S-1-1-0
From the installation log of the driver for a REINER SCT smart card reader:
Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </subdirectories "C:\ProgramData\REINER SCT\*" /grant="S-1-1-0"=F>
Um. Come again? S-1-1-0 is Everyone.
C:\ProgramData\REINER SCT\cyberJack Base Components>icacls ctf_bdr.rsct
ctf_bdr.rsct Everyone:(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
C:\ProgramData\REINER SCT\cyberJack Base Components>icacls .
. Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
The files are “transfer files” according to the (rather pointless) file type registration. They look encrypted. I suspect they are some kind of firmware.
Why would anyone in their right mind set a directory full of firmware for a smart card reader to be world writable?
The next line in the log file is this:
Executing Process <C:\Program Files (x86)\REINER SCT\cyberJack\subinacl.exe> with </keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers" /grant="S-1-5-19"=F>
NT AUTHORITY\LOCAL SERVICE. Probably also not a good idea; I think this is left from before there were virtual service accounts.
Time to ask the company.