10:06:43 -0500

Group permissions aren't exactly kept in the registry, at least not the part
you can see in Regedit.

Usually those SID numbers refer to a user that has been deleted from the
SAM. I'm not sure I would worry about that. AFAIK the only valid current
users are the ones that you see in the GUI.

Anonymous logons may be normal if you have other computers on your network
and are using NetBIOS / Windows networking for file sharing.

Try using the registry values RestrictAnonymous = 1 and RestrictAnonymousSAM
[ = 0, I think] for XP, search for RestrictAnonymousSam for
more information. Disable NetBIOS and/or the client for Microsoft Networks
and/or File and Print Sharing if these are not necessary.

Also, consider configuring Sygate to log all packets to see what if anything
from the internet is getting through. You want to be sure that TCP and UDP
135 - 139 and 445 are being blocked from the internet. For Sygate version
5, also check the checkboxes in the "advanced settings" area concerning
NetBIOS or Windows networking to see how it is set up. Support for Sygate
is free at Be sure the Windows XP ICF is disabled since who
knows how those two firewalls would work together:

"Thanh J" <> wrote in message
> I am having problem with unknow user or Ananymous Logon who has changed
> of my previlege ownership in my registry. I wonder if anyone can help me.
> My Operating System is Windows XP Home Edition and Personal Fire Wall
> ( But I am still having Attacker log on my System as
> With my curiosity, I download Baseline Security Analyzer from my Microsoft
> and test my system to find out any security leak on my system, and the
> report tells me there are more than 2 administrators were found on my pc:
> X Owner ( which is me)
> X S-1-5-21-3242847100-1439906313-590260106-1003 (Unknown)
> My question is how can I remove this SID user? This user does not appear
> Control Panel-User Accounts. I also searched through my registry and found
> and removed some of this SID was set as SPECIAL/Administrator. But after
> Scan through my system again with Baseline Security Analyzer. I still see
> the same results before changed registry.
> Any advice I would appreciate,

Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (
Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002