Ownership of all files on hard drive suddenly changed

Posted: 01-07-2008, 06:49 AM
Hello Everyone,
I noticed that when I explored an external USB drive that I couldn't see
folders I had been able to see earlier this evening. I checked the ownership
and found that the owner had been set to

S-1-5-21-2311030268-158868070-3690016334-1008

I looked through the Registry for this and found nothing. So, I reset the
ownership of all files on that drive to my account (I am the "real"
administrator).

Just out of curiosity I checked the ownership of some files on my C: drive.
All of my personal folders were now owned by that long ID string above. Now
I am setting the owner back to my account.

Folders like "Program Files" and "Windows" are owned by TrustedInstaller,
which is what they had been set to earlier today. It looks like all of my
personal folders on all hard drives have been hit.

What the.....????? Does anyone know what this means?

Thanks for your time,
Big Al Mintaka


Ownership of all files on hard drive suddenly changed


Responses to "Ownership of all files on hard drive suddenly changed"

Jesper
Guest
Posts: n/a
 
RE: Ownership of all files on hard drive suddenly changed
Posted: 01-07-2008, 05:20 PM
S-1-5-21-2311030268-158868070-3690016334-1008 is a security identifier, a
SID. It is the internal identifier for a user account. The part before 1008
is the computer's or domain's SID. 1008 is called the Relative Identifier and
identifies the unique user account in that computer or domain. Even if you
change the name of the user account the SID always stays the same.

There are two typical scenarios when you see the SID instead of the user
account. Both of them stem from the fact that the computer is unable to
resolve the SID to a username.

The first is when you have used this drive on a different computer and an
account from that computer has been given permissions to, or ownership of,
data. You can tell whether this is the case by retrieving the computer SID
for the computer where you have the problem. There are a few ways to do that.
Without installing additional software, and assuming your account is not a
domain account, you can open a command prompt and typing "whoami /user". It
will show your own SID. If everything before the last number (1008 in this
case) matches between your account and the mystery one then the mystery SID
is for a local account. That means you have case 2.

Case 2 is where an account has been deleted. Ownership and permissions are
not reassigned when accounts are deleted. However, since the account no
longer exists, the computer is unable to find the username for it and shows
you the SID instead.

In your case, since it is an external drive, I would be willing to bet that
you used this drive in a different computer and changed ownership on
everything on the drive. If you log on to that computer with whatever account
you used and run whoami /user you should find that SID.

If you care to explore SIDs a bit more, psgetsid is a nice little tool that
can resolve them back and forth:
http://www.microsoft.com/technet/sys.../psgetsid.mspx. If
you want to learn more about them, there is quite technical documentation at
http://technet2.microsoft.com/window....mspx?mfr=true,
and in the forthcoming Windows Server 2008 Security Resource Kit.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Big Al Mintaka" wrote:
> Hello Everyone,
> I noticed that when I explored an external USB drive that I couldn't see
> folders I had been able to see earlier this evening. I checked the ownership
> and found that the owner had been set to
>
> S-1-5-21-2311030268-158868070-3690016334-1008
>
> I looked through the Registry for this and found nothing. So, I reset the
> ownership of all files on that drive to my account (I am the "real"
> administrator).
>
> Just out of curiosity I checked the ownership of some files on my C: drive.
> All of my personal folders were now owned by that long ID string above. Now
> I am setting the owner back to my account.
>
> Folders like "Program Files" and "Windows" are owned by TrustedInstaller,
> which is what they had been set to earlier today. It looks like all of my
> personal folders on all hard drives have been hit.
>
> What the.....????? Does anyone know what this means?
>
> Thanks for your time,
> Big Al Mintaka
>
>
 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
Taking Ownership of a 2nd Hard Drive Rohan Windows Vista Security 1 12-09-2007 10:35 AM
Drive Letters Changed (After hard drive swap) ChrisOfTheOT Windows XP Configuration & Management 6 10-25-2007 03:55 PM
Entire Hard Drive Suddenly Write-Protected: WHY?! Andrew Hammel Windows XP Setup 1 10-12-2003 07:06 PM
New hard drive, product key changed Rick \Nutcase\ Rogers Windows XP Basics 0 09-01-2003 06:42 PM
Hard drive suddenly not readable steve Hutch Windows XP Hardware 2 07-10-2003 07:56 PM