Phantom NT 4.0 Account

[Editor's Note: Share your security discoveries, comments, problems, solutions, and experiences with products. Email your contributions (500 words or less) to [email protected] We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]

A while back, in my role as a systems administrator, I was running User Manager to view my Windows NT 4.0 accounts to see whether the account information was current. I noticed what appeared to be two group accounts named Administrators, and I wondered how two accounts could have the same name. On closer examination, I saw that one of the accounts was the built-in Administrators group account. The other account had an additional character appended to the account name—this character displayed as a black square after the account name's final letter.

Each time I tried to delete or otherwise manage the account with the invalid appended character, I received the error message The group properties cannot be edited or viewed at this time. At first, I thought an intruder might have added the account. But the Security event log showed that a local systems administrator had created the account. Although the account didn't seem to be serving any purpose, I couldn't figure out how to delete it.

A colleague directed me to the Microsoft article "Invalid Accounts Created with ADDUSERS.EXE," which suggests that the Microsoft Windows NT Server 4.0 Resource Kit's addusers.exe utility can handle invalid characters in a username. When I entered

addusers /?

at a command prompt, I received the syntax and information that Figure 1, page 15, shows.

First, I used the /d switch and piped the output to a text file containing all the users and groups in the domain. I then deleted all the lines in the text file except the line containing the account in question, which I saved as group.txt. I used debug.exe, from \winnt\system32\debug.exe, to examine this file and saw that the name administrators had a hexadecimal 09 at the end, as Figure 2 shows. This output confirmed my suspicion that the account name included an invalid character—that is, the hex 09. To delete the account, I opened a command prompt and entered addusers \\domainPDC /e group.txt.
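The check the author performed by hand with debug.exe (dump the accounts, find the name with the stray byte, keep only that line for addusers /e) can be scripted so that every account name is screened rather than just the one that happened to look odd in User Manager. The following Python script is an added example, not code from the article or from the Resource Kit. It assumes an addusers /d style export with [User], [Global] and [Local] sections and the account name as the first comma-separated field; the sample dump is constructed for the example, and the trailing hex 09 on the second Administrators line reproduces the phantom account described above.

```python
"""Flag account names in an addusers-style dump that carry control or other
non-printable characters (e.g. a trailing 0x09) and build the one-entry file
that would be handed to 'addusers /e'. Added example; format is assumed."""

# Constructed sample in the style of an "addusers /d" export. Section names and
# the comma-separated field layout are assumptions for this example. The last
# [Local] line carries a trailing TAB (hex 09), like the phantom account.
SAMPLE_DUMP = (
    "[User]\n"
    "jsmith,John Smith,,Finance,,,,\n"
    "[Global]\n"
    "Domain Admins,Designated administrators of the domain,jsmith\n"
    "[Local]\n"
    "Administrators,Members can fully administer the computer/domain,jsmith\n"
    "Administrators\t,,\n"
)


def _is_bad(ch):
    """True for ASCII controls (0x00-0x1F, 0x7F) and anything non-printable."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F or not ch.isprintable()


def parse_dump(text):
    """Return (section, account_name, raw_line) tuples. The name is the first
    comma-separated field and is deliberately not stripped, so stray bytes survive."""
    entries = []
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        entries.append((section, raw.split(",", 1)[0], raw))
    return entries


def suspicious_chars(name):
    """Positions and two-digit hex codes of characters the name should not contain."""
    return [(i, f"{ord(ch):02X}") for i, ch in enumerate(name) if _is_bad(ch)]


def clean_name(name):
    """The name with suspicious characters removed, i.e. roughly what User
    Manager displays (minus the black square)."""
    return "".join(ch for ch in name if not _is_bad(ch))


def find_phantoms(text):
    """Report every entry with suspicious characters and whether its cleaned
    name collides with another account in the same section (the 'two
    Administrators groups' effect)."""
    entries = parse_dump(text)
    counts = {}
    for section, name, _ in entries:
        key = (section, clean_name(name))
        counts[key] = counts.get(key, 0) + 1
    report = []
    for section, name, raw in entries:
        bad = suspicious_chars(name)
        if bad:
            report.append({
                "section": section,
                "name": name,
                "bad": bad,
                "collides": counts[(section, clean_name(name))] > 1,
                "raw": raw,
            })
    return report


def build_delete_file(text):
    """Contents of a minimal file for 'addusers /e': each affected section's
    header followed only by the flagged line(s), byte-for-byte, so the tool
    can match the real (invalid) account name."""
    by_section = {}
    for entry in find_phantoms(text):
        by_section.setdefault(entry["section"], []).append(entry["raw"])
    out = []
    for section, lines in by_section.items():
        out.append(f"[{section}]\n" + "".join(line + "\n" for line in lines))
    return "".join(out)


if __name__ == "__main__":
    for entry in find_phantoms(SAMPLE_DUMP):
        print(f"[{entry['section']}] {entry['name']!r}: bad chars {entry['bad']}, "
              f"collides with a clean name: {entry['collides']}")
    print(build_delete_file(SAMPLE_DUMP), end="")
```

Run against a real export, the script lists every account whose name contains a control or non-printable character with the offset and hex value of each, and writes the minimal section-plus-line file the author built by hand; the flagged line is copied unchanged because the stray byte is exactly what addusers must match to find the account.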
