They come in
the form S-[revision level]-[authority value]-[identifier]. For example:
??? SID: S-1-5-18 is the LocalSystem account. It??™s the same on every Windows machine.
??? SID: S-1-5-19 is the Local Service account on every XP and later system.
??? SID: S-1-5-20 is the Network Service account on every XP and later system.
SIDs also identify local groups and those SIDs look like this:
??? SID: S-1-5-32-544 is the built-in Administrators group.
??? SID: S-1-5-32-545 is the built-in Users group.
??? SID: S-1-5-32-550 is the built-in Print Operators group.
And SIDs can identify user accounts relative to a workstation or domain. Each of
those SIDs will include a string of numbers identifying the workstation or domain following
by a relative identifier (RID) that identifies the user or group within the universe
of that workstation or domain. The examples that follow are for my XP machine:
??? SID: S-1-5-21-1060284298-507921405-1606980848-500 is the local Administrator
account.
??? SID: S-1-5-21-1060284298-507921405-1606980848-501 is the local Guest
account.
??? SID: S-1-5-21-1060284298-507921405-1606980848-1004 is a local Workstation
account.
Chapter 16: Exploiting Windows Access Control Model for Local Elevation of Privilege
389
NOTE The RID of the original local Administrator account is always 500.
Pages:
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704