January 5th, 2004, 03:47 PM
Hidden Accounts In XP PRO
I've just installed Windows XP Professional on my laptop. At the command prompt, if I type in the NET USERS command XP reports the existence of two accounts that are not of my making. They are "HelpAssistant" and "SUPPORT_388945a0". I guess that they are service accounts created by Windows for automatic update and the like, although they seem to be undocumented. Also, the "User Accounts" applet in control panel does not report these accounts. Does anyone actually know what these accounts do? Can they be exploited in any way?
January 5th, 2004, 03:54 PM
I don't really know what those two are but I know once you start your computer and you get to the login screen there is a button combination...ctrl+alt+something I don't remember...anyways it lets a window pop up which lets you sign in as the administrator and some other accounts...this may be related to your topic
January 5th, 2004, 03:58 PM
I believe those two accounts are used by M$ when they're helping you out with your computer, i.e. troubleshooting when you call them with issues. I think every winxp has them and deleting them is strongly NOT recommended. If you notice any new accounts, that could be a sign of intruders. I'm not at my home computer right now but if any of you are, check if you have those accounts too. If not, and you have the same version of xp as alanmott, then he could be infected with a backdoor which would create an account for the attacker to access (I doubt it's that though).
January 5th, 2004, 04:01 PM
AlanMott, have you installed any applications like AV software, accounting software, etc?
http://www.giac.org/practical/GSEC/D...rader_GSEC.pdf <-- the following link might provide more insight as it refers to how to create hidden accounts in XP. These may in fact be accounts to be used by MS Tech Support and/or other applications (like certain accounting software).
January 5th, 2004, 04:06 PM
Several new accounts are created as part of the default installation. As these accounts are well known they may represent prime attack targets. To help prevent attacks using the well-known accounts the following accounts should be disabled—HelpAssistant, Guest, Support_388945a0, and Administrator.
***Before disabling the default Administrator account, ensure that another account with administrative privileges exists or the ability to administer the machine will be lost***
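The check described in the post above, as an added example that is not part of the original thread: it reads `net localgroup Administrators` and `net user NAME` output, lists the `net user NAME /active:no` commands for the four accounts named, and leaves Administrator alone unless another enabled administrative account exists. The sample output and the account name `alan` are constructed for illustration.

```python
import re

# Accounts named in the post above as well-known targets.
WELL_KNOWN = ["HelpAssistant", "Guest", "SUPPORT_388945a0", "Administrator"]

def group_members(localgroup_output):
    """Member names from `net localgroup Administrators` output."""
    lines = localgroup_output.splitlines()
    rule = next((i for i, l in enumerate(lines) if l.startswith("-----")), len(lines))
    return [l.strip() for l in lines[rule + 1:]
            if l.strip() and not l.startswith("The command")]

def is_active(net_user_output):
    """True if `net user NAME` output reports 'Account active  Yes'."""
    m = re.search(r"^Account active\s+(\S+)", net_user_output, re.M)
    return bool(m) and m.group(1).lower() == "yes"

def plan(admins_output, user_outputs):
    """Return (commands to run, accounts deliberately left enabled)."""
    spare_admins = [a for a in group_members(admins_output)
                    if a.lower() != "administrator"
                    and is_active(user_outputs.get(a, ""))]
    commands, kept = [], []
    for name in WELL_KNOWN:
        if not is_active(user_outputs.get(name, "")):
            continue  # absent or already disabled
        if name == "Administrator" and not spare_admins:
            kept.append(name)  # disabling it would remove all admin access
            continue
        commands.append(f"net user {name} /active:no")
    return commands, kept

# Constructed sample output, trimmed to the fields the parser reads.
ADMINS = """Alias name     Administrators
Members

-------------------------------------------------------------------------------
Administrator
alan
The command completed successfully.
"""

def _user(name, active):
    return f"User name                    {name}\nAccount active               {active}\n"

USERS = {n: _user(n, a) for n, a in [
    ("HelpAssistant", "Yes"), ("Guest", "No"), ("SUPPORT_388945a0", "Yes"),
    ("Administrator", "Yes"), ("alan", "Yes")]}

if __name__ == "__main__":
    print(plan(ADMINS, USERS))
```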
January 5th, 2004, 04:08 PM
I have Norton's Security Suite installed for both AV and Firewall.
My real reason for posting this query is that it appears to be a "feature" of XP that I cannot find any reference to on the web, and I think it's about time some information about these accounts appeared in the public domain.
January 5th, 2004, 04:45 PM
Those two accounts are definitely a built-in part of XP, I've just done a fresh install on a machine and they are there.
I do agree though that it's a bit funny they are undocumented and do not appear in the user accounts applet.
January 5th, 2004, 05:44 PM
Yes, this is correct but *disabling* them is recommended. Especially since you may never need to use them.
"I think every winxp has them and deleting them is strongly NOT recommended."
This link will explain how these accounts are used for remote assistance.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
January 6th, 2004, 02:39 AM
DeadAddict and thehorse13 are correct....disable them.
"It is a shame that stupidity is not painful" - Anton LaVey
January 6th, 2004, 05:58 AM
Yep, they are M$ default accounts for troubleshooting. "SUPPORT_388945a0" is the account for a M$ support rep and "Help Assistant" is for Remote Assistance. I would do like thehorse and DeadAddict said, except that I would rename the "Administrator" account and equip it with a strong password with strong restrictions (1 incorrect logon attempt, account lockout duration 30 min) rather than disable it.
Even another administrative account doesn't have the power of M$'s default god account. When something bad happens (system compromised or otherwise) and your other admin level accounts can't access resources the hacker locked down, the default Administrator account will be able to access them, because of the kernel privileges assigned to its SID. If it's disabled and you can't enable it, then you're screwed.