When you check the permissions for a drive, folder, or registry key, you may see an “Account Unknown” entry followed by a long string of numbers, and wonder what that entry refers to.
The screenshot doesn’t show the full entry. For your convenience, I’m posting it below:
Account Unknown(S-1-15-3-65536-1888954469-739942743-1668119174-2468466756-4239452838-1296943325-355587736-700089176)
What is “Account Unknown” in the Security tab
The string of numbers that appears in the Security tab is called a Security Identifier (SID).
The “Account Unknown” SID can mean one of two things:
1] The SID is a “Capability SID”.
Capability SIDs uniquely and immutably identify capabilities. In this context, a capability is an unforgeable token of authority granting a Windows component or a Universal Windows Application access to resources such as documents, cameras, locations, etc. An application that “has” a capability is granted access to the resource that is associated with the capability. An application that “does not have” a capability is denied access to the associated resource.
All capability SIDs are prefixed by S-1-15-3.
All capability SIDs that the operating system is aware of are stored in the Windows Registry in the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities
The most commonly used capability SID is the following:
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
Capability SIDs should not be deleted.
(or)
2] The SID belongs to an account that no longer exists on this PC.
The “Account Unknown” SID could be the SID of a user account that was deleted from your computer.
For example, you configure the folder/registry permissions for a user account named “John”. The Security tab shows the friendly name (i.e., “John”) instead of its SID.

However, when the user account “John” is deleted from the system, the Access Control List (ACL) entry shows up as “Account Unknown”, followed by the deleted account’s SID.

Each user account has a unique SID. ACL entries that show the SID of a deleted user account can be removed from the Security tab.
As the above SID is not prefixed by S-1-15-3, it’s not a Capability SID. Also, the SID shown in the screenshot is not a Well-Known SID. Hence, the orphaned ACL entry that points to a non-existent user account can be deleted.
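The decision described above (capability SID versus orphaned account SID) can be scripted. This is an added example, not part of the original post: the function name Get-UnknownSidTriage and the path in the usage line are assumptions. It only reports and changes nothing.

```powershell
# Added example: report-only triage of unresolved SIDs on one folder (Windows).
function Get-UnknownSidTriage {
    param([Parameter(Mandatory)][string]$Path)   # folder to inspect

    $acl = Get-Acl -LiteralPath $Path
    # Ask for identities as raw SIDs instead of friendly names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            # If the SID maps to a name, the Security tab shows that name,
            # not "Account Unknown", so skip the entry.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
            continue
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # No name mapping: this is an "Account Unknown" entry.
        }

        if ($sid.Value.StartsWith('S-1-15-3-')) {
            # Trailing dash so that S-1-15-30-... is not misread as a capability SID.
            $verdict = 'Capability SID: keep'
        } elseif ($rule.IsInherited) {
            # Inherited entries are defined on a parent object, not on this one.
            $verdict = 'Unresolved, inherited: review on the parent object'
        } else {
            $verdict = 'Unresolved, explicit: orphan candidate, confirm the account was deleted'
        }

        [pscustomobject]@{
            Sid       = $sid.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            Verdict   = $verdict
        }
    }
}

# Usage: the path is a placeholder, point it at the folder you are checking.
Get-UnknownSidTriage -Path $env:USERPROFILE | Format-Table -AutoSize
```

On a domain-joined machine a SID also fails to resolve while the domain is unreachable, so treat the orphan verdict as a candidate to confirm rather than a conclusion.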