Search notes:

Windows security identifiers (SID)

A SID is a variable length binary value that is used to identify entities (security principals) that somehow act in a Windows system. Such entities include
With their identifying property, SIDs are fundamental for Windows security, for example in Access Control Entries (ACEs) in Access Control Lists (ACLs).
In theory (and practice?), SIDs are supposed to be unique.

Uniqe SIDs and well known SIDs

Whenever a user account or a group is created, they are assigned a unique SID to be able to identify them. No two users or groups have the same SIDs.
In addition, there are well known SIDs whose values are constant and used to identify generic users and groups.

Friendly names for SIDs

Most SIDs are associated with a «friendly name», which is just a more readable representation of a SID. A notable exception are capability SIDs.
Because such names are not necessarily unique, Windows internally works with SIDs rather than their corresponding names.
The Sysinternal tool PsGetSid is able to translate between SIDs and names.

Textual representation of SIDs

Typically, a textual representation of a SID might look like this: S-1-5-21-2761044393-2226150802-3019316526-1224 although shorter ones are possible, like S-1-5-18.
A textual representation of a SID always starts with S-1-. The S stands for SID and the 1 is the structure revision number. There is only one revision: 1.

Security Authority

The third part represents the identifier authority which identifies the agent that issued and owns the SID: The possible values are:
0 SECURITY_NULL_SID_AUTHORITY the owner of the null account SID and manages one SID: S-1-0-0.
1 SECURITY_WORLD_SID_AUTHORITY everyone group, also has one SID only: S-1-1-0.
2 SECURITY_LOCAL_SID_AUTHORITY local group also has one SID only: S-1-2-0.
3 SECURITY_CREATOR_SID_AUTHORITY SIDs S-1-3-0 through S-1-3-5
4 SECURITY_NON_UNIQUE_AUTHORITY is not used
5 SECURITY_NT_AUTHORITY owns accounts that are managed by the NT security subsystem.
9 SECURITY_RESOURCE_MANAGER_AUTHORITY
16 SECURITY_MANDATORY_LABEL_AUTHORITY see process integrity levels

Subauthority identifiers

The following numbers, if present, are subauthority idientifiers.
The last subauthority identifier is a relative identifier (RID)
The subauthority identifiers except the relative identifier identify a domain.

Relative identifier (RID)

The RID is the last value in the sequence of subauthority identifiers. It is used to distinguish one account or group within a domain from one another.
Some given RIDs are
winnt.h has the following note concerning RIDs:
the relative identifier values (RIDs) determine which security boundaries the SID is allowed to cross. Before adding new RIDs, a determination needs to be made regarding which range they should be added to in order to ensure proper SID filtering

User accounts etc.

The SIDs of user accounts always start with S-1-5-21-… and has an RID that is greater or equal to 1000.
These SIDs are found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-SID
A user can query her SID on the command line with
whoami /user
The SID for a given user name can be queried like so:
wmic useraccount where name='melanie' get sid
The RID for the administrator account is 500 and for the guest account is 501.

