Structure of Security Identifiers

Recently a friend of mine asked about an unknown user account associated with all files, new or old, with an unknown SID (security identifier) attached. I noted that this is common when local machines have had accounts that have since been removed. However, he then asked about the structure of that number so I figured I’d provide a brief overview of the structure and generation.

In Windows, 10 specifically, SIDs are used by the Security Reference Monitor security model for local and domain groups, as well as local computers and services. A SID is a variable-length numeric value built from a SID structure revision number, a 48-bit identifier authority value, an arbitrary number of 32-bit subauthority values, and a relative identifier value. Relative identifiers (RIDs) are what let Windows mint SIDs that are truly unique: the authority and subauthority prefix is reused, and a fresh RID is appended for each new principal.
Let’s break down this SID (given in the screenshot) to give you a better idea of what these values mean.

We can see that when displayed as a string the SID carries an S prefix, followed by the revision number (1), the identifier authority value (5, which is the Windows Security Authority), four subauthority values, and finally the RID (1001).

Once I saw this SID for the account in question, I noticed the RID is 1001, which means it was the second account that may have been present, demoted, or removed on the local machine. RIDs for user accounts and groups start at the value 1000 and increment by 1 for each new user or group, so this account was likely one he has since removed. He asked if it was the local admin account, to which I said “no.” Administrator accounts carry an RID of 500 at the end instead.

It’s important to note that not all SIDs are structured like the one shown above. There are a few well-known groups that are represented by standard SIDs. Here’s a table of the well-known SIDs for standard groups on Windows computers:

SID        Group
S-1-0-0    Unknown
S-1-1-0    Everyone
S-1-2-0    Local
S-1-3-0    Creator Owner ID
S-1-3-1    Creator Group ID
S-1-9-0    Resource Manager

The conclusion I came to regarding the Account Unknown shown in the picture was that it was a former account he had since removed: a system administrator account, which by default had full control over the system (S-1-5-21 = root system administrator).
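As an added example (this is not code from the original post), here is a small Python module that pulls a SID string apart into the fields described above, round-trips it through the binary layout Windows stores in tokens and ACLs (a 1-byte revision, a 1-byte subauthority count, the 48-bit identifier authority big-endian, then each 32-bit subauthority little-endian), and applies the rules from the post: the well-known table, RID 500 for the Administrator account, and RIDs from 1000 upward for accounts and groups created on the machine. The SID S-1-5-21-1111-2222-3333-1001 is a constructed sample standing in for the one in the screenshot; the byte layout and the 15-subauthority limit are documented Windows facts rather than something the post states.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Well-known SIDs taken from the table in the post.
WELL_KNOWN_SIDS = {
    "S-1-0-0": "Unknown",
    "S-1-1-0": "Everyone",
    "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner ID",
    "S-1-3-1": "Creator Group ID",
    "S-1-9-0": "Resource Manager",
}

MAX_SUBAUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK


@dataclass
class Sid:
    revision: int
    identifier_authority: int   # 48-bit value
    subauthorities: List[int]   # 32-bit values; the last one is the RID

    @property
    def rid(self) -> Optional[int]:
        """The relative identifier is the final subauthority, if any."""
        return self.subauthorities[-1] if self.subauthorities else None

    def __str__(self) -> str:
        parts = ["S", str(self.revision), str(self.identifier_authority)]
        parts += [str(s) for s in self.subauthorities]
        return "-".join(parts)


def parse_sid(text: str) -> Sid:
    """Parse the string form S-<revision>-<authority>-<sub>...-<rid>."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("subauthority values must fit in 32 bits")
    if len(subs) > MAX_SUBAUTHORITIES:
        raise ValueError(f"at most {MAX_SUBAUTHORITIES} subauthorities allowed")
    return Sid(revision, authority, subs)


def to_bytes(sid: Sid) -> bytes:
    """Binary layout: revision, subauthority count, 48-bit big-endian
    authority, then each 32-bit subauthority little-endian."""
    header = struct.pack("<BB", sid.revision, len(sid.subauthorities))
    authority = sid.identifier_authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sid.subauthorities)
    return header + authority + subs


def from_bytes(data: bytes) -> Sid:
    """Inverse of to_bytes; rejects buffers shorter than the count implies."""
    if len(data) < 8:
        raise ValueError("binary SID header is 8 bytes")
    revision, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    if len(data) < 8 + 4 * count:
        raise ValueError("truncated binary SID")
    subs = list(struct.unpack_from("<%dI" % count, data, 8))
    return Sid(revision, authority, subs)


def describe(sid: Sid) -> str:
    """Classify a SID using the rules from the post: the well-known table,
    RID 500 for Administrator, RIDs from 1000 up for locally created
    accounts and groups (1000 is the first, 1001 the second, and so on)."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return f"well-known: {WELL_KNOWN_SIDS[text]}"
    if sid.identifier_authority == 5 and sid.rid is not None:
        if sid.rid == 500:
            return "Administrator account (RID 500)"
        if sid.rid >= 1000:
            return f"locally created account or group, RID {sid.rid} (number {sid.rid - 999})"
    return "no rule matched"


if __name__ == "__main__":
    # Constructed sample SID, not the one from the screenshot.
    sample = parse_sid("S-1-5-21-1111-2222-3333-1001")
    print(sample, "->", describe(sample))
    print("binary:", to_bytes(sample).hex())
    print("round trip ok:", from_bytes(to_bytes(sample)) == sample)
```

The binary round trip is the part worth keeping around: the hex form is what you see when a SID is stored as a registry value or a raw ACE, so being able to decode it by hand (or to recognise `01 05 00 00 00 00 00 05` as "revision 1, five subauthorities, NT authority") saves a trip to a Windows box.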

If you’d like more information on SIDs and their purpose check out the MSDN article linked at the top.

Any comments, feedback, or questions are welcome.
