Missing SID

NoelDP

Three-Toed Sloth
Vista Guru
I'm trying to duplicate a fault on a user's machine....
What appears to be the problem is that the Network Service User has been demolished :(

The S-1-5-20 Key is completely missing from HKU.
I've tried removing it from my VM, and although I can delete the content of the Key, I cannot delete the Key itself
I've also deleted the reference in the ProfileList to no effect.

Since I'm doing this by forum/email I can't actually get hold of the machine itself - and so far, all I've seen is results from selected REG QUERY commands.
I'm having them look using Regedit on this exchange of data - but would appreciate advice as to how to completely remove the HKU\S-1-5-20 Key to check the results I get.


Any offers?
 

My Computer

System One

  • Manufacturer/Model
    Acer Aspire 8930G
Try right clicking on the key. Select Permissions. Select Advanced. In Permissions, select the "user", Edit and full control.

I assume you're going to back up the registry before trying to delete it.
 

My Computer

System One

  • Operating System
    Vista Home Premium 64 bit SP2
    Manufacturer/Model
    Cyberpower
    CPU
    Intel Quad CPU Q6700 2.67 GHZ
    Motherboard
    NVIDIA 780i
    Memory
    4 GB
    Graphics Card(s)
    MSI GTX 560 TI Twin Frozr
    Sound Card
    Sound Blaster SB Audigy
    Monitor(s) Displays
    Viewsonic VG2436
    Screen Resolution
    1920x1080p
    Hard Drives
    Samsung HD 105SI
    WDC WD20
    Case
    Apevia XJupiter
    Cooling
    air
    Keyboard
    Logitech MX 3200
    Mouse
    Logitech MX 600
    Internet Speed
    30 Mbps
Been there and done that - about 20 times - and tried it from the command line.

The permissions are totally locked on the HKU\S-1-5-20 key itself, but the Owner is Administrators, and Admins have Full Control permissions, so I can only assume that it's pretty hard-coded somewhere else.

There's no need to back it up - it's a VM :)
If I can work out how to delete it, I can work out how to restore it :)
 

Sorry about missing the VM.

On my pc, I can change the Permissions. I'm logged in as the administrator (normal).

Don't know what else to tell you.
 

You can 'seem' to change them - but go back and look again, and they have reverted :)
 

I'll have to look tomorrow. I'm on my Win 7 machine right now.
 

Nope. They didn't revert.
 

Odd - maybe it's an artefact with the VM?
Having said that, the client attempted to create the Key on their bare-metal install, and got an Access Denied using REG ADD HKU\S-1-5-20 (and yes they were apparently using an Elevated Command Prompt :))
 

Nope - happens on a bare-metal install as well (I just trashed mine- stopped responding when I tried to restore the subkeys!) :(

The permissions do seem to hold - but I cannot delete the Key itself.
On the bare-metal, I had to go well down the branch to access a certificate's permissions, because its owner wasn't recognised, change ownership, and then permissions. I could then clear the Key content, but not the Key.

Now to see if I can restore the registry using LKGC....

[phew - it worked!]
 
I just checked again this morning since I changed one other user to Full Control last night and it's still there. Note that I haven't rebooted since I made any of these changes and, I also didn't try deleting it.

I don't know what "bare metal" is. You're probably light years more knowledgeable about all this stuff than I am.
 

Bare metal = a real machine, rather than a Virtual one ;)
It's the deletion which is the problem - everything I do, I end up with 'Access Denied' or a variation on that. I can delete the entire content without any problem - but the Key itself appears to be immortal.

I suppose I could do it by remote editing of the registry - but that almost certainly wouldn't help with recreating the Key as far as a non-savvy user is concerned.
If I can just find out how to delete and recreate the Key, I can get it repopulated with a .REG file.
 

Since the key is empty, it shouldn't be necessary to delete it to troubleshoot the problem. Whatever uses it would shoot up an error message or wouldn't work since it needs the data and values.
 

Like I said, I could repopulate it with basic data - if I could create the Key in the first place :)

Using REG ADD HKU\S-1-5-20 only gives a 'Parameter is Incorrect' error - as if the Key itself doesn't make sense (try using say REG ADD HKU\S-1-5-46 in your own installation).
It's not better in Regedit - you're not allowed to create Keys there, AFAICT.

Maybe I could craft a Scheduled task to run under the SYSTEM account at boot, and do it that way?
Hmmmm....
 

The reason is actually quite simple, but not obvious. HKEY_USERS is NOT a hive in its own right. It is completely and utterly virtual, and is only a visual representation in regedit.

Now, I do not mean volatile. I am not confusing my terms. The Hardware hive is volatile, and is re-created every boot, and is not saved. HKEY_USERS simply doesn't exist. :)

A hive is a portion of the registry contained within a single file, mostly in C:\Windows\System32\config. A subhive is a portion of the registry contained in a separate file, but within a hive. Every part of HKLM is actually a sub-hive (this is debatable, HKLM itself has no file (again, debatable), so how can it be a hive, therefore its subhives are hives, etc. etc. Let's not get bogged down in technicalities.)

But as you see, HKLM is only a container for other hives.

So is HKEY_USERS. It is not a hive in its own right (defining hive as having its own file), only a container. To create a "key" in it, you need to create an entirely new hive file, and then add it to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

There is so much more I could say. At some point, people think that they understand the registry. As soon as you start to comprehend hives, suddenly things become so much more complicated. I have massively oversimplified here. If you think that this is all there is to know about the registry, look harder or ask me later! However, I do not claim to know all its secrets. I am only just brushing the surface here. :shock:

"Those who are good at a subject understand that they can never know everything about their subject."

Just looking at the thread title, "Missing SID", look in the hivelist key, and look for a whole missing hive file.

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics Card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300)
    Western Digital: WDC WD6400AAKS-75A7B0

    1 x 1Tb (SATA 600)
    Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms
    Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Keyboard
    Dell Bluetooth
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Finally, someone in the know responds. I thought you guys were going to leave me out here hanging by my thumbs. :D
 

Many thanks, Richard!

I'm asking the client for the data now - and playing with the VM to see what I can do about it.
 

I am hoping that I am remembering correctly. It is quite a while since I last investigated the registry, and I was posting from school where I couldn't research on the internet. I think I got the registry key, and hive information, correct...I hope. It is all too easy to forget registry keys I rarely use.

Good luck!
 

Well, one result so far is that I can repro the problem at last, by removing access permissions to the NetworkService\NTUSER.DAT file - I'm awaiting the results of resetting the ACLs on that whole folder.....
(I doubt that this is the only problem - I may have to delete the file completely in the end, by booting to RE and renaming it. The system then appears to build a new, default one.)
 

A corrupted NTUSER.DAT file will also cause the symptom - simply renaming it within windows, and rebooting, allows windows to rebuild the file and the Key :)
Simple once you know how!!
 

I read that your client's problem is now fixed. Very well done :)

As a general rule, when fiddling with the registry, if it spits back an odd error at me, I generally take a step back, and work on the assumption that I am misunderstanding something about this key, and this almost always stems from hives! There is so much to know about the registry, and I constantly strive to know more. And yet every time I investigate some inner part of it, I seem to unravel some new mystery I never even knew existed. It is like a never ending cavern of fascinating discoveries for those who spend the time unlocking it.
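
The checks this thread arrives at (Richard's hivelist lookup, then the NetworkService NTUSER.DAT file and its permissions that NoelDP traced the fault to), as an added read-only PowerShell example that is not from any poster. The `\REGISTRY\USER\<SID>` value name and the ProfileList `ProfileImagePath` value are standard Windows names rather than something quoted in the thread; an elevated prompt is assumed.

```powershell
# Added example (not from the thread): read-only checks for a missing HKU\<SID> key.
# Assumes an elevated PowerShell prompt; nothing here modifies the system.
$Sid = 'S-1-5-20'   # NetworkService, the SID discussed in this thread

# 1. Is a hive file mounted under HKEY_USERS for this SID?
#    Each loaded hive has a value in hivelist: name = registry path, data = backing file.
$hiveList  = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$hiveValue = "\REGISTRY\USER\$Sid"
$hiveFile  = $hiveList.GetValue($hiveValue)
if ($hiveFile) { "hivelist: $hiveValue -> $hiveFile" }
else           { "hivelist: no entry for $hiveValue (hive is not loaded)" }

# 2. Where does ProfileList say the profile, and so NTUSER.DAT, should live?
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
$plEntry    = Get-Item $profileKey -ErrorAction SilentlyContinue

if (-not $plEntry) {
    "ProfileList: no key for $Sid"
} else {
    # ProfileImagePath is REG_EXPAND_SZ; GetValue returns it with variables expanded.
    $profileDir = $plEntry.GetValue('ProfileImagePath')
    $ntuser     = Join-Path $profileDir 'NTUSER.DAT'

    # 3. Is the hive file there, and who is allowed to open it?
    if (-not [System.IO.File]::Exists($ntuser)) {
        "Hive file not found or not readable: $ntuser"
    } else {
        "Hive file present: $ntuser"
        try {
            (Get-Acl -Path $ntuser -ErrorAction Stop).Access |
                Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        } catch {
            # Stripped permissions (the repro described above) surface here.
            "Could not read the ACL on ${ntuser}: $($_.Exception.Message)"
        }
    }
}
```

A missing hivelist entry together with a present but unreadable or damaged NTUSER.DAT matches the two causes reported in the thread.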
 
