Application of Security Identifiers (SIDs)
Each service’s process token includes the NT AUTHORITY\SERVICE SID (S-1-5-6). Looking for the presence of this SID on a running process is one quick way to determine whether the process is a service or just an application.
Starting with Windows Vista and Windows Server 2008, each service can also be assigned a service-specific SID based on its name. (In other words, services with the same name will have identical SIDs on different systems.) A service-specific SID allows services to be directly assigned permissions on any securable object. It can also be used to control the service in other ways, such as opening ports in the Windows Firewall and IPsec.
You can view the SID of any service, including ones you do not even have yet, by using the Sc.exe command with the showsid command-line parameter. The syntax is:
sc.exe showsid [servicename]
A service’s SID is computed by converting the service’s Unicode name to all uppercase letters, running it through the SHA-1 hash function, and appending the hash result to S-1-5-80-. For example, the SID of the W32Time service is: S-1-5-80-4267341169-2882910712-659946508-2704364837-2204554466. This SID will be identical across all Windows Vista and Windows Server 2008 systems.
If you add a service-specific SID to a service, you must add it before the service is started, and you cannot change it while the service is running. When a service-specific SID is used, it is added to the service’s process token along with the service’s log-on account SID. If a shared service process (such as Svchost.exe) has several services with service-specific SIDs, all SIDs are added to the service’s process token and can be used by all services in the shared service process. If a service-specific SID is not enabled, the service log-on account’s SID will still be added to the service’s process token.
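The derivation described above can be reproduced off-box, which is useful when an ACL, firewall rule or token dump shows an S-1-5-80-... SID and you need to know which service it belongs to. The following is an added example, not code from the original tutorial; it assumes the name is hashed as UTF-16LE without a terminator and that the 20-byte digest is appended as five little-endian 32-bit sub-authorities, and the function names and the sample service list are illustrative.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"  # prefix given in the text above


def service_sid(service_name: str) -> str:
    """Derive the service-specific SID for a service name."""
    # Upper-case the name and encode it as UTF-16LE (assumption: this is
    # the "Unicode name" the text refers to), without a null terminator.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    # Split the 20-byte SHA-1 digest into five unsigned 32-bit
    # little-endian integers; each becomes one sub-authority.
    sub_authorities = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX, *map(str, sub_authorities)])


def resolve_service_sid(sid: str, candidate_names):
    """Map an S-1-5-80-... SID back to a service name.

    SHA-1 is one-way, so the only option is to hash candidate names
    (for example, the services installed on the host) and compare.
    Returns the matching name, or None if no candidate matches.
    """
    wanted = sid.strip().upper()
    for name in candidate_names:
        if service_sid(name) == wanted:
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: service names as they might be listed on a host.
    names = ["Dnscache", "W32Time", "Spooler"]
    for n in names:
        print(f"{n:10} {service_sid(n)}")
    # SID quoted in the text above for W32Time.
    seen = "S-1-5-80-4267341169-2882910712-659946508-2704364837-2204554466"
    print("resolved:", resolve_service_sid(seen, names))
```

A SID that resolves to none of the installed service names is worth a second look, since it may refer to a service that has been removed or was never installed on that host.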