Forums
Main Category
General (Technical,...
Interpretation of S...
 
Notifications
Clear all

Interpretation of SID values

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Chris_Ed 13 years ago
5 Posts
5 Users
0 Reactions
1,052 Views
RSS
 wodarz
(@wodarz)
New Member
Joined: 16 years ago
Posts: 1
Topic starter 10/10/2012 6:48 pm  

If I have files on 2 external drives with the following SID values

S-1-5-21-2052111302-287218729-682003330-1003
S-1-5-21-602162358-1202660629-682003330-1003

What conclusions about the computer or computers that accessed those drives can be made?

I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the
5,6 and 7 segment. The account is in the 8th segment.
I have not found anything on how the domain segments are determined except
that they come out of an entry in the registry.

So the question is if only some segments of the domain match what (if anything) does this tell us about the domains, network, machines etc?

DW


   
Quote
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
10/10/2012 7:08 pm  

As far as I've ever heard, the 5-7 segments are unique to the computer/domain. They do not, however, encode anything about the machine into it, if that is what you are asking. They are a unique number much like the your car's license plate is unique. It doesn't actually encode any information about the car into the license plate number.

On possible tidbit of note is that the relative smallness of the RIDs (1003) makes me suspect these are standalone computers, not domain computers. On my computer, the RIDs are 1624 and 1619 (for a 4 person lab).

I am afraid that you won't really know more until/if you track down the originating computers.


   
ReplyQuote
 ludlowboy
(@ludlowboy)
Trusted Member
Joined: 15 years ago
Posts: 71
10/10/2012 7:34 pm  

There is quite a bit about SIDs on the Microsoft Support page.

http//support.microsoft.com/kb/243330

Hope this helps.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
11/10/2012 3:08 am  

If I have files on 2 external drives with the following SID values

S-1-5-21-2052111302-287218729-682003330-1003
S-1-5-21-602162358-1202660629-682003330-1003

What conclusions about the computer or computers that accessed those drives can be made?

It depends.

When you say, "…I have files on 2 external drives with the following SID values", to what are you referring, specifically?

I have found information on the parsing of SIDs that indicates that the accessing domain is shown in the
5,6 and 7 segment. The account is in the 8th segment.
I have not found anything on how the domain segments are determined except
that they come out of an entry in the registry.

So the question is if only some segments of the domain match what (if anything) does this tell us about the domains, network, machines etc?

Generally, different SIDs would show access by different types (local, domain) of user accounts on a domain-connected system. But again, when all you say is, "…I have files…with the following SID values…", to what are you referring? Ownership? Security ACLs? Is this something in the files?


   
ReplyQuote
Chris_Ed
 Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
11/10/2012 12:59 pm  

There is quite a bit about SIDs on the Microsoft Support page.

http//support.microsoft.com/kb/243330

Hope this helps.

That is a super-useful link. Bookmarked! D


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: