SID shows instead of Username or friendly name in Windows 10
A Security Identifier (SID) is a unique value of variable length that is used to identify a security principal (such as a security group) in Windows operating systems. SIDs that identify generic users or generic groups are particularly well-known. Their values remain constant across all operating systems. In this post, we will attempt to understand why some SIDs do not resolve to friendly names and then recommend what can be done to resolve any SID to a friendly name if possible.
This information is useful for troubleshooting issues that involve security. It is also useful for troubleshooting display issues in the Windows access control list (ACL) editor. Windows tracks a security principal by its SID. To display the security principal in the ACL editor, Windows resolves the SID to its associated security principal name.
In some places in the Windows UI, as shown in the image above, you see Windows account security identifiers (SIDs) that do not resolve to friendly names. These places include the following:
- File Explorer
- Security Audit reports
- The access control list (ACL) editor in Registry Editor
These SIDs remain unresolved because Windows Server 2012 and Windows 8 introduced a type of SID that is known as a capability SID. By design, a capability SID does not resolve to a friendly name.
The most commonly used capability SID is the following:
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
Windows 10, version 1809 uses more than 300 capability SIDs.
SID shows instead of Username
When you are troubleshooting a SID that does not resolve to a friendly name, first make sure that it is not a capability SID.
Caution: DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.
To get a list of all of the capability SIDs that Windows has a record of, follow these steps:
1. Press Windows key + R.
2. In the Run dialog box, type regedit and press Enter to open Registry Editor.
3. Navigate or jump to the following registry key path:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\
4. In the right pane, double-click the AllCachedCapabilities entry.
5. Copy all of the data in the Value data box and paste it into a text editor of your choice, where you can search the data. This value may not include all capability SIDs that third-party applications use.
6. Search the data for the SID that you are troubleshooting.
If you find the SID in the registry data, then it is a capability SID. By design, it will not resolve into a friendly name. If you do not find the SID in the registry data, then it is not a known capability SID. You can continue to troubleshoot it as a normal unresolved SID. Keep in mind that there is a small chance that the SID could be a third-party capability SID, in which case it will not resolve into a friendly name.
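The same triage, scripted in PowerShell as an added example (this is not code from the original article). It combines the registry search described above with two checks the article does not spell out: the structural rule that capability SIDs start with S-1-15-3 (from Microsoft's well-known SID list), and the name lookup the ACL editor itself performs. It assumes the AllCachedCapabilities value can be scanned as text for SID strings; the sample SID is the one quoted in the article.

```powershell
# Added example: classify an unresolved SID before spending time on it.
param(
    # Sample input: the capability SID quoted in the article.
    [string]$Sid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'

# 1. Structural check: capability SIDs use the app package authority (15)
#    with first sub-authority 3, so the prefix alone is a strong signal.
$isCapabilityByPrefix = $Sid -match '^S-1-15-3-'

# 2. Registry check, mirroring the manual steps in the article. A miss is not
#    conclusive: third-party capability SIDs may be absent from this value.
$inCache = $false
$item = Get-ItemProperty -Path $keyPath -Name 'AllCachedCapabilities' -ErrorAction SilentlyContinue
if ($null -ne $item) {
    # Assumption: treat the value as text (REG_SZ or REG_MULTI_SZ) and search it
    # for the exact SID, so the script does not depend on its precise layout.
    $text = [string]::Join("`n", [string[]]$item.AllCachedCapabilities)
    $inCache = $text -match [regex]::Escape($Sid)
}

# 3. Name lookup, the same resolution the ACL editor performs. Capability SIDs
#    fail here by design (IdentityNotMappedException), which is expected.
try {
    $account = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
        [System.Security.Principal.NTAccount]).Value
} catch {
    $account = $null
}

if ($isCapabilityByPrefix -or $inCache) {
    $verdict = 'Capability SID: will not resolve by design; leave it in the ACL'
} elseif ($account) {
    $verdict = 'Resolved to an account'
} else {
    $verdict = 'Not a known capability SID: troubleshoot as a normal unresolved SID'
}

[pscustomobject]@{
    Sid                  = $Sid
    ResolvedName         = $account
    CapabilityByPrefix   = $isCapabilityByPrefix
    InCachedCapabilities = $inCache
    Verdict              = $verdict
}
```

Run it with `-Sid` set to the SID shown in the ACL editor; reading the registry value needs no elevation, so it is safe to use on a production host during troubleshooting.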
Capability SIDs
Capability SIDs uniquely and immutably identify capabilities. In this context, a capability is an un-forgeable token of authority that grants a Windows component or a Universal Windows Application access to resources such as documents, cameras, locations, and so forth. An application that “has” a capability is granted access to the resource that is associated with the capability. An application that “does not have” a capability is denied access to the associated resource.