Domains

The Security Accounts Manager (SAM) domains are stored in the key:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains

Sub keys:

Name	Description
Account	user, group, and local group accounts.
Builtin	built-in local groups, such as the Administrators and Users groups, that are established when the operating system is installed.

Values:

Name	Data type	Description
(default)

Account or Builtin sub key

Sub keys:

Name	Description
Aliases
Groups
Users

Values:

Name	Data type	Description
F	REG_BINARY
V	REG_BINARY

F value data

Offset	Size	Value	Description
0	...		Unknown

V value data

The V value data consists of:

• 17 x user information descriptors

  • security descriptor

  • username

  • full name

  • comment

  • user comment

  • Unknown

  • home directory

  • home directory connect

  • script path

  • profile path

  • workstations

  • hours allowed

  • Unknown

  • LM hash (LANMAN)

  • NTLM hash

  • Unknown

  • Unknown

• user information data

User information descriptor

A user information descriptor is 12 byte of size and consists of:

Offset	Size	Value	Description
0	4		Data offset The offset is relative to the end of the last user information descriptor
4	4		Data size
8	4		Unknown

Aliases sub key

Sub keys:

Name	Description
Members
Names
%RID%

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

Aliases RID sub key

Values:

Name	Data type	Description
C	REG_BINARY

C value data

Offset	Size	Value	Description
0	4		The relative identifier (RID)
4	4		Unknown (empty values)
8	4		Size of unknown data at offset 52
12	2	2	Unknown: major format version ?
14	2	1	Unknown: minor format version ?
16	4		Name string offset Relative from offset 52
20	4		Name string size Contains number of bytes
24	4		Unknown (empty values)
28	4		Description string offset Relative from offset 52
32	4		Description string size Contains number of bytes
36	4		Unknown (empty values)
40	4		SID array offset Relative from offset 52
44	4		SID array size
48	4		SID array number of values
52	...		Contains an https://code.google.com/p/libfwnt/wiki/SecurityDescriptor[NT security descriptor]
...	...		Name string Contains an UTF-16 little-endian formatted string without end-of-string character The data is stored using 4-byte alignment
...	...		Description string Contains an UTF-16 little-endian formatted string without end-of-string character The data is stored using 4-byte alignment
...	...		SID array Contains Windows NT Security Identifiers (SIDs)

Aliases Members sub key

Sub keys:

Name	Description
%SID%

Where %SID% is the security identifier (SID) in the form of a string e.g. S-1-5.

Aliases Members SID sub key

Sub keys:

Name	Description
%RID%

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

Groups sub key

Sub keys:

Name	Description
Names
%RID%

C value data

Offset	Size	Value	Description
0	2	2	Unknown: major format version ?
2	2	1	Unknown: minor format version ?
4	4		The relative identifier (RID)
8	20		Unknown (empty values)
28	2	2	Unknown: major format version ?
30	2	1	Unknown: minor format version ?
32	4		Name string offset Relative from offset 68
36	4		Name string size Contains number of bytes
40	4		Unknown (empty values)
44	4		Description string offset Relative from offset 68
48	4		Description string size Contains number of bytes
52	4		Unknown (empty values)
56	4		Group member array offset Relative from offset 68
60	4		Group member array size Contains number of bytes
64	4		Group member array number of values
68	...		Contains a security descriptor
...	...		Name string Contains an UTF-16 little-endian formatted string without end-of-string character The data is stored using 4-byte alignment
...	...		Description string Contains an UTF-16 little-endian formatted string without end-of-string character The data is stored using 4-byte alignment
...	...		Group member array Contains 4-byte RID values

Users sub key

Sub keys:

Name	Description
Names
%RID%

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

Users RID sub key

Values:

Name	Data type	Description
F	REG_BINARY
V	REG_BINARY

F value data

Offset	Size	Value	Description
0	2	2	Unknown: major version ?
2	2	2	Unknown: minor version ?
4	2		Unknown: Extended data flags ?
6	2		Unknown: Extended data size ?
8	8		Last logon date and time (lastLogon) Contains a FILETIME
16	8		Unknown (lastLogoff?)
24	8		Password last set date and time (pwdLastSet) Contains a FILETIME
32	8		Account expires date and time (accountExpires) Contains a FILETIME, where 0x7fffffffffffffff represents Never
40	8		Last password failure date and time (badPasswordTime) Contains a FILETIME
48	4		Relative identifier (UserId) The relative identifier (RID) corresponds to the the last authority of the SID
52	4		Primary group identifier (PrimaryGroupId)
56	4		User account control flags (UserAccountControl) See section: User account control flags
60	2		Country code (countryCode) See section: Country code
62	2		Codepage (codePage)
64	2		Number of password failures (badPwdCount)
66	2		Number of logons (logonCount)
68	4		Unknown
72	4		Unknown
76	4		Unknown (checksum?)

Extended data:

Offset	Size	Value	Description
80

Note that the relative identifier (RID) is sometimes referred to as user number or user identifier.

