Recently a friend of mine asked about an unknown user account associated with all files, new or old, with an unknown SID (security identifier) attached. I noted that this is common when local machines have had accounts that have since been removed. However, he then asked about the structure of that number so I figured I’d provide a brief overview of the structure and generation.
We can see that, when displayed as a string, the SID carries an S prefix followed by the revision number (1), the identifier authority value (5), which is the Windows Security Authority, four subauthority values, and finally the RID (1001).
Once I saw the SID for the account in question I noticed that the RID is 1001, which means it was the second account that may have been present, demoted, or removed on the local machine. RIDs for user accounts and groups start at 1000 and increment by 1 for each new user or group, so this account was likely one he has since removed. He asked whether it was the local admin account, to which I said “no”: the Administrator account has an RID of 500 at the end.
It’s important to note that not all SIDs are structured like the one shown above. There are a few well-known groups that are represented by standard SIDs. Here’s a table of the well-known SIDs for standard groups on Windows computers:
SID | Group
---|---
S-1-0-0 | Unknown
S-1-1-0 | Everyone
S-1-2-0 | Local
S-1-3-0 | Creator Owner ID
S-1-3-1 | Creator Group ID
S-1-9-0 | Resource Manager
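To make the structure concrete, here is an added example (not code from the original post) that parses a SID string into its revision, identifier authority and subauthorities, converts it to and from the binary layout Windows stores in ACLs, and classifies it using the well-known table and the RID rules described above. The sample SID is constructed; its machine-specific subauthorities are made up.

```python
import struct
from dataclasses import dataclass

# Well-known SIDs from the table above (standard groups, not machine-specific)
WELL_KNOWN = {"S-1-0-0": "Unknown", "S-1-1-0": "Everyone", "S-1-2-0": "Local",
              "S-1-3-0": "Creator Owner ID", "S-1-3-1": "Creator Group ID",
              "S-1-9-0": "Resource Manager"}
NT_AUTHORITY = 5  # identifier authority in S-1-5-... SIDs

@dataclass
class Sid:
    revision: int
    authority: int
    subauthorities: list  # the last entry is the RID

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority, *subs = (int(p) for p in parts[1:])
        return cls(revision, authority, subs)

    def to_bytes(self) -> bytes:
        # revision (1 byte), subauthority count (1 byte), 48-bit big-endian authority,
        # then each subauthority as a 32-bit little-endian integer
        head = bytes([self.revision, len(self.subauthorities)])
        head += self.authority.to_bytes(6, "big")
        return head + struct.pack("<%dI" % len(self.subauthorities), *self.subauthorities)

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        subs = list(struct.unpack_from("<%dI" % raw[1], raw, 8))
        return cls(raw[0], int.from_bytes(raw[2:8], "big"), subs)

def describe(text: str) -> str:
    if text in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[text]
    sid = Sid.parse(text)
    rid = sid.subauthorities[-1]
    if sid.authority != NT_AUTHORITY or sid.subauthorities[0] != 21:
        return "unclassified"
    if rid == 500:
        return "built-in Administrator (RID 500)"
    if rid >= 1000:
        return f"account or group #{rid - 999} created on this machine (RID {rid})"
    return f"other built-in principal (RID {rid})"

# Constructed sample in the shape of the SID from the post; the machine part is made up
SAMPLE = "S-1-5-21-1234567890-987654321-1122334455-1001"
```

Running `describe(SAMPLE)` reports the second locally created account, matching the reasoning above; `Sid.parse(SAMPLE).to_bytes()` gives the 28-byte binary form you would find inside a security descriptor.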
The conclusion I came to regarding the Account Unknown shown in the picture was that it was a former account he had since removed, a system administrator account which by default had full control over the system (S-1-5-21 = root system administrator).
If you’d like more information on SIDs and their purpose check out the MSDN article linked at the top.
Any comments, feedback, or questions are welcome.