What Is WDAGUtilityAccount in Windows 10 and Windows 11?
WDAGUtilityAccount is a predefined local account created and managed by Microsoft Windows. Its name comes from Windows Defender Application Guard, a security feature that used hardware-based isolation to open untrusted websites and files in a protected container.
Windows uses this account inside the isolated Application Guard environment. It is not intended to be your everyday user account, it should not be used for normal sign-in, and it does not replace your personal administrator or Microsoft account.
Seeing WDAGUtilityAccount in net user, Local Users and Groups, or another account-management tool does not mean that your computer has been hacked.
- Windows-managed: The operating system creates and controls the account as part of its application-isolation architecture.
- Disabled by default: On a normal installation, the account remains disabled unless a compatible Application Guard configuration needs it.
- Standard user context: It is designed to run inside an isolated container with limited rights, not as your main administrator account.
- Not malware: The genuine built-in account is a normal Windows component and should usually be left unchanged.
What Is WDAGUtilityAccount Used For?
Application Guard creates a separate virtualized environment between potentially unsafe content and the main Windows installation. WDAGUtilityAccount provides a restricted user identity inside that container so isolated applications do not run with your normal desktop identity and permissions.
When Application Guard is active on a supported version of Windows, the account can be used to sign in to the container as a standard user. Windows assigns and manages a random password automatically. You do not need to know that password or use the account manually.
| Account Property | Expected Behavior |
|---|---|
| Account type | Predefined local Windows account |
| Main purpose | Provides a restricted identity inside an Application Guard container |
| Default status | Disabled unless the related isolation feature needs it |
| Password | Random and managed automatically by Windows |
| Normal sign-in account | No |
| Malicious by default | No |
Why Does WDAGUtilityAccount Appear on My Computer?
Many Windows account-management tools show all local accounts, including hidden, disabled, and system-managed accounts. Therefore, commands such as net user can display WDAGUtilityAccount alongside your real user account, the built-in Administrator account, Guest, and DefaultAccount.
You may notice WDAGUtilityAccount in any of the following places:
- The output of the net user command
- PowerShell output from Get-LocalUser
- Computer Management under Local Users and Groups
- Advanced permissions or security dialogs
- Third-party system-information or account-auditing utilities
net user shows accounts that exist on the computer. It does not show which account is currently signed in, and it does not mean that every listed account has administrator rights.
Check Which Account You Are Using
Open Command Prompt and run:
```cmd
whoami
```
To display the current user name without the computer or domain prefix, run:
```cmd
echo %USERNAME%
```
Is WDAGUtilityAccount Safe, or Is It a Virus?
The genuine WDAGUtilityAccount is safe. Microsoft documents it as a predefined local Windows account associated with Windows Defender Application Guard. Its presence alone is not evidence of malware, remote access, or another person secretly using your PC.
However, an attacker or unwanted program could theoretically create another local account with a similar-looking name. For that reason, you should check the account status and security identifier if its behavior appears unusual.
Normal signs
- The exact name is WDAGUtilityAccount
- The account is disabled
- Its SID ends in -504
- It is not a member of the Administrators group
- It does not appear as a normal sign-in choice
Warning signs
- A similarly named account has a different SID
- The account is enabled without a known reason
- It belongs to Administrators or another privileged group
- There are unknown recent logons associated with it
- Security software reports other suspicious activity
The genuine account has the relative identifier (RID) 504, so its full local SID normally ends with -504.
How to Verify That WDAGUtilityAccount Is Genuine
Method 1: Check the Account with Command Prompt
- Open Command Prompt or Windows Terminal.
- Run the following command:
```cmd
net user WDAGUtilityAccount
```
Look at the Account active line. On a typical PC where Application Guard is not active, it should show No. The command may also show that Windows manages password-related settings for the account.
Method 2: Check the SID and Enabled Status with PowerShell
Open PowerShell and run:
```powershell
Get-LocalUser -Name "WDAGUtilityAccount" |
    Select-Object Name, Enabled, SID, PasswordRequired, UserMayChangePassword
```
The expected result should show the exact account name and a SID ending in -504.
Method 3: Confirm That It Is Not an Administrator
Run this command in Command Prompt:
```cmd
net localgroup Administrators
```
WDAGUtilityAccount should not normally appear in the Administrators group. On non-English Windows editions, the local group name is translated, so PowerShell may be easier:
```powershell
Get-LocalGroupMember -Group "Administrators"
```
The Get-LocalUser and Get-LocalGroupMember commands are part of the Microsoft.PowerShell.LocalAccounts module. They may be unavailable in 32-bit PowerShell on a 64-bit Windows installation.
Is WDAGUtilityAccount an Administrator Account?
No, not by default. WDAGUtilityAccount is designed as a restricted standard-user identity for an isolated container. Microsoft states that the predefined account does not belong to any local groups by default.
Seeing the account in the output of net user does not mean it is the administrator of your PC. The command lists all local accounts in columns; it does not display account roles or indicate which account owns Windows.
| Question | Answer |
|---|---|
| Is WDAGUtilityAccount my current account? | No. Use whoami to identify the signed-in account. |
| Does it own my computer? | No. It is a system-managed local account for isolation tasks. |
| Is it a member of Administrators? | It should not be a member by default. |
| Can I use it for normal sign-in? | No. It is not intended for interactive everyday use. |
| Should I promote it to administrator? | No. Doing so would weaken the intended security model. |
Should You Disable or Delete WDAGUtilityAccount?
In normal circumstances, you should leave WDAGUtilityAccount unchanged. It is a predefined system account, and deleting, renaming, manually enabling, changing its password, or modifying its group membership can interfere with Windows security features or produce unexpected permission problems.
- Leave the account as it is (safest option): If it is disabled and has the expected SID, no action is necessary.
- Return it to disabled state (troubleshooting): After checking for active Application Guard use, disable the account and investigate why its state changed.
- Delete or rename the account (avoid): This can break system assumptions and offers no meaningful performance or security benefit.
How to Disable It If It Was Enabled Unexpectedly
First make sure that you are not using Application Guard on an older supported Windows build. Then open Command Prompt as administrator and run:
```cmd
net user WDAGUtilityAccount /active:no
```
PowerShell alternative (run as administrator):
```powershell
Disable-LocalUser -Name "WDAGUtilityAccount"
```
Do not run net user WDAGUtilityAccount /delete. Removing a predefined account is unsupported, unnecessary, and may not succeed because Windows protects or recreates system-managed components.
WDAGUtilityAccount in Windows 11 Version 24H2 and Later
Microsoft Defender Application Guard was deprecated and is no longer available starting with Windows 11, version 24H2. Therefore, users of current Windows 11 releases cannot enable the old Application Guard feature in the same way as on earlier supported versions.
Nevertheless, WDAGUtilityAccount can still appear in local account listings because it is a predefined Windows account and may remain registered even when the original feature is unavailable or inactive. The account's presence does not prove that Application Guard is currently installed or running.
| Windows Version | Application Guard Status | What WDAGUtilityAccount Means |
|---|---|---|
| Windows 10 | Available on compatible editions and hardware, but deprecated | May be used when Application Guard is enabled |
| Windows 11 23H2 and earlier | Available on compatible configurations, but deprecated | May be used by the isolation container |
| Windows 11 24H2 and later | No longer available | May remain visible as a predefined disabled account |
Press Win + R, type winver, and press Enter to see your Windows version and OS build.
What to Do If WDAGUtilityAccount Is Enabled or Looks Suspicious
If the account is enabled unexpectedly, belongs to a privileged group, or appears as a selectable sign-in account, do not delete it immediately. Use the following checklist to determine whether the problem is a configuration change, system corruption, or an unrelated malicious account using a similar name.
- Verify the SID. Use PowerShell and confirm that the genuine account SID ends in -504.
- Check whether the account is enabled. Run net user WDAGUtilityAccount and review the Account active field.
- Review local group membership. Confirm that the account is not in Administrators, Remote Desktop Users, or another privileged group.
- Disable it if no supported isolation feature needs it. Use net user WDAGUtilityAccount /active:no from an elevated Command Prompt.
- Run a full Microsoft Defender scan. Open Windows Security, select Virus & threat protection, and run a Full scan or Microsoft Defender Offline scan.
- Check recently created accounts. Compare the creation and modification history of unknown local users in Event Viewer or your security-auditing tools.
- Repair Windows system files. Run SFC and DISM if account settings or Windows security components appear corrupted.
Command Prompt (Administrator):
```cmd
sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth
```
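The verification methods and the first checklist items above can be combined into one read-only PowerShell check. This is an added example, not part of the original article and not a Microsoft tool; it compares by SID so translated group names do not matter, and the `*WDAG*` name pattern used to spot look-alike accounts is an assumption.

```powershell
# Added example: read-only audit of the local account whose SID ends in -504.
# Needs the Microsoft.PowerShell.LocalAccounts module (use 64-bit PowerShell).
$expectedName = 'WDAGUtilityAccount'
$ridPattern   = '-504$'      # the genuine account's SID ends in -504
$findings     = [System.Collections.Generic.List[string]]::new()

# Identify the account by SID, not by name, so a renamed or spoofed name is caught.
$users   = @(Get-LocalUser)
$genuine = $users | Where-Object { $_.SID.Value -match $ridPattern } | Select-Object -First 1

if (-not $genuine) {
    $findings.Add('No local account has a SID ending in -504.')
} else {
    if ($genuine.Name -ne $expectedName) {
        $findings.Add("The -504 account is named '$($genuine.Name)' instead of $expectedName.")
    }
    if ($genuine.Enabled) {
        $findings.Add('The -504 account is enabled.')
    }
    # The account has no group memberships by default, so any membership is a finding.
    # Groups are matched by SID, which works on non-English Windows editions.
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -SID $group.SID -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $genuine.SID.Value) {
            $findings.Add("The -504 account is a member of '$($group.Name)' ($($group.SID.Value)).")
        }
    }
}

# Heuristic (assumption): another account whose name contains 'WDAG' is a look-alike.
$users | Where-Object { $_.Name -like '*WDAG*' -and $_.SID.Value -notmatch $ridPattern } |
    ForEach-Object { $findings.Add("Look-alike account '$($_.Name)' has SID $($_.SID.Value).") }

# Show the account's key properties, then the verdict.
$genuine | Select-Object Name, Enabled, SID, LastLogon, PasswordLastSet | Format-List
if ($findings.Count -eq 0) {
    'OK: the account matches the expected defaults.'
} else {
    $findings | ForEach-Object { "REVIEW: $_" }
}
```

A membership in the group with SID S-1-5-32-544 is the Administrators group regardless of the display language.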
Check Local Account Events in Event Viewer
- Press Win + R, type eventvwr.msc, and press Enter.
- Open Windows Logs → Security.
- Look for account-management events such as account creation, enabling, disabling, or group membership changes.
- Check the date, initiating account, and affected user name.
Investigate further if the account has a SID that does not end in -504, has administrator privileges, accepts interactive sign-in, or appeared together with other signs of compromise.
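The Event Viewer review above can also be done from an elevated PowerShell session. This added example (not from the original article) filters the Security log for the standard account-management event IDs listed in its comments; the 30-day window and the `*WDAG*` name pattern are assumptions.

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.
# 4720 created, 4722 enabled, 4724 password reset attempt, 4725 disabled,
# 4732 member added to a local group, 4738 account changed.
$ids   = 4720, 4722, 4724, 4725, 4732, 4738
$since = (Get-Date).AddDays(-30)          # look-back window (assumption)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue           # no matching events is not an error here

$rows = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # In 4732 the Target* fields describe the group; the account is in MemberSid.
    $isGroupChange = $e.Id -eq 4732
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Initiator  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Account    = if ($isGroupChange) { $data.MemberName } else { $data.TargetUserName }
        AccountSid = if ($isGroupChange) { $data.MemberSid }  else { $data.TargetSid }
        Group      = if ($isGroupChange) { $data.TargetUserName } else { $null }
    }
}

# Keep events that touch the -504 account or a similarly named one.
$rows | Where-Object { $_.AccountSid -match '-504$' -or $_.Account -like '*WDAG*' } |
    Sort-Object Time | Format-Table -AutoSize
```

An empty result means only that no matching events were logged in the window; these events are recorded only when account-management auditing is enabled.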
Frequently Asked Questions About WDAGUtilityAccount
Q: Why did WDAGUtilityAccount suddenly appear after a Windows update?
Windows updates can register, restore, or expose built-in account information that was already part of the operating system. The account may also become visible because you used a command or management tool that lists hidden and disabled users. Its appearance does not necessarily mean that the account was newly created or activated.
Q: Is WDAGUtilityAccount connected to another person who used the PC?
No. The genuine account is created by Windows, not by a previous owner. On a used computer, you should still perform a clean Windows installation or a full reset if you do not trust the previous configuration, but WDAGUtilityAccount itself is not evidence of another person's access.
Q: Why is WDAGUtilityAccount shown next to my user name in net user?
The net user command formats all local account names into columns. Accounts shown on the same row are not linked and do not share permissions. Use whoami to identify your current account and net localgroup Administrators to see which users actually have administrator rights.
Q: Can WDAGUtilityAccount access my personal files?
The account is intended for a restricted isolated environment and is not a normal interactive user. It should not be used to browse your desktop profile. Application Guard policies could allow limited controlled data exchange with the host, but that is separate from ordinary local-file ownership and does not make the account your administrator.
Q: Can I change the WDAGUtilityAccount password?
You should not change it. Windows generates and manages the password automatically for the isolated environment. Manually resetting the password provides no practical benefit and can interfere with the feature on systems where Application Guard is still supported.
Q: Why does the account not appear on the Windows sign-in screen?
WDAGUtilityAccount is a system-managed account intended for container use, not normal interactive sign-in. Windows normally keeps it disabled and hidden from the sign-in interface.
Q: Does deleting WDAGUtilityAccount make Windows faster or safer?
No. A disabled account does not consume meaningful CPU or memory, and removing a predefined Windows account does not improve performance. Keeping it disabled with its default permissions is safer than attempting to delete or modify it.
Q: Is WDAGUtilityAccount used by Windows Sandbox?
Microsoft's account documentation specifically identifies WDAGUtilityAccount as the predefined account for Windows Defender Application Guard. Although both Application Guard and Windows Sandbox rely on virtualization-based isolation technologies, you should not assume that the account proves Windows Sandbox is installed or running.
Conclusion
WDAGUtilityAccount is a legitimate predefined Windows account associated with Windows Defender Application Guard. It normally remains disabled, uses a Windows-managed random password, has no group memberships by default, and is not intended for everyday sign-in.
If the account is disabled and its SID ends in -504, you can safely leave it alone. Do not delete it, rename it, reset its password, or grant it administrator rights. Investigate only when its status, SID, group membership, or sign-in behavior differs from the expected defaults.