windows-8 : Certain process running under username "DWM-1" and "ANONYMOUS LOGON"


The DWM-# user is new in Windows 8; it's a system user that is used only for the Desktop Window Manager process.

The other user is NT AUTHORITY\ANONYMOUS LOGON which is also a system user.
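The logon event quoted in the question on this page is a network logon (type 3) by this ANONYMOUS LOGON account over NTLM. As an added example, not part of the original answer, the PowerShell function below reads the XML form of such "An account was successfully logged on" events (Security event ID 4624) and reports the ones whose new logon is ANONYMOUS LOGON, well-known SID S-1-5-7. The function name and the sample XML are constructed for illustration from the values shown in the question.

```powershell
# Added example: triage logon events for ANONYMOUS LOGON (null-session) logons.
# On a live host, feed the function from an elevated prompt with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#       ForEach-Object { $_.ToXml() } | Get-AnonymousLogonInfo
function Get-AnonymousLogonInfo {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # S-1-5-7 is the well-known SID of NT AUTHORITY\ANONYMOUS LOGON
        if ($data['TargetUserSid'] -ne 'S-1-5-7') { return }
        [pscustomobject]@{
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = [int]$data['LogonType']            # 3 = network logon
            AuthPackage = $data['AuthenticationPackageName']
            NtlmVersion = $data['LmPackageName']
            Source      = $data['IpAddress']
            # Null session: no subject account (NULL SID S-1-0-0) and no session key
            NullSession = ($data['SubjectUserSid'] -eq 'S-1-0-0' -and
                           $data['KeyLength'] -eq '0')
        }
    }
}

# Constructed sample carrying the same values as the event in the question
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-5-7</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@
$sample | Get-AnonymousLogonInfo
```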

Author by

curious_kid

Updated on September 18, 2022

Comments

  • curious_kid
    curious_kid over 1 year

    I have Windows 8 installed. On checking Task Manager, I found the following details:

    1. dwm(Desktop Window Manager) was running under username "DWM-1".

    2. "SandboxieDcomLaunch.exe", "SandboxieRpcSs.exe" and applications running inside Sandboxie are running under username "ANONYMOUS LOGON".

    taskmanager screenshot.



    On checking the security logs in Event Viewer, I found the following information:

    An account was successfully logged on.
    
    Subject:
        Security ID:        **NULL SID**
        Account Name:       -
        Account Domain:     -
        Logon ID:       0x0
    
    Logon Type:         3
    
    Impersonation Level:        Impersonation
    
    New Logon:
        Security ID:        ANONYMOUS LOGON
        Account Name:       ANONYMOUS LOGON
        Account Domain:     NT AUTHORITY
        Logon ID:       0x1F481
        Logon GUID:     {00000000-0000-0000-0000-000000000000}
    
    Process Information:
        Process ID:     0x0
        Process Name:       -
    
    Network Information:
        Workstation Name:   
        Source Network Address: -
        Source Port:        -
    
    Detailed Authentication Information:
        Logon Process:      NtLmSsp 
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only):   NTLM V1
        Key Length:     0
    


    On running the following command in PowerShell, I found "ANONYMOUS LOGON" listed in the win32_system_account list.

    get-wmiobject -class "win32_account" -namespace "root\cimv2" | sort caption | format-table caption, __CLASS, FullName

    caption                                 __CLASS                                 FullName                               
    -------                                 -------                                 --------                               
    PCX\Access Control Assistance Opera... Win32_Group                                                                    
    pcx\Administrator                      Win32_UserAccount                                                              
    PCX\Administrators                     Win32_Group                                                                    
    **PCX\ANONYMOUS LOGON**                    Win32_SystemAccount                                                            
    PCX\Authenticated Users                Win32_SystemAccount                                                            
    PCX\Backup Operators                   Win32_Group                                                                    
    PCX\BATCH                              Win32_SystemAccount                                                            
    PCX\BUILTIN                            Win32_SystemAccount                                                            
    PCX\CREATOR GROUP                      Win32_SystemAccount                                                            
    PCX\CREATOR GROUP SERVER               Win32_SystemAccount                                                            
    PCX\CREATOR OWNER                      Win32_SystemAccount                                                            
    PCX\CREATOR OWNER SERVER               Win32_SystemAccount                                                            
    PCX\Cryptographic Operators            Win32_Group                                                                    
    PCX\DIALUP                             Win32_SystemAccount                                                            
    PCX\Distributed COM Users              Win32_Group                                                                    
    PCX\ENTERPRISE DOMAIN CONTROLLERS      Win32_SystemAccount                                                            
    PCX\Event Log Readers                  Win32_Group                                                                    
    PCX\Everyone                           Win32_SystemAccount                                                            
    pcx\Guest                              Win32_UserAccount                                                              
    PCX\Guests                             Win32_Group                                                                    
    PCX\Hyper-V Administrators             Win32_Group                                                                    
    PCX\IIS_IUSRS                          Win32_Group                                                                    
    PCX\INTERACTIVE                        Win32_SystemAccount                                                            
    PCX\IUSR                               Win32_SystemAccount                                                            
    PCX\LOCAL                              Win32_SystemAccount                                                            
    PCX\LOCAL SERVICE                      Win32_SystemAccount                                                            
    PCX\NETWORK                            Win32_SystemAccount                                                            
    PCX\Network Configuration Operators    Win32_Group                                                                    
    PCX\NETWORK SERVICE                    Win32_SystemAccount                                                            
    PCX\OWNER RIGHTS                       Win32_SystemAccount                                                            
    PCX\Performance Log Users              Win32_Group                                                                    
    PCX\Performance Monitor Users          Win32_Group                                                                    
    PCX\Power Users                        Win32_Group                                                                    
    PCX\PROXY                              Win32_SystemAccount                                                            
    PCX\Remote Desktop Users               Win32_Group                                                                    
    PCX\REMOTE INTERACTIVE LOGON           Win32_SystemAccount                                                            
    PCX\Remote Management Users            Win32_Group                                                                    
    PCX\Replicator                         Win32_Group                                                                    
    PCX\RESTRICTED                         Win32_SystemAccount                                                            
    PCX\SELF                               Win32_SystemAccount                                                            
    PCX\SERVICE                            Win32_SystemAccount                                                            
    PCX\SYSTEM                             Win32_SystemAccount                                                            
    pcx/CYBORG                         Win32_UserAccount                                                              
    PCX\TERMINAL SERVER USER               Win32_SystemAccount                                                            
    PCX\Users                              Win32_Group                                                                    
    PCX\WinRMRemoteWMIUsers__              Win32_Group
    



    Can somebody explain to me what is going on? What are "DWM-1" and "ANONYMOUS LOGON"? I have never seen processes running under such usernames.

  • curious_kid
    curious_kid over 10 years
    I googled a lot but didn't find any good explanation. Anyway, thanks for the help.
  • mbx
    mbx over 8 years
    Any source for that claim?