Well known SIDs

Each user's SIDs is unique across all Windows installations.
That said, some SIDs are well known and equal on all systems or start with a well known prefix.
Here are a few of them
S-1-0-0 The null/nobody SID (used when SID is unknown) Everyone (German: Jeder)
S-1-1-0 World, which is the group that all (except anonymous) users belong to.
S-1-2-0 Local LOCAL
S-1-2-1 Console Logon CONSOLE LOGON (German: KONSOLENANMELDUNG)
S-1-3-0 Creator owner id CREATOR OWNER
S-1-3-1 Creator group id CREATOR GROUP
S-1-3-2 Creator owner server id CREATOR OWNER SERVER
S-1-3-3 Creator owner group id CREATOR GROUP SERVER
S-1-3-4 Owner rights OWNER RIGHTS
S-1-5-1 Dialup DIALUP
S-1-5-2 The Network group, which represents users who have logged on to a machine from the network. NETWORK
S-1-5-3 Batch BATCH
S-1-5-4 Interactive NT AUTHORITY\INTERACTIVE (german: NT AUTORITÄT\INTERAKTIV)
S-1-5-5-x-y is a logon SID which identifies logon session. This SID can be queried using whoami.exe /logonid
S-1-5-6 Service (compare with S-1-5-80…) SERVICE
S-1-5-7 Anonymous logon ANONYMOUS LOGON
S-1-5-8 Proxy PROXY
S-1-5-9 Enterprice DC (EDC), aka domain controller account ENTERPRISE DOMAIN CONTROLLERS
S-1-5-10 self SELF
S-1-5-11 User that is authenticated somewhere NT AUTHORITY\Authenticated Users (German: NT-AUTORITÄT\Authentifizierte Benutzer)
S-1-5-12 Running rectricted code NT AUTHORITY\RESTRICTED
S-1-5-13 Running on Terminal Server TERMINAL SERVER USER
S-1-5-14 Remote logon NT AUTHORITY\Authenticated Users (Or REMOTE INTERACTIVE LOGON?)
S-1-5-15 This organization NT AUTHORITY\This Organization
S-1-5-17 IUser NT AUTHORITY\IUSR
S-1-5-18 Local System (the SID for the local system account). NT AUTHORITY\SYSTEM, sometimes also referred to as SYSTEM or Local System.
S-1-5-19 Local Service NT AUTHORITY\LOCAL SERVICE
S-1-5-20 Network Service NT AUTHORITY\NETWORK SERVICE
S-1-5-21-… User accounts (and also domains?)
S-1-5-21-do-ma-in-500 (local?) Administrator
S-1-5-21-do-ma-in-501 A domain's guest accoutn which allows users that don't have a domain account to log in
S-1-5-21-do-ma-in-503 The Default Account (aka Default System Managed Account)
S-1-5-21-do-ma-in-504
S-1-5-32 The built-in domain, it contains groups that define roles on a local machine. BUILTIN
S-1-5-32-544 BUILTIN\Administrators
S-1-5-32-545 Users BUILTIN\Users
S-1-5-32-546 The Guests group BUILTIN\Guests
S-1-5-32-547 Power Users
S-1-5-32-551 Backup Operators
S-1-5-32-552 Replicator
S-1-5-32-555 Remote Desktop Users
S-1-5-32-558 Performance Monitor Users
S-1-5-32-559 Performance Log Users
S-1-5-32-568 IIS_IUSRS
S-1-5-32-569 Cryptographic Operators
S-1-5-32-573 Event Log Readers
S-1-5-32-578 Hyper-V Administrators
S-1-5-32-579 Access Control Assistance Operators
S-1-5-32-581 System Managed Accounts Group
S-1-5-32-583 Device Owners
S-1-5-64-10 NTLM Authentication
S-1-5-80 all services
S-1-5-80-…-…-…-…-… The SID of a particular service NT SERVICE\…
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Trusted installer NT SERVICE\TrustedInstaller
S-1-5-94-… Windows Remoting Virtual Users
S-1-5-113 Local account
S-1-5-114 Local account and member of Adminstrators group German: NT-AUTORITÄT\Lokales Konto und Mitglied der Gruppse "Administratoren"
S-1-15-2-1 All applications running in an app package context. APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES
S-1-15-3-… All capability SIDs start with S-1-15-3.
S-1-16-… … Mandatory Level See processes: integrity levels
S-1-18-1 Authentication authority asserted identity
See also the System.Security.Principal.WellKnownSidType enum.

Capability SIDs

A capability SID grants access to a specific resource. Such resources include documents, cameras, locations etc.
In order for an application to access a given resource, it needs to have the associated capability SID, otherwise, the requested access is denied.
Capability SIDs start with S-1-15-3-….
Capability SIDs that the system is aware of are stored in the Registry value AllCachedCapabilities under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses.
Capability SIDs don't resolve into friendly names.

.NET classes

In .NET, a SID is represented by System.Security.Principal.SecurityIdentifier class, a friendly name by a System.Security.Principal.NTAccount class.
These classes both derive from System.Security.Principal.IdentityReference which provides a Translate() method to convert from one type to the other.
The following PowerShell example tries to demonstrate how a SID's friendly name can be determined:
PS C:\> $sid          = new-object System.Security.Principal.SecurityIdentifier("S-1-5-18")
PS C:\> $friendlyName = $sid.Translate([System.Security.Principal.NTAccount])
PS C:\> write-output $friendlyName.Value
NT AUTHORITY\SYSTEM
«My» SID can be determined like so:
PS C:\> [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
System.Security.Principal.WellKnownSidType is an enum of well known SIDs.

TODO

Alias

whoami.exe reports some SIDs to be Aliases, for example BUILTIN\Administrators.
As per this serverfault.com answer, such aliases seem to be groups in the built-in (or domain-local) domain.

SERVICE_SID_INFO

Apparently, a service security identifyer is represented by the SERVICE_SID_INFO structure.

sc showsid

sc.exe can be used to return the service sid of a service (actually, of any arbitrary string):
C:\> sc showsid trustedInstaller
SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
STATUS: Active

See also

The computer's SID is stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account
SIDs are found in the registry in
The authority 16 identifies a process's integrity level.
winnt.h
When a user logs on to Windows, the System creates an access token that contains (among other information) the user's SID.
S-1-5-18, S-1-5-19 and S-1-5-20
wmic sysaccount and wmic group.

Index