No, it is not a verbatim re-post of my older work.
GetCurrentSID
and
EnumerateLoggedOnSIDs
are functions that utilize a bit different method from the one I am about to describe. What they all do is guessing, accurate guessing. This function enumerates user profiles' SIDs with lesser uncertainty factor than the former.
EnumerateProfileSids retrieves SIDs from the
ProfileList registry key. I have worked out two variants, and chose the faster (because both are good and give the same results) one.
First, I am going to present the slower variant. What does it do? It retrieves
Sid values from
ProfileList subkeys,
explodes long hex values properly so that they can later be converted to decimal, thus to concatenate the decimal values into a valid SID.
This slow script also demonstrates a basic cache. When a newly encountered DWORD is converted, it is saved to a variable which is an array. When it encounters a DWORD that had already been converted, it gets the previously converted decimal form of the matching DWORD from that array. This cache takes only three biggest "parts" of an SID into account, because conversion of the latest DWORD (Relative ID) is very fast, hence it is not necessary for it to be saved.
@echo off
call:EnumerateProfileSids var
for %%A in (%var%) do (
for /f "tokens=1,2,3,4 delims=+" %%B in (%%A) do (
echo.
echo SID : %%B
echo Logged in : %%C
echo Possible username : %%D
echo Profile storage path : %%E
)
)
pause
goto:eof
:EnumerateProfileSids
setlocal
set key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
set pow16_0_=0;0;0;0;0;0;0;0&set pow16_1_=16;256;4096;65536;1048576;16777216;268435456;4294967296
set pow16_2_=32;512;8192;131072;2097152;33554432;536870912;8589934592&set pow16_3_=48;768;12288;196608;3145728;50331648;805306368;12884901888
set pow16_4_=64;1024;16384;262144;4194304;67108864;1073741824;17179869184&set pow16_5_=80;1280;20480;327680;5242880;83886080;1342177280;21474836480
set pow16_6_=96;1536;24576;393216;6291456;100663296;1610612736;25769803776&set pow16_7_=112;1792;28672;458752;7340032;117440512;1879048192;30064771072
set pow16_8_=128;2048;32768;524288;8388608;134217728;2147483648;34359738368&set pow16_9_=144;2304;36864;589824;9437184;150994944;2415919104;38654705664
set pow16_10_=160;2560;40960;655360;10485760;167772160;2684354560;42949672960&set pow16_11_=176;2816;45056;720896;11534336;184549376;2952790016;47244640256
set pow16_12_=192;3072;49152;786432;12582912;201326592;3221225472;51539607552&set pow16_13_=208;3328;53248;851968;13631488;218103808;3489660928;55834574848
set pow16_14_=224;3584;57344;917504;14680064;234881024;3758096384;60129542144&set pow16_15_=240;3840;61440;983040;15728640;251658240;4026531840;64424509440
for /f "tokens=7 delims=\" %%A in ('reg query "%key%"') do (for /f "tokens=1,2,3,4,5,6,7,8,9 delims=.-" %%B in ("%%A") do (if not "%%B"=="" (if not "%%C"=="" (if not "%%D"=="" (if not "%%E"=="" (if not "%%F"=="" (if not "%%G"=="" (if not "%%H"=="" (if not "%%I"=="" (if "%%J"=="" (for /f "tokens=3 skip=2" %%K in ('reg query "%key%\%%A" /v "Sid"') do (call:process_sid %%K))))))))))))
