another question about RID,below 1003 is RID(relative ID)?(from ms-sntp:w32tm.exe /ntpte relative RID)sid :S-1-5-21-1343024091-1682526488-839522115-1003

WMIC /LOGON:LIST ALL LOGON but no current user logon id.....?

in process explore find windows xp LOGON SIDand find svchost.exe has 3 kinds sids

psgetsid.exe can not get logon id C:\Documents and Settings\user\My Documents\SysinternalsSuite>psgetsid.exe S-1-5-5-0-59347 PsGetSid v1.43 - Translates SIDs to names and vice versaCopyright (C) 1999-2006 Mark RussinovichSysinternals - www.sysinternals.com Error querying SID: C:\Documents and Settings\user\My Documents\SysinternalsSuite>

SECURITY_LOGON_IDS_RID S-1-5-5-X-Y A logon session. This is used to ensure that only processes in a given logon session can gain access to the window-station objects for that session. The X and Y values for these SIDs are different for each logon session. The value SECURITY_LOGON_IDS_RID_COUNT is the number of RIDs in this identifier (5-X-Y). /* S-1-5 */4072 #define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}4073 #define SECURITY_DIALUP_RID 0x00000001L4074 #define SECURITY_NETWORK_RID 0x00000002L4075 #define SECURITY_BATCH_RID 0x00000003L 4076 #define SECURITY_INTERACTIVE_RID 0x00000004L4077 #define SECURITY_LOGON_IDS_RID 0x00000005L4078 #define SECURITY_SERVICE_RID 0x00000006L4079 #define SECURITY_ANONYMOUS_LOGON_RID 0x00000007L4080 #define SECURITY_PROXY_RID 0x00000008L4081 #define SECURITY_ENTERPRISE_CONTROLLERS_RID 0x00000009L4082 #define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID

SECURITY_LOGON_IDS_RID:Accounts authorized to log on as a service. This is a group identifier 5-0-59347 to the token of a process