I'm going through permissions on our Windows 11 machines, and ran into this SID having the following permissions on the %SystemDrive%:
- Read
- Traverse folder/Execute file
- List folder/Read data
- Synchronize
I assume that it is an app capabilities SID unique to Windows 11, and it is OK for this SID to have these permissions. Can anyone point me to something from MS either saying what this specific SID is or how to decode the SID? For example, what's up with the 65536 in S-1-15-3-65536-x1-x2-x3-x4-x5-x6-x7-x8? I assume it is a bitmask setting the 15th LSb to 1, but that's a wild guess and doesn't tell me what flag that is supposed to represent.
Some investigation I've done is below:
It appears to be similar to a capability SID because it begins with S-1-15-3.
The only thing I've been able to find that comes close to official guidance from MS is here: https://devblogs.microsoft.com/oldnewthing/20220503-00/?p=106557
| SID | Description |
|---|---|
| Explicitly assigned | |
| S-1-15-3-1 | internetClient |
| S-1-15-3-2 | internetClientServer |
| S-1-15-3-3 | privateNetworkClientServer |
| S-1-15-3-4 | picturesLibrary |
| S-1-15-3-5 | videosLibrary |
| S-1-15-3-6 | musicLibrary |
| S-1-15-3-7 | documentsLibrary |
| S-1-15-3-8 | enterpriseAuthentication |
| S-1-15-3-9 | sharedUserCertificates |
| S-1-15-3-10 | removableStorage |
| S-1-15-3-11 | appointments |
| S-1-15-3-12 | contacts |
| S-1-15-3-4096 | internetExplorer |
| Autogenerated | |
| S-1-15-3-x1-x2-x3-x4 | device capability |
| S-1-15-3-1024-x1-x2-x3-x4-x5-x6-x7-x8 | app capability |
For those app capability SIDs that start with S-1-15-3-1024, "...the eight 32-bit decimal numbers represent the 32 bytes of the SHA256 hash of the capability name. You can programmatically generate these app capability SIDs by calling DeriveCapabilitySidsFromName."
I cannot find any documentation from MS for SIDs starting with S-1-15-3-65536, but it follows the format of the SIDs that start with S-1-15-3-1024.
According to https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names, the list of SIDs like this are stored here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities
This SID is there, but I don't think that tells me much more than a process registered the SID there.
I do see a few other SIDs that start with S-1-15-3-65536:
S-1-15-3-65536-4045685566-1323397456-4055816110-285687253-194181-4019357623-1925838800-191844675
S-1-15-3-65536-1683377966-140338-1592318436-1629742377-1825994449-940391111-2274003474-4026619131
S-1-15-3-65536-599108337-2355189375-1353122160-3480128286-3345335107-485756383-4087318168-230526575
The last one appears immediately before the one in the title, suggesting that they might have been added at the same time.
Thanks!
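As an added example (my own code, not from the post or from Microsoft), here is a small Python script that classifies these SIDs using the table above and reproduces the S-1-15-3-1024 derivation, so an opaque SID can be compared against a candidate capability name. The lowercasing, the UTF-16LE encoding and the little-endian split of the digest are my assumptions about what DeriveCapabilitySidsFromName does, not something the post states; confirm a match against that API on a real machine before relying on it.

```python
import hashlib
import re

# Explicitly assigned capability SIDs listed in the post's table.
KNOWN_CAPABILITIES = {
    1: "internetClient", 2: "internetClientServer", 3: "privateNetworkClientServer",
    4: "picturesLibrary", 5: "videosLibrary", 6: "musicLibrary", 7: "documentsLibrary",
    8: "enterpriseAuthentication", 9: "sharedUserCertificates", 10: "removableStorage",
    11: "appointments", 12: "contacts", 4096: "internetExplorer",
}

def sub_authorities(sid: str) -> list[int]:
    """Split an S-1-15-3-... capability SID into its integer sub-authorities."""
    if not re.fullmatch(r"S-1-15-3(-\d+)+", sid):
        raise ValueError(f"not an app container capability SID: {sid}")
    return [int(x) for x in sid.split("-")[4:]]

def app_capability_sid(name: str) -> str:
    """Derive the S-1-15-3-1024-... SID for a capability name.
    ASSUMPTION (not stated in the post): the name is lower-cased, hashed as
    UTF-16LE, and the SHA256 digest is read as eight little-endian uint32s."""
    digest = hashlib.sha256(name.lower().encode("utf-16-le")).digest()
    words = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 32, 4)]
    return "S-1-15-3-1024-" + "-".join(str(w) for w in words)

def matches_capability(sid: str, name: str) -> bool:
    """Check whether an opaque S-1-15-3-1024 SID was derived from a given name."""
    return sid == app_capability_sid(name)

def classify(sid: str) -> str:
    """Classify a capability SID using the categories from the post's table."""
    subs = sub_authorities(sid)
    if len(subs) == 1 and subs[0] in KNOWN_CAPABILITIES:
        return f"explicit: {KNOWN_CAPABILITIES[subs[0]]}"
    if len(subs) == 4:
        return "device capability (autogenerated)"
    if len(subs) == 9 and subs[0] == 1024:
        return "app capability (SHA256 of capability name)"
    if len(subs) == 9 and subs[0] == 65536:
        return "65536-prefixed: same shape as app capability, undocumented"
    return "unknown"

if __name__ == "__main__":
    # Two SIDs from the table, one of the 65536 SIDs from the post, one derived here.
    for s in ["S-1-15-3-3", "S-1-15-3-4096", app_capability_sid("internetClient"),
              "S-1-15-3-65536-4045685566-1323397456-4055816110-285687253-194181-4019357623-1925838800-191844675"]:
        print(s, "->", classify(s))
```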