Exploring Installations and Security Identifiers

With a shared computer you can get into a situation where one user installed a program and a different user wants to uninstall it. The trouble is that the program may not be listed in Add or Remove Programs when the second user logs in. You need to log in as the original user to view the program as an installed program in the list. So how do you discover who originally installed the program so that you can chase them down?

Search the HKEY_USERS hive in the registry for the name of the product. Chances are you will find it in a location something like this:

HKEY_USERS\<SID>\Software\Microsoft\Installer\Products\<Id>

<SID> is the security identifier (SID) of the user that installed the program. The next step is to look up the SID to determine the friendly name of the account. A SID is made up of a number of components:

S-R-I-S-S-...

The first S simply identifies the string as a SID. The R is the revision level, which is almost always 1. I is the universal authority, of which there are only a few, such as the World (1) and NT (5) authorities. The remaining S components are sub-authority values, the last of which is the relative identifier (RID) of the account itself.

For example S-1-5-20 refers to the Network Service account (SECURITY_NETWORK_SERVICE_RID) that belongs to the NT authority (SECURITY_NT_AUTHORITY). This is a well-known account and will have the same SID on all machines.

Windows provides the ConvertStringSidToSid function to convert a string-formatted SID into a binary SID structure. Once you have a pointer to a SID structure, you can use the LookupAccountSid function to look up the display name of the authority and principal defined by the SID. This function takes care of connecting to the required authority or domain controller to determine the account name.
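The whole procedure above (walk HKEY_USERS for per-user Installer products, then resolve each hive's SID to an account name) as a PowerShell script. This is an added example, not the author's LookupSid tool; it uses the .NET SecurityIdentifier class, which wraps the same LookupAccountSid call, and the product name filter is a constructed sample value.

```powershell
# Added example (not Kenny Kerr's LookupSid tool): walk every user hive loaded
# under HKEY_USERS, list the per-user Windows Installer products registered there,
# and translate each hive's SID to an account name with the .NET
# SecurityIdentifier class, which wraps the same LookupAccountSid call.
# Caveat: HKEY_USERS only contains hives of profiles that are currently loaded,
# so a product installed by a user who is not logged on will not show up until
# that profile's hive is loaded.

function Get-PerUserInstallerProducts {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sidString = $_.PSChildName
            try {
                $sid     = [System.Security.Principal.SecurityIdentifier]$sidString
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Orphaned profile, deleted account, or no domain controller reachable.
                $account = '<unresolved>'
            }

            $productsKey = Join-Path -Path $_.PSPath -ChildPath 'Software\Microsoft\Installer\Products'
            if (Test-Path -Path $productsKey) {
                Get-ChildItem -Path $productsKey | ForEach-Object {
                    [pscustomobject]@{
                        SID         = $sidString
                        Account     = $account
                        ProductId   = $_.PSChildName
                        ProductName = (Get-ItemProperty -Path $_.PSPath).ProductName
                    }
                }
            }
        }
}

# Find who installed a given product, e.g. the one missing from Add or Remove Programs.
# 'Contoso' is a constructed sample product name; replace it with the real one.
Get-PerUserInstallerProducts |
    Where-Object { $_.ProductName -like '*Contoso*' } |
    Format-Table SID, Account, ProductName -AutoSize
```

Run it from an elevated prompt, since reading other users' hives under HKEY_USERS requires administrative rights.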

To automate this process I wrote a simple tool that takes a SID string and displays the account information for it. You can download the source and binary for it here. Here is an example of its use:

C:\>LookupSid.exe S-1-5-20
LookupSid 1.0
Copyright (C) 2004 by Kenny Kerr
http://www.kennyandkarin.com/Kenny/

  Authority: NT AUTHORITY
  Principal: NETWORK SERVICE
       Type: Well-known group

There are probably a lot of tools out there that can do this. It's really not hard once you know how. Incidentally, you can also use the abbreviated SID strings defined for the security descriptor definition language (SDDL):

C:\>LookupSid.exe BA
LookupSid 1.0
Copyright (C) 2004 by Kenny Kerr
http://www.kennyandkarin.com/Kenny/

  Authority: BUILTIN
  Principal: Administrators
       Type: Alias

© 2004 Kenny Kerr