Awesome

Get Windows SID Information Command-Line Utility

Dumps information about Windows Security Identifiers (SIDs) as JSON. Released under a MIT or LGPL license.

Learn about SIDs, this tool, and much more:

Features

• Command-line action!
• Dumps the results of the LookupAccountSid()/LookupAccountName() and NetUserGetInfo() Windows APIs as JSON. Easily consumed by most programming and scripting languages.
• Pre-built binaries using Visual Studio (statically linked C++ runtime, minimal file size of ~112K, direct Win32 API calls).
• Windows subsystem variant.
• Unicode support.
• Has a liberal open source license. MIT or LGPL, your choice.
• Sits on GitHub for all of that pull request and issue tracker goodness to easily submit changes and ideas respectively.

Useful Information

Running the command with the /? option will display the options:

(C) 2021 CubicleSoft.  All Rights Reserved.

Syntax:  getsidinfo.exe [options] SIDorAcct [SID2orAcct] [SID3orAcct] ...

Options:
        /v
        Verbose mode.

        /system=SystemName
                Retrieve information from the specified system.

        /file=OutputFile
                File to write the JSON output to instead of stdout.

Example usage:

C:\>wmic useraccount get name,sid
Name                SID
Administrator       S-1-5-21-1304824241-3403877634-2989090281-500
DefaultAccount      S-1-5-21-1304824241-3403877634-2989090281-503
Guest               S-1-5-21-1304824241-3403877634-2989090281-501
T2                  S-1-5-21-1304824241-3403877634-2989090281-1003
WDAGUtilityAccount  S-1-5-21-1304824241-3403877634-2989090281-504

C:\>getsidinfo S-1-5-21-1304824241-3403877634-2989090281-1003 S-1-5-32-544
{"S-1-5-21-1304824241-3403877634-2989090281-1003": {"success": true, "sid": "S-1-5-21-1304824241-3403877634-2989090281-1003", "domain": "MY-PC", "account": "T2", "type": 1, "net_info": {"full_name": "", "comment": "", "user_comment": "", "password_age": 5855194, "password_expired": 0, "bad_passwords": 0, "num_logons": 4, "priv_level": 1, "flags": 66081, "auth_flags": 0, "home_dir": "", "home_dir_drive": "", "profile": "", "script_path": "", "params": "", "workstations": "", "last_logon": 1612641291, "last_logoff": 0, "acct_expires": -1, "disk_quota": -1, "units_per_week": 168, "logon_hours": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "logon_server": "\\\\*", "country_code": 0, "code_page": 0, "primary_group_id": 513, "internet_identity": false, "reg_profile_path": "C:\\Users\\T2"}},

"S-1-5-32-544": {"success": true, "sid": "S-1-5-32-544", "domain": "BUILTIN", "account": "Administrators", "type": 4}}

C:\>getsidinfo MY-PC\Guest
{"MY-PC\\Guest": {"success": true, "sid": "S-1-5-21-1304824241-3403877634-2989090281-501", "domain": "MY-PC", "account": "Guest", "type": 1, "net_info": {"full_name": "", "comment": "Built-in account for guest access to the computerdomain", "user_comment": "", "password_age": 0, "password_expired": 0, "bad_passwords": 0, "num_logons": 0, "priv_level": 0, "flags": 66147, "auth_flags": 0, "home_dir": "", "home_dir_drive": "", "profile": "", "script_path": "", "params": "", "workstations": "", "last_logon": 0, "last_logoff": 0, "acct_expires": -1, "disk_quota": -1, "units_per_week": 168, "logon_hours": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "logon_server": "\\\\*", "country_code": 0, "code_page": 0, "primary_group_id": 513, "internet_identity": false}}}

The second command dumps information about two SIDs - one user account and the BUILTIN\Administrators group. The third command dumps information using an account name instead of SID.

Windows Subsystem Variant

While getsidinfo.exe is intended for use with console apps, getsidinfo-win.exe is intended for detached console and GUI applications. Starting getsidinfo.exe in certain situations will briefly flash a console window before displaying the error message. Calling getsidinfo-win.exe instead will no longer show the console window.

There is one additional option specifically for messagebox-win.exe called /attach which attempts to attach to the console of the parent process (if any).

More Information

The Windows registry also contains several SIDs not available using the 'wmic' tool and associated user profile paths on the local system:

C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s /t REG_EXPAND_SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1304824241-3403877634-2989090281-1003
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\T2

SIDs, such as BUILTIN\Administrators (S-1-5-32-544), are known as "Well-Known SIDs." Microsoft publishes a mostly complete list of Well-Known SIDs.

Related Tools

• GetTokenInformation - Dumps information about Windows security tokens (SIDs, privileges, etc) as JSON.
• CreateProcess - A powerful Windows API command-line utility that can start processes with all sorts of options including custom user tokens.