Understanding Windows SIDs

by Barry Dysert
(last updated August 22, 2017)

Every user account on your system has a Windows SID (Security Identifier) automatically assigned to it. SIDs identify every security entity on the system: the machine itself, domain accounts, users, and security groups each have one. The human-readable names that correspond to SIDs are there to make system administration easier. For example, you can change a user's name, but the SID doesn't change. Therefore you don't have to go through the various access control lists to update them for the new name, because the underlying SID is still the same.

SIDs are numeric values of varying lengths. They consist of a structure revision number, an identifier authority value, and a variable number of subauthority values. The subauthority values provide the means whereby Windows can create unique SIDs based on a common base SID.

There is a nice free tool from Sysinternals called PsGetSid, which can be obtained from this site:

http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

When you run PsGetSid with no parameters you'll get the SID of the current computer:

C:\>PsGetSid

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \\DYSERT-PC:
S-1-5-21-205299875-3125232665-432278398

From the number displayed you can determine the various parts of the SID; they are separated by dashes. In this case, the SID begins with "S-1-5", which indicates the structure revision number (1) and the identifier authority value (5). The remaining numbers—again, each separated by dashes—are the subauthority values.

Windows ships with some built-in accounts, so these have SIDs already assigned to them before a user account is ever added. Among the built-in accounts are those for Administrator and Guest. Running PsGetSid against each of these reveals the following assignments:

C:\>PsGetSid Administrator

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Administrator:
S-1-5-21-205299875-3125232665-432278398-500

C:\>PsGetSid Guest

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Guest:
S-1-5-21-205299875-3125232665-432278398-501

As you can see, Windows appended a number to each account's SID (500 and 501) to ensure its uniqueness. These unique suffixes are called Relative Identifiers (RIDs). As new accounts are added, the RIDs start at 1000 and are incremented as needed. So running PsGetSid on the "Dysert" account yields this:

C:\>PsGetSid Dysert

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for Dysert-PC\Dysert:
S-1-5-21-205299875-3125232665-432278398-1000

To verify that this SID is associated with my logon, I can use another Sysinternals tool called LogonSessions, available here:

http://technet.microsoft.com/en-us/sysinternals/bb896769.aspx

Here is the output produced by the tool:

C:\>LogonSessions

Logonsesions v1.21
Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com

[6] Logon session 00000000:00468835:
    User name:    Dysert-PC\Dysert
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-205299875-3125232665-432278398-1000
    Logon time:   4/11/2014 3:20:29 AM
    Logon server: DYSERT-PC
    DNS Domain:
    UPN:

SIDs are also assigned to groups. The SID assigned to the Administrators group can be obtained in this manner:

C:\>PsGetSid \Administrators

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \Administrators:
S-1-5-32-544

If, for some reason, you don't want to use the PsGetSid tool, you can still get SID information from the built-in utility, wmic. From the command line, type "wmic useraccount get name,sid" (without the quotes). The following output will appear:

C:\>wmic useraccount get name,sid
Name           SID
Administrator  S-1-5-21-205299875-3125232665-432278398-500
ASPNET         S-1-5-21-205299875-3125232665-432278398-1003
Dysert         S-1-5-21-205299875-3125232665-432278398-1000
Guest          S-1-5-21-205299875-3125232665-432278398-501
SQLDebugger    S-1-5-21-205299875-3125232665-432278398-1007
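
The SID structure described above (revision, identifier authority, subauthorities, trailing RID) can be checked programmatically. The following Python script is an added example, not part of the original tip: it parses the name/SID listing that wmic prints and labels each account by its RID, so a renamed built-in Administrator is still recognized. The function names and the renamed account "LocalOps" are assumptions made for illustration.

```python
import re

SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)")
# RIDs the article shows for built-in accounts; added accounts start at 1000.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

def parse_sid(text):
    """Split a string SID into (revision, identifier authority, subauthorities)."""
    m = SID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a SID: %r" % text)
    subs = [int(s) for s in m.group(3)[1:].split("-")]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("subauthority does not fit in 32 bits: %r" % text)
    return int(m.group(1)), int(m.group(2)), subs

def split_account_sid(text):
    """Return (base SID, RID) for an S-1-5-21-a-b-c-RID account SID, else None."""
    revision, authority, subs = parse_sid(text)
    if (revision, authority) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        return None
    base = "S-1-5-" + "-".join(str(s) for s in subs[:4])
    return base, subs[4]

def classify_accounts(listing, machine_sid):
    """Label each account in `wmic useraccount get name,sid` output by its RID."""
    labels = {}
    for line in listing.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not parts[1].startswith("S-"):
            continue  # header, prompt or blank line
        name, sid = parts[0].strip(), parts[1]
        split = split_account_sid(sid)
        if split is None or split[0] != machine_sid:
            labels[name] = "issued by another machine or domain"
        elif split[1] in BUILTIN_RIDS:
            labels[name] = BUILTIN_RIDS[split[1]]
        else:
            labels[name] = "added account, RID %d" % split[1]
    return labels

# Constructed sample: the article's SIDs, with Administrator renamed to LocalOps.
SAMPLE = """Name           SID
LocalOps       S-1-5-21-205299875-3125232665-432278398-500
Dysert         S-1-5-21-205299875-3125232665-432278398-1000
Guest          S-1-5-21-205299875-3125232665-432278398-501
"""
MACHINE_SID = "S-1-5-21-205299875-3125232665-432278398"

if __name__ == "__main__":
    for name, label in classify_accounts(SAMPLE, MACHINE_SID).items():
        print(name, "->", label)
```

A group SID such as S-1-5-32-544 has only two subauthorities, so split_account_sid returns None for it rather than treating 544 as an account RID.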

 This tip (13106) applies to Windows 7, 8, and 10.

Author Bio

Barry Dysert

Barry has been a computer professional for over 30 years, working in different positions such as technical team leader, project manager, and software developer.  He is currently a senior software engineer with an emphasis on developing custom applications under Microsoft Windows. ...


Comments

2014-05-19 10:00:54

PFL

Super info; this is the stuff that is so difficult to find without insider experience. Thanks and keep it up!

