SIDs

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

To see the SIDs of the accounts that have profiles on a machine, open the Windows NT Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; its subkeys are named by SID.
SID values are typically displayed in the format:
S-1-5-d1-d2-d3-rid, where
  • S-1-5 is the SID revision level.
  • d1-d2-d3 identifies the domain.
  • rid is the Relative ID of the account:
    • 500 is the automatically created Administrator account
    • 501 is the automatically created Guest account
    • 1001 is the first user account created
    • 1002 is the second user account created
The RID starts at a fixed value and is incremented by one for each account created. SIDs are unique unless one uses cloning. If you clone a workstation, the user accounts on the two workstations will have the same SIDs: the first user accounts will be identical, so will the second, and so on. In workgroup environments, security is based on local account SIDs, so accounts with duplicate SIDs have identical access rights. Whatever one has access to, so does the other.

Since the built-in Administrator account is the account with RID=500, it cannot be obscured successfully by renaming it. There are baby hacker tools which will tell you which account has RID=500.

There are freeware utilities, user2sid and sid2user, which will tell you the SID for any account or the user for a particular SID. Should the user2sid page go offline, the author made the utilities and source code available to ntbugtraq.

Mark Russinovich and Bryce Cogswell have written the freeware NewSID, which will generate a new random SID for a cloned PC, or a SID synchronized with a PDC so one can move a BDC from one domain to another. As icing on the cake, Russinovich and Cogswell provide the source code for educational purposes.
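The two facts above (the RID is the last component of a SID, and cloned workstations share everything before it) are easy to check from an account inventory. The following is an added Python example written for this page; it is not code from the article, from user2sid/sid2user or from NewSID. The three workstations and their accounts are constructed sample data: WS1 and WS2 are assumed to have been cloned from one image, and WS2's RID-500 account is assumed to have been renamed, so the parser should still flag it as the built-in Administrator.

```python
"""Parse Windows string SIDs, classify RIDs and detect cloned machine SIDs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical hosts and SIDs, not from the article):
# host -> {account SID: account name}. WS1 and WS2 share a machine SID (cloned).
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "WS1": {
        "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
        "S-1-5-21-1111111111-2222222222-3333333333-1001": "alice",
    },
    "WS2": {
        "S-1-5-21-1111111111-2222222222-3333333333-500": "RenamedAdmin",
        "S-1-5-21-1111111111-2222222222-3333333333-1001": "bob",
    },
    "WS3": {
        "S-1-5-21-4444444444-5555555555-6666666666-500": "Administrator",
        "S-1-5-21-4444444444-5555555555-6666666666-1001": "carol",
    },
}

# S-<revision>-<authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class ParsedSid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        """The Relative ID is always the last sub-authority."""
        return self.subauthorities[-1]

    @property
    def domain_identifier(self) -> str:
        """Everything before the RID: S-1-5-d1-d2-d3 in the article's notation."""
        parts = ["S", str(self.revision), str(self.authority)]
        parts += [str(x) for x in self.subauthorities[:-1]]
        return "-".join(parts)


def parse_sid(text: str) -> ParsedSid:
    """Split a string SID into revision, authority and sub-authorities."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a string SID: %r" % text)
    subs = tuple(int(x) for x in m.group(3).strip("-").split("-"))
    return ParsedSid(int(m.group(1)), int(m.group(2)), subs)


def classify_rid(rid: int) -> str:
    """Name the well-known RIDs the article lists; 1000+ is taken as user-created
    (an assumption consistent with the article's 1001/1002 examples)."""
    if rid == 500:
        return "built-in Administrator"
    if rid == 501:
        return "built-in Guest"
    if rid >= 1000:
        return "user-created account"
    return "other well-known or reserved RID"


def find_builtin_admin(accounts: Dict[str, str]) -> List[str]:
    """Return the names of accounts holding RID 500, whatever they were renamed to."""
    return [name for sid, name in accounts.items() if parse_sid(sid).rid == 500]


def find_duplicate_machine_sids(inventory: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each machine/domain identifier seen on more than one host to those hosts.
    Hosts sharing an identifier were cloned and carry identical account SIDs."""
    hosts_by_domain: Dict[str, set] = defaultdict(set)
    for host, accounts in inventory.items():
        for sid in accounts:
            hosts_by_domain[parse_sid(sid).domain_identifier].add(host)
    return {d: sorted(h) for d, h in hosts_by_domain.items() if len(h) > 1}


if __name__ == "__main__":
    for host, accounts in SAMPLE_INVENTORY.items():
        print(host, "RID-500 account(s):", find_builtin_admin(accounts))
    print("cloned machine SIDs:", find_duplicate_machine_sids(SAMPLE_INVENTORY))
```

Run as a script it reports "RenamedAdmin" as WS2's RID-500 account and lists WS1 and WS2 under the shared identifier S-1-5-21-1111111111-2222222222-3333333333; WS3, with its own machine SID, is not reported. The duplicate check only needs the account SIDs, so the same function works over whatever inventory export a workgroup's machines provide.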

I am not absolutely convinced, but if I had to do it, I would give this a try.
