Menu
Home Explore People Places Arts History Plants & Animals Science Life & Culture Technology
On this page
Security Identifier
ID number used for user accounts and groups in Microsoft Windows

Security Identifier (SID) is a unique, immutable identifier of a user account, user group, or other security principal in the Windows NT family of operating systems. A security principal has a single SID for life (in a given Windows domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.

We don't have any images related to Security Identifier yet.
We don't have any YouTube videos related to Security Identifier yet.
We don't have any PDF documents related to Security Identifier yet.
We don't have any Books related to Security Identifier yet.
We don't have any archived web articles related to Security Identifier yet.

Overview

Windows grants privileges and access to resources based on access control lists (ACLs). Each entry on the list defines one SID and a set of permissions for that SID. When a user logs into a PC, Windows generates an access token that contains the user SID, the group SIDs to which the user account belongs, and the user privilege level. When a user requests access to a resource, its ACL is checked against the user's access token to permit or deny particular action on a particular object.

Structure

The human-readable representation of a SID is a string that starts with "S-" and consists of several dash-separated numbers. For example, "S-1-5-21-3623811015-3361044348-30300820-1013" could be a user account's SID. The following table explains the components of this example SID.

Anatomy of a SID
ComponentExampleExplanation
HeaderSIdentifies the string as a SID
Revision level1The version number of the SID specification. As of 2025, "1" is the only valid number.
Authority5See below
Subauthorities21-3623811015-3361044348-30300820In this example, "21" indicates a "domain" subauthority. The following 96-bit ID is a domain identifier.
Relative ID (RID)1013Uniquely identifies the principal within its subauthority group. In the context of domain accounts (which is the focus of our example), RIDs greater than 1000 indicate an admin-defined principal (as opposed to a predefined, built-in, or special-purpose generic principal).

Originally, SIDs were supposed to allow arbitrarily deep nesting, with each level allowed to create sub-authorities underneath itself. However, that goal was abandoned early in Windows NT development, when it was decided that it would be too unmanageable in practice; by then, however, the SID format had already been finalized and was in heavy use in the Windows code.1

Identifier authority

Identifier authorities are formally defined as six-byte (48-bit) quantities. The identifier authority is expressed in decimal if its value is less than 232, otherwise in hexadecimal.23 However, while this is the behavior formally defined by Microsoft, and implemented by the relevant Windows APIs (e.g. RtlConvertSidToUnicodeString),4 hexadecimal identifier authorities appear to have never been used in practice. All known values fit in the least significant byte, and the other 5 bytes are always zero. Identifier authorities are stored in big-endian format, even on little-endian CPU architectures.

Valid identifier authority values56
AuthorityFormal nameFirst introducedNotes
0Null Authoritye.g., "Nobody" (S-1-0-0)
1World Authoritye.g., well-known groups such as "Everyone". (S-1-1-0)
2Local Authoritye.g., flag SIDs like "CONSOLE LOGON"
3Creator Authority
4Non-unique Authority
5NT AuthorityManaged by the NT security subsystem. There are many sub-authorities such as "BUILTIN" and every Active Directory Domain
678Site Server AuthorityWindows XP
7910Internet Site AuthorityWindows XP
8111213Exchange AuthorityWindows XP
9141516Resource Manager AuthorityWindows Server 2003
1017Passport Authority
1118Microsoft Account AuthorityWindows 8
12Azure Active DirectoryWindows 10
15192021App Package Authority (Capability SIDs)Windows Server 2012All capability SIDs begin at S-1-15-3. By design, a capability SID does not resolve to a friendly name. The most commonly used capability SID is S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
1622Mandatory Label AuthorityWindows VistaUsed as part of Mandatory Integrity Control
1723Scoped Policy ID Authority
1824Authentication Authority
1925Process Trust Authority

