Windows 10 useraccount-SID exists without user - preventing sysprep

0

1

While trying to sysprep my OS to move to a new hardware structure, I stumbled upon the error described in this Microsoft support article. Trying to get rid of it, I set up a Windows 10 Version 1703 VM and copied the MiracastView folder from there, which didn't solve the issue.
On further investigation, I found that there seems to be a user SID which I cannot find connected to any actual account. Using Get-AppxPackage -AllUsers *mira* produces the following output:

PS C:\WINDOWS\system32> Get-AppxPackage -AllUsers *mira*  


Name                   : Windows.MiracastView  
Publisher              : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US  
Architecture           : Neutral  
ResourceId             : neutral  
Version                : 6.3.0.0  
PackageFullName        : Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy  
InstallLocation        : C:\Windows\MiracastView  
IsFramework            : False  
PackageFamilyName      : Windows.MiracastView_cw5n1h2txyewy  
PublisherId            : cw5n1h2txyewy  
PackageUserInformation : {S-1-5-21-1989392932-2341005969-1285330504-1000 [MyMainUseraccount]: Installed,  
                         S-1-5-21-1989392932-2341005969-1285330504-1010  
                         [S-1-5-21-1989392932-2341005969-1285330504-1010]: Installed(pending removal)}  
IsResourcePackage      : False  
IsBundle               : False  
IsDevelopmentMode      : False  
IsPartiallyStaged      : False  
SignatureKind          : System  
Status                 : Ok  

However, using wmic useraccount get name,sid shows this:

C:\WINDOWS\system32>wmic useraccount get name, sid
Name                SID
Administrator       S-1-5-21-1989392932-2341005969-1285330504-500
DefaultAccount      S-1-5-21-1989392932-2341005969-1285330504-503
Gast                S-1-5-21-1989392932-2341005969-1285330504-501
HomeGroupUser$      S-1-5-21-1989392932-2341005969-1285330504-1005
MyMainUseraccount   S-1-5-21-1989392932-2341005969-1285330504-1000
WDAGUtilityAccount  S-1-5-21-1989392932-2341005969-1285330504-504

missing the entry ending in 1010 seen in the output of the other command.

I chose to take a look in the registry to see where that SID showed up, and these are some of the first paths that were found:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserManager\Users\1044476
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\DownlevelInstalled\S-1-5-21-1989392932-2341005969-1285330504-1010
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\S-1-5-21-1989392932-2341005969-1285330504-1010
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-1989392932-2341005969-1285330504-1010
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Creative\S-1-5-21-1989392932-2341005969-1285330504-1010
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\UserTile
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache\PurgeAtNextLogoff
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-1989392932-2341005969-1285330504-1010
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\{S-1-5-21-1989392932-2341005969-1285330504-1010}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Search\Gather\Windows\SystemIndex\Sites\{S-1-5-21-1989392932-2341005969-1285330504-1010}
Computer\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\Appx\AppxAllUserStore\EndOfLife\S-1-5-21-1989392932-2341005969-1285330504-1010

but the SID didn't show up under either HKU or Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

By now I am completely lost as to where that key could come from, how I can remove it, or whether it is safe to do so at all. Any hint in any direction would be highly appreciated!

geisterfurz007

Posted 2018-06-19T08:23:31.863

Reputation: 103

After manually running the update to 1803 today, the SID doesn't show up in the registry anymore. However, it still shows up for another problematic Appx package. If anyone knows the origin of that mysterious SID, I will gladly accept that as an answer. – geisterfurz007 – 2018-06-20T08:43:01.550

Another update: ... It's back. At least two packages are installed for that user and won't uninstall because of that. I cannot log in as that user because it doesn't really exist. A new user I created for testing has a SID ending in 1012. In the registry it shows up as essentially a new account with a good amount of Microsoft software installed as Appx packages. – geisterfurz007 – 2018-06-20T11:17:02.670
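
The manual comparison made in the question (Appx package registrations versus local accounts versus ProfileList) can be done in one read-only pass. This is an added example, not part of the original post; it assumes an elevated PowerShell 5.1 session, and the function name Test-SidResolves is a hypothetical helper introduced here.

```powershell
# Added example: report Appx package registrations whose user SID has no
# local account, no profile, and does not resolve to any account name.
# Read-only; run elevated, since Get-AppxPackage -AllUsers needs admin rights.

function Test-SidResolves {
    # Hypothetical helper: $true if Windows can map the SID to an account name.
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $null = $sidObject.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        # Malformed SID string or no mapping: treat both as "does not resolve".
        return $false
    }
}

# Same data source as "wmic useraccount get name,sid".
$localSids = (Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True').SID

# Profiles known to the system; each subkey name is a SID.
$profileKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileSids = (Get-ChildItem $profileKey).PSChildName

Get-AppxPackage -AllUsers | ForEach-Object {
    $pkg = $_
    foreach ($info in $pkg.PackageUserInformation) {
        $sid = $info.UserSecurityId.Sid
        [pscustomobject]@{
            Sid          = $sid
            Package      = $pkg.PackageFullName
            InstallState = $info.InstallState
            LocalAccount = $localSids -contains $sid
            HasProfile   = $profileSids -contains $sid
            Resolves     = Test-SidResolves -Sid $sid
        }
    }
} | Where-Object { -not ($_.LocalAccount -or $_.HasProfile -or $_.Resolves) } |
    Sort-Object Sid, Package |
    Format-Table Sid, Package, InstallState -AutoSize
```

An empty result means every package registration belongs to an account Windows can still identify; any row lists a package still registered to a SID like the one ending in 1010 above.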

Answers

-1

Here is an article that provides more detail to address the problem. Here are the steps from the article:

Steps:

  1. Open ProcessHacker as Admin
  2. Select one of the vshost.exe processes -> Misc -> Run as this user
  3. Choose DB Browser’s .exe file
  4. Open file with DB Browser: C:\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Machine.srd
  5. Open tab “Browse Data”, then select table Package
  6. Look for the apps to be removed, then delete the whole line(s) (button)
  7. Finally, let DB Browser write the changes to the file

Eric

Posted 2018-06-19T08:23:31.863

Reputation: 1

I already forgot that I had this question up here. And indeed, tampering with one of the system's databases at least partially helped. I never got a perfect sysprep through, but I reached a point where I would just put my SSD on the new hardware and prayed (which worked). If you could post some more detail from that link, I will gladly accept your answer! – geisterfurz007 – 2018-08-29T21:43:31.323