endlocal&set %1=%sids%&exit/b0
:process_sid
set sid=%1
set sid_0=%sid:~-42,2%&set sid_1=%sid:~-40,2%&set sid_2=%sid:~-26,2%%sid:~-28,2%%sid:~-30,2%%sid:~-32,2%&set sid_3=%sid:~-18,2%%sid:~-20,2%%sid:~-22,2%%sid:~-24,2%&set sid_4=%sid:~-10,2%%sid:~-12,2%%sid:~-14,2%%sid:~-16,2%&set sid_5=%sid:~-2,2%%sid:~-4,2%%sid:~-6,2%%sid:~-8,2%
:sid5
if "%sid_5:~0,1%"=="0" (set sid_5=%sid_5:~1%&goto sid5)
set/a iter+=1
set/a sid_0=0x%sid_0%*1
set/a sid_1=0x%sid_1%*1
set sid_2_0=%sid_2%
set sid_3_0=%sid_3%
set sid_4_0=%sid_4%
if defined tokenchain (call:checkifalreadycvted)
if "%sid_2_0%"=="%sid_2%" (call:sid16_10 %sid_2% sid_2)
if "%sid_3_0%"=="%sid_3%" (call:sid16_10 %sid_3% sid_3)
if "%sid_4_0%"=="%sid_4%" (call:sid16_10 %sid_4% sid_4)
if defined tokenchain (
call:addtoken2ifnotinthetokenlist&call:addtoken3ifnotinthetokenlist&call:addtoken4ifnotinthetokenlist
) else (set tokenchain=%sid_2_0%+%sid_2%;%sid_3_0%+%sid_3%;%sid_4_0%+%sid_4%)
set/a sid_5=0x%sid_5%*1
set sid=S-1-%sid_0%-%sid_1%-%sid_2%-%sid_3%-%sid_4%-%sid_5%
for /f "tokens=3*" %%A in ('reg query "%key%\%sid%" /v "ProfileImagePath"') do (if not "%%B"=="" (set ProfileImagePath=%%A %%B) else (set ProfileImagePath=%%A))
set LoggedIn=False
set reported_username=
reg query "HKU\%sid%\Volatile Environment">nul 2>&1&&set LoggedIn=True&® query "HKU\%sid%\Volatile Environment" /v "USERNAME">nul 2>&1&&for /f "tokens=3*" %%A in ('reg query "HKU\%sid%\Volatile Environment" /v "USERNAME"') do (if not "%%B"=="" (set reported_username=%%A %%B) else (set reported_username=%%A))
if "%ProfileImagePath:~-1,1%"=="\" (set ProfileImagePath=%ProfileImagePath:~0,-1%)
if not defined reported_username (call:extract_the_deepest_dir_from_path ProfileImagePath reported_username)
if not defined sids (
set sids="%sid%+%LoggedIn%+%reported_username%+%ProfileImagePath%"
) else (
set sids=%sids%;"%sid%+%LoggedIn%+%reported_username%+%ProfileImagePath%"
)
exit/b0
:extract_the_deepest_dir_from_path
::syntax: call:extract_the_deepest_dir_from_path path_var_name last_token_name
setlocal&set v1=&set v2=&set v0=%%%1%%&for /f "tokens=2 delims=^=" %%A in ('set v0') do (call set v0=%%A)
:etddfp_
set v1=[%v0:~-1,1%]
if not "%v1%"=="[\]" (set v2=%v1:~1,1%%v2%&set v0=%v0:~0,-1%&goto etddfp_) else (endlocal&set %2=%v2%&exit/b0)
:addtoken2ifnotinthetokenlist
for %%A in (%tokenchain%) do (for /f "tokens=1 delims=+" %%B in ("%%A") do (if "%%B"=="%sid_2_0%" (exit/b0)))
set tokenchain=%tokenchain%;%sid_2_0%+%sid_2%&exit/b0
:addtoken3ifnotinthetokenlist
for %%A in (%tokenchain%) do (for /f "tokens=1 delims=+" %%B in ("%%A") do (if "%%B"=="%sid_3_0%" (exit/b0)))
set tokenchain=%tokenchain%;%sid_3_0%+%sid_3%&exit/b0
:addtoken4ifnotinthetokenlist
for %%A in (%tokenchain%) do (for /f "tokens=1 delims=+" %%B in ("%%A") do (if "%%B"=="%sid_4_0%" (exit/b0)))
set tokenchain=%tokenchain%;%sid_4_0%+%sid_4%&exit/b0
:checkifalreadycvted
for /l %%A in (2,1,4) do (for /f "tokens=2 delims=^=" %%B in ('set sid_%%A_0') do (for %%C in (%tokenchain%) do (for /f "tokens=1,2 delims=+" %%D in ("%%C") do (if "%%D"=="%%B" (set sid_%%A=%%E)))))