Subauthority

S-1-5 subauthority values262728
DecimalNameFirst introducedFormat and purpose
829ProxyWindows Server 2003S-1-5-8 is the SID of the "SECURITY_NT_AUTHORITY" proxy.30
18LocalSystemWindows NT 3.1S-1-5-18 is the SID of the LocalSystem account on all Windows machines.
19LocalServiceS-1-5-19 is the SID of the LocalService account on all Windows machines.
20NetworkServiceS-1-5-20 is the SID of the NetworkService account on all Windows machines.
21DomainS-1-5-21-<Domain ID>-<RID>, where <Domain ID> is in the form of <32-bit>-<32-bit>-<32-bit>. See below for details.
32UsersWindows 7S-1-5-32-<RID>. Example: S-1-5-32-544 (the built-in Administrators group).

The resulting SID pertains a predefined, special-purpose user group, and is valid on all Windows machines. RID could only be one the predefined ones.

64AuthenticationS-1-5-64-<RID>, where <RID> is one of the following:
  • 10: NTLM
  • 14: SChannel
  • 21: Digest
80NT ServiceWindows VistaS-1-5-80-<RID>, where <RID> is a service identifier. "0" (zero) is reserved for the ALL SERVICES group (hence, S-1-5-80-0's fully qualified name is NT SERVICE\ALL SERVICES).
82IIS AppPoolWindows 7
83-0Virtual MachinesWindows 7S-1-5-83-0 is the SID of the "NT VIRTUAL MACHINE\Virtual Machines" group, which maintains a list of all Hyper-V virtual machines.
83-1Virtual machineWindows 7S-1-5-83-1-<ID1>-<ID2>-<ID3>-<ID4>.

The resulting SID pertains a Hyper-V virtual machine.

9031Windows ManagerWindows 7S-1-5-90-0 is the SID of the "Windows Manager Group", a built-in group that maintains all virtual accounts of the Desktop Windows Manager (DWM).

S-1-5-90-0-<RID>, where <RID> is a number, is the SID format of a DWM virtual account. For example, S-1-5-90-0-1 pertains DWM-1.

96User-Mode Driver FrameworkWindows 7S-1-5-96-0-<RID>, where <RID> is a number, is the SID format of a User-Mode Driver Framework (UMDF) virtual account. For example, S-1-5-96-0-1 pertains UMDF-1. The User-mode Font Driver Host (fontdrvhost.exe) runs in the context of a UMDF account.

Domain SIDs

SIDs that start with "S-1-5-21" are noticeably longer than most other SIDs (with the notable exception of service SIDs). Their general format is: S-1-5-21-<Domain ID>-<RID>, where <Domain ID> is in the form of <32-bit>-<32-bit>-<32-bit>.

The Domain ID uniquely identifies a Windows domain. The RID specifies a principal (user account, group account, or computer account) within that domain.

If the RID portion is greater than 1000, the resulting SID pertains an admin-defined user account, user group, or computer account, e.g., S-1-5-21-3361044348-303008203623811015-1001. The name of this account could be anything, e.g., Domain.local\JaneDoe.

If the RID portion is smaller than 1000, the resulting SID pertains a predefined (built-in) user account or user group. For example, RID 500 identifies the controversial "Administrator" user account while RID 512 pertains the "Domain Admins" group.

Machine SIDs

Machine SIDs are variety of domain SIDs (S-1-5-21) with a 96-bit domain ID (a machine is considered its own local domain) but no RID. Their general format is: S-1-5-21-<Machine ID>, where <Machine ID> is in the form of <32-bit>-<32-bit>-<32-bit>.

The machine SID is stored in the SECURITY hive of the Windows Registry, more specifically at HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account. This key has two values: F and V. The latter is a raw binary value that has the machine SID embedded within it at the end of its data (last 96 bits).32 (Some sources[example needed] state that it is stored in the SAM hive instead.) A backup is located at SECURITY\Policy\PolAcDmS\@.

NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.

