Windows Users like “Window Manager\DWM-3” are virtual users
Posted by jpluimers on 2021/03/15
Having seen logon failures from user Window Manager\DWM-3 while on a public WiFi network, I did a quick search on [WayBack] “Window Manager\DWM-3” – Google Search.
It appeared somebody trying a dictionary attack on the RDP port of my Windows VM which was on the host Bridged Network (see [Archive.is] Help – VMware Fusion 6 Documentation Center).
This is a virtual user that is part of a series of users that the Desktop Window Manager started using from Windows 8 and up.
The first user always exist, DWM-2 and up are created for new dwm.exe processes (by winlogon.exe) when users start logging on through RDP connections to a Windows machine:
Window Manager\DWM-1Window Manager\DWM-2Window Manager\DWM-3Window Manager\DWM-4
In addition to logging on as a new user, as of Windows 8, these also are created when shutting down and starting up (which Windows fools you by actually doing a kind of hibernate): [Wayback] windows 8 – What is winlogon.exe -SpecialSession? – Super User
Related:
- [WayBack] Standard Processes in Windows 10 | Forensic Focus – Articles
- [WayBack] Why Desktop Windows Manager states DWM-2,DWM3,DWM-1 in task manager
- [WayBack] Accounts Everywhere: part 1, Virtual Accounts – 1E
- [WayBack] Accounts Everywhere, part 2: Managed Service Accounts
- [Archive.is] Google Translate: Is it possible to find out if the remote connection was in a user session?
- [WayBack] Failure of LDAP lookup on Desktop Windows Manager logged on account causes “Server is Busy” and ASC Failure errors
- [WayBack] Multiple failed logon attempts from “Windows Manager\DWM-#”
- [Wayback] Will Windows ever change DWM.exe? : Windows10
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a Reply