List Members of a Windows Group

A registry viewer and a hex editor suffice to enumerate the members of a group during post-mortem analysis of a Microsoft Windows installation.

An analysis of a Windows installation wouldn't be complete without a close inspecion of group memberships, especially of the local Administrators group.

Microsoft Windows stores information about local user accounts and groups in the Securiry Account Manager's database (also known as SAM). This database is part of the registry. It can be found at HKEY_LOCAL_MACHINE\SAM.

On a running system a user won't see much at this location, because access to the SAM requires SYSTEM privileges. Beeing an administrator one could easily elevate his privileges with the help of the scheduler or several other services executed at the SYSTEM level.

In a forensic analysis I usually access the registry offline. The SAM's data is kept in the file %SystemRoot%\system32\config\SAM. Open this file with EnCase or any other registry viewer and navigate to the SAM.

Local groups are kept below SAM\SAM\Domains\Builtin\Aliases followed by the (hexadecimal) number of the group. For example, this number will be 220 for the local Administrators group. The "C" value contains some information about the group. At its very end a trained eye immediately recognizes some Security IDs (SIDs). They identify the members of the group.

SID of the group's members form the end of the group information record.

A hex editor will help you during a thorough examination. For this, first save all the data from the "C" value as a binary file. Then open this file in a hex editor of your choice. At a first glance you'll recognize two UNICODE strings, the group's name and it's description.

The group's name and description are clearly visible.

The structure starts with the numerical ID of that group. It is followed by offset and length pairs for the Security Descriptor, the name and the description. At last there's the offset and length of the memory region keeping the member's SIDs as well as the member count:

uint32		GroupID;
uint32		OfsSD;
uint32		LenSD;
FSkip(4);			// unused, always 0
uint32		OfsName;
uint32		LenName;
FSkip(4);			// unused, always 0
uint32		OfsDesc;
uint32		LenDesc;
FSkip(4);			// unused, always 0
uint32		OfsMember;
uint32		LenMember;
uint32		CntMember;

This structure can be turned into a template for the 010 Editor with ease. The template will clearly display group members and the complex security descriptor. Creating such a template should also be possible for Hex Workshop and WinHex, which are two other well-known hex editors.

A template for the 010 translates SIDs and the security descriptor.

Update 02/17/2006: Harlan Carvey just posted an article on the same matter.



This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12