— NewSID readme33

The machine SID is stored in a raw-bytes form in the registry. To convert it into the more common numeric form, one interprets it as three, little endian, 32-bit integers, converts them to decimal, and add hyphens between them.

Example of decoding machine SID
Raw form (hexadecimal representation)2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B
Split the bytes into 3 groups of four octets2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B
Reverse the order of bytes in each group40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07
Convert each group into decimal1085031214 - 1563985344 - 725345543
Add the machine SID prefixS-1-5-21-1085031214-1563985344-725345543

Service SIDs

Service SIDs are a feature of service isolation, introduced in Windows Vista and Windows Server 2008.34 Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process, allowing permissions for a single service to be managed without necessitating the creation of service accounts.

Each service SID is a local, machine-level SID that has the general form of S-1-5-80-<Service ID>. To generate <Service ID>, Windows copies the service name (in UTF-16 encoding), converts all characters to uppercase, and calculates the SHA-1 digest of said uppercase name. This digest becomes the <Service ID>. The sc.exe command can be used to generate this special SID value; for example, given the "dnscache" service:

C:\>sc query NAME: dnscache SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682

Therefore, the "dnscache" service can be referred to as either NT SERVICE\dnscache or S-1-5-80-859482183-879914841-863379149-1145462774-2388618682. Since a Service SID is determined exclusively by the service name, the value of the SID for a given service is always the same across all machines wherever the service runs.

Duplicated SIDs

A common method of mass-producing Windows PCs is to install Windows on a template machine, and duplicate its disk sector by sector to other identical machines. As a result, these mass-produced machines are identical in every respect, including their SIDs.35

Microsoft engineer Mark Russinovich is the creator of a utility called NewSID, the purpose of which is to solve "The SID Duplication Problem."36 Microsoft has retired the utility on November 2, 2009, because, Mark and the Windows security team have concluded that duplicate SIDs do not pose any problem whatsoever.37

See also

Footnotes

References

  1. "[MS-AZOD]: Security Identifiers (SIDs)". learn.microsoft.com. 2022-06-14. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164

  2. "[MS-DTYP]: SID String Format Syntax". learn.microsoft.com. 2023-12-12. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c92a27b1-c772-4fa7-a432-15df5f1b66a1

  3. "RtlConvertSidToUnicodeString function (ntifs.h) - Windows drivers". learn.microsoft.com. 2022-11-04. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlconvertsidtounicodestring

  4. "RtlConvertSidToUnicodeString function (ntifs.h) - Windows drivers". learn.microsoft.com. 2022-11-04. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlconvertsidtounicodestring

  5. "Well-known security identifiers in Windows operating systems". support.microsoft.com. Retrieved 12 December 2019. https://support.microsoft.com/en-hk/help/243330/well-known-security-identifiers-in-windows-operating-systems

  6. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

  7. "[MS-PAC]: SID Filtering and Claims Transformation". learn.microsoft.com. 2023-06-28. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

  8. Honeycutt, Jerry (2005). Microsoft Windows Registry Guide. Microsoft Press. p. 11. ISBN 978-0-7356-2218-0. 978-0-7356-2218-0

  9. "[MS-PAC]: SID Filtering and Claims Transformation". learn.microsoft.com. 2023-06-28. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

  10. Honeycutt, Jerry (2005). Microsoft Windows Registry Guide. Microsoft Press. p. 11. ISBN 978-0-7356-2218-0. 978-0-7356-2218-0

  11. "[MS-PAC]: SID Filtering and Claims Transformation". learn.microsoft.com. 2023-06-28. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

  12. Honeycutt, Jerry (2005). Microsoft Windows Registry Guide. Microsoft Press. p. 11. ISBN 978-0-7356-2218-0. 978-0-7356-2218-0