User account control flags

The user account control flags (or USER_ACCOUNT Codes) are defined in subauth.h

Value	Identifier	Description
0x00000001	USER_ACCOUNT_DISABLED	Account disabled (inactive)
0x00000002	USER_HOME_DIRECTORY_REQUIRED	Home directory required
0x00000004	USER_PASSWORD_NOT_REQUIRED	User password not required
0x00000008	USER_TEMP_DUPLICATE_ACCOUNT	Temporary duplicate account
0x00000010	USER_NORMAL_ACCOUNT	Normal user account
0x00000020	USER_MNS_LOGON_ACCOUNT	Majority Node Set (MNS) logon user account
0x00000040	USER_INTERDOMAIN_TRUST_ACCOUNT	Interdomain trust account
0x00000080	USER_WORKSTATION_TRUST_ACCOUNT	Workstation trust account
0x00000100	USER_SERVER_TRUST_ACCOUNT	Server trust account Object is a domain controller (DC)
0x00000200	USER_DONT_EXPIRE_PASSWORD	User password does not expire
0x00000400	USER_ACCOUNT_AUTO_LOCKED	Account auto locked
0x00000800	USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED	Encryped text password is allowed
0x00001000	USER_SMARTCARD_REQUIRED	Smart Card required
0x00002000	USER_TRUSTED_FOR_DELEGATION	Trusted for Delegation
0x00004000	USER_NOT_DELEGATED	Not delegated
0x00008000	USER_USE_DES_KEY_ONLY	Use DES key only
0x00010000	USER_DONT_REQUIRE_PREAUTH	Preauth not required
0x00020000	USER_PASSWORD_EXPIRED	Password Expired
0x00040000	USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION	Used by Kerberos see MS-KILE
0x00080000	USER_NO_AUTH_DATA_REQUIRED	Used by Kerberos see RFC4120
0x00100000	USER_PARTIAL_SECRETS_ACCOUNT	Partial secrets account Object is a read-only domain controller (RODC)
0x00200000	USER_USE_AES_KEYS	Use AES keys

Note that these flags differ from ADS_USER_FLAG_ENUM. Mappings between the two are defined in “MS-SAMR: userAccountControl Mapping Table”.

Note that the samba project defines these as flags with the WBC_ACB prefix, where WBC is short for winbind client.

Country code

Unknown. Is this suppose to be the country phone prefix?

Value	Description
000	System Default
001	United States
002	Canada (French)
003	Latin America
031	Netherlands
032	Belgium
033	France
034	Spain
039	Italy
041	Switzerland
044	United Kingdom
045	Denmark
046	Sweden
047	Norway
049	Germany
061	Australia
081	Japan
082	Korea
086	China (PRC)
088	Taiwan
099	Asia
351	Portugal
358	Finland
785	Arabic
972	Hebrew

V value data

Account types

Value	Identifier	Description
0x00000000	SAM_DOMAIN_OBJECT	Represents a domain object
0x10000000	SAM_GROUP_OBJECT	Represents a group object
0x10000001	SAM_NON_SECURITY_GROUP_OBJECT	Represents a group object that is not used for authorization context generation
0x20000000	SAM_ALIAS_OBJECT	Represents an alias object
0x20000001	SAM_NON_SECURITY_ALIAS_OBJECT	Represents an alias object that is not used for authorization context generation
0x30000000	SAM_USER_OBJECT	Represents a user object
0x30000001	SAM_MACHINE_ACCOUNT	Represents a computer object
0x30000002	SAM_TRUST_ACCOUNT	Represents a user object that is used for domain trusts
0x40000000	SAM_APP_BASIC_GROUP	Represents an application-defined group
0x40000001	SAM_APP_QUERY_GROUP	Represents an application-defined group whose members are determined by the results of a query

Predefined RIDs

Value	Identifier	Description
0x000001f4	DOMAIN_USER_RID_ADMIN	User: Administrator
0x000001f5	DOMAIN_USER_RID_GUEST	User: Guest
0x000001f6	DOMAIN_USER_RID_KRBTGT	User: krbtgt (Key Distribution Center Service)
0x00000201	DOMAIN_GROUP_RID_USERS	Group: Domain Users
0x00000203	DOMAIN_GROUP_RID_COMPUTERS	Group: Domain Computers
0x00000204	DOMAIN_GROUP_RID_CONTROLLERS	Group: Domain Controllers
0x00000220	DOMAIN_ALIAS_RID_ADMINS	Group: Administrators
0x00000209	DOMAIN_GROUP_RID_READONLY_CONTROLLERS	Group: Read-only Domain Controllers

External Links

• ACCOUNT_TYPE Values

• Built-in and Account Domains

• Predefined RIDs

• SAMPR_USER_ALL_INFORMATION

• Security Account Manager (SAM)

• SysKey and the SAM, by Brendan Dolan-Gavitt, February 21, 2008

• USER_ACCOUNT Codes

• userAccountControl Mapping Table

• USER_ALL_INFORMATION structure

• Well-known SIDs