312-50V9 · Question #547
What did the following commands determine? C: user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH
The correct answer is D. That the true administrator is Joe. The sid2user command resolved the SID ending in RID 500 to the name Joe, revealing that Joe is the built-in Administrator account regardless of any display name change.
Question
What did the following commands determine? C: user2sid \earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH
Options
- AThat the Joe account has a SID of 500
- BThese commands demonstrate that the guest account has NOT been disabled
- CThese commands demonstrate that the guest account has been disabled
- DThat the true administrator is Joe
- EIssued alone, these commands prove nothing
How the community answered
(65 responses)- A2% (1)
- B5% (3)
- C9% (6)
- D83% (54)
- E2% (1)
Why each option
The sid2user command resolved the SID ending in RID 500 to the name Joe, revealing that Joe is the built-in Administrator account regardless of any display name change.
The SID ending in 501 - returned by user2sid for the guest account - belongs to Guest, not Joe; Joe's SID ends in 500 which is the Administrator RID.
Neither command queries or returns account status such as enabled or disabled; they only perform username-to-SID and SID-to-username translations.
These commands have no mechanism to check whether an account is enabled or disabled, so no conclusion about the guest account's status can be drawn.
In Windows, every built-in Administrator account is assigned a fixed Relative Identifier (RID) of 500 appended to the domain SID. The sid2user command was passed the domain SID components plus RID 500 and returned the name Joe, conclusively proving that Joe is the true built-in Administrator. This technique is commonly used in penetration testing to unmask renamed administrator accounts by querying the well-known RID directly.
Used together, the commands do prove a specific and meaningful fact - that the account holding the built-in Administrator RID 500 is named Joe.
Concept tested: Windows built-in Administrator RID 500 identification via SID tools
Source: https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers
Topics
Community Discussion
No community discussion yet for this question.