There are 4 main SIDs that I know of:
- Local User
- Service
- Domain (AD user)
- Microsoft User (Part of Windows 8/10) – Users authenticate against Microsoft servers.
To find them on the local machine, open Regedit and navigate to:
- HKLM
- SOFTWARE
- Microsoft
- Windows NT
- CurrentVersion
- ProfileList
In “ProfileList”, you will find the SIDs of the computer.
SIDs can have two “looks”. Many people call them:
- Short SIDs
- Long SIDs
The short SIDs tend to be for local users and services, whereas the long ones are used for Domains and Windows Users.
If you look at the “ProfileImagePath” value under each SID, you can figure out which user or service the SID resolves to. In the screenshot above:
- S-1-5-18 -> “SystemProfile”
- S-1-5-19 -> “Local Service”
- S-1-5-20 -> “Network Service”
- S-1-5-21 – [Long SID] -> My account.
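
The same lookup can be scripted instead of browsing Regedit. The PowerShell below is an added example, not part of the original post: it reads every key under ProfileList, shows its “ProfileImagePath”, and asks Windows to resolve the SID to an account name. The Short/Long label follows the post's informal terms, and treating the `S-1-5-21-` prefix as “long” is an assumption made for this example.

```powershell
# Added example: list each SID under ProfileList with its profile path.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid  = $_.PSChildName                   # the subkey name is the SID string
    $path = $_.GetValue('ProfileImagePath')  # REG_EXPAND_SZ, expanded on read

    # Assumption: "long" in the post's sense means an S-1-5-21-... account SID.
    $form = if ($sid -match '^S-1-5-21-') { 'Long' } else { 'Short' }

    # Resolve the SID to an account name. This fails for accounts that no
    # longer exist or cannot be reached (for example an offline domain), and
    # for leftover keys such as "<SID>.bak" whose name is not a valid SID.
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
        $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        SID              = $sid
        Form             = $form
        Account          = $account
        ProfileImagePath = $path
    }
} | Format-Table -AutoSize
```

A row marked `<unresolved>` that still has a profile folder usually means the account was deleted or its domain is unavailable, which is worth noting when reviewing who has logged on to a machine.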