SID (Security Identifier)

From Bauman National Library
This page was last modified on 18 June 2016, at 15:02.
SID (Security Identifier)
Developer(s) Microsoft Windows
Repository {{#property:P1324}}
Written in C++
Operating system Windows
Type Security Identifier
Website Official

Security identifier (SID) — a unique option of variable length, which determines the account and stored in the Windows NT security information. At the beginning of each session, once the user is identified in the system, its SID is extracted from the database and placed in the token [1] Further, this value is used by the operating system for all user actions with the protected objects.

Use Identifiers protection

Windows security uses SIDs in the following security elements:

  1. In security descriptors to identify the owner of an object and primary group [2]
  2. In access control entries, to identify the trustee for whom access is allowed, denied, or audited[3]
  3. In access tokens, to identify the user and the groups to which the user belongs[4]

Types of security identifiers

  1. NULL - S-1-0-0 - SID group, which does not include users. Used only when the SID is unknown;
  2. World - S-1-1-0 - a group that includes all users;
  3. Local - S-1-2-0 - users with direct, physical access to the system;
  4. Creator Owner ID - S-1-3-0 - SID, which is replaced by the user SID that created the object. This SID is used for the inherited ACE.
  5. Creator Group ID - S-1-3-1 - the value of replacing the primary SID of the group to which the user belongs to, who created the object. This the SID, like the previous one, is used for the inherited ACE.


If you do need to work with SIDs, do not manipulate them directly. Instead, use the following functions.

Function Description
Allocates and initializes a SID with the specified number of subauthorities.
Converts a SID to a string format suitable for display, storage, or transport.
Converts a string-format SID to a valid, functional SID.
Copies a source SID to a buffer.
Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
Tests two SIDs for equality. They must match exactly to be considered equal.
Frees a previously allocated SID by using the AllocateAndInitializeSid function.
Retrieves the length of a SID.
Retrieves a pointer to the identifier authority for a SID.
Retrieves the size of the buffer required to store a SID with a specified number of subauthorities.
Retrieves a pointer to a specified subauthority in a SID.
Retrieves the number of subauthorities in a SID.
Initializes a SID structure.
Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities is less than the maximum.
Retrieves the SID that corresponds to a specified account name.
Retrieves the account name that corresponds to a specified SID.


Cite error: Invalid <references> tag; parameter "group" is allowed only.

Use <references />, or <references group="..." />


  1. More information about the access token
  2. More about security descriptors
  3. Details on the application of access control entries
  4. Read more about the application in the access token