Of course, if you want to do this programmatically, you would use
but often you're studying a
memory dump or otherwise need to do the conversion manually.
If you have a SID like S-a-b-c-d-e-f-g-...
Then the bytes are
So for example, if your SID is
then your raw hex SID is
This breaks down as follows:
Yeah, that's great, Raymond, but what do all those numbers mean?
Each machine generates a unique ID that it uses to stamp all the SIDs
it creates (-...-...-...-). The last number is a "relative id (RID)"
that represents a user created by that machine. There are a bunch of
predefined RIDs; you can see them in the header file ntseapi.h,
which is also where I got these names from.
The system reserves RIDs up to 999, so the first non-builtin account
gets assigned ID number 1000.
The number 72713 means that this particular SID is the 71714th SID
created by the issuer. (The machine that issued this SID is clearly
a domain controller,
responsible for creating the accounts of tens of thousands of users.)
(Actually, I lied above when I said that this is the 71714th SID
created by the issuer. Large servers can delegate SID creation to
helpers, in which case SID issuance is no longer strictly consecutive.)
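As an added worked example (my own code, not Raymond's and not a Windows API), here is a small converter that does the string/binary round trip described above and then explains the bytes field by field and sorts the final RID against the 999/1000 boundary. The byte layout it relies on is the documented SID format (one revision byte, one sub-authority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities); the SID and hex string it decodes are constructed for this example, and the small table of authority names is the example's own, though the constant names come from the Windows headers.

```python
"""Convert Windows SIDs between string form (S-1-5-...) and raw bytes.

Binary layout (documented Windows SID format, assumed here):
  byte 0       revision
  byte 1       number of sub-authorities (at most 15)
  bytes 2-7    identifier authority, 48-bit big-endian
  bytes 8-...  each sub-authority as a 32-bit little-endian DWORD
"""

SID_MAX_SUB_AUTHORITIES = 15      # limit from winnt.h
SECURITY_NT_AUTHORITY = 5         # the "5" in S-1-5-...
SECURITY_NT_NON_UNIQUE = 21       # the "21" that starts machine/domain SIDs
FIRST_USER_RID = 1000             # RIDs 0-999 are reserved for built-ins

# Constructed sample values for this example (not the post's SID).
SAMPLE_SID = "S-1-5-21-305419896-180150000-16909060-1000"
SAMPLE_HEX = "01050000000000051500000078563412F0DEBC0A04030201E8030000"


def sid_to_bytes(sid: str) -> bytes:
    """S-r-a-s1-s2-... -> raw SID bytes, validating every field's range."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subauths = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {sid!r}") from None
    if not 0 <= revision <= 0xFF:
        raise ValueError("revision must fit in one byte")
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subauths) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"more than {SID_MAX_SUB_AUTHORITIES} sub-authorities")
    if any(not 0 <= s <= 0xFFFFFFFF for s in subauths):
        raise ValueError("sub-authority must fit in 32 bits")
    out = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    for s in subauths:
        out += s.to_bytes(4, "little")
    return out


def bytes_to_sid(data: bytes) -> str:
    """Raw bytes (possibly followed by unrelated dump data) -> S-... string."""
    if len(data) < 8:
        raise ValueError("SID header needs at least 8 bytes")
    revision, count = data[0], data[1]
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"sub-authority count {count} is out of range")
    needed = 8 + 4 * count
    if len(data) < needed:
        raise ValueError(f"truncated SID: need {needed} bytes, have {len(data)}")
    authority = int.from_bytes(data[2:8], "big")
    subauths = [int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little")
                for i in range(count)]
    return "S-" + "-".join(str(n) for n in (revision, authority, *subauths))


def breakdown(data: bytes) -> list[tuple[str, str]]:
    """Field-by-field table of (hex chunk, meaning), like the post's breakdown."""
    bytes_to_sid(data)                      # reuse its length/count validation
    count = data[1]
    rows = [
        (data[0:1].hex(), f"revision {data[0]}"),
        (data[1:2].hex(), f"{count} sub-authorities ({count + 2} dashes minus two)"),
        (data[2:8].hex(),
         f"identifier authority {int.from_bytes(data[2:8], 'big')} (big-endian)"),
    ]
    for i in range(count):
        chunk = data[8 + 4 * i:12 + 4 * i]
        val = int.from_bytes(chunk, "little")
        rows.append((chunk.hex(), f"{val} = 0x{val:08X} (little-endian)"))
    return rows


def classify_rid(sid: str) -> tuple[str, int]:
    """Sort the final component: non-NT authority, well-known NT SID,
    reserved RID (< 1000) or an ordinary account RID (>= 1000)."""
    data = sid_to_bytes(sid)
    authority = int.from_bytes(data[2:8], "big")
    subauths = [int(p) for p in sid.strip().split("-")[3:]]
    last = subauths[-1] if subauths else -1
    if authority != SECURITY_NT_AUTHORITY or not subauths:
        return ("non-NT", last)
    if subauths[0] != SECURITY_NT_NON_UNIQUE:
        return ("well-known", last)        # e.g. S-1-5-18, LocalSystem
    if last < FIRST_USER_RID:
        return ("reserved", last)
    return ("account", last)


if __name__ == "__main__":
    raw = bytes.fromhex(SAMPLE_HEX)
    print(bytes_to_sid(raw))
    for chunk, meaning in breakdown(raw):
        print(f"{chunk:<12} {meaning}")
    print(classify_rid(SAMPLE_SID))
```

When reading a dump, paste the hex starting at the revision byte; anything after the last sub-authority is ignored, but a count byte above 15 or a buffer shorter than the count demands is rejected rather than silently producing a plausible-looking SID.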
Security isn't my area of expertise, so it's entirely possible
(perhaps even likely) that I got something wrong up above.
But it's mostly correct, I think.