This is a post I had sitting in draft form for a long while. Looking back, I’m less convinced my end solution is foolproof. But the research was interesting and I’d rather throw it out there.

I was working in an environment a while ago where I needed to terminate all processes in a user account, but with only tools built into Windows. Seemed easy enough, taskkill with a filter can accomplish that:

taskkill.exe /F /FI "USERNAME eq %USERNAME%"

I was running as SYSTEM, though, so I first had to parse out logged on users. While I was working on that a different approach was posed - filtering via exclusion.

taskkill.exe /F /FI "USERNAME ne NT AUTHORITY\*"

This was interesting. If you’ve ever looked at what accounts processes are running in you probably caught a pattern. Built-in Windows accounts like System, Local Service, and Network Service sit under NT AUTHORITY\<username>, but local user accounts show as %COMPUTERNAME%\<username>. If you’re joined to a domain, domain accounts show as %USERDOMAIN%\<username>. For example, here’s a Lenovo idea-PC with a local user account ‘ASDF’:

In an effort to terminate all user processes, then, taskkilling everything not NT AUTHORITY\* would successfully take out anything idea-PC\ASDF, or MyDomain\Joe or otherwise.

But it raised a question I didn’t know the answer to. Does Windows just have NT AUTHORITY, %USERDOMAIN% and %COMPUTERNAME%? What was the mechanism at work here? I wanted to find out.

DOMAINS AND AUTHORITIES

I went looking for information on the built-in accounts and landed at KB243330, Well-known security identifiers in Windows operating systems. The KB lists a metric ton of user accounts, groups, and other objects that are built-in to Windows. Each object has it’s own unique Security Identifier (SID). Among the list was NT Authority, defined as an identifier authority.

There is a noticable relationship between NT Authority’s SID and the SIDs of accounts under it:

S-1-5        NT Authority
S-1-5-18     NT Authority\SYSTEM
S-1-5-19     NT Authority\Local Service
S-1-5-20     NT Authority\Network Service

So I found TechNet’s Security Identifier Structure article to break down the SID format:

S-R-X-Y¹-Y²-Yⁿ-A

S indicates that the string is a SID.
R is the revision level.
X is the identifier authority value.
Y is a series of subauthority values
A is the account under the authorit[y][ies] 

[...]

The most important information in a SID is contained in a series of one or more subauthority values. All values up to but not including the last value in the series collectively identify a domain in an enterprise. This part of the series is the domain identifier . The last value in the series identifies a particular account or group relative to a domain.

Perfect. In the case of SYSTEM, Local Service, and Network service, the last value in the SID string represents the account. That leaves 5 representing the domain, thus, the domain is NT Authority.

What about idea-PC\ASDF? The SID for the ASDF acount on the Lenovo is:

S-1-5-21-443461471-642785168-2980392841-1002

Then, 1002 represents ASDF. 5-21-443461471-642785168-2980392841 must represent idea-PC. This can be tested with the tool sid2user, which translates an SID to its friendly name:

(By the by, for background on how this SID was generated by Windows, check out this MSDN article. The short version is that the local computer account and any enterprise domains will be under S-1-5-21-* with a three-block-wide randomly generated 96-bit number.)

Sid2user lines up perfectly and even helpfully lists the SID type as SIDTypeDomain for the idea-PC string.

Hunting for Hidden Domains

So what other domains are there? I pulled each unique authority/subauthority string from the KB article to check against sid2user. Just these four are of type SIDTypeDomain:

S-1-5       NT Psuedo Domain (NT Authority)
S-1-5-32    BUILTIN
S-1-5-80    NT SERVICE
S-1-16      Mandatory Label

From such a long list of SIDs I’m surprised there were only three domains. But hey, three new faces! In looking for documentation on them I found many other MSDN articles with SIDs not in the original KB article. There didn’t seem to be any easily understood database anywhere in documentation or in Windows, so I ended up rolling through some FOR loops. By incrementing authority and subauthority values and checking against sid2user, I found a bigger list:

S-1-5       NT Psuedo Domain (NT Authority)
S-1-5-32    BUILTIN
S-1-5-80    NT SERVICE
S-5-82      IIS APPPOOL
S-1-5-87    NT TASK
S-1-7       Internet$
S-1-16      Mandatory Label
S-1-5-90    Window Manager (Windows 8+)

Very interesting! Way beyond just NT Authority, but what do any of these do? Some were easier to find documentation on than others.

Applying the knowledge

For the taskkill filter, NT SERVICE, IIS Apppool, NT Task, and Window Manager could be confirmed as having user accounts running processes that would thus need to be filtered out. I don’t particularly care for the method given new subauthorites of any name can be generated, though.

But, I can still apply what I learned to find a solution. Perhaps instead of blacklisting with ne or trying to parse usernames, I could just focus on the domains users I care about appear under - anything S-1-5-21-*. Taskkill unfortunately doesn’t support filtering with SID strings, but perhaps some environment variables can do the trick:

taskkill.exe /F /FI "USERNAME eq %COMPUTERNAME%\*" /FI "USERNAME eq %USERDOMAIN%\*"