How do I remove the unknown account (S-1-15-3-4096)?

Original title : Account Unknown (S-1-15-3-4096)


What is Account Unknown (S-1-15-3-4096) and how can it be removed!!



Security principle "S-1-15-3-4096" is a built in account.  Microsoft should give it a name, description and explain better.  Obscurity is not good security.

Windows, starting with Vista, defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384).

From my experience having security principle (S-1-16-4096) with rights to Favorites allows a low integrity process "IE" in protected mode to add favorites.  (Adding the integrity principles to folders to allow access should be carefully considered.)

Otherwise you have to do one of these to add a favorite from the Internet zone: 
- Launch IE as an admin
- set the site to something other than Internet zone
- turn off "Protected mode" in the Internet zone
All things I would recommend against as you loose some protections.

You can manually add the principle through file properties, use ICACLS, a VBScript or powershell.

Example of permissions from Windows 8 system:
Favorites S-1-15-3-4096:(OI)(CI)(RX,W,DC)
          Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Here are ICACLS commands:  (added)

How to add for Windows 7 system:
icacls [C:\Path\Favorites] /setintegritylevel (CI)(OI)Low /T

How to add for Windows 8 system :
icacls [C:\Path\Favorites] /grant *S-1-15-3-4096:(OI)(CI)(RX,W,DC) /setintegritylevel (CI)(OI)Low /T

Win 8 has some UAC changes, I suspect that is driving adding the Security Principle.

24 people found this reply helpful


Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.


Question Info

Last updated March 28, 2021 Views 28,282 Applies to: