Jump to content

Account 'S-1-5-18' was found


Mi Ke
 Share

Recommended Posts

Hi,

 

We use  Passwordstate v8.5 (Build 8556) and after runinng a Windows Dependency Accounts Discovery job we get a lot of error messages like:

 

An account called 'S-1-5-18' was found for the Dependency Type of 'Scheduled Task' and Dependency Name called 'Microsoft\Windows\RemovalTools\MRT_ERROR_HB', but it could not be determined if the account was a Domain or Local account. Please refer to KB Article in User Manual called 'Unknown Windows Dependency Accounts Discovered'.

 

Discovered OS: Windows Server 2016
SID "S-1-5-18": Local Windows Account "System"
Task "MRT_ERROR_HB": Seems to be a part of Windows Malicious Software Removal Tool and will be automatically created by the tool.

 

To change the scheduled task account from "SYSTEM" to "NT AUTHORITY\SYSTEM" or "<Hostname>\SYSTEM" like descripted in the KB Article make no difference. I think it's because there is no additional popup which asks for a password and it's a local system account.

 

In our case we have daily a lot of error messages after the discovery job and it's annoying to find the relevant ones. Do you have a solution for this? Is ist possibly to add this account to a "blacklist"?

 

Thanks for your support.

Regards, Mike

MRT_ERROR_HB.jpg

Link to comment
Share on other sites

Hi Mike,

 

Thanks for the information, and we'll do some testing to see if we can replicate this, and then ignore the account in our Discovery PowerShell script. I will let you know what we find, and provide you with an updated script you can use prior to it being available in the next release.


Regards

Click Studios

Link to comment
Share on other sites

  • 4 weeks later...

Hi Mi Ke,

 

We are very sorry, we did actually forget to follow this up.  I've taken a look at this today and here's some information to consider:

 

In our discovery job, we are excluding the discovery of "System" as per screenshot below, but we cannot understand why on your systems this isn't working:

2019-02-07_10-11-12.png

 

We found out that the Profile of the System Account has the unique profile registry key as S-1-5-18

2019-02-07_10-05-34.png

 

So we've now added this to our exclusions in the Account Dependency Script, tested this and it seems to be working:

2019-02-07_10-13-26.png

 

 

For this to work for you, can you please do the following on your Passswordstate web server?

 

1. On your Passwordstate web server, download this file:  Get-Dependencies.ps1

2. Place it in C:\inetpub\Passwordstate\setup\scripts, and overwrite the existing file

3. In Passwordstate, go to Administration -> Powershell Scripts -> Account Discovery Scripts and restore the default Windows Account Dependency script from the Actions Menu:

2019-02-07_10-14-02.png

 

Now try your Discovery Dependency again, does this fix the issue?  If it does, we'll include this new script in the next build of Passwordstate we release.

 

Regards,

Support

 

Link to comment
Share on other sites

Hi,

It doesn't work and I think in this case it's because the script gets the user "S-1-5-18" from the task xml-file. So the filter on the output of "schtasks.exe" make no difference. Let me explain:

 

I have made the following script based on your original script:

Quote

$schtask = schtasks.exe /query /V /FO CSV | ConvertFrom-Csv
if ($schtask)
{
    foreach ($sch in $schtask)
       {
        if ($sch.TaskName -eq '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB')
        {
         write-output $sch
        }
    }
}


In the output of the script the key "Run As User" has sometimes a value "Disabled", "n/a" or something else  instead a username or SID.  I think the problem is the special character "," in the task Argument:

/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

 

The command "ConvertFrom-Csv" splits the string on the wrong place.