exit/b0
:sid16_10
setlocal
set var=%1
set sum=0
set exp=-1
set base=16
:loop_
if not defined _var (
set _var=%var:~-1%
) else (
set _var=%_var%;%var:~-1%
)
set var=%var:~0,-1%
if defined var (goto loop_)
for %%A in (%_var%) do (call:loop %%A)
set n_=0
for %%A in (%chain%) do (set/a n_+=1)
if %n_% EQU 0 (goto:hextodec_out)
if %n_% LEQ 7 (call:sum_lesser&for /f "tokens=2* delims=^=" %%G in ('set component_') do (set sum=%%G)) else (call:sum_bigger)
:hextodec_out
endlocal&set %2=%sum%&exit/b0
:sum_bigger
call:sum_lesser
set chain=%component_%;%chain%
:sum_bigger_
for /f "tokens=1,2* delims=;" %%A in ("%chain%") do (set component=%%A&if "%%C" =="" (set chain=%%B) else (set chain=%%B;%%C))
if not "%component:~0,1%"=="0" (call:LargeInt_add sum component sum)
if defined chain (goto sum_bigger_)
exit/b0
:sum_lesser
for /f "tokens=1,2,3,4,5,6,7 delims=;" %%A in ("%chain%") do (call:sum_smaller_components %%A %%B %%C %%D %%E %%F %%G)
exit/b0
:sum_smaller_components
set/a component_+=%1
for /f "tokens=2* delims=;" %%H in ("%chain%") do (set chain=%%H;%%I)
shift
if not "%1"=="" (goto sum_smaller_components)
exit/b0
:loop
set num_=%1
if /i "%num_%"=="A" (set num_=10)
if /i "%num_%"=="B" (set num_=11)
if /i "%num_%"=="C" (set num_=12)
if /i "%num_%"=="D" (set num_=13)
if /i "%num_%"=="E" (set num_=14)
if /i "%num_%"=="F" (set num_=15)
set/a exp+=1
if %exp% GTR 0 (
for /f "tokens=2* delims=^=" %%A in ('set pow16_%num_%_') do (for /f "tokens=%exp% delims=;" %%C in ("%%A;%%B") do (set num=%%C))
) else (set num=%num_%)
if defined chain (
set chain=%chain%;%num%
) else (set chain=%num%)
exit/b0
:LargeInt_add
setlocal
set left=%% %1 %%
set left=%left: =%
call set left=%left%
set right=%% %2 %%
set right=%right: =%
call set right=%right%
if defined left (if defined right (goto lrgintadd))
set exitcode=1
goto lrgintadd_endproc
:lrgintadd
set buff=
set lastchar_l=
set lastchar_r=
if defined left (set lastchar_l=%left:~-1%)
if defined right (set lastchar_r=%right:~-1%)
if defined carry (set/a buff+=%carry%&set carry=)
if defined lastchar_l (set/a buff+=%lastchar_l%)
if defined lastchar_r (set/a buff+=%lastchar_r%)
if %buff% GTR 9 (
set outvar=%buff:~-1%%outvar%
set carry=%buff:~0,1%
) else (
set outvar=%buff%%outvar%
)
if defined left (set left=%left:~0,-1%)
if defined right (set right=%right:~0,-1%)
if not defined left (if not defined right (set outvar=%carry%%outvar%&goto lrgintadd_opsucc))
goto lrgintadd
:lrgintadd_opsucc
set exitcode=0
:lrgintadd_endproc
call:ThrowErrorLevel exitcode %exitcode%
endlocal&set %3=%outvar%&exit/b%errorlevel%
:ThrowErrorLevel
if defined %1 set %1=
exit/b%2
The above variant is just a theoretical example, as it is terribly slow: it needs over 3 times (333%) the time the next one. The aim of writing it was to show that it is possible to handle hex values, plus properly converting them to decimal (this script can cope with DWORDs decimal value of which exceeds 2^31-1). It is slow, but it works, and is possible.
