In discussions about malware on Windows, it’s not uncommon to see people mention an “HKEY_USERS S-1-5-21 virus” from time to time. If you have come across HKEY_USERS S-1-5-21 in Registry Editor and don’t know whether it’s a virus, it’s strongly recommended that you take a look at this article. Below is everything you must know about HKEY_USERS S-1-5-21 as well as Windows malware.

An Analysis Of The Situation

In layman’s terms, when it comes to the HKEY_USERS S-1-5-21 “virus”, there is no need to panic, as your PC is not at risk. HKEY_USERS S-1-5-21 consists of two parts: HKEY_USERS and a Security Identifier (SID).

  • HKEY_USERS, also known as HKU, is a part of Windows Registry that contains user-specific settings for all active users. That includes the user account currently logged in as well as those who have logged in previously then changed accounts. Each registry key under HKEY_USERS is associated with a user account and is named after that corresponding account’s Security Identifier.
  • You could think of a Security Identifier as a unique string used to identify a user, a user group and so on. A user account and all of its properties have only one SID, regardless of name changes. For instance, you may change your username from “User1” to “James” and retain previously configured settings, as your SID stays the same.

Common SIDs On Windows: Compilation

According to Microsoft, a number of SIDs could show up in Registry Editor and they include:

  • SID: S-1-5-18
    Name: Local System
    Description: A service account that is used by the operating system.

  • SID: S-1-5-19
    Name: NT Authority
    Description: Local Service

  • SID: S-1-5-20
    Name: NT Authority
    Description: Network Service

Note: Those sure resemble the registry key, don’t they? It is noteworthy that all SIDs that contain S-1-5-21 deal with users. The last numbers of the SID determine what type of user account it is:

  • 500: Administrator account.
  • 501: Guest account.
  • 1001, 1002, 1003, etc.: Local user accounts.

Here is an example: If you see HKEY_USERS\S-1-5-21-1960408961-1604221776-682003330-1003, it’s a local user account.

Frequently Asked Questions

How can I tell which SID belongs to which user account?

  • Step 1: Go to the Search bar, type Regedit and press Enter to open Registry Editor.
  • Step 2: Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. All of the SIDs on your PC should be visible. Expand each SID to check the value of ProfileImagePath which should say something like C:\Users\<username>.
  • Step 3: Close Registry Editor.

Alternatively, you can make use of third-party tools to translate SIDs into their respective usernames. For good measure, you should stick to popular tools such as SidToName and PsGetSid.

Why do I see more user account SIDs than the number of user accounts on the computer?

While that does sound suspicious, it is most likely nothing to worry about. Occasionally, some SIDs will show up without being associated with user accounts. These SIDs are referred to as orphaned SIDs and they appear in the following scenarios:

  • Object was deleted.
  • Lost trust or domain.
  • A computer has left the domain and cannot find a DC for the owning domain.
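The registry lookup from the first question can also be scripted, which makes SIDs that no longer resolve to an account easy to spot. The following PowerShell is an added example, not part of the original article; it only reads the registry, and the helper name Get-AccountType is hypothetical.

```powershell
# Added example: list every SID under ProfileList with its profile path,
# its resolved account name, and whether its hive is loaded in HKEY_USERS.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Hypothetical helper: classify a SID by its final number, using the
# values listed in this article (500, 501, 1001 and up).
function Get-AccountType([string]$Sid) {
    if ($Sid -notmatch '^S-1-5-21-.*-(\d+)$') { return 'Service or other' }
    switch ([int64]$Matches[1]) {
        500             { 'Administrator' }
        501             { 'Guest' }
        { $_ -ge 1000 } { 'User account' }
        default         { 'Other' }
    }
}

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName

    # ProfileImagePath normally reads like C:\Users\<username>.
    $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                -ErrorAction SilentlyContinue).ProfileImagePath

    # Ask Windows to translate the SID; this fails for SIDs whose account
    # was deleted or whose domain cannot be reached (orphaned SIDs).
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        SID              = $sid
        Type             = Get-AccountType $sid
        Account          = $account
        ProfileImagePath = $path
        LoadedInHKU      = Test-Path -Path "Registry::HKEY_USERS\$sid"
    }
} | Format-Table -AutoSize
```

Rows showing `<unresolved>` in the Account column correspond to the orphaned SIDs described above.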

What should I do if I find suspicious keys within HKEY_USERS?

Since the Registry is a sensitive part of the system, it’s ill-advised to remove keys on a whim. If your antivirus program and firewall do not raise alarms, leave the keys alone.

Note that some programs do not remove all of their registry entries upon uninstallation, which can explain why you see some keys you do not recognize. Furthermore, some applications may be installed using a different language (e.g. Chinese, Japanese, etc.). While it may be difficult to identify what they are without knowing the language in question, try to recall whether you have installed a program in that language.

Whether you attempt to remove the keys in question yourself is up to your discretion, though you should back up your Registry beforehand using the Export feature of Registry Editor.

