This is a great tool for network administrators and for people who work
with domain controllers or Active Directory. It lets you look up a SID
from a user account, computer, group and more, and look up the object
from its SID. It will tell you if that object has been deleted. You can
use it on a computer that is having problems accessing the domain. It
will give you a clear error message about the access (if any error
occurs). Try our example batch file, which opens the tool to get the SID
of the SYSTEM account. This tool, I believe, should work on
non-administrator accounts. This tool is OK for anyone at your workplace
to use. This tool doesn't hack; it just gives information on the account
being looked up.
For example, let's say you want to look up the account dmack from the
domain PTHS. To do so, you can run either of the following commands:
findsid null PTHS\dmack
findsid null dmack
The first one tells it to always use the domain PTHS. The second one
checks the computer running findsid for the account and, if it can't
find it there, checks the domain that the computer is part of. Setting
the first parameter to the word null passes nil as the system name
pointer (a memory address, in programming terms) to the lookup API
calls, so the lookup is done the default way. Otherwise the first
parameter is the IP address or hostname of a domain controller.
How to find a certain user's registry key under HKEY_USERS?
In Registry Editor, the subkeys under HKEY_USERS are named by SID. Just
replace SID_HERE with the SID you would like to look up:
findsid null SID_HERE /SID
Adding /SID as the last parameter tells the tool that the object name
isn't a name; it is the SID of an object you want to look up.
What to do when a computer is having problems accessing the domain
controller?
Open findsid from the command prompt using the following command, where
PTHSDC is the server name of the domain controller and akrause is a user
account. It doesn't have to be a user account; it can be a user account,
user group or computer name that is part of that domain.
The command in this example looks like this:
findsid PTHSDC PTHS\akrause
If the domain controller is working, it should give you information about
the object akrause. Otherwise you may get an error like this:
LookupErr:The RPC server is unavailable
ConvertSidToStr:The security ID structure is invalid
program findsid;
{$APPTYPE Console}
{$RESOURCE findsid32.res}

uses
  SysUtils, Windows, Classes;

// SID <-> string conversion routines, imported directly from advapi32.dll.
// The ANSI ("A") entry points are declared with PChar, so this source
// assumes a Delphi version in which PChar is an ANSI string pointer.
function ConvertSidToStringSidA(sid: Pointer; var lpStr: PChar): BOOL; stdcall;
  external 'advapi32.dll';
function ConvertStringSidToSidA(lpStr: PChar; var sid: Pointer): BOOL; stdcall;
  external 'advapi32.dll';

var
  sidarray: array[0..2048] of Byte;
  lookuperror, converterror, cbSid, cbDomain, cbAccount, siduse: DWORD;
  sidtype: string;
  b: Boolean;
  sid: Pointer;
  domain, account: array[0..255] of Char;
  i: Integer;
  paccount: PChar;
begin
  cbSid := 2049;      // size of sidarray in bytes
  cbAccount := 256;
  cbDomain := 256;
  sid := @sidarray;

  if ParamCount = 0 then
  begin
    Writeln('This tool looks up a SID from a server and account name');
    Writeln('Usage: ', ExtractFileName(ParamStr(0)), ' servername account [/SID]');
    Writeln('Commandline switch /SID means that the account is a SID instead of a account name');
    Writeln('You can type NULL for the default servername');
    ExitProcess(0);
  end;

  if StrIComp(PChar(ParamStr(3)), '/SID') = 0 then
  begin
    // The second parameter is a SID string: convert it, then look up its name.
    if not ConvertStringSidToSidA(PChar(ParamStr(2)), sid) then
    begin
      // Save the error code before Writeln can overwrite it.
      converterror := GetLastError;
      Writeln('ConvertStrToSid:', SysErrorMessage(converterror));
      ExitProcess(converterror);
    end;
    if StrIComp(PChar(ParamStr(1)), 'NULL') = 0 then
      b := LookupAccountSid(nil, sid, account, cbAccount, domain, cbDomain, siduse)
    else
      b := LookupAccountSid(PChar(ParamStr(1)), sid, account, cbAccount, domain, cbDomain, siduse);
    lookuperror := GetLastError;
    ConvertSidToStringSidA(sid, paccount);
  end
  else
  begin
    // The second parameter is an account name: look up its SID.
    if StrIComp(PChar(ParamStr(1)), 'NULL') = 0 then
      b := LookupAccountName(nil, PChar(ParamStr(2)), @sidarray, cbSid,
        domain, cbDomain, siduse)
    else
      b := LookupAccountName(PChar(ParamStr(1)), PChar(ParamStr(2)), @sidarray, cbSid,
        domain, cbDomain, siduse);
    lookuperror := GetLastError;
    // After a failed lookup the buffer holds no valid SID, so this conversion
    // fails too and both errors are reported.
    if not ConvertSidToStringSidA(@sidarray, paccount) then
    begin
      converterror := GetLastError;
      Writeln('LookupErr:', SysErrorMessage(lookuperror));
      Writeln('ConvertSidToStr:', SysErrorMessage(converterror));
      ExitProcess(converterror);
    end;
  end;

  if not b then
  begin
    // Report the saved lookup error; later API calls have since replaced
    // the value GetLastError would return.
    Writeln('LookupErr:', SysErrorMessage(lookuperror));
    ExitProcess(lookuperror);
  end;

  case siduse of
    SidTypeUser: sidtype := 'User';
    SidTypeGroup: sidtype := 'Group';
    SidTypeAlias: sidtype := 'Alias';
    SidTypeWellKnownGroup: sidtype := 'Well Known Group';
    SidTypeDeletedAccount: sidtype := 'Deleted Account';
    SidTypeInvalid: sidtype := 'Invalid Object';
    SidTypeUnknown: sidtype := 'Unknown Object';
    9: sidtype := 'Computer';
    10: sidtype := 'Label';
  else
    sidtype := 'Unknown ' + IntToStr(siduse);
  end;

  if StrPas(account) <> '' then
    Writeln('Object Name:', account);
  Writeln('Object SID:', paccount);
  Writeln('Object Type:', sidtype);
  Writeln('Domain:', domain);
  Writeln('SID Size:', GetLengthSid(sid), ' bytes');

  // Dump the raw SID bytes in hex.
  CopyMemory(@sidarray, sid, GetLengthSid(sid));
  Write('SID data(in hex):');
  for i := 0 to GetLengthSid(sid) - 1 do
    Write(IntToHex(sidarray[i], 2));
  ExitProcess(0);
end.
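
The "SID Size" and "SID data(in hex)" lines that findsid prints can be checked against the "Object SID" line by decoding the raw bytes. The Python code below is an added example, not part of findsid; it assumes the standard binary SID layout (revision byte, sub-authority count, 6-byte big-endian authority, 32-bit little-endian sub-authorities) and uses a constructed sample of the tool's output for the SYSTEM account (S-1-5-18).

```python
import struct

def sid_from_bytes(data: bytes) -> str:
    """Decode a binary SID (the bytes findsid dumps as hex) to S-R-A-S... form."""
    if len(data) < 8:
        raise ValueError("a SID header is 8 bytes")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15:
        raise ValueError("bad revision or sub-authority count")
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", data[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string to the binary layout decoded above."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision 1 SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("more than 15 sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def check_findsid_output(text: str) -> dict:
    """Cross-check the SID string, size and hex dump printed by findsid."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    raw = bytes.fromhex(fields["SID data(in hex)"].strip())
    size = int(fields["SID Size"].split()[0])
    decoded = sid_from_bytes(raw)
    return {"sid": decoded,
            "consistent": decoded == fields["Object SID"].strip() and size == len(raw)}

# Constructed sample output for the SYSTEM account (not captured from a real run).
SAMPLE = """Object Name:SYSTEM
Object SID:S-1-5-18
Object Type:Well Known Group
Domain:NT AUTHORITY
SID Size:12 bytes
SID data(in hex):010100000000000512000000"""

if __name__ == "__main__":
    print(check_findsid_output(SAMPLE))
    # Constructed domain-style SID, encoded the way findsid would dump it.
    print(sid_to_bytes("S-1-5-21-1-2-3-1001").hex().upper())
```

The same decoding applies to the SID-named subkeys under HKEY_USERS: the key name is the string form of the bytes decoded here.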