This one also gets data from the
ProfileList key, but acts more lazily. It just gets user name from
ProfileImagePath value of each existing key of the pattern of a "typical" SID, and takes the subkey name, which is believed to be always equal with what's in
Sid value in that subkey.
My objective opinion on why did Microsoft decide to store SID in one place in two forms
I think it is that it could be faster for the OS to grab "raw" SID (in hexadecimal form) from a
REG_BINARY value rather than to convert string SID (included in the key name) to hexadecimal form each time it's needed.
Here is the faster one.
@echo off
call:EnumerateProfileSids var
for %%A in (%var%) do (
for /f "tokens=1,2,3,4 delims=+" %%B in (%%A) do (
echo.
echo SID : %%B
echo Logged in : %%C
echo Possible username : %%D
echo Profile storage path : %%E
)
)
pause
goto:eof
:EnumerateProfileSids
setlocal
set key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
for /f "tokens=7 delims=\" %%A in ('reg query "%key%"') do (for /f "tokens=1,2,3,4,5,6,7,8,9 delims=.-" %%B in ("%%A") do (if not "%%B"=="" (if not "%%C"=="" (if not "%%D"=="" (if not "%%E"=="" (if not "%%F"=="" (if not "%%G"=="" (if not "%%H"=="" (if not "%%I"=="" (if "%%J"=="" (call:process_sid %%B-%%C-%%D-%%E-%%F-%%G-%%H-%%I)))))))))))
endlocal&set %1=%sids%&exit/b0
:process_sid
for /f "tokens=3*" %%A in ('reg query "%key%\%1" /v "ProfileImagePath"') do (if not "%%B"=="" (set ProfileImagePath=%%A %%B) else (set ProfileImagePath=%%A))
set LoggedIn=False
set reported_username=
reg query "HKU\%1\Volatile Environment">nul 2>&1&&set LoggedIn=True&® query "HKU\%1\Volatile Environment" /v "USERNAME">nul 2>&1&&for /f "tokens=3*" %%A in ('reg query "HKU\%1\Volatile Environment" /v "USERNAME"') do (if not "%%B"=="" (set reported_username=%%A %%B) else (set reported_username=%%A))
if "%ProfileImagePath:~-1,1%"=="\" (set ProfileImagePath=%ProfileImagePath:~0,-1%)
if not defined reported_username (call:extract_the_deepest_dir_from_path ProfileImagePath reported_username)
if not defined sids (
set sids="%1+%LoggedIn%+%reported_username%+%ProfileImagePath%"
) else (
set sids=%sids%;"%1+%LoggedIn%+%reported_username%+%ProfileImagePath%"
)
exit/b0
:extract_the_deepest_dir_from_path
::syntax: call:extract_the_deepest_dir_from_path path_var_name last_token_name
setlocal&set v1=&set v2=&set v0=%%%1%%&for /f "tokens=2 delims=^=" %%A in ('set v0') do (call set v0=%%A)
:etddfp_
set v1=[%v0:~-1,1%]
if not "%v1%"=="[\]" (set v2=%v1:~1,1%%v2%&set v0=%v0:~0,-1%&goto etddfp_) else (endlocal&set %2=%v2%&exit/b0)
Rarely do I recommend others' work, but in this case
that page assured me about my guesses.
A bit off-topic: I overtook the future a bit, because the slower variant of the function I described uses Hex2Dec procedure I am going to release. I have it ready, and I will publish it soon so please hold on from using sid16_10
because it is truncated for needs of the script. The original ("full") one supports numbers greater than 2^64.