Security Identifier
Identifier used for user accounts and groups in Microsoft Windows
title: "Security Identifier" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["identifiers", "microsoft-windows-security-technology", "unique-identifiers", "windows-nt-architecture"] description: "Identifier used for user accounts and groups in Microsoft Windows" topic_path: "technology/operating-systems" source: "https://en.wikipedia.org/wiki/Security_Identifier" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
::summary Identifier used for user accounts and groups in Microsoft Windows ::
Security Identifier (SID) is a unique, immutable identifier of a user account, user group, or other security principal in the Windows NT family of operating systems. A security principal has a single SID for life (in a given Windows domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.
Overview
Windows grants privileges and access to resources based on access control lists (ACLs). Each entry on the list defines one SID and a set of permissions for that SID. When a user logs into a PC, Windows generates an access token that contains the user SID, the group SIDs to which the user account belongs, and the user privilege level. When a user requests access to a resource, its ACL is checked against the user's access token to permit or deny a particular action on a particular object.
Structure
The human-readable representation of a SID is a string that starts with "S-" and consists of several dash-separated numbers. For example, "S-1-5-21-3623811015-3361044348-30300820-1013" could be a user account's SID. The following table explains the components of this example SID.
::data[format=table title="Anatomy of a SID"]
| Component | Example | Explanation |
|---|---|---|
| Header | S | Identifies the string as a SID |
| Revision level | 1 | The version number of the SID specification. To date, "1" is the only valid number. |
| Authority | 5 | See below |
| Subauthorities | 21-3623811015-3361044348-30300820 | In this example, "21" indicates a "domain" subauthority. The following 96-bit ID is a domain identifier. |
| Relative ID (RID) | 1013 | Uniquely identifies the principal within its subauthority group. In the context of domain accounts (which is the focus of our example), RIDs greater than 1000 indicate an admin-defined principal (as opposed to a predefined, built-in, or special-purpose generic principal). |
::
Originally, SIDs were supposed to allow arbitrarily deep nesting, with each level allowed to create sub-authorities underneath itself. However, that goal was abandoned early in Windows NT development, when it was decided that it would be too unmanageable in practice; by then, however, the SID format had already been finalized and was in heavy use in the Windows code.
Identifier authority
Identifier authorities are formally defined as six-byte (48-bit) quantities. The identifier authority is expressed in decimal if its value is less than 2^32, otherwise in hexadecimal. However, while this is the behavior formally defined by Microsoft, and implemented by the relevant Windows APIs (e.g. RtlConvertSidToUnicodeString), hexadecimal identifier authorities appear to have never been used in practice. All known values fit in the least significant byte, and the other 5 bytes are always zero. Identifier authorities are stored in big-endian format, even on little-endian CPU architectures.
::data[format=table title="Valid identifier authority values (sources: Microsoft support, Well-known security identifiers in Windows operating systems; [MS-DTYP] Well-Known SID Structures)"]
| Authority | Formal name | First introduced | Notes |
|---|---|---|---|
| 0 | Null Authority | | e.g., "Nobody" (S-1-0-0) |
| 1 | World Authority | | e.g., well-known groups such as "Everyone" (S-1-1-0) |
| 2 | Local Authority | | e.g., flag SIDs like "CONSOLE LOGON" |
| 3 | Creator Authority | | |
| 4 | Non-unique Authority | | |
| 5 | NT Authority | | Managed by the NT security subsystem. There are many sub-authorities such as "BUILTIN" and every Active Directory Domain |
| 9 | Resource Manager Authority | | |
| 10 | Passport Authority | | |
| 11 | Microsoft Account Authority | Windows 8 | |
| 12 | Azure Active Directory | Windows 10 | |
| 16 | Mandatory Label Authority | Windows Vista | Used as part of Mandatory Integrity Control |
| 18 | Authentication Authority | | |
| 19 | Process Trust Authority | | |
::
Subauthority
::data[format=table title="S-1-5 subauthority values (source: winterdom, IIS AppPool Identity SIDs)"]
| Decimal | Name | First introduced | Format and purpose |
|---|---|---|---|
| 1 | Dial-up Login | | S-1-5-1. |
| 2 | Network Login | | S-1-5-2. |
| 3 | Batch Login | | S-1-5-3. |
| 4 | Interactive Login | | S-1-5-4. |
| 6 | Service Login | | S-1-5-6. |
| 7 | Anonymous Login | | S-1-5-7. |
| 8 | Proxy Login | Windows Server 2003 | S-1-5-8 is the SID of the "SECURITY_NT_AUTHORITY" proxy. |
| 9 | Enterprise Domain Controllers | | S-1-5-9. |
| 10 | Principal Self | | S-1-5-10. |
| 11 | Authenticated Users | Windows NT 4.0 | S-1-5-11. |
| 12 | Restricted Code | Windows 2000 | S-1-5-12. |
| 13 | Terminal Server User | | S-1-5-13. |
| 14 | Remote Interactive Login | | S-1-5-14. |
| 15 | This Organisation | | S-1-5-15. |
| 17 | IUSR | | S-1-5-17. |
| 18 | LocalSystem | Windows NT 3.1 | S-1-5-18 is the SID of the LocalSystem account on all Windows machines. |
| 19 | LocalService | Windows XP | S-1-5-19 is the SID of the LocalService account on all Windows machines. |
| 20 | NetworkService | Windows XP | S-1-5-20 is the SID of the NetworkService account on all Windows machines. |
| 21 | Domain | Windows NT 3.1 | S-1-5-21--, where `` is in the form of --. See below for details. |
| 32 | Builtin | Windows NT 3.1 | S-1-5-32-. Example: S-1-5-32-544 (the built-in Administrators group). |
| 33 | Write Restricted Code | Windows 7 | S-1-5-33. |
| 64 | Authentication | | S-1-5-64-, where `` is one of the following: |
| 80 | NT Service | Windows Vista | S-1-5-80-, where `` is a service identifier. "0" (zero) is reserved for the ALL SERVICES group (hence, S-1-5-80-0's fully qualified name is NT SERVICE\ALL SERVICES). |
| 82 | IIS AppPool | Windows 7 | |
| 83-0 | Virtual Machines | Windows 7 | S-1-5-83-0 is the SID of the "NT VIRTUAL MACHINE\Virtual Machines" group, which maintains a list of all Hyper-V virtual machines. |
| 83-1 | Virtual Machine | Windows 7 | S-1-5-83-1----. |
| 90 | Windows Manager | Windows 7 | S-1-5-90-0 is the SID of the "Windows Manager Group", a built-in group that maintains all virtual accounts of the Desktop Windows Manager (DWM). |
| 96 | User-Mode Driver Framework | Windows 7 | S-1-5-96-0-, where `` is a number, is the SID format of a User-Mode Driver Framework (UMDF) virtual account. For example, S-1-5-96-0-1 pertains to UMDF-1. The User-mode Font Driver Host (fontdrvhost.exe) runs in the context of a UMDF account. |
| 113 | Local Account | | S-1-5-113. |
| 114 | Local Account & Administrator | | S-1-5-114. |
| 1000 | Other Organisation | | S-1-5-1000. |
::
Domain SIDs
SIDs that start with "S-1-5-21" are noticeably longer than most other SIDs (with the notable exception of service SIDs). Their general format is: S-1-5-21--, where `` is in the form of --.
The Domain ID uniquely identifies a Windows domain. The RID specifies a principal (user account, group account, or computer account) within that domain.
If the RID portion is greater than 1000, the resulting SID pertains to an admin-defined user account, user group, or computer account, e.g., S-1-5-21-3361044348-30300820-3623811015-1001. The name of this account could be anything, e.g., Domain.local\JaneDoe.
If the RID portion is smaller than 1000, the resulting SID pertains to a predefined (built-in) user account or user group. For example, RID 500 identifies the controversial "Administrator" user account, while RID 512 pertains to the "Domain Admins" group.
Machine SIDs
Machine SIDs are a variety of domain SIDs (S-1-5-21) with a 96-bit domain ID (a machine is considered its own local domain) but no RID. Their general format is: S-1-5-21-, where `` is in the form of --.
The machine SID is stored in the SECURITY hive of the Windows Registry, more specifically at HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account. This key has two values: F and V. The latter is a raw binary value that has the machine SID embedded within it at the end of its data (last 96 bits). (Some sources state that it is stored in the SAM hive instead.)
::callout[type=info title="NewSID readme"] NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID. ::
The machine SID is stored in a raw-bytes form in the registry. To convert it into the more common numeric form, one interprets it as three little-endian 32-bit integers, converts each to decimal, and adds hyphens between them.
::data[format=table title="Example of decoding machine SID"]
| Raw form (hexadecimal representation) | Split the bytes into 3 groups of four octets | Reverse the order of bytes in each group | Convert each group into decimal | Add the machine SID prefix |
|---|---|---|---|---|
| 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B | 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B | 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07 | 1085031214 - 1563985344 - 725345543 | S-1-5-21-1085031214-1563985344-725345543 |
::
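The binary layout described under "Identifier authority" (one byte revision, one byte sub-authority count, a big-endian 48-bit identifier authority, then little-endian 32-bit sub-authorities) and the machine-SID decoding in the table above can both be exercised in a few lines of Python. The following is an added example, not code from Wikipedia, Microsoft or any Windows API; the function names (`parse_sid`, `build_sid`, `machine_sid_from_v_value`, `split_domain_sid`) are this example's own, and the V-value bytes it feeds in are a constructed sample wrapped around the 12 raw bytes from the table, not a real registry dump.

```python
import struct

SID_REVISION = 1           # the only SID revision defined so far
MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in the Windows headers


def parse_sid(data: bytes) -> str:
    """Decode a binary SID into the familiar S-1-... string.

    Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian even on little-endian CPUs),
    then `count` sub-authorities, each a little-endian 32-bit integer.
    """
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match data length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    # Formal rule: decimal below 2**32, hexadecimal above (never seen in practice).
    authority_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), authority_text, *map(str, subs)])


def build_sid(text: str) -> bytes:
    """Encode an S-1-... string back into its binary form (inverse of parse_sid)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)          # base 0 accepts both "5" and "0x..."
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION or not 0 <= authority < 2**48:
        raise ValueError("revision or identifier authority out of range")
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("sub-authority count or value out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def machine_sid_from_v_value(v_value: bytes) -> str:
    """Recover the machine SID from the raw 'V' value under
    HKLM\\SECURITY\\SAM\\Domains\\Account: its last 12 bytes are the three
    little-endian 32-bit sub-authorities of the 96-bit domain identifier."""
    if len(v_value) < 12:
        raise ValueError("V value too short to hold a 96-bit domain ID")
    subs = struct.unpack("<3I", v_value[-12:])
    return "S-1-5-21-" + "-".join(map(str, subs))


def split_domain_sid(text: str) -> tuple:
    """Split an S-1-5-21-<domain>-<rid> account SID into (domain SID, RID).
    RIDs below 1000 are predefined principals (500 = Administrator,
    512 = Domain Admins); higher RIDs are administrator-created accounts."""
    parts = text.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID")
    return "-".join(parts[:7]), int(parts[7])


if __name__ == "__main__":
    # Constructed sample: arbitrary leading bytes followed by the 12 raw
    # bytes from the decoding table above (a real V value is much longer).
    sample_v = bytes(20) + bytes.fromhex("2E43AC40C085385D07E53B2B")
    print(machine_sid_from_v_value(sample_v))   # S-1-5-21-1085031214-1563985344-725345543
    user = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(build_sid(user).hex(), parse_sid(build_sid(user)))
    print(split_domain_sid(user))
```

The length check in `parse_sid` matters when SIDs are read from untrusted blobs such as security descriptors or Kerberos PAC data: a sub-authority count that exceeds the buffer is the classic way a malformed SID turns into an out-of-bounds read, so the decoder rejects it before touching the bytes.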
Service SIDs
Service SIDs are a feature of service isolation, introduced in Windows Vista and Windows Server 2008 ("Windows Service Isolation Feature", Windows IT Pro, June 6, 2012).
Each service SID is a local, machine-level SID that has the general form of S-1-5-80-. To generate , Windows copies the service name (in [UTF-16](utf-16) encoding), converts all characters to uppercase, and calculates the [SHA-1](sha-1) digest of said uppercase name. This digest becomes the . The [sc.exe](sc-command) command can be used to generate this special SID value; for example, given the "dnscache" service:
::code[lang=doscon]
C:\>sc showsid dnscache

NAME: dnscache
SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
::
Therefore, the "dnscache" service can be referred to as either NT SERVICE\dnscache or S-1-5-80-859482183-879914841-863379149-1145462774-2388618682. Since a Service SID is determined exclusively by the service name, the value of the SID for a given service is always the same across all machines wherever the service runs.
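The derivation described above (upper-case the service name, encode it as UTF-16, hash it with SHA-1, and lay the 20 digest bytes into five 32-bit sub-authorities under S-1-5-80) can be reproduced off-box, which is useful when an ACL or event log shows only a raw S-1-5-80 SID and no name. The following Python is an added example, not code from Wikipedia or Microsoft; `service_sid` and `resolve_service_sid` are this example's own names, and treating the digest as little-endian 32-bit words with Python's `str.upper()` standing in for Windows' upcasing is this example's assumption (the two can differ for non-ASCII service names).

```python
import hashlib
import struct
from typing import Iterable, Optional


def service_sid(service_name: str) -> str:
    """Derive the NT SERVICE\\<name> SID for a service.

    Steps: upper-case the name, encode it as UTF-16 little-endian (no BOM),
    take the SHA-1 digest, and read the 20 digest bytes as five
    little-endian 32-bit sub-authorities appended to S-1-5-80.
    """
    # Assumption of this example: str.upper() matches Windows' upcasing,
    # which holds for the ASCII names real services use.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(s) for s in subs)


def resolve_service_sid(sid: str, known_services: Iterable[str]) -> Optional[str]:
    """Map an S-1-5-80-... SID seen in an ACL back to a service name.

    SHA-1 is one-way, so the only way back is to recompute the SID for a
    list of candidate names (e.g. the services installed on the host) and
    compare; None means no candidate matched.
    """
    for name in known_services:
        if service_sid(name) == sid:
            return name
    return None


if __name__ == "__main__":
    print(service_sid("dnscache"))
    # Constructed candidate list for the reverse lookup.
    candidates = ["wuauserv", "dnscache", "WinDefend"]
    print(resolve_service_sid(service_sid("dnscache"), candidates))
```

Because the value depends only on the name, the same function works against a SID collected from any machine, which is exactly why the page notes that a service SID is identical everywhere the service runs.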
Duplicated SIDs
A common method of mass-producing Windows PCs is to install Windows on a template machine, and duplicate its disk sector by sector to other identical machines. As a result, these mass-produced machines are identical in every respect, including their SIDs.
Microsoft engineer Mark Russinovich is the creator of a utility called NewSID, the purpose of which was to solve "The SID Duplication Problem." Microsoft retired the utility on November 2, 2009, after Mark and the Windows security team concluded that duplicate SIDs do not pose any problem whatsoever.
References
- (2022-06-14). "[MS-AZOD]: Security Identifiers (SIDs)".
- (2023-12-12). "[MS-DTYP]: SID String Format Syntax".
- (2022-11-04). "RtlConvertSidToUnicodeString function (ntifs.h) - Windows drivers".
- "Well-known security identifiers in Windows operating systems".
- openspecs-office. "[MS-DTYP]: Well-Known SID Structures".
- Honeycutt, Jerry. (2005). "Microsoft Windows Registry Guide". Microsoft Press.
- (2023-06-28). "[MS-PAC]: SID Filtering and Claims Transformation".
- "Outlook2007CodeSamples/SampleWrappedPSTStoreProvider/WrapPST/EdkMdb.h at 10edfa1ce7e6895a4788ad7c766b9120bec0128d · microsoft/Outlook2007CodeSamples".
- See "Custom Principals" section on https://msdn.microsoft.com/en-us/library/aa480244.aspx
- (17 July 2020). "Larry Osterman's WebLog".
- (12 December 2014). "Example impact of Microsoft Accounts on Windows APIs in Windows 8/8.1 – Windows SDK Support Team Blog".
- (28 August 2021). "Security identifiers".
- (24 September 2021). "Some SIDs do not resolve into friendly names".
- "Capability SID Constants (Winnt.h) - Win32 apps".
- (2024-02-22). "SYSTEM_MANDATORY_LABEL_ACE (winnt.h) - Win32 apps".
- (2020-10-30). "[MS-DTYP]: SID_IDENTIFIER_AUTHORITY".
- (2023-02-21). "Sandboxing Antimalware Products for Fun and Profit — Elastic Security Labs".
- (2020-09-02). "IIS AppPool Identity SIDs".
- (November 1, 2006). "MS TechNet NewSID Utility - How It Works". Microsoft.
- (2006-11-01). "NewSID v4.10". Microsoft.
- Russinovich, Mark. (2009-11-03). "The Machine SID Duplication Myth". Microsoft.
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::