Determining user's groups from Windows image

26 Posts
7 Users
0 Reactions
6,139 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Hogfly,

I checked my work computer this morning, which is part of a domain, and I have the Registry key you mentioned.

However, all of the entries are SIDs.

I'll keep the key in mind, and add it to my list, though…it could be useful in other scenarios.

Thanks,

Harlan


andy1500mac
(@andy1500mac)
Trusted Member
Joined: 21 years ago
Posts: 79
 

Thanks Harlan,

From what I see under the key hogfly mentioned (I'm on a domain
using Windows XP Pro), my GroupMembership key contains
a unique SID for each of the twenty group entries (numbered 0-19).

I assume some are local groups that XP comes bundled with, such as
Power Users, Debugger Users and HelpServices groups (I have 9 local).
The rest I would guess, but can't be sure, are SIDs for the domain-related groups…

With access to the domain controller that the windows image normally
logged on to you could probably get the "names" of the groups if need be.

Unfortunately I can't go poking around too much but if the above is correct then the SID in essence is the group…?

Andrew-


arashiryu
(@arashiryu)
Estimable Member
Joined: 20 years ago
Posts: 122
 

I checked my XP Pro workstation and found the registry entries mentioned by hogfly.

I grabbed one of the SIDs and resolved it with a utility called SidToName. It is a command line util.

The SID was resolved to a group name.

JACKPOT

Sidtoname can be downloaded from

http://www.joeware.net/win/free/tools/sidtoname.htm


hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

There is a list of well-known SIDs published as part of the Microsoft Windows Security Resource Kit.

A list of them is here:
http://support.microsoft.com/?kbid=243330

It also appears that AccessData Registry Viewer will do the group SID translation for you if you load the SAM hive. Can others test this?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

arashiryu,

The tool you mention uses a publicly available API to get the information from a live system…which, while useful in some ways, doesn't really answer my question.

Hogfly,

I'll see what I can do on my end…

Harlan


arashiryu
(@arashiryu)
Estimable Member
Joined: 20 years ago
Posts: 122
 

arashiryu,

The tool you mention uses a publicly available API to get the information from a live system…which, while useful in some ways, doesn't really answer my question.

I don't understand. Please explain. Do you mean not forensically sound?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

arashiryu,

I've been trying to find a way to determine the groups a user has membership in, using nothing more than an image, opened in ProDiscover.

I am not asking for methods to determine group membership from live systems.

Harlan


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

All,

I've been doing some limited testing this morning on a standalone (not networked, not part of a domain, etc) XP Pro SP 2 system.

I created a user via the GUI, and created another user via the 'net user' command. These are the only two user accounts on the system besides the Administrator. The Administrator is in the Administrators group only, and the other two users (i.e., test and test2) are in the Users group only.

Looking at the SIDs in the Registry, all users have the same SID…the only difference is the RID.

Changing the group membership doesn't seem to change the SID at all.

Harlan


(@youcefb9)
Eminent Member
Joined: 20 years ago
Posts: 38
 

If you are using NTFS, my understanding is that users' and groups' SID/RID are stored as part of the file attributes used by the user. Could that help in gleaning group membership?

Obviously, if some SIDs are domain-based you would need access to the domain controller to map these SIDs to group names.

For the pure user/group relationship (with no file association), this is defined in the local SAM for local accounts and the domain SAM for domain accounts.

Where exactly in the SAM these keys are is the crux of the matter. I would try to do my research and see what turns up.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I'm not sure that NTFS has a whole lot to do with it, as you're still able to assign users to groups on a FAT filesystem…you just don't get the security mechanisms inherent to NTFS.

I've done some research, running "net localgroup users" while running Regmon. I saw accesses to HKLM\SAM\SAM\Domains\Account\V and …\Builtin\V. Then I saw accesses to HKLM\SAM\SAM\Domains\Builtin\Aliases\00000221. I think this may be the alias within the SAM for the Users group. Afterward, I saw accesses to the V structures for HKLM\SAM\SAM\Domains\Account\Users\000003F0 and 000003F1…if I parse the V structures, I find the names of the two users' accounts (respectively) that are assigned to the Users group.

More testing needs to be done.

Harlan


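The thread turns on two facts: a local account's SID is the machine SID plus a RID (Harlan's observation), and the SAM alias subkey names are RIDs written in hex (so 00000221 is RID 545, the well-known BUILTIN\Users alias from the KB article hogfly cites). The following added example, which is not from the thread or any of the posters, decodes a raw SID blob as stored on disk, maps alias key names to RIDs, and resolves well-known SIDs and RIDs without touching a live system; the machine SID and the KB-derived name table are constructed sample data.

```python
import struct

# Well-known SIDs and RIDs, a subset of the list in MS KB 243330 (constructed table).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_binary_sid(blob):
    """Decode the on-disk SID layout: revision (1 byte), sub-authority count (1 byte),
    6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) < 8 + 4 * count:
        raise ValueError("not a valid SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def alias_key_to_rid(key_name):
    """SAM\\Domains\\Builtin\\Aliases\\<name> subkeys are the RID as 8 hex digits."""
    return int(key_name, 16)


def split_sid(sid):
    """Return (issuing domain/machine SID, RID): the last sub-authority is the RID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def resolve(sid):
    """Name a SID offline: well-known SID first, then well-known RID; otherwise the
    account must be looked up in the image's SAM (local) or on the DC (domain)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "unresolved (RID %d)" % rid)


if __name__ == "__main__":
    machine = "S-1-5-21-1234567890-987654321-111111111"  # constructed machine SID
    for rid in (500, 0x3F0, 0x3F1):  # Administrator plus the two test users' RIDs
        print("%s-%d -> %s" % (machine, rid, resolve("%s-%d" % (machine, rid))))
    print("Aliases\\00000221 -> RID %d" % alias_key_to_rid("00000221"))
```

Any sub-authority chain that does not match a well-known SID or RID still needs the image's own SAM (or the domain controller) to produce a name, which is exactly the gap the thread is working through.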