Open Windows NT Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList
SID values are typically displayed
in format:
S-1-5-d1-d2-d3-rid where
- S-1-5 is the SID revision level.
- d1-d2-d3 identifies the domain.
- rid Relative ID for user.
- 500 automatically created Administrator account
- 501 automatically created Guest account
- 1001 First user account created
- 1002 Second user account created
- 500 automatically created Administrator account
fixed value, and is incremented by one for each account created. SIDs are unique
unless one uses cloning. If you clone a workstation, the user accounts on the
two workstations will have the same SIDs. The first user accounts will be
identical, the second, … In workgroup environments, security is based on local
account SIDs giving the duplicate accounts (re: SID), identical access rights.
What one has access to, so does the other.
Since the builtin administrator account is the account with RID=500, it can
not be obscured successfully. There are baby hacker tools which will tell you
which account has RID=500.
There is are freeware utilities user2sid and sid2user, which will
tell you the sid for any account or the user for a particular sid. Should the
user2sid page go offline, the author made the utilities and source code
available to ntbugtraq.
Mark Russinovich and Bryce Cogswell have written the freeware newSID which will generate a new randomSID for a cloned PC or
SID-synchronized with PDC so one can move a BDC from one domain to another. As
icing on the cake, Russinovich and Cogswell provide the source code for
educational purposes,
I am not absolutely convinced but if I had to do, I would give this a try.
