
---
date: "2016-12-01"
draft: false
title: "SID & RID"
---


SID Components

  1. Prefix (S)
  2. A revision level,
  3. An identifier-authority value,
  4. One or more subauthority values, and
  5. A Relative ID (RID).

Example SID Decode

| Part | Value | Meaning |
|---|---|---|
| Prefix | S | The string is a SID. |
| Revision | 1 | The revision level (the version of the SID specification). |
| Identifier authority | 5 | The identifier authority value. |
| Subauthorities | 21-3623811015-3361044348-30300820 | Domain or local computer identifier. |
| RID | 1013 | A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater. |

Identifier Authorities

| Decimal | Name |
|---|---|
| 0 | Null Authority |
| 1 | World Authority |
| 2 | Local Authority |
| 3 | Creator Authority |
| 4 | Non-unique Authority |
| 5 | NT Authority |
| 9 | Resource Manager Authority |
| 11 | Microsoft Account Authority |


Well-Known RIDs

| Well-Known Entity | RID | Type | Essential |
|---|---|---|---|
| Domain Administrator | 500 | User | No |
| Domain Guest | 501 | User | No |
| Domain KRBTGT | 502 | User | No |
| Domain Admins | 512 | Group | Yes |
| Domain Users | 513 | Group | Yes |
| Domain Guests | 514 | Group | Yes |
| Domain Computers | 515 | Group | No |
| Domain Controllers | 516 | Group | No |
| Domain Certificate Admins | 517 | Group | No |
| Domain Schema Admins | 518 | Group | No |
| Domain Enterprise Admins | 519 | Group | No |
| Domain Policy Admins | 520 | Group | No |
| Builtin Admins | 544 | Alias | No |
| Builtin Users | 545 | Alias | No |
| Builtin Guests | 546 | Alias | No |
| Builtin Power Users | 547 | Alias | No |
| Builtin Account Operators | 548 | Alias | No |
| Builtin System Operators | 549 | Alias | No |
| Builtin Print Operators | 550 | Alias | No |
| Builtin Backup Operators | 551 | Alias | No |
| Builtin Replicator | 552 | Alias | No |
| Builtin RAS Servers | 553 | Alias | No |


Machine SID from the V value

| Step | Values |
|---|---|
| Read the last 12 bytes of `HKLM\SAM\SAM\Domains\Account\V` | 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B |
| Divide the bytes into 3 sections | 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B |
| Reverse the order of bytes in each section | 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07 |
| Convert each section into decimal | 1085031214 - 1563985344 - 725345543 |
| Add the machine SID prefix | S-1-5-21-1085031214-1563985344-725345543 |

Recovery

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:

  • regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS@ (last 12 bytes)
  • explorer.exe: %windir%\system32\config\SECURITY

Get a user's SID:

  • `psgetsid`
  • `wmic useraccount where name='' get sid`
  • `wmic useraccount where name='%username%' get sid` - gets the SID of the currently logged-on user
  • `wmic useraccount where (name='administrator' and domain='%computername%') get sid` - gets the SID of the local administrator
  • `wmic useraccount get name,sid` - gets all SIDs
  • `reg query hku` - this will give you all user SIDs
  • `psgetsid`
  • `gci registry::hku`

Get a user name from a SID:

  • `wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name`
  • `psgetsid`

Decode a machine SID:

  • `reg query HKLM\SAM\SAM\Domains\Account /v V`
  • Copy the last 12 bytes from the entry: 75B97554D805B44DF094C85F
  • Divide into 3 sections: 75B97554 D805B44D F094C85F
  • Reverse the order of the bytes in each group: 54 75 B9 75 - 4D B4 05 D8 - 5F C8 94 F0
  • Convert each section into decimal: 1417001333 1303643608 1606980848
  • That is the machine SID (prefixed with S-1-5-21- as above)

Find the next available RID:

  • `reg query HKLM\SAM\SAM\Domains\Account /v F`
  • Count to offset 0x48 (72 in decimal); take the next 4 bytes, i.e. EF 03
  • Reverse the bytes: 03EF; convert to decimal: 1007
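The manual byte-reversal recipes above (machine SID from the V value, the binary SID kept under PolAcDmS, and the next-RID field in the F value) are all little-endian decoding, so here is an added Python example, not part of the original notes, that performs them and also decodes the general binary SID layout of which the 12-byte V tail is one instance. The sample inputs are constructed from the values walked through in the text; the function names are my own.

```python
import struct

# Constructed sample inputs (not captured from a real machine): the V bytes and the
# F offset value are the ones walked through in the text above.
SAMPLE_V_TAIL = bytes.fromhex("2E43AC40C085385D07E53B2B")
SAMPLE_F = b"\x00" * 0x48 + b"\xEF\x03\x00\x00"   # next-RID field at offset 0x48
# Binary SID in the on-disk layout used by PolAcDmS, packed here from known values.
SAMPLE_POLACDMS = struct.pack("<BB", 1, 4) + (5).to_bytes(6, "big") + \
    struct.pack("<4I", 21, 1085031214, 1563985344, 725345543)

def machine_sid_from_v(v_value: bytes) -> str:
    """Machine SID from HKLM\\SAM\\SAM\\Domains\\Account\\V: the last 12 bytes are
    three little-endian 32-bit sub-authorities, which is why the manual recipe
    reverses each 4-byte group before converting to decimal."""
    if len(v_value) < 12:
        raise ValueError("V value is shorter than 12 bytes")
    subs = struct.unpack("<3I", v_value[-12:])
    return "S-1-5-21-" + "-".join(str(s) for s in subs)

def sid_from_binary(blob: bytes) -> str:
    """General binary SID decoder: revision byte, sub-authority count byte,
    6-byte big-endian identifier authority, then count little-endian DWORDs."""
    revision, count = blob[0], blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def next_rid_from_f(f_value: bytes) -> int:
    """Next available RID from the F value: little-endian DWORD at offset 0x48."""
    return struct.unpack_from("<I", f_value, 0x48)[0]

def split_sid(sid: str) -> dict:
    """Split a SID string into the components listed above; the final
    sub-authority is the RID (1000 or greater for non-default accounts)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID: %r" % sid)
    numbers = [int(p) for p in parts[1:]]
    return {"revision": numbers[0], "authority": numbers[1],
            "subauthorities": numbers[2:-1], "rid": numbers[-1]}

if __name__ == "__main__":
    print(machine_sid_from_v(SAMPLE_V_TAIL))  # S-1-5-21-1085031214-1563985344-725345543
    print(next_rid_from_f(SAMPLE_F))          # 1007
```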