Understanding Windows SIDs

by Barry Dysert
(last updated May 19, 2014)

Every user account on your system has a Windows SID (Security Identifier) automatically assigned to it. SIDs identify every entity within the computer system: a SID is assigned to the machine, domain accounts, users, and security groups. The human-readable names that correspond to SIDs exist to make system administration easier. For example, you can change a user's name, but the SID doesn't change. You therefore don't have to go through the various access control lists and update them for the new name, because the underlying SID is the same.

SIDs are numeric values of varying lengths. They consist of a structure revision number, an identifier authority value, and a variable number of subauthority values. The subauthority values provide the means whereby Windows can create unique SIDs based on a common base SID.

There is a nice free tool from Sysinternals called PsGetSid, which can be obtained from this site:

http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

When you run PsGetSid with no parameters you'll get the SID of the current computer:

C:\>PsGetSid

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \\DYSERT-PC:
S-1-5-21-205299875-3125232665-432278398

From the number displayed you can determine the various parts of the SID; they are separated by dashes. In this case, the SID begins with "S-1-5", which indicates the structure revision number (1) and the identifier authority value (5). The remaining numbers—again, each separated by dashes—are the subauthority values.

Windows ships with some built-in accounts, so these have SIDs already assigned to them before a user account is ever added. Among the built-in accounts are those for Administrator and Guest. Running PsGetSid against each of these reveals the following assignments:

C:\>PsGetSid Administrator

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Administrator:
S-1-5-21-205299875-3125232665-432278398-500

C:\>PsGetSid Guest

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Guest:
S-1-5-21-205299875-3125232665-432278398-501

As you can see, Windows appended a number to each account's SID (500 and 501) to ensure its uniqueness. These unique suffixes are called Relative Identifiers (RIDs). As new accounts are added, the RIDs start at 1000 and are incremented as needed. So running PsGetSid on the "Dysert" account yields this:

C:\>PsGetSid Dysert

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Dysert:
S-1-5-21-205299875-3125232665-432278398-1000

To verify that this SID is associated with my logon, I can use another Sysinternals tool called LogonSessions, available here:

http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx

Here is the output produced by the tool:

C:\>LogonSessions

Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com

[6] Logon session 00000000:00468835:
    User name:    Dysert-PC\Dysert
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-205299875-3125232665-432278398-1000
    Logon time:   4/11/2014 3:20:29 AM
    Logon server: DYSERT-PC
    DNS Domain:
    UPN:

SIDs are also assigned to groups. The SID assigned to the Administrators group can be obtained in this manner:

C:\>PsGetSid \Administrators

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \Administrators:
S-1-5-32-544

If, for some reason, you don't want to use the PsGetSid tool, you can still get SID information from the built-in utility, wmic. From the command line, type "wmic useraccount get name,sid" (without the quotes). The following output will appear:

C:\>wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-205299875-3125232665-432278398-500
ASPNET         S-1-5-21-205299875-3125232665-432278398-1003
Dysert         S-1-5-21-205299875-3125232665-432278398-1000
Guest          S-1-5-21-205299875-3125232665-432278398-501
SQLDebugger    S-1-5-21-205299875-3125232665-432278398-1007
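The SID structure described above can be checked programmatically. The following Python sketch is an added example, not part of the original tip: it parses the wmic output shown above, separates the machine SID from each RID, and classifies accounts by RID rather than by name, so a renamed Administrator is still recognized. It goes slightly beyond the article by also converting between the string form and the binary form Windows stores; all function names are illustrative.

```python
import struct

# "wmic useraccount get name,sid" output, copied from the article above.
WMIC_OUTPUT = """\
Name           SID
Administrator  S-1-5-21-205299875-3125232665-432278398-500
ASPNET         S-1-5-21-205299875-3125232665-432278398-1003
Dysert         S-1-5-21-205299875-3125232665-432278398-1000
Guest          S-1-5-21-205299875-3125232665-432278398-501
SQLDebugger    S-1-5-21-205299875-3125232665-432278398-1007
"""
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_sid(text):
    """Split S-<revision>-<authority>-<sub1>-...-<subN> into its numeric parts."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a decimal SID string: {text!r}")
    revision, authority, *subs = map(int, parts[1:])
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"field out of range: {text!r}")
    return revision, authority, subs

def sid_to_bytes(text):
    # Layout: revision, count, 6-byte big-endian authority, 4-byte little-endian subauthorities.
    revision, authority, subs = parse_sid(text)
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(raw):
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match the subauthority count")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(map(str, ["S", raw[0], int.from_bytes(raw[2:8], "big"), *subs]))

def split_account_sid(text):
    """Return (machine_sid, rid) for an S-1-5-21-<a>-<b>-<c>-<rid> account SID."""
    _, authority, subs = parse_sid(text)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a machine or domain account SID: {text!r}")
    return text.strip().rsplit("-", 1)[0], subs[-1]

def classify_accounts(wmic_text):
    """Map each account name to (machine_sid, rid, kind), judging by RID, not by name."""
    accounts = {}
    for line in filter(str.strip, wmic_text.splitlines()[1:]):
        name, sid = line.rsplit(None, 1)
        base, rid = split_account_sid(sid)
        accounts[name.strip()] = (base, rid, WELL_KNOWN_RIDS.get(rid, "added account" if rid >= 1000 else "other"))
    return accounts
```

Calling classify_accounts(WMIC_OUTPUT) returns one entry per account, all sharing the machine SID that PsGetSid printed for \\DYSERT-PC. The group SID S-1-5-32-544 is rejected by split_account_sid because it is not built on a machine SID.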

 This tip (13106) applies to Windows 7 and 8.

Author Bio

Barry Dysert

Barry has been a computer professional for over 30 years, working in different positions such as technical team leader, project manager, and software developer.  He is currently a senior software engineer with an emphasis on developing custom applications under Microsoft Windows. ...

Comments

2014-05-19 10:00:54

PFL

Super info; this is the stuff that is so difficult to find without insider experience. Thanks and keep it up!

