How do I get a local NT Service SID using Powershell?

Question

I found this snippet on SO:

Get User SID From Logon ID (Windows XP and Up)

Function GetSIDfromAcctName()
{
$myacct = Get-WmiObject Win32_UserAccount -filter "Name = '$env:USERNAME " 
write-host Name: $myacct.name
Write-Host SID : $myacct.sid
}

But it doesn't show everything.

For example, I just want the sid of "nt service\dhcp." How can I get that? When I run my powershell manually with

Get-WmiObject Win32_UserAccont

I get all the users, but there's only three "regular" users. None of the "special" nt service users.

Thanks for help.

score 3 · Answer 1 · answered Aug 03 '12 at 06:50

3

To get the built-in accounts you need another WMI class: Win32_Account.

gwmi -class win32_account -Filter 'name="LOCAL SERVICE"'

answered Aug 03 '12 at 06:50

Andy Arismendi

50,577
16
107
124

JPBlanc · Accepted Answer · 2012-08-03T03:28:57.543

1

If you want to know the name of the account under which a service is started you can use :

gwmi Win32_service -Filter "name='dhcp'" | % {return $_.startname}

The result is "NT Authority\LocalService" which is a well known SID as discribed in SID Values For Default Windows NT Installations, you'll find more SIDs in Well-known security identifiers in Windows operating systems.

Edited : As you can see in the following screen shot, yes the dhcp client is running in a session started as "NT Authority\LocalService"

enter image description here

edited Aug 03 '12 at 03:28

answered Aug 02 '12 at 20:17

JPBlanc

70,406
17
130
175

you're telling me that dhcp is really localservice? – johnny Aug 02 '12 at 21:58
Yes dhcp is running under localservice session. – JPBlanc Aug 03 '12 at 03:29

How do I get a local NT Service SID using Powershell?

2 Answers2