Security Identifier

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.

Overview

Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.

SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.

The format of a SID can be illustrated using the following example, "S-1-5-21-3623811015-3361044348-30300820-1013":

  - S: the string is a SID.
  - 1: the revision level (the version of the SID specification).
  - 5: the identifier authority value.
  - 21-3623811015-3361044348-30300820: the subauthority values. In this case, a domain (21) with a unique 96-bit identifier. There may be more than one subauthority, to encode values larger than 32 bits, as in this example.
  - 1013: a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Identifier Authority Values

Known identifier authority values are: [1] [2]

| Decimal | Name | Display Name | First Introduced | References | Notes |
|---|---|---|---|---|---|
| 0 | Null Authority | | | | e.g. "Nobody" (S-1-0-0) |
| 1 | World Authority | (not shown) | | | e.g. well-known groups such as "Everyone" (S-1-1-0) |
| 2 | Local Authority | (not shown) | | | e.g. flag SIDs like "CONSOLE LOGON" |
| 3 | Creator Authority | | | | |
| 4 | Non-unique Authority | | | | |
| 5 | NT Authority | NT AUTHORITY\ | | | Managed by the NT security subsystem. There are many sub-authorities, such as "BUILTIN" and every Active Directory domain |
| 7 | Internet$ | Internet$\ | Windows 7 | | |
| 9 | Resource Manager Authority | | Windows Server 2003 | [3] [4] | |
| 11 | Microsoft Account Authority | MicrosoftAccount\ | Windows 8 | [5] | |
| 12 | Azure Active Directory | AzureAD\ | Windows 10 | | |
| 15 | Capability SIDs | | Windows 8, Windows Server 2012 | [6] [7] [8] | All capability SIDs begin at S-1-15-3 (see below) |
| 16 | Mandatory Label | Mandatory Label\ | Windows Vista | | Used as part of Mandatory Integrity Control |
| 18 | Asserted Identity | | | | |

Capability SIDs (identifier authority 15) all begin at S-1-15-3. By design, a capability SID does not resolve to a friendly name. The most commonly used capability SID is the following:

S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

Identifying a capability SID: per Microsoft Support, [7] "Important - DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back."

S-1-5 Subauthority Values [6] [9] [10]

| Decimal | Name | Display Name | First Introduced | References | Notes |
|---|---|---|---|---|---|
| 18 | LocalSystem | LocalSystem | NT 3.x | | S-1-5-18 is the well-known SID for LocalSystem |
| 19 | LocalService | Local Service | | | S-1-5-19 is the well-known SID for LocalService |
| 20 | NetworkService | Network Service | | | S-1-5-20 is the well-known SID for NetworkService |
| 21 | Domain | | | | |
| 32 | Users | | Windows 7 | | e.g. S-1-5-32-568 is the group ID for IIS_IUSRS |
| 64 | Authentication | | | | 10 - NTLM; 14 - SChannel; 21 - Digest |
| 80 | NT Service | NT SERVICE\ | Windows Vista | | Can be a "Virtual Account NT Service", such as for SQL Server installations. S-1-5-80-0 corresponds to "NT SERVICE\ALL SERVICES" |
| 82 | IIS AppPool | AppPoolIdentity\ | Windows 7 | | |
| 83 | Virtual Machines | NT VIRTUAL MACHINE\ | Windows 7 | | "NT Virtual Machine\{guid}" where {guid} is the GUID of the Hyper-V VM. S-1-5-83-0 is the group ID for "NT VIRTUAL MACHINE\Virtual Machines" |
| 90 | Window Manager | Windows Manager Group (DWM) | Windows 7 | | Window manager class |
| 96 | Font Driver | | Windows 7 | | Font Driver Host\UMFD-1 |

Virtual Accounts are defined for a fixed set of class names, but the account name is not fixed, so the number of accounts available within each class is practically unlimited. The names take the form "Account Class\Account Name", e.g. "AppPoolIdentity\Default App Pool". The SID is based on a SHA-1 hash of the lower-case name. Virtual Accounts can each be given permissions separately, as each maps to a distinct SID. This avoids the "cross-sharing permissions" problem that arises when every service runs under the same NT AUTHORITY account (such as "NT AUTHORITY\Network Service").

Machine SIDs

The machine SID (the S-1-5-21 form) is stored in the SECURITY registry hive under SECURITY\SAM\Domains\Account. This key has two values, F and V. V is a binary value with the computer SID embedded at the end of its data (the last 96 bits). [11] (Some sources state that it is stored in the SAM hive instead.) A backup is located at SECURITY\Policy\PolAcDmS\@.

NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.

NewSID readme

The machine SID subauthority format is used for domain SIDs too. A machine is considered its own local domain in this case.

Decoding Machine SID

The machine SID is stored in raw-bytes form in the registry. To convert it into the more common numeric form, one interprets it as three little-endian 32-bit integers, converts them to decimal, and joins them with hyphens.

Example, starting from the raw bytes 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B:

  1) Divide the bytes into 3 sections: 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B
  2) Reverse the order of bytes in each section: 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07
  3) Convert each section into decimal: 1085031214 - 1563985344 - 725345543
  4) Add the machine SID prefix: S-1-5-21-1085031214-1563985344-725345543
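The SID string layout described in the Overview and the four-step byte procedure above, as an added Python example (not code from the original page): it parses a SID string into its fields, decodes the standard binary SID layout (revision byte, subauthority-count byte, 6-byte big-endian identifier authority, little-endian 32-bit subauthorities), and extracts the machine SID from the tail of a V value. The V value used here is constructed from the worked example's 12 bytes plus filler, not real registry data.

```python
import struct

MACHINE_SID_PREFIX = "S-1-5-21"


def parse_sid_string(sid: str) -> dict:
    """Split an S-R-A-X-... string into revision, identifier authority,
    subauthorities and RID (the layout shown in the Overview example)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    rid = subauths[-1] if subauths else None
    return {
        "revision": revision,
        "identifier_authority": authority,
        "subauthorities": subauths,
        "rid": rid,
        # Accounts created after installation get RIDs of 1000 or greater.
        "is_default_rid": rid is not None and rid < 1000,
    }


def binary_sid_to_string(data: bytes) -> str:
    """Decode the binary SID layout: revision (1 byte), subauthority count
    (1 byte), 48-bit big-endian identifier authority, then `count`
    little-endian 32-bit subauthorities."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("subauthority count does not match data length")
    authority = int.from_bytes(data[2:8], "big")
    subauths = struct.unpack(f"<{count}I", data[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subauths))


def machine_sid_from_v_value(v_value: bytes) -> str:
    """The machine SID is the last 96 bits of the SAM 'V' value: three
    little-endian 32-bit integers written after the S-1-5-21 prefix.
    This is the four-step hand procedure above, done in code."""
    if len(v_value) < 12:
        raise ValueError("V value too short to contain a machine SID")
    a, b, c = struct.unpack("<3I", v_value[-12:])
    return f"{MACHINE_SID_PREFIX}-{a}-{b}-{c}"


# Constructed sample: the 12 bytes from the worked example, preceded by
# filler that stands in for the rest of the V value (not real registry data).
SAMPLE_V_VALUE = b"\x00" * 20 + bytes.fromhex("2E43AC40C085385D07E53B2B")

if __name__ == "__main__":
    sid = machine_sid_from_v_value(SAMPLE_V_VALUE)
    print(sid)  # S-1-5-21-1085031214-1563985344-725345543
    print(parse_sid_string(sid + "-1013"))
```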

Other Uses

The machine SID is also used by some free-trial programs, such as Start8, to identify the computer so that it cannot restart the trial. [citation needed]

Service SIDs

Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008. [12] Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process. The purpose of Service SIDs is to allow permissions for a single service to be managed without necessitating the creation of service accounts, an administrative overhead.

Each service SID is a local, machine-level SID generated from the service name using the following formula:

S-1-5-80-{SHA-1(service name in upper case encoded as UTF-16)}

The sc.exe command can be used to generate an arbitrary service SID:

The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT SERVICE\dnscache").
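The service SID formula above, as an added Python example (not code from the original page or from Microsoft): the upper-cased service name is encoded as UTF-16LE and SHA-1 hashed, and the 20-byte digest is split into five subauthorities. Reading the digest as five little-endian 32-bit integers is an assumption of this example, the same byte order used when decoding the machine SID; the ACL in the sample is constructed.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"
ALL_SERVICES_SID = "S-1-5-80-0"   # the group "NT SERVICE\ALL SERVICES"


def service_sid(service_name: str) -> str:
    """S-1-5-80-{SHA-1(service name, upper-cased, UTF-16LE)}: the 20-byte
    digest is read as five little-endian 32-bit subauthorities (assumed byte
    order). Upper-casing first is what makes "dnscache" and "DNSCACHE"
    resolve to the same principal."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauths = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "-" + "-".join(str(x) for x in subauths)


def service_account_name(service_name: str) -> str:
    """The name form of the same principal, e.g. "NT SERVICE\\dnscache"."""
    return "NT SERVICE\\" + service_name


def is_service_sid(sid: str) -> bool:
    """True for a per-service SID: S-1-5-80 plus exactly five numeric
    subauthorities. S-1-5-80-0 (ALL SERVICES) is the group, not a service."""
    parts = sid.split("-")
    return (len(parts) == 9 and parts[:4] == ["S", "1", "5", "80"]
            and all(p.isdigit() for p in parts[4:]))


def sids_matching_service(ace_sids, service_name: str):
    """Given the SIDs from an ACL's entries, return those that apply to the
    named service: its own service SID or the ALL SERVICES group."""
    mine = {service_sid(service_name), ALL_SERVICES_SID}
    return [s for s in ace_sids if s in mine]


if __name__ == "__main__":
    sid = service_sid("dnscache")
    print(service_account_name("dnscache"), "->", sid)
    # Constructed ACL: the service's own SID, the ALL SERVICES group,
    # and an unrelated domain user SID.
    acl = [sid, ALL_SERVICES_SID, "S-1-5-21-1085031214-1563985344-725345543-1013"]
    print(sids_matching_service(acl, "DnsCache"))
```

On a Windows host the computed value can be cross-checked against the output of `sc.exe showsid <service_name>`.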

Duplicated SIDs

In a workgroup of computers running Windows NT/2000/XP, a user may gain unexpected access to shared files or files stored on removable storage. Such access is normally prevented by setting an access control list on a susceptible file, so that the effective permissions are determined by the user SID. If that user SID is duplicated on another computer, a user of the second computer who has the same SID could access the files that the user of the first computer has protected. This can happen when machine SIDs are duplicated by disk cloning, which is common for pirated copies, because user SIDs are built from the machine SID and a sequential relative ID.

When the computers are joined to a domain (for instance, an Active Directory or NT domain), each computer is given a unique domain SID, which is recomputed each time a computer enters a domain. This SID is similar to the machine SID. As a result, there are typically no significant problems with duplicate SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue similar to the one described above, but it is limited to the files and resources protected by local users, as opposed to domain users.

Duplicated SIDs are usually not a problem for Microsoft Windows systems themselves, although other programs that rely on SIDs might have security problems of their own.

Microsoft used to provide Mark Russinovich's "NewSID" utility as part of Sysinternals to change a machine SID. [13] It was retired and removed from download on November 2, 2009. Russinovich's explanation is that neither he nor the Windows security team could think of any situation where duplicate machine SIDs could cause a problem, because machine SIDs are never responsible for gating any network access. [14]

At present, the only supported mechanism for duplicating disks for Windows operating systems is the use of Sysprep, which generates new SIDs.

References

  1. "Well-known security identifiers in Windows operating systems". support.microsoft.com. Retrieved 12 December 2019.
  2. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03.
  3. See "Custom Principals" section on https://msdn.microsoft.com/en-us/library/aa480244.aspx
  4. "Larry Osterman's WebLog".
  5. "Example impact of Microsoft Accounts on Windows APIs in Windows 8/8.1 – Windows SDK Support Team Blog". blogs.msdn.microsoft.com.
  6. "Security identifiers". support.microsoft.com. 28 August 2021. Retrieved 2020-09-02.
  7. "Some SIDs do not resolve into friendly names". support.microsoft.com. 24 September 2021. Retrieved 2020-09-02.
  8. lastnameholiu. "Capability SID Constants (Winnt.h) - Win32 apps". docs.microsoft.com. Retrieved 2020-09-02.
  9. "Accounts Everywhere: part 1, Virtual Accounts". 1E. 2017-11-24. Retrieved 2020-09-02.
  10. "IIS AppPool Identity SIDs". winterdom. 2020-09-02.
  11. "MS TechNet NewSID Utility - How It Works". Knowledge Base. Microsoft. November 1, 2006. Retrieved 2008-08-05.
  12. "Windows Service Isolation Feature". Article. Windows IT Pro. June 6, 2012. Retrieved December 7, 2012.
  13. "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01.
  14. Russinovich, Mark (2009-11-03). "The Machine SID Duplication Myth". TechNet Blogs. Microsoft.