Jesse-8915 asked:

Computer Account Keeps Creating Local User Account

Hello

I have had a problem for a while in my network. Several computer accounts keep creating local user accounts and deleting them in a matter of minutes. This occurs in several devices in my environment.

Could this be a service?

Tags: windows-10-security, windows-10-network, windows-server-security, azure-ad-domain-services

1 Answer

vipulsparsh-MSFT answered:

@Jesse-8915 You can track that activity to find who created the local user account and then check on that particular server/machine to see what kind of processes are running there. They might or might not have the need for that. Normally, any service account created by any process would not get deleted and should have a valid reason for its existence. I would start from this event log: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720


Where Account Name [Type = UnicodeString]: the name of the account that requested the “create user account” operation.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



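The answer above points at event 4720 (a user account was created); the matching deletion is event 4726. The following PowerShell is an added example, not code from the thread or from Microsoft: it pairs the two events from the local Security log by target account name and reports who created and deleted each account and how long it lived, which is the quickest way to confirm the "created and deleted within a minute by a computer account" pattern. It assumes it is run elevated on an affected machine; the `$LookbackDays` parameter and the 60-second threshold are choices made for this example.

```powershell
# Added example (not from the thread): pair local-account creation (4720) and
# deletion (4726) events from the Security log and report the actor and lifetime.
# Assumes an elevated session on the affected host; $LookbackDays is an arbitrary choice.
param([int]$LookbackDays = 30)

# Pull one named field out of an event's EventData XML (e.g. SubjectUserName).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4726
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

# Remember the most recent 4720 per account name; match each 4726 to it.
$open  = @{}
$pairs = foreach ($e in $events) {
    $target  = Get-EventField $e 'TargetUserName'
    $subject = (Get-EventField $e 'SubjectDomainName') + '\' + (Get-EventField $e 'SubjectUserName')

    if ($e.Id -eq 4720) {
        $open[$target] = [pscustomobject]@{
            Created   = $e.TimeCreated
            CreatedBy = $subject
            # SubjectLogonId ties the creation to the 4624 logon session that performed it.
            LogonId   = Get-EventField $e 'SubjectLogonId'
        }
        continue
    }

    if ($open.ContainsKey($target)) {
        $c = $open[$target]
        [pscustomobject]@{
            Account        = $target
            CreatedBy      = $c.CreatedBy
            DeletedBy      = $subject
            Created        = $c.Created
            Deleted        = $e.TimeCreated
            LifeSeconds    = [int]($e.TimeCreated - $c.Created).TotalSeconds
            SubjectLogonId = $c.LogonId
        }
        $open.Remove($target)
    }
}

# Short-lived accounts created by a machine account (subject name ending in "$").
$pairs |
    Where-Object { $_.LifeSeconds -lt 60 -and $_.CreatedBy -like '*$' } |
    Format-Table -AutoSize
```

The `SubjectLogonId` column is the piece to carry forward: it is the logon session ID of whoever called the account-creation API, and the same value appears as `TargetLogonId` in the 4624 logon event for that session, so it lets you move from "which account" to "which logon, and which process performed it" without guessing from timestamps alone.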

Hello @vipulsparsh-MSFT

Thank you for your response.

The new local user account is being created by a computer account (computer-name$), and this account is being deleted within the same minute. The activity has been occurring for over a month now.


@Jesse-8915 For deeper investigation you can use a process explorer like procmon to see which process on that computer is generating the account and after finding that you can take a decision if that's a valid process. Read more about process monitor here : https://docs.microsoft.com/en-us/sysinternals/downloads/procmon


Hello @vipulsparsh-MSFT,

Thanks again for your response.

So, I carried out an investigation and discovered that before the user account creation and deletion on the hosts, a service (advapi) logged in to the computer using the computer account (computer-account$). But how do I know the particular service using the advapi process?

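The comment above has got as far as a logon with Logon Process "Advapi", which is what Windows records when something calls the LogonUser API rather than logging on interactively. Event 4624 also carries the caller's process ID and image path in its Process Information fields, so the process behind that logon is usually already in the log. The script below is an added example, not something posted in the thread: it lists 4624 events in a window around a given time whose logon process is Advapi, optionally narrowed to one `TargetLogonId`, and shows the recorded caller process. The parameter names and the default ten-minute window are this example's own assumptions; it assumes an elevated session on the affected host.

```powershell
# Added example (not from the thread): find 4624 logons made through the Advapi
# logon process and show the caller process Windows recorded for each one.
# Assumes an elevated session on the affected host; parameters below are this example's.
param(
    [string]$TargetLogonId,                 # e.g. the SubjectLogonId from a 4720 event
    [datetime]$Around = (Get-Date),         # centre of the search window
    [int]$Minutes = 10                      # half-width of the window
)

# Pull one named field out of an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Around.AddMinutes(-$Minutes)
    EndTime   = $Around.AddMinutes($Minutes)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonProcessName').Trim() -eq 'Advapi' } |
    Where-Object { -not $TargetLogonId -or (Get-EventField $_ 'TargetLogonId') -eq $TargetLogonId } |
    ForEach-Object {
        # ProcessId in 4624 is logged as a hex string such as 0x2a4.
        $callerPid = [Convert]::ToInt32((Get-EventField $_ 'ProcessId'), 16)
        [pscustomobject]@{
            Time          = $_.TimeCreated
            LogonType     = Get-EventField $_ 'LogonType'
            Account       = (Get-EventField $_ 'TargetDomainName') + '\' + (Get-EventField $_ 'TargetUserName')
            TargetLogonId = Get-EventField $_ 'TargetLogonId'
            CallerPid     = $callerPid
            CallerProcess = Get-EventField $_ 'ProcessName'
            # Only meaningful if the process is still alive at query time.
            LiveProcess   = (Get-Process -Id $callerPid -ErrorAction SilentlyContinue).ProcessName
        }
    } |
    Format-Table -AutoSize
```

If the caller turns out to be `svchost.exe`, the PID alone does not name the service; while the process is still running, `Get-CimInstance Win32_Service | Where-Object ProcessId -eq <pid>` lists the services hosted in it. For events older than the current boot the PID has been recycled, so for a recurring problem like the one described here it is worth running this against a fresh occurrence, or enabling process creation auditing (event 4688) so the process lineage is kept alongside the logon.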