Since Windows Vista came out, several sets of "virtual account" types have been added to the operating system. The most obvious are the Service accounts managed by the Service Control Manager, which belong to the "NET Service" authority and have the SID prefix "S-1-5-80". If we look at the documentation for these SIDs, we'll find that they are basically defined as "S-1-5-80-{SHA1(UNICODE()}".

IIS 7.X/8.X also has its own set of virtual accounts, associated with the AppPoolIdentity. These belong to the "IIS AppPool" authority with base SID prefix "S-1-5-82". The way these application pool names convert to SIDs is basically the same as that of service accounts, with one little difference: The input to the SHA1 function is not the application pool name in uppercase, but in lowercase.

Here's a very simple PowerShell function I wrote to make it easier to do these conversions:

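function Get-SIDHash([String]$sidPrefix, [String]$user) {
    # App pool SIDs (S-1-5-82) hash the lowercase name; everything else hashes the uppercase name
    $userToHash = switch ( $sidPrefix ) {
        'S-1-5-82' { $user.ToLower() }
        default { $user.ToUpper() }
    }
    # UTF-16LE bytes of the normalized name
    $userBytes = [Text.Encoding]::Unicode.GetBytes($userToHash)
    # SHA-1 digest (20 bytes), computed with the .NET class so no helper cmdlets are required
    $hash = [Security.Cryptography.SHA1]::Create().ComputeHash($userBytes)
    $sid = $sidPrefix
    # Append the digest as five 32-bit unsigned sub-authorities
    for ( $i=0; $i -lt 5; $i++ ) {
        $sid += '-' + [BitConverter]::ToUInt32($hash, $i*4)
    }
    $sid
}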
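
Because the sub-authorities are a SHA-1 digest, an unresolved S-1-5-80 or S-1-5-82 SID (for example in an ACL or log exported from another machine) can only be mapped back to a name by hashing candidate names and comparing. The following added example, which is not code from the original post, does that against an inventory; the function names, the inventory and the sample SIDs are constructed for illustration.

```powershell
# Added example (not from the original post). Names and SIDs below are constructed samples.
function ConvertTo-VirtualAccountSid {
    param([Parameter(Mandatory)][string]$Prefix, [Parameter(Mandatory)][string]$Name)
    # Same rule as the post: lowercase for S-1-5-82 (app pools), uppercase otherwise.
    $normalized = if ($Prefix -eq 'S-1-5-82') { $Name.ToLower() } else { $Name.ToUpper() }
    $sha1 = [Security.Cryptography.SHA1]::Create()
    try { $hash = $sha1.ComputeHash([Text.Encoding]::Unicode.GetBytes($normalized)) }
    finally { $sha1.Dispose() }
    # Five 32-bit unsigned sub-authorities taken from the 20-byte digest.
    $parts = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    (@($Prefix) + $parts) -join '-'
}

function Resolve-VirtualAccountSid {
    param(
        [Parameter(Mandatory)][string[]]$Sid,
        [string[]]$ServiceName = @(),
        [string[]]$AppPoolName = @()
    )
    # Hash every candidate once, then look each observed SID up in the table.
    $table = @{}
    foreach ($n in $ServiceName) {
        $table[(ConvertTo-VirtualAccountSid -Prefix 'S-1-5-80' -Name $n)] = "Service: $n"
    }
    foreach ($n in $AppPoolName) {
        $table[(ConvertTo-VirtualAccountSid -Prefix 'S-1-5-82' -Name $n)] = "AppPool: $n"
    }
    foreach ($s in $Sid) {
        $match = if ($table.ContainsKey($s)) { $table[$s] } else { 'no match in inventory' }
        [pscustomobject]@{ Sid = $s; Account = $match }
    }
}

# Constructed inventory and "observed" SIDs (derived here so the demo runs offline).
$services = 'TrustedInstaller', 'Spooler'
$pools    = 'DefaultAppPool'
$observed = @(
    ConvertTo-VirtualAccountSid -Prefix 'S-1-5-80' -Name 'spooler'          # name case does not matter
    ConvertTo-VirtualAccountSid -Prefix 'S-1-5-82' -Name 'DEFAULTAPPPOOL'
    'S-1-5-80-1-2-3-4-5'                                                   # constructed, matches nothing
)
Resolve-VirtualAccountSid -Sid $observed -ServiceName $services -AppPoolName $pools
```

On a live system, `(Get-Service).Name` can supply the service inventory.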


Tomas Restrepo

Software developer located in Colombia.