XPe tip #13: SID issues

We all know about possible issues that duplicated SIDs can create in your system setup and open a security hole on the network [ok, if you don't, read this]. Probably the best explanation to these issues were given by Mark Russinovich and Bryce Cogswell on the documentation page for NewSID tool.

Anyway, I am not writing this to start another thread on the SID duplication problem (if you Google for it, there are tons of similar discussion on the subject). I have recently answered a question in the newsgroup where the poster was surprised by not seeing the SIDs under HKEY_USERS key. It appeared that he was looking for long GUID-like subkeys but was playing with Minlogon based image. Here is the thread. As you may read, the poster was looking for actually Admin or User account SID which is not supported by Minlogon.

User SID duplication is not much an issue in Minlogon environment. However, there is still computer SID. You can find that SID somewhere in SAM hive (HKLM\SECURITY\SAM), typically listed in the list of Members keys. Much easier way to find out that SID though is to run PsGetSid utility from sysinternals.com. Here is where you can download it as a part of PsTools package.

Here is a list of well-known SIDs defined by Microsoft.
The one you're definitely going to catch with Minlogon image is S-1-5-18, a special account used by the operating system (aka LocalSystem account).

For Administrator account you would be looking for something like S-1-5-21-191058668-193157475-1542849698-500 on Winlogon images only. The only bolded part is machine dependent and generated randomly. All user accounts on the same system are going to have incrementally increased four last digits of the SID shown above. (1000, 1001, etc. instead of 500).
You can see the list of SIDs assigned to the user accounts on your system by exploring subkeys under [HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList] key.

And last, the good intro into what SID is on MSDN.