Windows Security Identifiers (SID)

S-1-1- to S-1-3-, S-1-5- (SECURITY_NT_AUTHORITY)

PS > Get-CimInstance -ClassName Win32_GroupUser
GroupComponent                                                        PartComponent                                                       PSComputerName
--------------                                                        -------------                                                       --------------
Win32_Group (Name = "Administrators", Domain = "CMON")                Win32_UserAccount (Name = "Administrator", Domain = "CMON")
Win32_Group (Name = "Administrators", Domain = "CMON")                Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Guests", Domain = "CMON")                        Win32_UserAccount (Name = "Guest", Domain = "CMON")
Win32_Group (Name = "IIS_IUSRS", Domain = "CMON")                     Win32_SystemAccount (Name = "IUSR", Domain = "CMON")
Win32_Group (Name = "Performance Log Users", Domain = "CMON")         Win32_SystemAccount (Name = "INTERACTIVE", Domain = "CMON")
Win32_Group (Name = "Performance Log Users", Domain = "CMON")         Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Remote Desktop Users", Domain = "CMON")          Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "System Managed Accounts Group", Domain = "CMON") Win32_UserAccount (Name = "DefaultAccount", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_SystemAccount (Name = "INTERACTIVE", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_SystemAccount (Name = "Authenticated Users", Domain = "CMON")
Win32_Group (Name = "Users", Domain = "CMON")                         Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
Win32_Group (Name = "Debugger Users", Domain = "CMON")                Win32_UserAccount (Name = "tomoyan", Domain = "CMON")
PS > Get-CimInstance -ClassName Win32_SystemAccount | ft Name, SID
Name                          SID
----                          ---
Everyone                      S-1-1-0
LOCAL                         S-1-2-0
CREATOR OWNER                 S-1-3-0
CREATOR GROUP                 S-1-3-1
CREATOR OWNER SERVER          S-1-3-2
CREATOR GROUP SERVER          S-1-3-3
OWNER RIGHTS                  S-1-3-4
DIALUP                        S-1-5-1
NETWORK                       S-1-5-2
BATCH                         S-1-5-3
INTERACTIVE                   S-1-5-4
SERVICE                       S-1-5-6
ANONYMOUS LOGON               S-1-5-7
PROXY                         S-1-5-8
SYSTEM                        S-1-5-18
ENTERPRISE DOMAIN CONTROLLERS S-1-5-9
SELF                          S-1-5-10
Authenticated Users           S-1-5-11
RESTRICTED                    S-1-5-12
TERMINAL SERVER USER          S-1-5-13
REMOTE INTERACTIVE LOGON      S-1-5-14
IUSR                          S-1-5-17
LOCAL SERVICE                 S-1-5-19
NETWORK SERVICE               S-1-5-20
BUILTIN                       S-1-5-32
PS > Get-CimInstance -ClassName Win32_UserAccount | ft Name, SID
Name               SID
----               ---
Administrator      S-1-5-21-862093196-3552257265-3460289004-500
DefaultAccount     S-1-5-21-862093196-3552257265-3460289004-503
Guest              S-1-5-21-862093196-3552257265-3460289004-501
tomoyan            S-1-5-21-862093196-3552257265-3460289004-1001
WDAGUtilityAccount S-1-5-21-862093196-3552257265-3460289004-504
PS > Get-LocalGroup | ft Name, SID
Name                                SID
----                                ---
Debugger Users                      S-1-5-21-862093196-3552257265-3460289004-1002
Access Control Assistance Operators S-1-5-32-579
Administrators                      S-1-5-32-544
Backup Operators                    S-1-5-32-551
Cryptographic Operators             S-1-5-32-569
Device Owners                       S-1-5-32-583
Distributed COM Users               S-1-5-32-562
Event Log Readers                   S-1-5-32-573
Guests                              S-1-5-32-546
Hyper-V Administrators              S-1-5-32-578
IIS_IUSRS                           S-1-5-32-568
Network Configuration Operators     S-1-5-32-556
Performance Log Users               S-1-5-32-559
Performance Monitor Users           S-1-5-32-558
Power Users                         S-1-5-32-547
Remote Desktop Users                S-1-5-32-555
Remote Management Users             S-1-5-32-580
Replicator                          S-1-5-32-552
System Managed Accounts Group       S-1-5-32-581
Users                               S-1-5-32-545

S-1-15- (Capability SID)

PS > Get-ItemPropertyValue -Path HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses -Name AllCachedCapabilities
...
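
As an added example (not part of the original page), the following PowerShell function sorts a SID string into the groups used by the headings above, using only the structure of the string and no name lookup. The function name Get-SidClass and the class labels are assumptions made for this illustration.

```powershell
# Added example: classify a SID string by its structure.
# Get-SidClass and its labels are hypothetical names, not a built-in cmdlet.
function Get-SidClass {
    param([Parameter(Mandatory)][string]$Sid)

    # S-<revision 1>-<identifier authority>-<1 to 15 sub-authorities>
    if ($Sid -notmatch '^S-1-(\d+)((?:-\d+){1,15})$') {
        throw "Not a SID string: $Sid"
    }
    $authority = [uint64]$Matches[1]
    $sub = @($Matches[2].TrimStart('-') -split '-' | ForEach-Object { [uint32]$_ })

    $class = 'Other (not classified here)'
    $domain = $null
    $rid = $null
    if ($authority -eq 5 -and $sub[0] -eq 21 -and $sub.Count -eq 5) {
        # S-1-5-21-<three machine or domain values>-<RID>
        $domain = 'S-1-5-21-' + ($sub[1..3] -join '-')
        $rid = $sub[4]
        # RIDs below 1000 are reserved (500 = Administrator, 501 = Guest);
        # accounts and groups created later start at 1000.
        $class = 'Account or group created after installation'
        if ($rid -lt 1000) { $class = 'Built-in account or group (RID below 1000)' }
    } elseif ($authority -eq 5 -and $sub[0] -eq 32 -and $sub.Count -eq 2) {
        # S-1-5-32-<RID>: local groups such as Administrators (544)
        $rid = $sub[1]
        $class = 'BUILTIN local group'
    } elseif ($authority -eq 15 -and $sub[0] -eq 3) {
        $class = 'Capability SID'
    } elseif ($authority -in 1, 2, 3 -or ($authority -eq 5 -and $sub.Count -eq 1)) {
        # S-1-1-0, S-1-2-0, S-1-3-n and the single-value S-1-5-n entries
        $class = 'Well-known principal'
    }

    [pscustomobject]@{
        Sid = $Sid; Authority = $authority; Class = $class
        DomainSid = $domain; Rid = $rid
    }
}

# Sample input in the forms shown on this page
'S-1-1-0', 'S-1-5-18', 'S-1-5-32-544',
'S-1-5-21-862093196-3552257265-3460289004-500',
'S-1-5-21-862093196-3552257265-3460289004-1001',
'S-1-15-3-1' | ForEach-Object { Get-SidClass $_ } | Format-Table Sid, Class, Rid
```

Because the result depends on the RID and not on the account name, a renamed Administrator account still shows up as RID 500.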