Script Output

Quote

HostName                             : ****
TaskName                             : \Microsoft\Windows\RemovalTools\MRT_ERROR_HB
Next Run Time                        : 07.02.2019 19:13:36
Status                               : Ready
Logon Mode                           : Interactive/Background
Last Run Time                        : 30.11.1999 00:00:00
Last Result                          : 267011
Author                               : Microsoft
Task To Run                          : C:\Windows\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack
Start In                             : Previous=ErrorStack
Comment                              : Previous=SubmitHeartbeatReportData
Scheduled Task State                 : Hr=0x80072f0d
Idle Time                            : Hr=0x80072f0d" /HeartbeatError "0x80072f0d""

Power Management                     : C:\Windows\system32
Run As User                          : N/A
Delete Task If Not Rescheduled       : Enabled
Stop Task If Runs X Hours and X Mins : Disabled
Schedule                             : 
Schedule Type                        : SYSTEM
Start Time                           : Disabled
Start Date                           : 00:30:00
End Date                             : Scheduling data is not available in this format.
Days                                 : One Time Only, Hourly 
Months                               : N/A
Repeat: Every                        : N/A
Repeat: Until: Time                  : N/A
Repeat: Until: Duration              : N/A
Repeat: Stop If Still Running        : N/A


Task ""MRT_ERROR_HB.xml"

Quote

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft</Author>
    <URI>\Microsoft\Windows\RemovalTools\MRT_ERROR_HB</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger id="MRT_ERROR_HB">
      <Repetition>
        <Interval>PT5H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2019-02-07T13:13:31Z</StartBoundary>
      <EndBoundary>2019-04-08T13:13:31Z</EndBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>C:\Windows\system32\MRT.exe</Command>
      <Arguments>/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"</Arguments>
      <WorkingDirectory>C:\Windows\system32</WorkingDirectory>
    </Exec>
  </Actions>
</Task>

 

Because the value of the key "Run As User" is not a known keyword to ignore your original script Looks then into the "MRT_ERROR_HB.xml" file and reads the key  "<UserId>S-1-5-18</UserId>".

 

I hope that makes sense.

Regards, Mike
 

Link to comment
Share on other sites

Hi,

 

Unfortunately, adjusting the uppercase and lowercase characters in the SID in the new script makes no difference. Like I have tried to descripe I think the problems are the commas "," in the column "Task To Run" of the command output (or "arguments" in the task xml). The following command "ConvertFrom-Csv" splits this string on every single comma regardless the comma is part of a value or not.

 

Have a look to the original output of the command:

Quote

 

schtasks.exe /query /V /FO CSV /TN "\Microsoft\Windows\RemovalTools\MRT_ERROR_HB"

"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User","Delete Task If Not Rescheduled","Stop Task If Runs X Hours and X Mins","Schedule","Schedule Type","Start Time","Start Date","End Date","Days","Months","Repeat: Every","Repeat: Until: Time","Repeat: Until: Duration","Repeat: Stop If Still Running"
"myhostname","\Microsoft\Windows\RemovalTools\MRT_ERROR_HB","08.02.2019 10:13:46","Ready","Interactive/Background","30.11.1999 00:00:00","267011","Microsoft","C:\Windows\system32\MRT.exe /EHB /HeartbeatFailure "ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d,Hr=0x80072f0d" /Hea","C:\Windows\system32","N/A","Enabled","Disabled","","SYSTEM","Disabled","00:30:00","Scheduling data is not available in this format.","One Time Only, Hourly ","N/A","N/A","N/A","N/A","N/A","5 Hour(s), 0 Minute(s)","None","Disabled","Disabled"

 


The Command "ConvertFrom-Csv" splits the value of “Task To Run” into multiple parts. This is wrong and all the following values shift to x columns.

image.thumb.png.07803849d6cba8ec376bc040e0560744.png

 

I hope that explains more exactly what I tried to explain yesterday.

Reagards,

Mike

Compare the output of the script and how it should be.pdf

Link to comment
Share on other sites

Hi Mike,

 

Sorry it's not fixed. It is quite difficult for us to test this sort of fix, when we cannot reproduce the issue ourselves.

 

This returns 'System' for us every time, and we're not sure how to replicate what you are seeing - would you have any ideas what we need to do to this scheduled task to replicate it?

Thanks

Click Studios

Link to comment
Share on other sites

Hi,

 

Thanks for your support. We will find a solution. :-) The reason seems to be the parameter of the task "MRT_ERROR_HB". I can reproduce the error on a Windows Server 2016 build 1607 by creating a new Basic Task.

