Windows Installer is transactional, but combined with NTFS and installer processes is not fully: do more C:\Config.msi vulnerabilities exist? (plus a truckload of information on Windows SIDs)
Posted by jpluimers on 2025/04/10
Over the last years a few C:\Config.msi vulnerabilities have been discovered (and fixed), of which some are linked below.
The core is that the Windows Installer tries to be transactional, and NTFS is, but the combination with installer processes isn’t.
That leads to vulnerabilities where you can insert malicious Roll Back Scripts (.rbs files) and Roll Back Files (.rbf files), and I wonder if by now more have been discovered.
So this post is a kind of reminder to myself (:
Oh, and I learned much more about whoami on Windows, as whoami /groups shows very detailed SID information. From that, I learned more about the internals of SIDs too!
- 2022:
  - [Wayback/Archive] Wh04m1001/IFaultrepElevatedDataCollectionUAC
    PoC for UAC bypass using arbitrary file delete in auto-elevated IFaultrepElevatedDataCollection COM object. Arbitrary file delete is abused to get SYSTEM shell using method described here
  - [Wayback/Archive] PoC/FilesystemEoPs at master · thezdi/PoC (which embeds a video showing the exploit which taught me about whoami /groups, see below)
  - [Wayback/Archive] How can I develop my .rbs file? · Issue #1 · Wh04m1001/IFaultrepElevatedDataCollectionUAC
    I used Advanced Installer to create MSI and RBS file. You may want to change Execute=”deferred” to Execute=”rollback”? I didn't use wix so not very familiar with it.
- 2019:
  - [Wayback/Archive] Fools Of Security | Windows Installer Bypass using Rollback Script (RBS and RBF) – Race Condition
  - [Wayback/Archive] umarfarook882/Windows-InstallerBypass: Windows Installer Bypass using Rollback Script .rbs and .rbf – Race Condition
  - [Wayback/Archive] Windows InstallerBypass using Rollback Script (msiexec.exe) – 0 Day – YouTube
Via [Wayback/Archive] Nicolas Krassas on Twitter: “PoC for UAC bypass using arbitrary file delete in auto-elevated IFaultrepElevatedDataCollection COM object. Arbitrary file delete is abused to get SYSTEM shell using method described here …”.
whoami /groups
I never knew that whoami had parameters, so I was glad the above links taught me about whoami /groups, which not only shows you the groups, but also their SIDs (security identifiers).
On my system, these are distinctly different for a normal user, an administrator user without an elevation token and an administrative user with an elevation token.
The full lists are further on; this is the union of all the groups that appear in them, sorted by SID:
Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group/Group used for deny only
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner/Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                                  Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
============================================================= ================ ============ ===============================================================
I did this sorting because it makes clearer that the SIDs are divided into groups (or types), which are explained in these articles:
- [Wayback/Archive] SID Components – Win32 apps | Microsoft Learn
A SID value includes components that provide information about the SID structure and components that uniquely identify a trustee. A SID consists of the following components:
- The revision level of the SID structure
- A 48-bit identifier authority value that identifies the authority that issued the SID
- A variable number of subauthority or relative identifier (RID) values that uniquely identify the trustee relative to the authority that issued the SID
… visualize their components:
S-R-I-S…
In this notation, the literal character “S” identifies the series of digits as a SID, R is the revision level, I is the identifier-authority value, and S… is one or more subauthority values.
The following example uses this notation to display the well-known domain-relative SID of the local Administrators group:
S-1-5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier authority and RID values defined in Winnt.h:
- A revision level of 1
- An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
- A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
- A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)
- [Wayback/Archive] SID (winnt.h) – Win32 apps | Microsoft Learn
typedef struct _SID {
  BYTE                     Revision;
  BYTE                     SubAuthorityCount;
  SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
#if ...
  DWORD                    *SubAuthority[];
#else
  DWORD                    SubAuthority[ANYSIZE_ARRAY];
#endif
} SID, *PISID;
- [Wayback/Archive] Well-known SIDs – Win32 apps | Microsoft Learn
Well-known security identifiers (SIDs) identify generic groups and generic users. For example, there are well-known SIDs to identify the following groups and users:
- Everyone or World, which is a group that includes all users.
- CREATOR_OWNER, which is used as a placeholder in an inheritable ACE. When the ACE is inherited, the system replaces the CREATOR_OWNER SID with the SID of the object’s creator.
- The Administrators group for the built-in domain on the local computer.
There are universal well-known SIDs, which are meaningful on all secure systems using this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows systems.
…
The Windows API defines a set of constants for well-known identifier authority and relative identifier (RID) values. You can use these constants to create well-known SIDs. The following example combines the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants to show the universal well-known SID for the special group representing all users (Everyone or World):
S-1-1-0
This example uses the string notation for SIDs in which S identifies the string as a SID, the first 1 is the revision level of the SID, and the remaining two digits are the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants.
…
The remainder of this section contains tables of well-known SIDs and tables of identifier authority and subauthority constants that you can use to build well-known SIDs.
…
Following the above is a set of tables that explain the various subsets under S-1-1- (World or SECURITY_WORLD_SID_AUTHORITY), S-1-2- (Local or SECURITY_LOCAL_SID_AUTHORITY), S-1-5- (SECURITY_NT_AUTHORITY), and S-1-16- (Mandatory Label). The latter is used for elevation tokens, including UAC (User Account Control) elevation from a regular token to an administrative token, and is usually in multiples of 4096 decimal (I added the decimal values in parentheses in this table):
The following RIDs are used to specify mandatory integrity level.
RID                                      Value                                        Identifies
SECURITY_MANDATORY_UNTRUSTED_RID         0x00000000 (0)                               Untrusted.
SECURITY_MANDATORY_LOW_RID               0x00001000 (4096)                            Low integrity.
SECURITY_MANDATORY_MEDIUM_RID            0x00002000 (8192)                            Medium integrity.
SECURITY_MANDATORY_MEDIUM_PLUS_RID       SECURITY_MANDATORY_MEDIUM_RID + 0x100 (8448) Medium high integrity.
SECURITY_MANDATORY_HIGH_RID              0x00003000 (12288)                           High integrity.
SECURITY_MANDATORY_SYSTEM_RID            0x00004000 (16384)                           System integrity.
SECURITY_MANDATORY_PROTECTED_PROCESS_RID 0x00005000 (20480)                           Protected process.
From there, you can understand that a regular user has S-1-16-8192 (Mandatory Label\Medium Mandatory Level), and an elevated user has S-1-16-12288 (Mandatory Label\High Mandatory Level).
There is one missing entry in this table: S-1-16-28672 (SECURITY_MANDATORY_SECURE_PROCESS_RID or ML_SECURE_PROCESS) with value 0x00007000 (skipping 0x00006000!), of which the latter name is documented in the last link in this list. It seems to have been introduced in Windows 10, but I have no idea which Windows processes actually use it. At the time of writing, [Wayback/Archive] SECURITY_MANDATORY_SECURE_PROCESS_RID – Google Search returns just two links:
- [Wayback/Archive] operating system objects. Part 3: Level of Integrity
But with the release of Windows 10, another level of integrity appeared – Secure Process (the highest at the moment).
What it is? In a nutshell, it is a virtual machine consisting of Core Isolation and Memory Integrity.
Windows uses hardware virtualization features to create a protected area of system memory that is isolated from the normal operating system.
This protects the operating system processes from unauthorized access to anything outside the secure zone.
Even if the malware uses an exploit that should allow these Windows processes to be compromised, virtualization is an additional layer of protection that isolates them from attacks.
Memory integrity is a feature that is a subset of kernel isolation.
Windows typically requires digital signatures for device drivers and other code that runs in low-level OS kernel mode.
When Memory Integrity is enabled, the Code Integrity Service in Windows runs inside a hypervisor-protected container created by kernel isolation.
This should make it nearly impossible for malware to gain access to the OS kernel.
In Windows 10 and newer operating systems, the virtual machine has its own separate kernel – securekernel.exe (located in the System32 folder),
as well as an initialization host – secinit.exe (like wininit.exe for session 0, and winlogon.exe->userinit.exe for session 1),
and its code integrity module – skci.dll (as ci.dll for a normal kernel).
A very good article about a new type of HyperGuard protection (just the very core securekernel.exe) was published on January 1st.
Those who are interested can read
[Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization
[Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 2 – SKPG Extents
[Wayback/Archive] HyperGuard – Secure Kernel Patch Guard: Part 3 – More SKPG Extents
The Secure Process integrity level looks like this:
The code:
SID: S-1-16-28672
Value: 0x00007000L
Symbol: ML_SECURE_PROCESS
RID Label: SECURITY_MANDATORY_SECURE_PROCESS_RID
Description: A secure process integrity level
Usage: Included in a token for protected processes, new for Windows 10
The logic of the Integrity Level is as follows: a process with a smaller RID cannot access the ACL of a process with a larger RID.
Processes started by a normal user (including an administrator) receive a medium integrity level (S-1-16-8192).
And processes launched through UAC with administrator rights – high integrity level (S-1-16-12288).
One interesting rule that Microsoft left in order to control the OS should be mentioned here (after all, without access to the system, control over the OS will be completely lost).
As you can see, RID rises in increments of 0x1000. This step must be increased evenly.
But here’s what’s unusual: SID S-1-16-28672 is defined as 0x7000 and with respect to SID S-1-16-20480 it’s two steps.
Here, either there is some kind of SID hidden from prying eyes, or Microsoft has deliberately prohibited absolutely any access to safe processes.
- [Wayback/Archive] Windows Security Monitoring: Scenarios and Patterns – Andrei Miroshnikov – Google Books
Table 12-3: Windows Process Integrity Labels
SID          Name                                                                          Use example
S-1-16-0     SECURITY_MANDATORY_UNTRUSTED_RID (Mandatory Label\Untrusted Mandatory Level)  Processes started by Anonymous account
S-1-16-4096  SECURITY_MANDATORY_LOW_RID (Mandatory Label\Low Mandatory Level)              Internet Explorer Protected Mode process or AppContainer process
S-1-16-8192  SECURITY_MANDATORY_MEDIUM_RID (Mandatory Label\Medium Mandatory Level)        Process for regular applications with enabled UAC
S-1-16-8448  SECURITY_MANDATORY_MEDIUM_PLUS_RID                                            Can be used as a priority between medium and high
S-1-16-12288 SECURITY_MANDATORY_HIGH_RID (Mandatory Label\High Mandatory Level)            Applications executed with UAC elevation
S-1-16-16384 SECURITY_MANDATORY_SYSTEM_RID (Mandatory Label\System Mandatory Level)        Services or system applications, such as Winlogon and Wininit
S-1-16-20480 SECURITY_MANDATORY_PROTECTED_PROCESS_RID                                      Included in a token for protected processes
S-1-16-28672 SECURITY_MANDATORY_SECURE_PROCESS_RID                                         Included in a token for protected processes, new for Windows 10
Then it continues with a large table with RIDs (like 545 or 0x00000221) to build NT_AUTHORITY SIDs (like S-1-5-32-545).
- At the time of writing, like SECURITY_MANDATORY_SECURE_PROCESS_RID, also [Wayback/Archive] “ML_SECURE_PROCESS” – Google Search returns few results, of which just two are Microsoft documentation pages:
- [Wayback/Archive] [MS-DTYP]: Well-Known SID Structures | Microsoft Learn has the most comprehensive table of SID values, including
ML_SECURE_PROCESS S-1-16-28672 A secure process integrity level.<36>
- [Wayback/Archive] [MS-DTYP]: Appendix B: Product Behavior | Microsoft Learn which includes
<36> Section 2.4.2.4: The ML_SECURE_PROCESS SID is not supported in Windows NT, Windows 2000, Windows XP, or Windows Server 2003.
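As an added worked example (my own code, not from the post or from Microsoft's documentation), here is a small Python module that parses the S-R-I-S… string notation into the fields of the winnt.h _SID structure, serializes it back to that binary layout, and decodes S-1-16-* labels using the RID table above plus the ML_SECURE_PROCESS entry it lacks. It assumes the documented binary layout (the 48-bit IdentifierAuthority is stored big-endian in 6 bytes, the subauthorities as little-endian DWORDs) and the documented SID_MAX_SUB_AUTHORITIES of 15.

```python
import struct
from dataclasses import dataclass

# Well-known identifier authorities (SECURITY_*_SID_AUTHORITY in winnt.h).
IDENTIFIER_AUTHORITIES = {
    0: "SECURITY_NULL_SID_AUTHORITY",
    1: "SECURITY_WORLD_SID_AUTHORITY",
    2: "SECURITY_LOCAL_SID_AUTHORITY",
    5: "SECURITY_NT_AUTHORITY",
    16: "SECURITY_MANDATORY_LABEL_AUTHORITY",
}

# Mandatory integrity level RIDs under S-1-16-, including the ML_SECURE_PROCESS
# entry (0x7000) that the Win32 "Well-known SIDs" table leaves out.
MANDATORY_LEVEL_RIDS = {
    0x0000: "SECURITY_MANDATORY_UNTRUSTED_RID",
    0x1000: "SECURITY_MANDATORY_LOW_RID",
    0x2000: "SECURITY_MANDATORY_MEDIUM_RID",
    0x2100: "SECURITY_MANDATORY_MEDIUM_PLUS_RID",
    0x3000: "SECURITY_MANDATORY_HIGH_RID",
    0x4000: "SECURITY_MANDATORY_SYSTEM_RID",
    0x5000: "SECURITY_MANDATORY_PROTECTED_PROCESS_RID",
    0x7000: "SECURITY_MANDATORY_SECURE_PROCESS_RID",
}
SID_MAX_SUB_AUTHORITIES = 15


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int   # 48-bit identifier authority value
    sub_authorities: tuple      # subauthority / RID values, in order

    @classmethod
    def parse(cls, text):
        """Parse the S-R-I-S... string notation, e.g. "S-1-5-32-544"."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError("not a SID string: %r" % text)
        revision = int(parts[1])
        if revision != 1:
            raise ValueError("unsupported SID revision %d" % revision)
        # Authorities of 2**32 and above are written as 0x... in string form; base 0 accepts both.
        authority = int(parts[2], 0)
        if not 0 <= authority < 1 << 48:
            raise ValueError("identifier authority must fit in 48 bits")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > SID_MAX_SUB_AUTHORITIES:
            raise ValueError("too many subauthorities")
        return cls(revision, authority, subs)

    def to_bytes(self):
        """Serialize to the binary _SID layout: Revision (BYTE), SubAuthorityCount (BYTE),
        IdentifierAuthority (6 bytes, big-endian), then SubAuthority[] as little-endian DWORDs."""
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        authority = self.identifier_authority.to_bytes(6, "big")
        subs = struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities)
        return header + authority + subs

    @classmethod
    def from_bytes(cls, data):
        """Inverse of to_bytes(); rejects buffers shorter than the header claims."""
        if len(data) < 8:
            raise ValueError("SID buffer too short")
        revision, count = struct.unpack_from("<BB", data, 0)
        if len(data) < 8 + 4 * count:
            raise ValueError("SID buffer shorter than SubAuthorityCount implies")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, authority, tuple(subs))

    def __str__(self):
        tail = "".join("-%d" % s for s in self.sub_authorities)
        return "S-%d-%d%s" % (self.revision, self.identifier_authority, tail)

    def integrity_level(self):
        """(RID, constant name) for an S-1-16-<RID> label SID, else None."""
        if self.identifier_authority != 16 or len(self.sub_authorities) != 1:
            return None
        rid = self.sub_authorities[0]
        return rid, MANDATORY_LEVEL_RIDS.get(rid, "undocumented RID 0x%04X" % rid)


def describe(text):
    """Break a SID string into the components the documentation lists."""
    sid = Sid.parse(text)
    return {
        "revision": sid.revision,
        "identifier_authority": IDENTIFIER_AUTHORITIES.get(
            sid.identifier_authority, "authority %d" % sid.identifier_authority),
        "sub_authorities": list(sid.sub_authorities),
        "integrity_level": sid.integrity_level(),
    }
```

Round-tripping S-1-5-32-544 through to_bytes() gives the 16 bytes 01 02 | 00 00 00 00 00 05 | 20 00 00 00 | 20 02 00 00, which is exactly the field order of the struct quoted above.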
The summary table of users, local/remote and non-elevated/elevated permutations is this; it only lists what differs between the six full whoami /groups listings further below (the groups Everyone S-1-1-0, BUILTIN\Users S-1-5-32-545, NT AUTHORITY\INTERACTIVE S-1-5-4, NT AUTHORITY\Authenticated Users S-1-5-11, NT AUTHORITY\This Organization S-1-5-15, NT AUTHORITY\Local account S-1-5-113, LOCAL S-1-2-0 and NT AUTHORITY\NTLM Authentication S-1-5-64-10 are identical in all of them):
- Local regular user (non-elevated only): Mandatory Label\Medium Mandatory Level S-1-16-8192; no BUILTIN\Administrators S-1-5-32-544 and no NT AUTHORITY\Local account and member of Administrators group S-1-5-114; logon SID CONSOLE LOGON S-1-2-1.
- Local administrator, non-elevated: Medium S-1-16-8192; S-1-5-32-544 and S-1-5-114 both present as "Group used for deny only"; CONSOLE LOGON S-1-2-1.
- Local administrator, elevated: Mandatory Label\High Mandatory Level S-1-16-12288; S-1-5-32-544 "Mandatory group, Enabled by default, Enabled group, Group owner" and S-1-5-114 "Mandatory group, Enabled by default, Enabled group"; CONSOLE LOGON S-1-2-1.
- Remote regular user (non-elevated only): Medium S-1-16-8192; no S-1-5-32-544 and no S-1-5-114; NT AUTHORITY\REMOTE INTERACTIVE LOGON S-1-5-14 and BUILTIN\Remote Desktop Users S-1-5-32-555 (no CONSOLE LOGON).
- Remote administrator, non-elevated: Medium S-1-16-8192; S-1-5-32-544 and S-1-5-114 both "Group used for deny only"; NT AUTHORITY\REMOTE INTERACTIVE LOGON S-1-5-14 (no CONSOLE LOGON, and no BUILTIN\Remote Desktop Users either).
- Remote administrator, elevated: High S-1-16-12288; S-1-5-32-544 "Mandatory group, Enabled by default, Enabled group, Group owner" and S-1-5-114 "Mandatory group, Enabled by default, Enabled group"; NT AUTHORITY\REMOTE INTERACTIVE LOGON S-1-5-14.
- Normal user logged in locally through the console
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
- Normal user logged in remotely
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                                  Alias            S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
- Administrative user logged on locally through the console without elevation token
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
- Administrative user logged on locally through the console with elevation token
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
- Administrative user logged on remotely without elevation token
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
- Administrative user logged on remotely with elevation token
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
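As an added example (my own code, not from the post), the following Python reads the text of whoami /groups as shown in the listings above and reports the token's integrity level, whether BUILTIN\Administrators is absent, filtered to "deny only" by UAC, or enabled, and whether the logon is console or remote interactive; that is the same distinction the listings make by hand. The two sample listings are constructed from rows of the listings above, trimmed to the ones that matter, and the parser assumes the English column names and the 16-character-wide Type column that whoami prints.

```python
import re

# Well-known SIDs that distinguish the listings above.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
LOCAL_ADMIN_MEMBER = "S-1-5-114"   # Local account and member of Administrators group
CONSOLE_LOGON = "S-1-2-1"
REMOTE_INTERACTIVE_LOGON = "S-1-5-14"
MANDATORY_LABEL_PREFIX = "S-1-16-"
INTEGRITY_NAMES = {0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
                   12288: "High", 16384: "System", 20480: "Protected process",
                   28672: "Secure process"}

# One data row of `whoami /groups`: Group Name, Type, SID, Attributes. The Type
# column is exactly 16 characters wide, so "Well-known group" is followed by a
# single space; anchoring on the SID keeps the split unambiguous.
ROW = re.compile(r"^(?P<name>.+?)\s+"
                 r"(?P<type>Well-known group|Alias|Group|Label|Unknown SID type)\s+"
                 r"(?P<sid>S-\d+(?:-\d+)+)\s*(?P<attrs>.*)$")


def parse_groups(output):
    """Map SID -> (group name, attributes string) for every data row."""
    rows = {}
    for line in output.splitlines():
        match = ROW.match(line.rstrip())
        if match:
            rows[match.group("sid")] = (match.group("name"), match.group("attrs").strip())
    return rows


def classify_token(output):
    """Summarize what the listing says about the token that ran whoami."""
    rows = parse_groups(output)
    level = None
    for sid in rows:
        if sid.startswith(MANDATORY_LABEL_PREFIX):
            level = int(sid[len(MANDATORY_LABEL_PREFIX):])
    if BUILTIN_ADMINISTRATORS not in rows:
        admins = "not a member"
    elif "deny only" in rows[BUILTIN_ADMINISTRATORS][1]:
        admins = "member, filtered (deny only)"   # UAC-filtered (non-elevated) token
    elif "Enabled group" in rows[BUILTIN_ADMINISTRATORS][1]:
        admins = "member, enabled"                # elevated token
    else:
        admins = "member, unknown state"
    if REMOTE_INTERACTIVE_LOGON in rows:
        logon = "remote interactive"
    elif CONSOLE_LOGON in rows:
        logon = "console"
    else:
        logon = "other"
    return {
        "integrity_rid": level,
        "integrity": INTEGRITY_NAMES.get(level, "unknown"),
        "administrators": admins,
        "elevated": admins == "member, enabled" and level is not None and level >= 12288,
        "logon": logon,
    }


# Constructed sample listings (rows trimmed to the ones that matter).
ADMIN_CONSOLE_FILTERED = r"""
GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192
"""

ADMIN_REMOTE_ELEVATED = r"""
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON                         Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
"""
```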
--jeroen