In my answer to the Superuser.com question List of Hidden / Virtual Windows User Accounts I wrote:
Even these lists don't give you every possible account. For example, you can create an application pool FooBarPool and then delete it again, but you can still use IIS APPPOOL\FooBarPool in the permissions dialog, so there must be an internal list somewhere.
I'm talking about accounts for which you can set NTFS and other object permissions.
In this post I'm going to answer the question of where these orphaned accounts are stored.
If you create a new IIS Application Pool FooBarPool, nothing really happens at first. But as soon as the AppPool runs for the first time, because a request hits a site that uses the pool, a new virtual account IIS APPPOOL\FooBarPool is created with the SID S-1-5-82-3350508232-2665999247-216229732-1971348742-544991869. You can see that SID in the Process Explorer properties of the w3wp.exe process.
This SID is the same for every AppPool named FooBarPool, on any computer, because it is derived from the name rather than assigned when the account is created. All IIS APPPOOL\* accounts have the prefix S-1-5-82- and the remaining five subauthorities come from a SHA-1 hash of the string foobarpool, the pool name in lower case. One consequence worth keeping in mind: an ACL entry granting access to IIS APPPOOL\FooBarPool is valid on any server that has (or once had) a pool of that name, whether or not it runs the same application.
This account is saved in the registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts, which lists (by SID) the accounts for which the Local Security Authority holds policy settings on the local machine. The SECURITY hive is normally not accessible even to administrators, but from an elevated prompt you can use psexec -s -i regedit.exe to run regedit as SYSTEM and look at that key.
Now, deleting the AppPool FooBarPool doesn't delete the account that was created for it, and creating a new AppPool with the same name will reuse the existing account. So when you run:
icacls.exe C:\test /grant "IIS APPPOOL\FooBarPool:(OI)(CI)(M)"
the OS hashes the name to get the SID for that account and finds that SID in the registry, so the name still resolves even though the AppPool no longer exists.
So can we find out all the Application Pool names that these accounts were created for? I don't think so, at least not from the registry: only the SID is stored, and while it is easy to get the SID from the name of the pool, you cannot get the name back from the SID, because it is a one-way hash. That only protects names nobody can guess, though. The hash has no salt, and pool names are short and usually predictable (often the site name), so hashing a list of candidate names and comparing the results will recover most of them.
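The two points above, computing the SID from the pool name and matching orphaned SIDs against a list of candidate names, as an added example that is not part of the original post. It goes beyond the post in one respect: it shows the dictionary lookup that recovers a pool name from its SID when the name is guessable. The exact hashing details are assumptions not stated in the post: the string hashed is the pool name lower-cased and encoded as UTF-16LE, and the 20-byte SHA-1 digest is read as five little-endian unsigned 32-bit integers. Compare the output for FooBarPool against the SID reported above to confirm this on your own machine.

```python
"""
Added example, not code from the original post: derive the SID of
IIS APPPOOL\<name> from the pool name, and map SIDs copied from the
subkeys of HKLM\SECURITY\Policy\Accounts back to pool names by hashing
a list of candidate names.

Assumptions (not stated in the post): the hashed string is the pool
name lower-cased and UTF-16LE encoded, and the SHA-1 digest is read as
five little-endian uint32 subauthorities.
"""
import hashlib
import struct

APPPOOL_SID_PREFIX = "S-1-5-82"

# SID the post reports for IIS APPPOOL\FooBarPool, kept here only so the
# reader can compare the computed value against it.
FOOBARPOOL_SID_FROM_POST = (
    "S-1-5-82-3350508232-2665999247-216229732-1971348742-544991869"
)


def apppool_sid(pool_name: str) -> str:
    """Return the virtual-account SID for IIS APPPOOL\\<pool_name>.

    The name is lower-cased first, which is why FooBarPool and foobarpool
    map to the same account and why the SID is identical on every machine.
    """
    # Assumption: lower-cased name, UTF-16LE bytes, SHA-1.
    digest = hashlib.sha1(pool_name.lower().encode("utf-16-le")).digest()
    # Assumption: five little-endian unsigned 32-bit subauthorities.
    subauthorities = struct.unpack("<5I", digest)
    return APPPOOL_SID_PREFIX + "".join(f"-{n}" for n in subauthorities)


def is_apppool_sid(sid: str) -> bool:
    """True if the SID has the IIS APPPOOL shape:
    S-1-5-82 followed by exactly five 32-bit subauthorities."""
    parts = sid.split("-")
    if len(parts) != 9 or "-".join(parts[:4]) != APPPOOL_SID_PREFIX:
        return False
    return all(p.isdigit() and int(p) < 2**32 for p in parts[4:])


def name_sids_from_candidates(sids, candidates):
    """Map each IIS APPPOOL SID in `sids` back to a pool name by hashing
    every candidate name and comparing.

    The hash is one-way, but it is unsalted and the input is a short,
    human-chosen name (often the site name), so a dictionary of plausible
    names is usually enough. Returns {sid: name_or_None} for every SID
    that has the IIS APPPOOL shape; other SIDs are ignored.
    """
    lookup = {apppool_sid(name): name for name in candidates}
    return {sid: lookup.get(sid) for sid in sids if is_apppool_sid(sid)}


if __name__ == "__main__":
    computed = apppool_sid("FooBarPool")
    print("IIS APPPOOL\\FooBarPool ->", computed)
    print("matches SID reported in the post:", computed == FOOBARPOOL_SID_FROM_POST)

    # Constructed input: SIDs as you would copy them from the subkeys of
    # HKLM\SECURITY\Policy\Accounts, plus candidate names taken from IIS
    # site names and old deployment scripts. "Intranet" has no candidate
    # match here, and S-1-5-32-544 (BUILTIN\Administrators) is skipped.
    found_sids = [
        apppool_sid("FooBarPool"),
        apppool_sid("Intranet"),
        "S-1-5-32-544",
    ]
    candidates = ["DefaultAppPool", "FooBarPool", "Classic .NET AppPool"]
    for sid, name in name_sids_from_candidates(found_sids, candidates).items():
        print(sid, "->", name or "(unknown: not in candidate list)")
```

Run it once with the pool names you know (site names, names from deployment scripts, the IIS defaults) and it tells you which orphaned S-1-5-82 entries in the Accounts key are still unexplained; those are the ones worth a closer look before you trust an ACL that names them.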