SIDs, GUIDs, and CLSIDs

In the Windows operating system environment, all users, groups, and computers have unique SIDs. A SID identifies a security subject or group of subjects. Local users and groups are assigned SIDs that are unique to a single computer, while domain objects are assigned SIDs that are unique within the domain. A subject’s SID is assigned when the subject is created and never changes throughout its lifetime. A user’s name can be changed, but the user’s SID remains the same. The use of SIDs gives Windows the ability to record references to users, groups, and computers that remain constant and don’t change over time.

As information systems have grown, they have become more diverse and distributed. Many applications now operate as a collection of distributed components running on several different computers. Microsoft uses identification values that are unique across all environments to keep track of objects across many computers. Microsoft assigns many objects a globally unique identifier (GUID), also called a universally unique identifier (UUID), to distinguish objects that may originate from different computers. Originally intended in Windows to uniquely identify GUI controls, GUIDs are now used to identify many different types of objects, including:

  • Computers

  • Web browsers

  • Database records

  • Files

  • Application components

There are several ways to generate GUIDs/UUIDs. Performing an Internet search for “Generate GUID” or “Generate UUID” will result in references to programs, websites, scripts, and other strategies to create GUIDs/UUIDs on demand. Microsoft offers a tool to create UUIDs called UUIDGEN.EXE. Any strategy that generates a true globally unique ID will provide a UUID that can be used in your own system.

Windows uses GUIDs extensively to keep track of many objects. The Windows Registry uses GUIDs to identify objects and record many of their attributes. When used in this context, the GUIDs are stored as Class Identifiers (CLSIDs). Windows uses CLSIDs to represent a software application or software component. In fact, CLSIDs can represent even more. Because the CLSID stays the same, even basic information, such as an executable filename, can be changed while the CLSID still refers to the same application. Windows recognizes either the filename or the CLSID for executable objects. For example, follow these steps to launch the Recycle Bin by running its CLSID:

  1. Select the Windows icon or press the Windows key, then press ‘R.’

  2. Type the following value in the Open box:

    ::{645ff040-5081-101b-9f08-00aa002f954e}

  3. Choose OK.

Windows uses CLSIDs to reference software components without having to know the component’s name. TABLE 3-4 lists some common Windows CLSIDs to run programs without referencing the program name. Run any of the listed CLSIDs to open the corresponding program.

TABLE 3-4 Common CLSIDs

CLSID                                               DESCRIPTION
::{20d04fe0-3aea-1069-a2d8-08002b30309d}            My Computer
::{450d8fba-ad25-11d0-98a8-0800361b1103}            My Documents
::{208d2c60-3aea-1069-a2d7-08002b30309d}            My Network Places
::{1f4de370-d627-11d1-ba4f-00a0c91eedba}            Network Computers
::{7007acc7-3202-11d1-aad2-00805fc1270e}            Network Connections
::{2227a280-3aea-1069-a2de-08002b30309d}            Printers and Faxes
::{645ff040-5081-101b-9f08-00aa002f954e}            Recycle Bin
::{d6277990-4c6a-11cf-8d87-00aa0060f5bf}            Scheduled Tasks
::{450d8fba-ad25-11d0-98a8-0800361b1103}My Folder   Opens My Folder under My Documents; assumes the folder “My Folder” exists

© Jones & Bartlett Learning.

Regardless of whether Microsoft refers to objects using a CLSID or the object name, all access control rules must be satisfied before access is allowed. There is no shortcut that uses direct CLSID references to bypass access controls.
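
To see what the Registry records for a CLSID, the following added example (not part of the original text) looks up CLSIDs from TABLE 3-4 under HKEY_CLASSES_ROOT\CLSID and reports the registered name and implementing binary. The function name Resolve-Clsid is hypothetical; the lookup is read-only, and a CLSID that is not registered on the machine is reported rather than treated as an error.

```powershell
# Added example: resolve CLSIDs to their registry records (read-only).
# Resolve-Clsid is a hypothetical helper name; the CLSIDs come from TABLE 3-4.
function Resolve-Clsid {
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($raw in $Clsid) {
        # Accept "::{guid}", "{guid}" or a bare guid; skip anything else.
        $guid = [guid]::Empty
        $text = $raw.Trim().TrimStart(':')
        if (-not [guid]::TryParse($text, [ref]$guid)) {
            Write-Warning "Not a valid GUID: $raw"
            continue
        }

        # The registry stores CLSIDs in braced form: {xxxxxxxx-xxxx-...}
        $id      = $guid.ToString('B')
        $keyPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"

        if (-not (Test-Path -LiteralPath $keyPath)) {
            [pscustomobject]@{ Clsid = $id; Registered = $false; Name = $null; Server = $null }
            continue
        }

        # The key's default (unnamed) value holds the display name.
        $name = (Get-Item -LiteralPath $keyPath).GetValue('')

        # InprocServer32 (DLL) or LocalServer32 (EXE) names the implementing binary.
        $server = foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $subKey = Get-Item -LiteralPath "$keyPath\$sub" -ErrorAction SilentlyContinue
            if ($subKey) { '{0}: {1}' -f $sub, $subKey.GetValue('') }
        }

        [pscustomobject]@{
            Clsid      = $id
            Registered = $true
            Name       = $name
            Server     = $server -join '; '
        }
    }
}

# Recycle Bin and My Computer, as listed in TABLE 3-4.
Resolve-Clsid '::{645ff040-5081-101b-9f08-00aa002f954e}',
              '::{20d04fe0-3aea-1069-a2d8-08002b30309d}' | Format-List
```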
