Hidden Accounts In XP PRO

Thread: Hidden Accounts In XP PRO

  1. #1
    Member
    Join Date
    Sep 2001
    Posts
    37

    Hidden Accounts In XP PRO

    Hi all,

    I've just installed Windows XP Professional on my laptop. At the command prompt, if I type in the NET USERS command, XP reports the existence of two accounts that are not of my making. They are "HelpAssistant" and "SUPPORT_388945a0". I guess that they are service accounts created by Windows for automatic update and the like, although they seem to be undocumented. Also, the "User Accounts" applet in Control Panel does not report these accounts. Does anyone actually know what these accounts do? Can they be exploited in any way?

    Regards,

    Alan Mott

  2. #2
    Banned
    Join Date
    Jun 2003
    Posts
    927
    I don't really know what those two are but I know once you start your computer and you get to the login screen there is a button combination...ctrl+alt+something I don't remember...anyways it lets a window pop-up which lets you sign in as the administrator and some other accounts...this may be related to your topic
    peace

    /scriptkiddie18

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    I believe those two accounts are used by M$ when they're helping you out with your computer. I.E. Troubleshooting when u call them with issues. I think every winxp has them and deleting them is strongly NOT recommended. If you notice any new accounts, that could be a sign of intruders. I'm not in my home computer right now but if any of you is, check if you have those accounts too. If not, and you have the same version of xp as alanmott, then he could be infected with a backdoor which would create an account for the attacker to access (I doubt it's that though).

    cheers,

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    AlanMott, have you installed any applications like AV software, accounting software, etc?


    [edit]

    http://www.giac.org/practical/GSEC/D...rader_GSEC.pdf <-- the following link might provide more insight as it refers to how to create hidden accounts in XP. These may in fact be accounts to be used by MS Tech Support and/or other applications (like certain accounting software).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Senior Member DeadAddict's Avatar
    Join Date
    Jun 2003
    Posts
    2,583
    Several new accounts are created as part of the default installation. As these accounts are well known they may represent prime attack targets. To help prevent attacks using the well-known accounts the following accounts should be disabled—HelpAssistant, Guest, Support_388945a0, and Administrator.

    ***Before disabling the default Administrator account, ensure that another account with administrative privileges exists or the ability to administer the machine will be lost***

  6. #6
    Member
    Join Date
    Sep 2001
    Posts
    37
    I have Norton's Security Suite installed for both AV and Firewall.

    My real reason for posting this query is that it appears to be a "feature" of XP that I cannot find any reference to on the web, and I think it's about time some information about these accounts appeared in the public domain.

    Cheers all.

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Posts
    134
    Those two accounts are definitely a built-in part of XP. I've just done a fresh install on a machine and they are there.
    I do agree though that it's a bit funny they are undocumented and do not appear in the user accounts applet.

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    think every winxp has them and deleting them is strongly NOT recommended.
    Yes, this is correct but *disabling* them is recommended. Especially since you may never need to use them.

    This link will explain how these accounts are used for remote assistance.
    http://www.microsoft.com/windowsxp/p...st/default.asp

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    DeadAddict and thehorse13 are correct....disable them.
    "It is a shame that stupidity is not painful" - Anton LaVey

  10. #10
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Yep, they are M$ default accounts for troubleshooting. "SUPPORT_388945a0" is the account for a M$ support rep and "Help Assistant" is for Remote Assistance. I would do like thehorse and DeadAddict said, except that I would rename the "Administrator" account and equip it with a strong password with strong restrictions (1 incorrect logon attempt, account lockout duration 30 min) rather than disable it.

    Even another administrative account doesn't have the power of M$'s default god account. When something bad happens (system compromised or otherwise) and your other admin level accounts can't access resources the hacker locked down, the default Administrator account will be able to access them, because of the kernel privileges assigned to its SID. If it's disabled and you can't enable it, then you're screwed.
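
The disable-or-rename advice in posts #5 and #10, as an added example that is not part of any post in the thread: a read-only PowerShell audit that reports the state of the four accounts named above and applies the "another administrative account must exist" check before suggesting anything for Administrator. It assumes PowerShell 2.0 or later and an English-language "Administrators" group name; the built-in Administrator and Guest are matched by their RIDs (500 and 501), so a renamed Administrator is still found.

```powershell
# Added example: reports only, changes nothing.
# Assumptions: PowerShell 2.0+, WMI available, group is named "Administrators".
$supportNames = 'HelpAssistant', 'SUPPORT_388945a0'   # names quoted in the thread

$local = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")

# Members of the local Administrators group, read through the ADSI WinNT provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# Classify each local account; Administrator/Guest by RID so renames do not hide them.
$targets = foreach ($a in $local) {
    $rid  = ($a.SID -split '-')[-1]
    $kind = $null
    if     ($rid -eq '500')                   { $kind = 'Built-in Administrator' }
    elseif ($rid -eq '501')                   { $kind = 'Built-in Guest' }
    elseif ($supportNames -contains $a.Name)  { $kind = 'Support account' }
    if ($kind) {
        New-Object PSObject -Property @{
            Name = $a.Name; Kind = $kind; Disabled = $a.Disabled; SID = $a.SID
        }
    }
}

# Enabled local administrators other than the built-in one (the safety net).
$otherAdmins = @($local | Where-Object {
    ($admins -contains $_.Name) -and (-not $_.Disabled) -and
    (($_.SID -split '-')[-1] -ne '500')
})

foreach ($t in $targets) {
    $label = '{0,-22} {1,-24}' -f $t.Name, $t.Kind
    if ($t.Disabled) {
        "$label already disabled"
    }
    elseif ($t.Kind -eq 'Built-in Administrator' -and $otherAdmins.Count -eq 0) {
        "$label KEEP ENABLED: no other enabled administrator account exists"
    }
    else {
        "$label enabled; to disable: net user `"$($t.Name)`" /active:no"
    }
}
```

Any enabled local account that appears in `net users` but is not on this list and was not created by the machine's owner is the "new account" case post #3 describes and deserves a closer look.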
