New mutant SIDs appear in local accounts on Creators Update hosts.

  • Question

  • Got an annoying one here. I support a product that needs to save, construct and map SIDs to their names in order to authenticate/map access to remote servers... On a VM created with the current Creators Update ISOs, 3 "Mystery SIDs" appear that cannot be mapped using LookupAccountSid. This causes issues with the product on -- and only on -- the Creators Update. Using domain accounts does not show this issue at all. No "special" SIDs. But how long will that be true?

    The SIDs (which will be displayed below) have 2 issues:

    1) They are a lot longer than "normal" (this breaks the legacy AllocateAndInitializeSid() call which is in most of your examples...). So we already know that we need to figure out an internal storage change. This would have been nice to know beforehand. Maybe in a "security changes in the Creators Update" document... It also looks like we need to move off the legacy API, which I'm sure is documented somewhere...

    2) They do not seem to map to any valid name. This leads to other errors within my product, because it assumes that the inability to look up a SID is an error condition.

    I wrote a tool to take the current process token and dump the group SIDs and names associated with the groups, and toward the end I see this:

    Group  13
            SID: S-1-5-64-10
            Name: NT AUTHORITY\NTLM Authentication
            Attributes: 00000007:SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
    Group  14
            SID: S-1-5-32-4028125388-2803578072-1053907958-341417128-2434011155-477421480-740873757-3973419746
            Name: **NOT MAPPED**\**NOT MAPPED**
            Attributes: 00000007:SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
    Group  15
            SID: S-1-5-32-2745667521-2937320506-1424439867-4164262144-2333007343-2599685697-2993844191-2003921822
            Name: **NOT MAPPED**\**NOT MAPPED**
            Attributes: 00000007:SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
    Group  16
            SID: S-1-5-32-1034403361-4122601751-838272506-684212390-1217345422-475792769-1698384238-1075311541
            Name: **NOT MAPPED**\**NOT MAPPED**
            Attributes: 00000007:SE_GROUP_MANDATORY, SE_GROUP_ENABLED_BY_DEFAULT, SE_GROUP_ENABLED
    Group  17
            SID: S-1-16-8192
            Name: Mandatory Label\Medium Mandatory Level
            Attributes: 00000060:SE_GROUP_INTEGRITY, SE_GROUP_INTEGRITY_ENABLED


    The code in question is essentially a hash of 2-3 different API examples:

    // ProcessSidDump.cpp : Defines the entry point for the console application.
    //
    #define _CRT_SECURE_NO_WARNINGS
    #define MAX_NAME 1024

    #include "stdafx.h"
    #include <windows.h>
    #include <sddl.h>
    #include <stdio.h>
    #include <string.h>

    // Renders the SE_GROUP_* attribute bits of a token group as a readable list.
    // (The body was left out of the post "for readability"; this minimal version is
    // reconstructed from the flag names that appear in the output above.)
    char *DecodeSIDAttributes(char buff[], size_t buffsize, DWORD attributes)
    {
        static const struct { DWORD flag; const char *name; } flags[] = {
            { SE_GROUP_MANDATORY,          "SE_GROUP_MANDATORY" },
            { SE_GROUP_ENABLED_BY_DEFAULT, "SE_GROUP_ENABLED_BY_DEFAULT" },
            { SE_GROUP_ENABLED,            "SE_GROUP_ENABLED" },
            { SE_GROUP_OWNER,              "SE_GROUP_OWNER" },
            { SE_GROUP_USE_FOR_DENY_ONLY,  "SE_GROUP_USE_FOR_DENY_ONLY" },
            { SE_GROUP_INTEGRITY,          "SE_GROUP_INTEGRITY" },
            { SE_GROUP_INTEGRITY_ENABLED,  "SE_GROUP_INTEGRITY_ENABLED" },
            { SE_GROUP_RESOURCE,           "SE_GROUP_RESOURCE" },
            { SE_GROUP_LOGON_ID,           "SE_GROUP_LOGON_ID" },   // two bits, hence the == test below
        };
        buff[0] = '\0';
        for (size_t i = 0; i < sizeof(flags) / sizeof(flags[0]); i++) {
            if ((attributes & flags[i].flag) != flags[i].flag) continue;
            if (buff[0] != '\0') strncat(buff, ", ", buffsize - strlen(buff) - 1);
            strncat(buff, flags[i].name, buffsize - strlen(buff) - 1);
        }
        return buff;
    }

    int main()
    {
        HANDLE hProcToken = NULL;
        PTOKEN_GROUPS pProcGroups = NULL;
        DWORD dwResult;
        DWORD bufflen = 0;
        char buff[1024];

        // strerror() only understands C runtime errno values, not Win32 error codes,
        // so the raw GetLastError() value is printed throughout (FormatMessage would
        // turn it into text).
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hProcToken)) {
            printf("Could not retrieve current process token. Error: %lu\n", GetLastError());
            return 1;
        }

        // How big? First call with no buffer fails with ERROR_INSUFFICIENT_BUFFER
        // and reports the size needed. Shamelessly stolen from the MS web page.
        if (!GetTokenInformation(hProcToken, TokenGroups, NULL, 0, &bufflen)) {
            dwResult = GetLastError();
            if (dwResult != ERROR_INSUFFICIENT_BUFFER) {
                printf("GetTokenInformation 1 Error %lu\n", dwResult);
                CloseHandle(hProcToken);
                return 1;
            }
        }

        // Allocate the buffer.
        pProcGroups = (PTOKEN_GROUPS)GlobalAlloc(GPTR, bufflen);
        if (pProcGroups == NULL) {
            printf("GlobalAlloc Error %lu\n", GetLastError());
            CloseHandle(hProcToken);
            return 1;
        }

        // Call GetTokenInformation again to get the group information.
        if (!GetTokenInformation(hProcToken, TokenGroups, pProcGroups, bufflen, &bufflen)) {
            printf("GetTokenInformation 2 Error %lu\n", GetLastError());
            GlobalFree(pProcGroups);
            CloseHandle(hProcToken);
            return 1;
        }

        printf("\tCurrent process a member of %lu groups\n", pProcGroups->GroupCount);

        for (DWORD groupidx = 0; groupidx < pProcGroups->GroupCount; groupidx++) {
            // The SIDs live inside pProcGroups until GlobalFree, so no CopySid is needed.
            PSID psid = pProcGroups->Groups[groupidx].Sid;
            LPWSTR sidstr = NULL;
            WCHAR domainstr[MAX_NAME] = L"";
            WCHAR namestr[MAX_NAME] = L"";
            DWORD dwNameLen = MAX_NAME, dwDomainLen = MAX_NAME;
            SID_NAME_USE sidType;

            // Get a string SID. ConvertSidToStringSid allocates the string with
            // LocalAlloc, so it must be released with LocalFree on every pass.
            if (!ConvertSidToStringSidW(psid, &sidstr)) {
                wprintf(L"ConvertSidToStringSid() failed, error %lu\n", GetLastError());
                GlobalFree(pProcGroups);
                CloseHandle(hProcToken);
                return 1;
            }

            // Get the name. ERROR_NONE_MAPPED is not a failure of the call itself:
            // the SID is well-formed, there is just no account or well-known name for it.
            if (!LookupAccountSidW(NULL, psid, namestr, &dwNameLen, domainstr, &dwDomainLen, &sidType)) {
                dwResult = GetLastError();
                if (dwResult != ERROR_NONE_MAPPED) {
                    printf("LookupAccountSid 1 Error %lu\n", dwResult);
                    LocalFree(sidstr);
                    GlobalFree(pProcGroups);
                    CloseHandle(hProcToken);
                    return 1;
                }
                lstrcpyW(namestr, L"**NOT MAPPED**");
                lstrcpyW(domainstr, L"**NOT MAPPED**");
            }

            wprintf(L"Group %3lu\n\tSID: %ls\n\tName: %ls\\%ls\n", groupidx, sidstr, domainstr, namestr);
            printf("\tAttributes: %08lx:%s\n", pProcGroups->Groups[groupidx].Attributes,
                   DecodeSIDAttributes(buff, sizeof(buff), pProcGroups->Groups[groupidx].Attributes));

            // Release the string SID allocated by ConvertSidToStringSid.
            LocalFree(sidstr);
        }

        GlobalFree(pProcGroups);
        CloseHandle(hProcToken);
        return 0;
    }
    
    

    I see that LookupAccountSid can take a "systemname" argument to use to resolve on a remote system, but I don't think that's the right way to handle this.

    My questions are:

    1) What are these infernal SIDs?

    2) How do I map them to names, or should I?

    Monday, July 17, 2017 7:13 PM
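Added example, not code from the thread or from Microsoft: a portable C codec for SIDs that shows the two structural facts behind the first problem in the post. A SID carries at most 15 sub-authorities (SID_MAX_SUB_AUTHORITIES in winnt.h, so the largest SID is SECURITY_MAX_SID_SIZE = 68 bytes), while AllocateAndInitializeSid() only takes eight sub-authority parameters. The three unmapped SIDs above have nine, so they are valid SIDs that the legacy call simply cannot construct, and the "internal storage change" is sizing storage for 68 bytes rather than for the short SIDs most examples show. The code parses the text form, serializes to the in-memory layout Windows uses (revision, count, big-endian 48-bit authority, little-endian sub-authorities), reads it back, and flags SIDs beyond the legacy limit. The sample SIDs are copied from the token dump in the post; the sid_t struct and all function names are this example's own, and it does not call the Win32 API, so it builds anywhere.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits from winnt.h: at most 15 sub-authorities, hence 8 + 4*15 = 68 bytes.
 * AllocateAndInitializeSid() takes only eight sub-authority parameters. */
#define SID_MAX_SUB_AUTHORITIES 15
#define SECURITY_MAX_SID_SIZE   (8 + 4 * SID_MAX_SUB_AUTHORITIES)
#define LEGACY_ALLOC_MAX_SUBS   8

typedef struct {                 /* hypothetical portable SID representation */
    uint8_t  revision;           /* always 1 */
    uint8_t  sub_count;
    uint64_t authority;          /* 48-bit identifier authority */
    uint32_t sub[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Parse "S-1-5-32-544" style text: 0 on success, -1 if malformed or if it
 * carries more sub-authorities than a SID can hold. */
int sid_parse(const char *s, sid_t *out)
{
    const char *p = s ? s + 2 : NULL;
    char *end;
    unsigned long long v;

    memset(out, 0, sizeof *out);
    if (!s || toupper((unsigned char)s[0]) != 'S' || s[1] != '-' || !isdigit((unsigned char)*p)) return -1;
    v = strtoull(p, &end, 10);
    if (*end != '-' || v != 1) return -1;            /* only revision 1 exists */
    out->revision = 1;
    p = end + 1;                                     /* authority: decimal, or 0x hex above 2^32 */
    if (!isxdigit((unsigned char)*p)) return -1;
    v = strtoull(p, &end, (p[0] == '0' && toupper((unsigned char)p[1]) == 'X') ? 16 : 10);
    if (end == p || v > 0xFFFFFFFFFFFFULL) return -1;
    out->authority = v;
    while (*end == '-') {                            /* sub-authorities */
        p = end + 1;
        if (!isdigit((unsigned char)*p)) return -1;
        v = strtoull(p, &end, 10);
        if (v > 0xFFFFFFFFULL || out->sub_count == SID_MAX_SUB_AUTHORITIES) return -1;
        out->sub[out->sub_count++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Render back to text. Returns the length written, or -1 if it did not fit. */
int sid_format(const sid_t *sid, char *out, size_t outlen)
{
    int n, i;
    n = (sid->authority > 0xFFFFFFFFULL)
        ? snprintf(out, outlen, "S-%u-0x%llX", (unsigned)sid->revision, (unsigned long long)sid->authority)
        : snprintf(out, outlen, "S-%u-%llu", (unsigned)sid->revision, (unsigned long long)sid->authority);
    for (i = 0; i < sid->sub_count && n > 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - (size_t)n, "-%lu", (unsigned long)sid->sub[i]);
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

/* Serialize to the in-memory layout the Win32 SID APIs expect. Returns the
 * byte length, or 0 if the SID is oversized or the buffer too small. */
size_t sid_to_bytes(const sid_t *sid, uint8_t *buf, size_t buflen)
{
    size_t need = 8 + 4u * sid->sub_count;
    int i;
    if (sid->sub_count > SID_MAX_SUB_AUTHORITIES || buflen < need) return 0;
    buf[0] = sid->revision;
    buf[1] = sid->sub_count;
    for (i = 0; i < 6; i++)                          /* authority is big-endian */
        buf[2 + i] = (uint8_t)(sid->authority >> (8 * (5 - i)));
    for (i = 0; i < 4 * sid->sub_count; i++)         /* sub-authorities are little-endian */
        buf[8 + i] = (uint8_t)(sid->sub[i / 4] >> (8 * (i % 4)));
    return need;
}

/* Inverse of sid_to_bytes, with the length checks IsValidSid() would make. */
int sid_from_bytes(const uint8_t *buf, size_t len, sid_t *out)
{
    int i;
    memset(out, 0, sizeof *out);
    if (len < 8 || buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTHORITIES || len < 8 + 4u * buf[1]) return -1;
    out->revision = buf[0];
    out->sub_count = buf[1];
    for (i = 0; i < 6; i++) out->authority = (out->authority << 8) | buf[2 + i];
    for (i = 0; i < 4 * out->sub_count; i++)
        out->sub[i / 4] |= (uint32_t)buf[8 + i] << (8 * (i % 4));
    return 0;
}

/* 1 if AllocateAndInitializeSid() could build this SID, 0 if it has too many sub-authorities. */
int sid_fits_legacy_alloc(const sid_t *sid) { return sid->sub_count <= LEGACY_ALLOC_MAX_SUBS; }

int main(void)
{
    /* Constructed sample list: the first entry is one of the unmapped SIDs from the post. */
    const char *samples[] = {
        "S-1-5-32-4028125388-2803578072-1053907958-341417128-2434011155-477421480-740873757-3973419746",
        "S-1-5-64-10", "S-1-16-8192" };
    uint8_t raw[SECURITY_MAX_SID_SIZE];
    char text[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sid_t sid;
        if (sid_parse(samples[i], &sid) != 0) { printf("malformed: %s\n", samples[i]); continue; }
        sid_format(&sid, text, sizeof text);
        printf("%s\n  %u sub-authorities, %zu bytes, AllocateAndInitializeSid: %s\n", text,
               (unsigned)sid.sub_count, sid_to_bytes(&sid, raw, sizeof raw),
               sid_fits_legacy_alloc(&sid) ? "ok" : "too many sub-authorities");
    }
    return 0;
}
```

A SID that parses cleanly but comes back from LookupAccountSid with ERROR_NONE_MAPPED is still a valid SID; storing SIDs in a 68-byte buffer and treating ERROR_NONE_MAPPED as "unresolved" rather than as a failure addresses both symptoms the post describes without depending on what the mystery SIDs turn out to be.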

All replies

  • Hi, 

    I consider that some SIDs without any mapped user name could be ones that have been removed from the domain or computers incompletely.

    Please find the SID on the computer it came from and see if such an issue persists.

    In addition, to know more about the coding to get account information, I have to say that it's out of our scope in this forum.

    Please submit a new case at https://social.msdn.microsoft.com/Forums/en-US/home?category=windowsdesktopdev

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.  Thank you for your understanding.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 19, 2017 8:03 AM
    Owner
  • Hi Tronmech,

    Thank you for your post.

    According to your description, I suggest that you could post the issue to the Script forum. You will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=scripting

    Hope it will be helpful to you.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 19, 2017 9:14 AM
    Moderator
  • This is a FRESH virtual machine with NO domain associations. These mystery SIDs appear when attached to ANY new local account -- on Windows version 1703 ONLY. My Windows-Security-Related concerns are: 1) Why did the process token change in the 1703 release to add these mystery SIDs to it? 2) What in the heck ARE these SIDs? I can extract them successfully, but translating them to user names seems to not work. My best guess is that these are new -- UNDOCUMENTED -- "well known security identifiers." I suspect, and can test shortly, that these security IDs will appear on Windows 1607 local accounts if I associate a Microsoft account with them. Which places us right back to this being a Windows security related issue.
    Wednesday, July 19, 2017 5:10 PM
  • Pulling this further out of the "It's an API usage issue" is this output from whoami /groups, which ALSO can't decode the groups:

    PS C:\Users\testuser> whoami /groups

    GROUP INFORMATION
    -----------------

    Group Name                                                    Type             SID                                                                                              Attributes
    ============================================================= ================ ================================================================================================ ==================================================
    Everyone                                                      Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                                                                        Group used for deny only
    BUILTIN\Administrators                                        Alias            S-1-5-32-544                                                                                     Group used for deny only
    BUILTIN\Users                                                 Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                                                                          Mandatory group, Enabled by default, Enabled group
    CONSOLE LOGON                                                 Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                                                                        Mandatory group, Enabled by default, Enabled group
    LOCAL                                                         Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                                                                      Mandatory group, Enabled by default, Enabled group
                                                                  Unknown SID type S-1-5-32-4028125388-2803578072-1053907958-341417128-2434011155-477421480-740873757-3973419746    Mandatory group, Enabled by default, Enabled group
                                                                  Unknown SID type S-1-5-32-2745667521-2937320506-1424439867-4164262144-2333007343-2599685697-2993844191-2003921822 Mandatory group, Enabled by default, Enabled group
                                                                  Unknown SID type S-1-5-32-1034403361-4122601751-838272506-684212390-1217345422-475792769-1698384238-1075311541    Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192

    So, can we please get some information about these mystery SIDs? Associating a Microsoft Account does not make whoami resolve the groups...


    • Edited by Tronmech Wednesday, July 19, 2017 6:44 PM Add more info
    Wednesday, July 19, 2017 6:27 PM