Topic: Windows 10 Could Break If Capability SIDs Are Removed From Permissions

Author: javajolt (Administrator)
Microsoft issued a warning yesterday stating that removing Windows account security identifiers (SIDs) that do not have a "friendly" name from security permissions could cause problems in Windows and installed applications.

Starting with Windows 2012 and Windows 8, Microsoft introduced a new type of security identifier called capability SIDs that grants a Windows component or UWP app access to particular resources on a computer. These resources could be files, folders, Registry entries, or even devices.

When these types of SIDs are shown in a security access list, they will not be resolved to a friendly name such as TrustedInstaller or System. Instead, they are shown as a long, unfriendly, and hard-to-remember series of numbers and characters, as shown below.


Example capability SID in Folder Permissions

According to Microsoft, Windows 10 version 1809 uses more than 300 capability SIDs, with the most commonly used being:

Quote
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

Some examples of other capability SIDs can be found here.

Removing capability SIDs causes undesirable effects

In a support bulletin posted today, Microsoft has stated that when diagnosing a strange SID in Windows access control lists, you should make sure it is not a capability SID before removing it. This is because removing the SID could cause the application or Windows feature to no longer have access to a resource it requires to run properly.

Quote
DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.


This issue affects Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012.

Instead, Microsoft suggests you open the Registry Editor to extract the list of used capability SIDs and search that list for the SID you are investigating. If it is found in the list of capability SIDs, you should not remove it.

To do this, open Registry Editor and go to the following key:

Quote
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses

Under that key is a value called AllCachedCapabilities. Double-click on this value to see a list of all currently used capability SIDs.


List of used capability SIDs

Now copy the contents of the value data into Notepad and search the list of SIDs for the one you are investigating. If this SID is found, do not remove it, or it can cause Windows or an app to no longer work properly.

source
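The manual check described in the post (open regedit, copy AllCachedCapabilities into Notepad, search for the SID) can be done in one pass for every entry in a folder's ACL. The script below is an added example, not code from the original post or from Microsoft's bulletin. It reads the same registry value the post points at, tries to resolve each ACL entry to a friendly name the way the Security tab does, and flags entries that are capability SIDs so you know which ones not to remove. Assumptions: `$Path` is whatever folder you are investigating (the default is only a placeholder), `AllCachedCapabilities` holds a list of SID strings (it is split on whitespace so a single-string value works too), `S-1-15-3-` is the well-known prefix of capability SIDs, and the script runs in an elevated PowerShell session so the ACL is readable.

```powershell
# Added example (not from the original post or Microsoft's bulletin).
# Flags capability SIDs in a folder's ACL using the AllCachedCapabilities
# registry value the post tells you to inspect by hand.
param(
    # Assumption: placeholder only; point this at the folder you are investigating.
    [string]$Path = "$env:ProgramFiles\WindowsApps"
)

$capKey = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'

# Read the cached capability list. Assumption: it is a list of SID strings;
# splitting on whitespace/NUL also copes with a single multi-line string.
$raw    = (Get-ItemProperty -Path $capKey -Name AllCachedCapabilities).AllCachedCapabilities
$cached = @($raw) | ForEach-Object { $_ -split '[\s\0]+' } | Where-Object { $_ }
$capSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$cached, [System.StringComparer]::OrdinalIgnoreCase)

function Resolve-FriendlyName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Returns the account name the Security tab would show, or $null when the
    # SID has no friendly name (what you see for capability SIDs).
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

function Test-CapabilitySid {
    param([string]$Sid)
    # S-1-15-3 is the sub-authority used for capability SIDs (assumption stated
    # in the lead-in); the cached list is the check the bulletin asks for.
    [pscustomobject]@{
        Sid                 = $Sid
        HasCapabilityPrefix = $Sid -like 'S-1-15-3-*'
        InCachedList        = $capSet.Contains($Sid)
    }
}

function Get-AceCapabilityReport {
    param([string]$FolderPath)
    $acl   = Get-Acl -LiteralPath $FolderPath
    # Ask for rules keyed by SID so unresolved and resolved entries look alike.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sidObj = [System.Security.Principal.SecurityIdentifier]$rule.IdentityReference
        $check  = Test-CapabilitySid -Sid $sidObj.Value
        $name   = Resolve-FriendlyName -Sid $sidObj

        $verdict = 'Resolves normally'
        if ($null -eq $name) {
            $verdict = 'Unresolved SID, not in the capability cache: investigate before touching'
        }
        if ($check.InCachedList -or $check.HasCapabilityPrefix) {
            $verdict = 'DO NOT REMOVE: capability SID'
        }

        [pscustomobject]@{
            Identity  = if ($name) { $name } else { $sidObj.Value }
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
            Verdict   = $verdict
        }
    }
}

Get-AceCapabilityReport -FolderPath $Path | Format-Table -AutoSize
```

Run it as `.\Check-CapabilitySids.ps1 -Path 'C:\some\folder'` from an elevated prompt. An entry that neither resolves to a name nor appears in the cache is not automatically safe to delete: the cache only lists capability SIDs Windows has seen on this machine, and an orphaned SID from a deleted account looks the same in the UI, so treat that row as "look closer", not "remove". For a registry key, call `Get-Acl` on an `HKLM:\...` path instead and read `RegistryRights` rather than `FileSystemRights`.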