COMP41590_Advanced_Computer_Forensics > Windows User Groups > Flashcards

Windows User Groups Flashcards

(13 cards)

Study These Flashcards
1
Q

Name the 3 user account types.

A
  • Administrator, Full Control
  • Standard, day to day access
  • Guest, Limited access
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is a SID?

A

Its a unique User and Security Identifier, each user has one.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the SID format?

A

S-1-5-2-……-…….-……1007
Where:
S = An SID allways begins with this char
1 = Revision number
5 = Identifier Authority (found in every SID)
21 = Sub Authority value
1007 = RID

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is RID?

A

Is means Relative IDentifier. (Written as HEX eg 0x3EA = 1002)
The portion of a SID that uniquely identifies a user or custom group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What RID number do Administrator, User and Guest have?

A
  • Admin has number 500
  • Guest has number 501
  • Users and Groups begins with 1000 and increment by 1.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Name several well know User SID’s.

A
  • S-1-5-18 = Local system
  • S-1-5-19 = local service
  • S-1-5-20 = network service
  • S-1-5-21- xxxx - 500 = local admin
  • S-1-5-21- xxxx - 501 = local guest.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What means “SAM” ?

A

SAM stands for “Security Account Manager”.
It contains info about local user accounts:
- usernames
- passwords hashes (with syskey encryption)
- account restrictions

It is stored in C:\Windows\System32\config\SAM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Name several well know Group SID’s. And where are they stored in the registry?

A
  • S-1-5-32-544 = Aministrators
  • S-1-5-32-545 = Users
  • S-1-5-32-546 = Guests
  • S-1-5-32-547 = Power Users
  • S-1-5-32-551 = Backup Operators
  • S-1-5-32-552 = Replicator

HKLM\SAM\SAM\Domains\Builtin\Aliases

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Where are User Profiles stored in the registry?

A

They are located in the following location:
HKLM\SOTFWARE\Microsoft\WindowsNT\CurrentVersion\Profilelist

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Where are all the Users stored in the registry?

A

They are located in the following location:
HKLM\SAM\SAM\Domains\Account\Users

(It contains all the users of this system)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Where is the User Group Memberships stored in the registry?

A

HKLM\SOTFWARE\Microsoft\WindowsNT\CurrentVersion\GroupPolicy\user_id\GroupMemberShip

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Where is the Windows ProfileList stored in the registry?

A

HKLM\SOTFWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Name the 2 most important Registry hives.

A
  • HKLM\System => C:\Windows\System32\config\System
  • HKLM\Software => C:\Windows\System32\config\Software
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
COMP41590_Advanced_Computer_Forensics
flashcards
Decks in class (11)
# Cards
Brainscape helps you reach your goals faster, through stronger study habits.
© 2026 Bold Learning Solutions. Terms and Conditions