  13. "Outlook2007CodeSamples/SampleWrappedPSTStoreProvider/WrapPST/EdkMdb.h at 10edfa1ce7e6895a4788ad7c766b9120bec0128d · microsoft/Outlook2007CodeSamples". GitHub. Retrieved 2024-12-29. https://github.com/microsoft/Outlook2007CodeSamples/blob/10edfa1ce7e6895a4788ad7c766b9120bec0128d/SampleWrappedPSTStoreProvider/WrapPST/EdkMdb.h#L1183

  14. Honeycutt, Jerry (2005). Microsoft Windows Registry Guide. Microsoft Press. p. 11. ISBN 978-0-7356-2218-0. 978-0-7356-2218-0

  15. See "Custom Principals" section on https://msdn.microsoft.com/en-us/library/aa480244.aspx https://msdn.microsoft.com/en-us/library/aa480244.aspx

  16. "Larry Osterman's WebLog". 17 July 2020. http://blogs.msdn.com/larryosterman/archive/2004/09/01/224051.aspx

  17. "[MS-PAC]: SID Filtering and Claims Transformation". learn.microsoft.com. 2023-06-28. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280

  18. "Example impact of Microsoft Accounts on Windows APIs in Windows 8/8.1 – Windows SDK Support Team Blog". blogs.msdn.microsoft.com. 12 December 2014. https://blogs.msdn.microsoft.com/winsdk/2014/12/12/example-impact-of-microsoft-accounts-on-windows-apis-in-windows-88-1/

  19. "Security identifiers". support.microsoft.com. 28 August 2021. Retrieved 2020-09-02. https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

  20. "Some SIDs do not resolve into friendly names". support.microsoft.com. 24 September 2021. Retrieved 2020-09-02. https://support.microsoft.com/en-us/help/4502539/some-sids-do-not-resolve-into-friendly-names

  21. "Capability SID Constants (Winnt.h) - Win32 apps". docs.microsoft.com. Retrieved 2020-09-02. https://docs.microsoft.com/en-us/windows/win32/secauthz/capability-sid-constants

  22. "SYSTEM_MANDATORY_LABEL_ACE (winnt.h) - Win32 apps". learn.microsoft.com. 2024-02-22. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_mandatory_label_ace

  23. "[MS-DTYP]: SID_IDENTIFIER_AUTHORITY". learn.microsoft.com. 2020-10-30. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c6ce4275-3d90-4890-ab3a-514745e4637e

  24. "[MS-DTYP]: SID_IDENTIFIER_AUTHORITY". learn.microsoft.com. 2020-10-30. Retrieved 2024-12-29. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c6ce4275-3d90-4890-ab3a-514745e4637e

  25. "Sandboxing Antimalware Products for Fun and Profit — Elastic Security Labs". www.elastic.co. 2023-02-21. Retrieved 2024-12-29. https://www.elastic.co/security-labs/sandboxing-antimalware-products

  26. "Security identifiers". support.microsoft.com. 28 August 2021. Retrieved 2020-09-02. https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

  27. "IIS AppPool Identity SIDs". winterdom. 2020-09-02. https://winterdom.com/2014/05/16/iis-apppool-identity-sids

  28. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

  29. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

  30. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

  31. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03. https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

  32. "MS TechNet NewSID Utility - How It Works". Knowledge Base. Microsoft. November 1, 2006. Retrieved 2008-08-05. https://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

  33. "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01. https://learn.microsoft.com/en-us/sysinternals/downloads/newsid

  34. "Windows Service Isolation Feature". Article. Windows IT Pro. June 6, 2012. Retrieved December 7, 2012. http://www.windowsitpro.com/article/authentication/windows-service-isolation-143215

  35. "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01. https://learn.microsoft.com/en-us/sysinternals/downloads/newsid

  36. "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01. https://learn.microsoft.com/en-us/sysinternals/downloads/newsid

  37. Russinovich, Mark (2009-11-03). "The Machine SID Duplication Myth". Mark's Blog. Microsoft – via Microsoft Learn's blog archive. /wiki/Mark_Russinovich