Windows 10 Could Break If Capability SIDs Are Removed From Permissions

Filed under Security Alerts.

Microsoft issued a warning yesterday stating that removing Windows security identifiers (SIDs) that lack a “friendly” name from security permissions could break Windows or installed applications.

Starting with Windows Server 2012 and Windows 8, Microsoft introduced a new type of security identifier, the capability SID, which grants a Windows component or UWP app access to particular resources on a computer. These resources can be files, folders, Registry keys, or even devices.

When such a SID appears in an access control list, it is not resolved to a friendly name such as TrustedInstaller or SYSTEM. Instead it is displayed as a long, unfriendly and hard to remember string of numbers, as shown below.

Capability SID in Folder Permissions


According to Microsoft, Windows 10 version 1809 uses more than 300 capability SIDs; the most commonly used one is:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

Removing capability SIDs causes undesirable effects

In its support bulletin, Microsoft states that when you come across an unfamiliar SID in a Windows access control list, you should confirm that it is not a capability SID before removing it. Removing such a SID could leave the application or Windows feature without access to a resource it needs in order to run properly.

DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.

This issue affects Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.

Instead, Microsoft suggests opening the Registry Editor, extracting the list of capability SIDs in use, and searching that list for the SID you are investigating. If the SID appears in the list, do not remove it.

To do this, open Registry Editor and go to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses

Under that key is a value named AllCachedCapabilities. Double-click it to see the list of all capability SIDs currently in use.

List of used capability SIDs

Copy the value data into Notepad and search the list for the SID you are investigating. If it is there, do not remove it; doing so can stop Windows or an app from working properly.
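The manual Registry Editor and Notepad procedure above is error-prone when an ACL holds dozens of entries. The following PowerShell script is an added example, not code from the Microsoft bulletin or from Bleeping Computer. It reads the AllCachedCapabilities value named above, and for every entry in the ACL of a file, folder or registry key it reports whether the SID is a capability SID, both by the registry cache and by a structural check: all capability SIDs begin with S-1-15-3- (identifier authority 15 is the Application Package Authority, and sub-authority 3 marks a capability, as opposed to S-1-15-2- for app container package SIDs). The folder path in the usage line is an illustrative placeholder; point it at the object you are auditing. Run it in an elevated PowerShell session on Windows 8/Server 2012 or later.

```powershell
# Added example: identify capability SIDs in an ACL before anyone removes them.
# Not from the Microsoft bulletin. Registry key name is the one cited in the article.

$CapabilityKey = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'

function Get-CachedCapabilitySids {
    # Returns one SID string per entry of AllCachedCapabilities.
    # The data is a multi-string; @() also copes with it arriving as one string.
    $raw = (Get-ItemProperty -Path $CapabilityKey -Name AllCachedCapabilities).AllCachedCapabilities
    (@($raw) -split '\s+') | Where-Object { $_ -match '^S-1-15-3-' }
}

function Test-CapabilitySid {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string[]]$Cache = (Get-CachedCapabilitySids)
    )
    # Structural check: every capability SID is S-1-15-3-<...> (Application Package
    # Authority, capability sub-authority). The cache check catches the ones
    # currently in use on this machine, as the bulletin's manual procedure does.
    $byShape = $Sid -match '^S-1-15-3-'
    $byCache = $Cache -contains $Sid
    $friendly = $null
    try {
        $friendly = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { }   # IdentityNotMappedException: this is exactly the "unfriendly" SID case
    [pscustomobject]@{
        Sid          = $Sid
        FriendlyName = $friendly
        IsCapability = ($byShape -or $byCache)
        InCache      = $byCache
    }
}

function Get-AclCapabilitySids {
    param([Parameter(Mandatory)][string]$Path)   # file, folder or Registry:: path
    $acl   = Get-Acl -Path $Path
    $cache = Get-CachedCapabilitySids
    # Ask for SecurityIdentifier identities so resolvable names are not substituted
    # and every ACE is compared as a raw SID.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights
        } else {
            $ace.FileSystemRights
        }
        Test-CapabilitySid -Sid $ace.IdentityReference.Value -Cache $cache |
            Add-Member -NotePropertyName Rights -NotePropertyValue $rights -PassThru
    }
}

# The SID the article names as the most common one on Windows 10 1809:
Test-CapabilitySid -Sid 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'

# Usage (path is an assumed placeholder; replace with the object you are investigating):
Get-AclCapabilitySids -Path 'C:\Program Files\WindowsApps' |
    Where-Object IsCapability |
    Format-Table Sid, InCache, Rights -AutoSize
```

Any row with IsCapability set to True is one the bulletin says to leave alone. A SID that matches the S-1-15-3- shape but is not in the cache is still a capability SID (the cache only lists those currently registered on this machine), so treat the structural match as sufficient reason not to remove it. If a capability SID has already been removed and, as Microsoft notes, the UI will not let you add it back, icacls accepts a raw SID as an identity when it is prefixed with an asterisk (for example `icacls <path> /grant "*S-1-15-3-...:(R)"`), which is a practitioner caveat rather than something the bulletin covers.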


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.