 

I hope this works for you as well.

 

Regards, Mike

 

Create a basic task

image.png.bcc8f0a1dd304226e1ba9041f8cac8ff.png

 

image.png.a838cb3c00ec52d1b366d9da001cdebf.png

 

image.png.3268ac1eb001f70aadba8c0106c4c2ab.png

 

image.png.cdee5cc5f1c1e172d26b5647a159aeef.png

 

Use any program and add the parameter from the task "MRT_ERROR_HB":

/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

 image.png.89060e984b52cbc117e93fa914200992.png

 

image.png.d83a27ab62cff7aa8748ae8591c4aa1a.png

Add the System account

image.png.fda773e32c6a205061a9be98a1f4e0af.png

 

Now in Passwordstate you can run the dicovery script. My output was:

image.png.765b593610ee6fe9c65ccf0148a08158.png

 

 

Link to comment
Share on other sites

  • 2 weeks later...

Sorry we took so long to get back to this. 

 

We have just tested this on 3 servers, 2 X Server 2016 version 1607, and the last server is Server 2019.  In all cases it returns as blank username, which is expected behaviour....

 

2019-02-25_13-26-39.png

 

Just confirming, when you search for "System" it finds the username as "NT AUTHORITY\SYSTEM", but shen you save the task it then shows up at "System like my screenshot below?

 

2019-02-25_13-28-26.png

 

And the only thing we didn't understand about your instructions was where you said Use any program and add the parameter from the task "MRT_ERROR_HB":

 

We did add this line of code below as an additional argument, is this what we were supposed to do?

 

/EHB /HeartbeatFailure "ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f0d" /HeartbeatError "0x80072f0d"

 

2019-02-25_13-34-27.png

 

 

Not sure why we can't reproduce it at this stage:(

 

Regards,

Support

 

 

Link to comment
Share on other sites

  • 3 weeks later...

Hi,

 

I'm sorry for my delayed answer. I was not in the office for a few weeks.

 

To your questions:

Quote

Just confirming, when you search for "System" it finds the username as "NT AUTHORITY\SYSTEM", but shen you save the task it then shows up at "System like my screenshot below?

Yes, when I save the task it shows up "System" like in your screenshot.
  

Quote

And the only thing we didn't understand about your instructions was where you said Use any program and add the parameter from the task "MRT_ERROR_HB"

In my opinion only the parameter was nessesary to reproduce the error. The used program "notepad.exe" was only a placeholder for the task. But today I tried my own instructions on a different Windows 2016 host and I coudn't reproduce the behavior anymore.


Possible new solution to reproduce the problem on your System:
I have found an other Task on a different Windows Server 2016 (Version 1607) with the same behavior. After I have exported this task as XML and imported it on a different Windows Server 2016, Passwordstate will report the task on the new host with the same message "An account called 'S-1-5-18' was found for the Dependency Type...". 

 

Can you please import the XML "Wake on LAN.xml" on one of your Windows Server 2016 and see if the behavior occurs? I hope, this works.

 

Regards, Mike

Wake On LAN.xml

Link to comment
Share on other sites

Thanks very much Mike, and we've been able to replicate this now with the XML import, and have a fix for this in the next release - should be due next week.

 

Thanks again for all your help, and patience, whilst we worked through this issue - we really do appreciate it.

We'll let you know as soon as the new build is available.

Regards

Click Studios

Link to comment
Share on other sites

Hi Mike,

 

Today we have released Build 8650 of Passwordstate, which includes a fix for this issue.  In the end it was an easy fix, just took us a while to replicate it.  Thanks for your patience with this one and thanks for pointing us in the right direction:)

 

Regards,

Support

Link to comment
Share on other sites

Hi,

 

You'r welcome. :-) I have installed the new version and the error for the task "Wake On LAN" is gone. I hope this will fix the messages for the original task "MRT_ERROR_HB" of the MS Windows Malicious Software Removal Tool, too. I will keep watching.

 

Thanks again and regards,

Mike

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...