Hello
I have had a problem for a while in my network. Several computer accounts keep creating local user accounts and deleting them in a matter of minutes. This occurs in several devices in my environment.
Could this be a service?
@Jesse-8915 You can track that activity to find who created the local user account and then check on that particular server/machine to see what kind of processes are running there. They might or might not have the need for that. Normally, any service account created by any process would not get deleted and should have a valid reason for its existence. I would start from these event logs: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Where Account Name [Type = UnicodeString]: the name of the account that requested the “create user account” operation.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hello @vipulsparsh-MSFT
Thank you for your response.
The new local user account is being created by a computer account (computer-name$), and this account is being deleted within the same minute. The activity has been occurring for over a month now.
@Jesse-8915 For deeper investigation you can use a process explorer like procmon to see which process on that computer is generating the account, and after finding that you can take a decision on whether that's a valid process. Read more about Process Monitor here: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Hello @vipulsparsh-MSFT,
Thanks again for your response.
So, I carried out an investigation and discovered that before the user account creation and deletion on the hosts, a service (advapi) logged in to the computer using the computer account (computer-account$). But how do I know the particular service using the advapi process?
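As an added example (not code from either participant above), the following PowerShell script does the correlation described in this thread on one host: it pairs each 4720 (account created) with a 4726 (account deleted) for the same account within a few minutes, then uses the SubjectLogonId of the 4720 to find the matching 4624 logon event, whose LogonProcessName field is where "Advapi" shows up. The look-back and pairing windows are assumed values; run it elevated on an affected machine.

```powershell
# Added example: correlate local-account create/delete pairs with the logon session
# that performed them. Assumed parameters: how far back to search and how close
# together a create and a delete must be to count as one "pair".
param([int]$LookBackDays = 30, [int]$PairWindowMinutes = 5)

$since = (Get-Date).AddDays(-$LookBackDays)

# Pull a single named EventData field out of an event's XML rendering
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4720 = user account created, 4726 = user account deleted, 4624 = successful logon
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4726, 4624; StartTime = $since
} -ErrorAction SilentlyContinue

$creates = $events | Where-Object Id -eq 4720
$deletes = $events | Where-Object Id -eq 4726
$logons  = $events | Where-Object Id -eq 4624

foreach ($c in $creates) {
    $target  = Get-EventField $c 'TargetUserName'   # the account that was created
    $subject = Get-EventField $c 'SubjectUserName'  # who created it (e.g. HOST$)
    $logonId = Get-EventField $c 'SubjectLogonId'   # session that did the creating

    # A deletion of the same account shortly after the creation
    $d = $deletes | Where-Object {
        (Get-EventField $_ 'TargetUserName') -eq $target -and
        $_.TimeCreated -ge $c.TimeCreated -and
        $_.TimeCreated -le $c.TimeCreated.AddMinutes($PairWindowMinutes)
    } | Select-Object -First 1
    if (-not $d) { continue }

    # The 4624 whose TargetLogonId equals the creator's SubjectLogonId describes
    # how that session was established, including the logon process name
    $l = $logons | Where-Object { (Get-EventField $_ 'TargetLogonId') -eq $logonId } |
         Select-Object -First 1

    [pscustomobject]@{
        Created      = $c.TimeCreated
        Deleted      = $d.TimeCreated
        Account      = $target
        CreatedBy    = $subject
        LogonId      = $logonId
        LogonProcess = if ($l) { (Get-EventField $l 'LogonProcessName').Trim() } else { '<no 4624 in range>' }
        LogonType    = if ($l) { Get-EventField $l 'LogonType' } else { '' }
    }
}
```

The 4624 event names the logon process but not the service behind it; to tie the session to a specific executable you still need process auditing or Process Monitor running at the time of the next occurrence, as suggested above.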