How to Resolve a SID to a Username in Batch Script
A Security Identifier (SID) is the "True Identity" of a Windows account, but strings like S-1-5-21-397... are impossible for humans to read. In many security scenarios, such as analyzing a "Denied" file access log, auditing the HKEY_USERS registry hive, or investigating a suspicious event in the Windows Event Log, you will encounter a SID and need to know which Username it belongs to. For IT administrators and forensic analysts, translating these identifiers back into readable names is a daily task.
This guide explains how to resolve SIDs using Batch and WMI.
Why Resolve SIDs to Usernames?
- Forensic Investigation: Identifying the person responsible for a specific action recorded in the security log.
- Registry Cleanup: Finding out which user profile belongs to a specific SID folder in C:\Users when the profile has been partially deleted.
- Permission Auditing: Verifying who exactly has "Full Control" over a file when the permission list only shows an "Unknown Account" SID.
Whoami Shortcut
If you need to know the name of the user belonging to the current session's SID, you can simply use the whoami command.
Method 1: Using WMIC (The Professional Standard)
The WMIC utility lets you query the Win32_UserAccount class (WMIC alias useraccount) using the SID as the filter.
@echo off
setlocal
set "THE_SID=S-1-5-21-123456789-123456789-123456789-1001"
echo [PROCESS] Resolving identity for SID: %THE_SID%...
echo.
:: Check if the account exists by attempting to capture the name
set "FOUND_NAME="
for /f "tokens=2 delims==" %%A in ('wmic useraccount where "sid='%THE_SID%'" get name /value 2^>nul') do set "FOUND_NAME=%%A"
if defined FOUND_NAME (
    echo [SUCCESS] Account Found:
    wmic useraccount where sid='%THE_SID%' get domain, name
) else (
    echo [ERROR] No account found with SID: %THE_SID%
)
pause
Method 2: Extracting the Name into a Variable
To use the resolved name in an automated report (e.g., "Scanning folder for user X"), use a FOR loop to isolate the name string.
@echo off
setlocal
set "TARGET_SID=S-1-5-21-2550186536-2244248473-1349091636-1001"
echo [PROCESS] Searching for identity...
set "USER_NAME="
:: /value prints "Name=<value>", so a name containing spaces is not cut off at the first space.
:: WMIC ends every output line with a stray carriage return; the inner FOR strips it.
for /f "tokens=1,* delims==" %%n in ('wmic useraccount where "sid='%TARGET_SID%'" get name /value 2^>nul') do (
    for /f "delims=" %%m in ("%%o") do set "USER_NAME=%%m"
)
if defined USER_NAME (
    echo [SUCCESS] Identity Found: %USER_NAME%
) else (
    echo [ERROR] This SID was not found in the local user database.
    echo [TIP] It may belong to a domain account, group, or service.
    echo Try: wmic group where sid='%TARGET_SID%' get name
)
pause
Creating a SID Resolver Utility
A professional script allows you to paste any SID, validates the format, and checks both user accounts and groups.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Identity Resolution Engine (SID to Name^)
echo ============================================================
set /p "INPUT_SID=Paste SID to Resolve: "
if "!INPUT_SID!"=="" (
    echo [ERROR] No SID entered.
    pause
    exit /b 1
)
:: Validate SID format (must start with S-1-)
echo !INPUT_SID! | findstr /r "^S-1-" >nul
if !errorlevel! neq 0 (
    echo [ERROR] Invalid SID format. SIDs must start with 'S-1-'.
    pause
    exit /b 1
)
:: 1. Check well-known SIDs first
set "RESOLVED="
if "!INPUT_SID!"=="S-1-5-18" set "RESOLVED=NT AUTHORITY\SYSTEM"
if "!INPUT_SID!"=="S-1-5-19" set "RESOLVED=NT AUTHORITY\LOCAL SERVICE"
if "!INPUT_SID!"=="S-1-5-20" set "RESOLVED=NT AUTHORITY\NETWORK SERVICE"
if "!INPUT_SID!"=="S-1-5-32-544" set "RESOLVED=BUILTIN\Administrators"
if "!INPUT_SID!"=="S-1-5-32-545" set "RESOLVED=BUILTIN\Users"
if defined RESOLVED (
    echo.
    echo [OK] Well-Known SID Resolved: !RESOLVED!
    echo ============================================================
    pause
    exit /b 0
)
:: 2. Attempt user account lookup
:: /value prints "Domain=..." and "Name=..." lines, so names containing spaces stay whole;
:: the inner FOR strips the stray carriage return WMIC appends to every line.
set "USN="
set "DOMAIN="
for /f "tokens=1,* delims==" %%a in ('wmic useraccount where "sid='!INPUT_SID!'" get domain^,name /value 2^>nul') do (
    for /f "delims=" %%c in ("%%b") do (
        if /i "%%a"=="Domain" set "DOMAIN=%%c"
        if /i "%%a"=="Name" set "USN=%%c"
    )
)
if defined USN (
    echo.
    echo [OK] User Account: !DOMAIN!\!USN!
    echo ============================================================
    pause
    exit /b 0
)
:: 3. Attempt group lookup (group names such as "Remote Desktop Users" contain spaces)
set "GRP="
for /f "tokens=1,* delims==" %%g in ('wmic group where "sid='!INPUT_SID!'" get name /value 2^>nul') do (
    for /f "delims=" %%i in ("%%h") do set "GRP=%%i"
)
if defined GRP (
    echo.
    echo [OK] Group Account: !GRP!
    echo ============================================================
    pause
    exit /b 0
)
:: 4. Not found
echo.
echo [FAIL] Could not resolve SID: !INPUT_SID!
echo [INFO] This SID may belong to:
echo - A domain account (requires Domain Controller access^)
echo - A deleted account (orphaned SID^)
echo - A service account not queryable via WMI
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
While standard users can resolve their own SID, you must run as an Administrator to resolve the SIDs of other users or privileged system accounts.
Well-Known SIDs
Not all SIDs belong to "Users." Some belong to Windows services or groups.
Advise your users that if they see a SID like S-1-5-18, it is the System account. S-1-5-32-544 is the Administrators group. Your script might fail to find these in the useraccount class; you might need to query wmic group where sid=... instead.
Best Practices for Identity Resolution
- Check for Groups: If useraccount returns nothing, try querying the group class: wmic group where sid='...' get name.
- Handle SID History: If a user was migrated from another domain, they might have an old SID that doesn't resolve locally.
- Audit Orphaned Profiles: Use your script to check every folder in C:\Users. If a folder is named after a SID that doesn't resolve to a name, it is an "Orphaned Profile" and can likely be deleted to save space.
Note that resolving a Domain SID requires access to the Domain Controller. If the machine is offline, it can only resolve local SIDs or cached domain credentials.
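The following script is an added example, not code from the original article. It folds Methods 1 and 2, the group fallback and the well-known SIDs into one reusable :ResolveSid subroutine, and then uses it to audit the SIDs loaded under HKEY_USERS (the hive mentioned at the start of the guide), flagging any that no longer translate to a name. The script file name, the RESULT/KEY variable names and the _rs_ prefix are assumptions; the three WMIC aliases it queries (useraccount, group, sysaccount) are the standard aliases for Win32_UserAccount, Win32_Group and Win32_SystemAccount.

```batch
@echo off
setlocal EnableDelayedExpansion

:: Added example: reusable SID resolver plus an HKEY_USERS audit.
:: Usage:  resolve-hku.cmd          resolve every SID loaded under HKEY_USERS
::         resolve-hku.cmd <SID>    resolve one SID given on the command line
:: (script name, RESULT/KEY and the _rs_ variable prefix are assumptions)

if not "%~1"=="" (
    call :ResolveSid "%~1" RESULT
    if defined RESULT (
        echo [OK]   %~1  -^>  !RESULT!
    ) else (
        echo [FAIL] %~1  -^>  unresolved
    )
    exit /b 0
)

:: Subkeys of HKEY_USERS are the SIDs of loaded profiles. ".DEFAULT" is not an
:: identity and "<SID>_Classes" is the per-user HKCR overlay, so both are skipped.
for /f "delims=" %%K in ('reg query HKU 2^>nul') do (
    set "KEY=%%~nxK"
    if "!KEY:~0,4!"=="S-1-" if /i not "!KEY:~-8!"=="_Classes" (
        call :ResolveSid "!KEY!" RESULT
        if defined RESULT (
            echo [OK]   !KEY!  -^>  !RESULT!
        ) else (
            echo [WARN] !KEY!  -^>  unresolved ^(deleted account, or a domain SID this host cannot translate^)
        )
    )
)
exit /b 0

:ResolveSid
:: Arguments: %1 = SID, %2 = name of the variable to receive DOMAIN\NAME (empty if not found).
:: Tries user accounts, then groups, then the built-in system accounts
:: (NT AUTHORITY\SYSTEM, LOCAL SERVICE and NETWORK SERVICE live in Win32_SystemAccount).
:: /value output ("Domain=...", "Name=...") keeps names with spaces intact, and the
:: inner FOR strips the stray carriage return WMIC leaves at the end of each line.
set "%~2="
set "_rs_dom="
set "_rs_name="
for %%C in (useraccount group sysaccount) do (
    if not defined _rs_name (
        for /f "tokens=1,* delims==" %%A in ('wmic %%C where "sid='%~1'" get domain^,name /value 2^>nul') do (
            for /f "delims=" %%V in ("%%B") do (
                if /i "%%A"=="Domain" set "_rs_dom=%%V"
                if /i "%%A"=="Name" set "_rs_name=%%V"
            )
        )
    )
)
if defined _rs_name set "%~2=!_rs_dom!\!_rs_name!"
exit /b 0
```

Two caveats apply when running this. Filtering Win32_UserAccount by SID still makes WMI enumerate every account visible to the host, so on a domain-joined machine the lookup can take a long time; adding a Domain condition to the where clause narrows it. WMIC itself is deprecated (Windows 10 21H1 and later) and is no longer installed by default on current Windows 11 builds, so the same translation in PowerShell, `([System.Security.Principal.SecurityIdentifier]'S-1-5-18').Translate([System.Security.Principal.NTAccount]).Value`, is the forward-looking replacement for the WMIC calls in the subroutine.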
Conclusion
Resolving a SID to a username via Batch script is an essential task for any IT administrator or security analyst working in a professional Windows environment. By programmatically identifying the human names behind complex security strings, you can make informed decisions during audits, investigations, and system maintenance. This professional approach to identity management simplifies the translation of raw security data into actionable intelligence, providing a clear and automated path for your user administration and system defense strategies across the entire Windows ecosystem.