
Delete default0 ghost telemetry user #30

Closed
MPeti1 opened this issue Sep 6, 2020 · 5 comments


MPeti1 commented Sep 6, 2020

There is a script in the "Privacy cleanup" folder named "Delete default0 ghost telemetry user". I've taken a look at what it does, and for some reason I wanted to list the users on my system, so I ran net user. What I see is that there's no defaultuser0, but there is a defaultuser1.

Could the 2 be related, or is defaultuser1 something different?


MPeti1 commented Sep 6, 2020

Also, why do you think that it's for telemetry? I wasn't able to find anything with a quick search.

@undergroundwires
Owner

Hi @MPeti1 , thanks for starting the discussion and your attention to the script that I was really not sure of.

It's a controversial user, often discussed in the context of a backdoor in Windows 10. It is created by an update, and there has never been any official information from Microsoft about its purpose or the reason for its creation. It gives access to your computer without your control, so I decided to add it to privacy.sexy. It's however safe to delete (1, 2). As it's safe to delete and so controversial, I decided to add it to the list.

It was added after a suggestion from a fellow computer forensics contributor:

If somebody is on LTSC 2019, then the DefaultUser0 account is created by default on installation as a telemetry account.
Hence it must be removed. If this account is not found by default on other builds of Win10, then removing it will not affect any functionality of the OS, and the script will ignore it.
source: github issue

More information:

Nobody knows exactly why this account is being created or how users can prevent its creation
source: windowsreport.com

It is a best practice to disable the Administrator account when possible, to make it more difficult for malicious users to gain access to the server or client computer.
source: docs.microsoft.com
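Since the thread is about a script that deletes this account, here is an added example of how to do the removal defensively. It is not the privacy.sexy script itself and does not reproduce what that script does; it is my own illustration. It assumes the account name is defaultuser0 (the name under discussion), refuses to touch built-in accounts (RID below 1000), supports -WhatIf, and also removes the orphaned profile directory and its ProfileList registry entry, which deleting the account alone does not do.

```powershell
# Added example (not the privacy.sexy script): remove the defaultuser0 account
# only if it really exists as a local account, then clean up its user profile.
# Run from an elevated PowerShell. Try it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the account name used in the thread. Override with -UserName.
    [string]$UserName = 'defaultuser0'
)

$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Host "No local account named '$UserName' found; nothing to do."
    return
}

# Log what is about to be removed so the change is auditable afterwards.
Write-Host ("Found {0}: SID={1} Enabled={2} LastLogon={3}" -f `
    $user.Name, $user.SID.Value, $user.Enabled, $user.LastLogon)

# Safety check: in an S-1-5-21-... SID the last component is the RID, and
# RIDs below 1000 belong to built-in accounts (500 = Administrator, 501 = Guest).
$rid = [int](($user.SID.Value -split '-')[-1])
if ($rid -lt 1000) {
    throw "Refusing to delete '$UserName': RID $rid indicates a built-in account."
}

if ($PSCmdlet.ShouldProcess($UserName, 'Remove local user')) {
    Remove-LocalUser -Name $UserName
}

# Removing the account leaves C:\Users\<name> and the ProfileList registry key
# behind. Deleting the Win32_UserProfile instance removes both. Skip a profile
# that is currently loaded (e.g. the account is logged on).
$userProfile = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.SID -eq $user.SID.Value }
if ($userProfile -and -not $userProfile.Loaded -and
    $PSCmdlet.ShouldProcess($userProfile.LocalPath, 'Remove user profile')) {
    Remove-CimInstance -InputObject $userProfile
}
```

Save it as a .ps1 and run `.\Remove-GhostUser.ps1 -WhatIf` to see the two planned actions without performing them; the RID check is there so that renaming a built-in account to look like a ghost user cannot trick the script into deleting Administrator or Guest.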


MPeti1 commented Sep 7, 2020

Thank you! It now makes sense I think.

I've read a bit, and it seems to be an error that hasn't been fixed for a long time.
The defaultuser0 account has this very long SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
That SID (which is invalid for a user, if I understand correctly) is actually the SID for an AppContainer capability, readRegistry.
It usually appears in DCOM errors in the event log, because this SID is added to a lot of registry objects as a user having permissions (all permissions) (again, if I understand correctly).
It seems that it's not a user, just a capability for UWP apps (mostly), but for some reason it's treated as one.

Microsoft seems to know about the problem; they promised a fix at least 2 times, but on both occasions the communication was dropped, it seems.
Here are 2 links that contain some information about this:
https://answers.microsoft.com/en-us/windows/forum/all/defaultuser0-created-on-clean-install-of/e2333e94-ef5f-4932-8754-fd4ce27ae33b?page=13
https://social.technet.microsoft.com/Forums/en-US/3e7d85e3-d0e1-4e79-8141-0bbf8faf3644/windows-10-anniversary-update-the-case-of-the-mysterious-account-sid-causing-the-flood-of-dcom
Both of these are archived to archive.is

Note: the second link may require logging in to your MS account (???), but if you use a temporary container in Firefox (there's a plugin to simplify it), then it will work normally. It could also work with just creating a temporary profile in about:profiles.

Well, I think it's best to leave this script available. It's so big of a mystery that I would say your concern is grounded.


MPeti1 commented Sep 7, 2020

At the same time, what do you think about defaultuser1? I only have this. Do you have information about that one?
Edit: if it helps, its SID is this: S-1-5-21-80563116-3206155393-223495591-1028
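The two SIDs quoted in the previous two comments have different structures, and that difference is exactly what tells a capability SID apart from a real account SID. The following is an added example (mine, not from the thread or from privacy.sexy) that classifies a SID by its identifier authority and first sub-authority, checks whether Windows can resolve it to an account, and then lists any local accounts whose name starts with defaultuser. It uses the two SID strings posted above as constructed input; on your own machine the S-1-5-21 machine identifier will differ.

```powershell
# Added example: classify SIDs from the thread and check what actually exists
# as a local account. Run in PowerShell 5.1 or later on Windows.

# Constructed input: the two SID strings posted in this thread.
$capabilitySid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'
$localUserSid  = 'S-1-5-21-80563116-3206155393-223495591-1028'

function Get-SidKind {
    param([Parameter(Mandatory)][string]$Sid)
    # Layout: S-1-<identifier authority>-<sub-authorities...>
    # Authority 5 = NT AUTHORITY, authority 15 = APP PACKAGE AUTHORITY.
    $parts = $Sid -split '-'
    if ($parts.Count -lt 4 -or $parts[0] -ne 'S' -or $parts[1] -ne '1') { return 'not a valid SID' }
    switch ($parts[2]) {
        '5' {
            if ($parts[3] -eq '21') {
                # S-1-5-21-<machine or domain id>-<RID>: an account. RID < 1000 is built-in.
                $rid = [int]$parts[-1]
                if ($rid -lt 1000) { return ('built-in account, RID {0}' -f $rid) }
                return ('user-created local or domain account, RID {0}' -f $rid)
            }
            return 'NT AUTHORITY well-known SID'
        }
        '15' {
            if ($parts[3] -eq '2') { return 'AppContainer package SID (not an account)' }
            if ($parts[3] -eq '3') { return 'AppContainer capability SID (not an account)' }
            return 'APP PACKAGE AUTHORITY SID'
        }
        default { return ('other identifier authority {0}' -f $parts[2]) }
    }
}

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    # Capability SIDs have no account object behind them, so Translate() throws.
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

foreach ($sid in @($capabilitySid, $localUserSid)) {
    $kind = Get-SidKind -Sid $sid
    $name = Resolve-SidName -Sid $sid
    if ($name) { "{0}`n  -> {1}; resolves to '{2}'" -f $sid, $kind, $name }
    else       { "{0}`n  -> {1}; does not resolve to any account on this machine" -f $sid, $kind }
}

# Which defaultuser* accounts really exist in the local SAM, and are they usable?
Get-LocalUser |
    Where-Object { $_.Name -like 'defaultuser*' } |
    Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, Enabled, LastLogon, PasswordLastSet |
    Format-Table -AutoSize
```

On the first SID the classifier reports an AppContainer capability SID and the resolver returns nothing, which matches the observation above that it shows up in ACLs and DCOM errors but is not a user. The second SID is an ordinary S-1-5-21 account with RID 1028, i.e. something created on that machine after setup, so the `Get-LocalUser` listing at the end is the place to confirm whether it is enabled and when it last logged on.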

@undergroundwires
Owner

I actually have no idea. But I asked the question to the forensic ghost friend. Forwarding his response:

  • The defaultuser1 account is not created by default in any scenario.
  • The user has heavily tweaked the OS with many tools; that's why it was created.
  • If the user wants to take a close look, then he must be sure which tool has done that.
  • It's possible that it's an account which will forward the user's logs to an attacker in this scenario.

His suggestion is to do a clean install from the same ISO on the same machine and then cross-check whether that defaultuser1 account is still created. He's pretty sure it won't be found. He also recommends not using many tools but just a trusted one like privacy.sexy; this way one can work in a privacy-friendly manner without any doubt that his or her activity logs are being sent anywhere without his consent.
