5/4/2005 1:20:49 PM
What Is A SID?

Security Identifiers, or SIDs for short, are used to uniquely identify user and group accounts in Windows. They can be found in tokens (WhatIsAToken), in ACLs (WhatIsAnAccessControlList), and in security account databases (WhatIsASecurityPrincipal). Most Windows programmers are already familiar with another unique ID, the GUID (or UUID), which is a 128-bit randomly generated identifier used extensively in COM programming. A GUID generated on any machine at any time will be unique from any other GUID because of the large random space from which GUIDs are generated.

The SID is conceptually similar to the GUID in that it also provides uniqueness in space and time. Uniqueness in space is achieved by a 96-bit machine identifier generated at the time the Windows OS is installed. Its value is tucked away in the registry and is combined with a persistent monotonically increasing counter to create new SIDs that are unique in space and time. However, this is where the similarity ends. SIDs are variable-length data structures, which makes using them more difficult for programmers (at least prior to version 2.0 of the .NET Framework, when there was no managed representation of a SID). On the flip side, SIDs allow more flexibility because they have structure that a programmer can depend on. A SID is composed of several parts, which combine to form a hierarchical naming structure that is quite useful in many cases at runtime.

This hierarchical structure becomes most apparent in the text form in which SIDs are often represented: S-R-I-SA-SA-SA, where S is the letter S, R is the revision number of the SID binary format (currently 1), I is a 48-bit identifier authority value, and SA is a 32-bit subauthority. For example, S-1-5-32-547 represents the Power Users group. The numbers 32 and 547 represent subauthority values that help make the SID unique.

The identifier authority represents the outermost scope of the name, and it identifies a unique namespace via a 48-bit identifier. One can only imagine the original intended use for this field; perhaps it was designed to allow 48-bit IEEE 802 addresses to be used to give any third-party vendor its own namespace. The vast majority of SIDs, however, are issued within the NT Authority namespace, whose value is 0x000005. Other interesting namespaces include World Authority (0x000001), which is used for the well-known SID S-1-1-0, more commonly known as Everyone. In certain specialized applications, you might find other values for the identifier authority, so don't make assumptions in your code about its value.

The identifier authority is then combined with either a well-known subauthority (such as the BUILTIN domain, which is present on all Windows machines) or a set of subauthorities determined from the unique machine ID assigned when Windows was installed on the machine. As examples, here are two well-known principals that are automatically created whenever you install Windows on a machine:

• Administrator: S-1-5-21-XXXX-XXXX-XXXX-500

• Guest: S-1-5-21-XXXX-XXXX-XXXX-501

In place of XXXX, you'll find the 32-bit subauthority values that comprise the 96-bit unique ID of the machine that generated the SID. This virtually guarantees that two machines won't generate the same SIDs.[1] After the subauthority values that define a unique namespace, you'll find a number that identifies the principal within the namespace. In the above example, the number 500 identifies Administrator and the number 501 identifies Guest.

There is clearly a pattern that you can rely on here. For instance, the number 21 is used to prefix the three machine-specific subauthority values, and the number 501 always represents the special principal named Guest, no matter what machine you happen to be working on. Each of these well-known values is also called a RID (for Relative ID), and winnt.h includes definitions for the ones used by the core Windows OS. I've included a list of well-known SIDs in HowToProgramWithSIDs that you might find useful, and version 2.0 of the .NET Framework has an enumeration called WellKnownSidType that makes it easy to specify these SIDs in an ACL. This is important when writing internationalized code: Guest is not spelled the same way in German as it is in Japanese, so instead of referring to well-known principals by name, it's much safer (and more efficient) to form the SIDs programmatically (HowToProgramWithSIDs).
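As an added illustration (not code from this wiki or from the .NET Framework), here is a Python parser for the S-R-I-SA-SA-SA text form that also packs and unpacks the binary SID layout, walks the authority/namespace/RID hierarchy for the well-known values named above, and forms Administrator and Guest from a namespace plus RID instead of a localized name. The machine-specific subauthority values in MACHINE are constructed, not taken from any real machine.

```python
import struct

# Values the page names; the NT Authority / BUILTIN / RID constants match winnt.h.
WORLD_AUTHORITY, NT_AUTHORITY = 1, 5          # 48-bit identifier authorities
SUBAUTH_NON_UNIQUE, SUBAUTH_BUILTIN = 21, 32  # machine-specific prefix; BUILTIN domain
RID_ADMINISTRATOR, RID_GUEST, RID_POWER_USERS = 500, 501, 547

def parse_sid(text):
    """Split 'S-R-I-SA-SA-...' into (revision, identifier_authority, [subauthorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or int(parts[1]) != 1:
        raise ValueError("not a revision-1 SID string: %r" % text)
    authority = int(parts[2], 0)              # decimal, or 0x... when it exceeds 32 bits
    subs = [int(p) for p in parts[3:]]
    if authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("field out of range in %r" % text)
    return 1, authority, subs

def sid_to_bytes(text):
    """Binary layout: revision byte, subauthority count byte, 6-byte big-endian
    identifier authority, then each 32-bit subauthority little-endian (variable length)."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes; rejects blobs whose length disagrees with the count byte."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID blob length does not match subauthority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def describe(text):
    """Walk the hierarchy the page describes: authority, then namespace, then RID."""
    _, authority, subs = parse_sid(text)
    if authority == WORLD_AUTHORITY and subs == [0]:
        return "Everyone (World Authority)"
    if authority != NT_AUTHORITY:
        return "identifier authority %d: not NT Authority, do not assume layout" % authority
    if len(subs) == 2 and subs[0] == SUBAUTH_BUILTIN:
        return "BUILTIN alias, RID %d%s" % (subs[1], " (Power Users)" if subs[1] == RID_POWER_USERS else "")
    if len(subs) == 5 and subs[0] == SUBAUTH_NON_UNIQUE:   # 21 + 96-bit machine ID + RID
        name = {RID_ADMINISTRATOR: "Administrator", RID_GUEST: "Guest"}.get(subs[4], "RID %d" % subs[4])
        return "%s in namespace %s" % (name, "-".join(str(s) for s in subs[1:4]))
    return "other NT Authority SID"

def well_known_sid(namespace_sid, rid):
    """Form a principal's SID from its namespace plus RID rather than from a localized name."""
    return "%s-%d" % (namespace_sid, rid)

# Constructed machine ID (not a real machine's), in the S-1-5-21-XXXX-XXXX-XXXX form.
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"
```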

By the way, in case you've never looked, bring up your registry editor and drill down into HKEY_USERS. You'll see a bunch of registry hives here, named with user SIDs. For more info on what you're looking at, see WhatIsAUserProfile. This is yet another example of where you can find SIDs.

[1] Although if you've ever ghosted a machine, you know that it's important to run sysprep.exe to allow the machine identifier to be recalculated when the new image is first booted.

PortedBy RogerChang

Keith's first book-in-a-wiki. If you would like to read the book online or order a physical copy to throw at annoying coworkers, surf to the HomePage. Please note that due to overwhelming wikispam, this particular wiki is no longer editable.