Windows SID

(imported topic written by SystemAdmin)

Is anyone retrieving the machine SID through relevance?

(imported comment written by BenKus)

Hey jnharry,

Take a look at the “OS Serial Number” at http://support.bigfix.com/bes/misc/retrievedproperties.html#OS

Is that what you were looking for?

Ben

(imported comment written by rad.ricka91)

Jnharry,

I guess you’re after the locally set SID as retrieved by http://www.sysinternals.com/Utilities/PsGetSid.html, but I believe this isn’t exposed through WMI or any other “easy” interface (hence the sysinternals utility).

There’s a function LookupAccountName http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/lookupaccountname.asp that does this, and one would probably have to pass it the computer name and make sure the result is the right type (SidTypeComputer in this enumeration http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/sid_name_use.asp).

I guess the question is what’s the benefit of retrieving the SID?

R.

(imported comment written by SystemAdmin)

Ben Kus

Take a look at the “OS Serial Number” at http://support.bigfix.com/bes/misc/retrievedproperties.html#OS

Ben,

I liked this page and I was thinking it would be cool to have a resource like that where we, the users, can submit our own property relevance to make available for others to use.

Jim

(imported comment written by BenKus)

Hey Jim,

That is a good idea. We don’t have anything in the works yet, but hopefully this forum will allow people to post all their properties and discuss them until we have a property-specific submission system.

Ben

(imported comment written by SystemAdmin)

Sorry to resurrect a thread from the graveyard, but I was looking to do something similar today and had some input to provide. This value is stored in the registry under the HKLM\SECURITY\SAM\Domains\Account under the “V” value. It is encoded a bit, but if you are just concerned about getting rid of duplicate SIDs, you can just look at the last 24 characters of this value to see if any match. If they do, then you know you have duplicate SIDs. Here is the relevance I used:

last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string)

Now if you really want to get fancy, you could try to actually figure out what the SID really is, but that exceeds the ability of my relevance-fu. To manually decipher the SID, you break down that hex string into three components, reverse the contents of each component, then convert each component to decimal, and then append the “S-1-5-21-” prefix. I got the information for this from this Wikipedia entry:

Hope this info helps someone.

(imported comment written by NoahSalzman)

Just for fun, here is the first chunk of the example SID in the Wikipedia article:

Q: hexadecimal integer ((last 2 of it & (character 4 of it & character 5 of it & character 2 of it & character 3 of it) & first 2 of it) of ((first 8 of (concatenation of substrings separated by "," of "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B"))))

A: 1085031214

(imported comment written by NoahSalzman)

Gone this far… might as well just do the whole thing:

Q: "S-1-5-21" & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of ((first 8 of (concatenation of substrings separated by "," of "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B")))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of preceding text of position (length of it - 8) of (concatenation of substrings separated by "," of "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B"))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of (concatenation of substrings separated by "," of "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B"))) as string

A: S-1-5-21-1085031214-1563985344-725345543
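The same decoding the relevance above performs, written out in Python as an added example (not code from the thread or from BigFix): take the last 12 bytes of the SAM "V" value, read them as three little-endian 32-bit integers, and prepend "S-1-5-21-". The function names, the comma-separated hex input form (which matches what the relevance splits on), and the small host inventory used to show duplicate detection are all constructed for this example.

```python
import re
import struct
from typing import Dict, List

# Constructed sample: the byte string used as the worked example in the thread.
WIKI_SAMPLE = "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B"
WIKI_SID = "S-1-5-21-1085031214-1563985344-725345543"


def _hex_digits(text: str) -> str:
    """Keep only hex digits so "2E,43,AC" and "2E43AC" decode the same way."""
    return re.sub(r"[^0-9A-Fa-f]", "", text)


def machine_sid_from_tail(hex_tail: str) -> str:
    """Decode the last 12 bytes of the SAM "V" value into the machine SID.

    Each sub-authority is stored little-endian, so every 4-byte group is
    byte-reversed before conversion. This is what the relevance does with
    characters (6;7;4;5;2;3;0;1) of each 8-character chunk.
    """
    clean = _hex_digits(hex_tail)
    if len(clean) != 24:
        raise ValueError(f"expected 24 hex digits (12 bytes), got {len(clean)}")
    sub1, sub2, sub3 = struct.unpack("<III", bytes.fromhex(clean))
    return f"S-1-5-21-{sub1}-{sub2}-{sub3}"


def machine_sid_from_v_value(v_hex: str) -> str:
    """Accept the whole "V" value as hex and use only its last 24 hex digits,
    mirroring 'last 24 of (value "V" ... as string)' in the relevance."""
    clean = _hex_digits(v_hex)
    if len(clean) < 24:
        raise ValueError("V value too short to contain a machine SID")
    return machine_sid_from_tail(clean[-24:])


def find_duplicate_sids(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> V-value tail, return SIDs shared by more than one host.

    Duplicate machine SIDs (typically from cloned images) are the problem the
    thread is trying to detect with the 'last 24 of' relevance.
    """
    hosts_by_sid: Dict[str, List[str]] = {}
    for host, tail in inventory.items():
        hosts_by_sid.setdefault(machine_sid_from_tail(tail), []).append(host)
    return {sid: hosts for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


# Constructed inventory: ws01 and ws03 were imaged from the same source.
SAMPLE_INVENTORY = {
    "ws01": WIKI_SAMPLE,
    "ws02": "01,00,00,00,02,00,00,00,03,00,00,00",
    "ws03": WIKI_SAMPLE,
}

if __name__ == "__main__":
    print(machine_sid_from_tail(WIKI_SAMPLE))
    for sid, hosts in find_duplicate_sids(SAMPLE_INVENTORY).items():
        print(f"duplicate {sid}: {', '.join(hosts)}")
```

Because the decoder normalises its input to bare hex digits, the same function handles both the comma-separated form the relevance works on and a plain hex dump of the value.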

(imported comment written by SystemAdmin)

The relevance below works great for the Local Machine SID

"S-1-5-21" & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of ((first 8 of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string)))))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of preceding text of position (length of it - 8) of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string))))) as string & "-" & hexadecimal integer ((concatenation of (characters (6;7;4;5;2;3;0;1) of it)) of (last 8 of (concatenation of substrings separated by "," of (last 24 of (value "V" of key "HKLM\SECURITY\SAM\Domains\Account" of registry as string))))) as string