使用 WMI、WSMAN 和 PowerShell 解析 SID

在 Windows 世界中，帐户 SID 可能是一件非常神秘的事情。 S-1-5-21-2250542124-3280448597-2353175939-1019 是谁？幸运的是，许多应用程序（例如事件日志查看器）将 SID 解析为帐户名。缺点是，当您从 PowerShell 访问相同类型的信息时，您最终会得到“原始”SID。虽然有各种各样的命令行工具，甚至可能有人会在我发布本文后分享一些很酷的 .NET 技巧，但您很可能想要找到 PowerShell 解决方案。

您最初的假设可能是使用 WMI。搜索 Root\CIMv2 您甚至会找到 Win32_SID 类。呜呼！这就是我需要做的：

get-wmiobject win32_sid -filter "sid='S-1-5-21-2250542124-3280448597-2353175939-1019'"

嗯，不。如图所示，您无法查询这个特定的类。

相反，您需要直接访问 Win32_SID 类的实例。在PowerShell中，简单的方法是使用[WMI]类型加速器，并指定实例的路径。

[WMI]"root\cimv2:win32_sid.sid='S-1-5-21-2250542124-3280448597-2353175939-1019'"

如果要查询远程计算机上的 SID，路径将为 \\SERVERNAME\root\cimv2:CLASSNAME.Keyproperty='Something'。但请注意，无法使用 [WMI] 指定备用凭据。不过，您可以查询 Win32_Account 类来获取 SID。

PS Scripts:\> get-wmiobject win32_account -filter "sid='S-1-5-21-2250542124-3280448597-2353175939-1019'"

AccountType : 512
Caption     : Serenity\localadmin
Domain      : Serenity
SID         : S-1-5-21-2250542124-3280448597-2353175939-1019
FullName    :
Name        : localadmin

这使您可以享受使用 cmdlet、查询远程计算机和使用备用凭据的好处。

在 PowerShell 3.0 中，如果您想使用新的 CIM cmdlet 并通过 WSMan 查询 WMI，则可以很容易地将以前的命令转换为 CIM 命令。

PS Scripts:\> get-ciminstance win32_account -filter "sid='S-1-5-21-2250542124-3280448597-2353175939-1019'"

Name             Caption              AccountType          SID                  Domain
----             -------              -----------          ---                  ------
localadmin       Serenity\localadmin  512                  S-1-5-21-22505421... Serenity

这些查询非常好，但我相信如果您能直接进入实例，那就更好了。不幸的是，我找不到任何与 CIM 相关的加速器可以给我提供与使用 [WMI] 加速器相同的结果。请记住，我的目标是利用新的 WSMan 协议。解决方案是使用 Get-WSManInstance cmdlet。

Get-WSManInstance -ResourceURI "wmicimv2/Win32_SID" -SelectorSet @{SID="S-1-5-21-2250542124-3280448597-2353175939-1019"}

我认为您可以看出 ResourceUri 是类的路径，而 SelectorSet 是一个带有键属性（在本例中为 SID）和相应值的哈希表。结果看起来有点不同，但关键部分（例如帐户名称）都在那里。

Get-WSManInstance 还支持备用凭据。因此，考虑到所有这些，我组合了一个使用这种方法的名为 Resolve-SID 的函数。但作为后备方案，您也可以告诉它使用 WMI。

Function Resolve-SID {

<#
.Synopsis
Resolve account name from SID.
.Description
This command uses the WSMAN protocol to query WMI and resolve an account based
on its SID.  Using WMI it was possible to run a command like this:

[wmi]$user="\SERVER01\root\cimv2:Win32_SID.Sid='S-1-5-18'"

But this relies on WMI and DCOM. This command uses a CIM-cmdlet approach that
queries WMI over the WSMAN protocol. If the SID can't be resolved to a user name
an exception will be thrown.

If you want to revert back to the WMI and DCOM approach, use the -UseWMI parameter.
However, you will not be able to use alternate credentials.

.Parameter SID
It is assumed the SID will start with S- and you must enter a complete SID.
Wildcards are not allowed.

.Parameter Computername
The name of the computer to query. The default is the localhost. The parameter
has an alias of CN.

.Parameter UseWMI
Revert to the legacy [WMI] command. This parameter has an alias of WMI.

.Parameter Credential
This parameter as an alias of RunAs. Specify either a username or a PSCredential
object.

.Notes
Last Updated: October 15, 2013
Version     : 1.0

Learn more:
 PowerShell in Depth: An Administrator's Guide (http://www.manning.com/jones2/)
 PowerShell Deep Dives (http://manning.com/hicks/)
 Learn PowerShell 3 in a Month of Lunches (http://manning.com/jones3/)
 Learn PowerShell Toolmaking in a Month of Lunches (http://manning.com/jones4/)
 PowerShell and WMI (http://www.manning.com/siddaway2/)

****************************************************************
* DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED *
* THOROUGHLY IN A LAB ENVIRONMENT. USE AT YOUR OWN RISK.  IF   *
* YOU DO NOT UNDERSTAND WHAT THIS SCRIPT DOES OR HOW IT WORKS, *
* DO NOT USE IT OUTSIDE OF A SECURE, TEST SETTING.             *
****************************************************************

.Example
PS C:\> resolve-sid S-1-5-18

Name                 : NT AUTHORITY\SYSTEM
AccountName          : SYSTEM
ReferencedDomainName : NT AUTHORITY
SID                  : S-1-5-18
Computername         : WIN8-LAP

.Example
PS C:\> resolve-sid S-1-5-21-1199145963-1667969739-787794555-1011 -Computername chi-win8-01 -Credential globomantics\administrator

Name                 : CHI-WIN8-01\localadmin
AccountName          : localadmin
ReferencedDomainName : CHI-WIN8-01
SID                  : S-1-5-21-1199145963-1667969739-787794555-1011
Computername         : CHI-WIN8-01

.Example
PS C:\> resolve-sid S-1-5-18 -verbose -computername jdhit-dc01 -UseWMI

VERBOSE: Starting Resolve-SID
VERBOSE: Resolving SID S-1-5-18 on jdhit-dc01
VERBOSE: Reverting back to WMI
VERBOSE: \jdhit-dc01\root\cimv2:Win32_SID.SID='S-1-5-18'
VERBOSE: Associated account found

Name                 : NT AUTHORITY\SYSTEM
Accountname          : SYSTEM
ReferencedDomainName : NT AUTHORITY
SID                  : S-1-5-18
Computername         : JDHIT-DC01

VERBOSE: Ending Resolve-SID

.Link
Get-WSManInstance
Get-CIMInstance

.Link
https://jdhitsolutions.com/blog/2013/10/resolving-sids-with-wmi-wsman-and-powershell

.Inputs
Strings

.Outputs
A custom object
#>
[cmdletbinding(DefaultParameterSetName="CIM")]

Param(
[Parameter(Position=0,Mandatory=$True,HelpMessage="Enter a SID",
ValueFromPipeline,ValueFromPipelineByPropertyName)]
[ValidatePattern("^S-")]
[string]$SID,
[Parameter(ValueFromPipelineByPropertyName)]
[Alias("CN","PSComputername")]
[ValidateNotNullorEmpty()]
[string]$Computername=$env:computername,
[Alias("RunAs")]
[Parameter(ParameterSetName="CIM")]
[System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty,
[Parameter(ParameterSetName="WMI")]
[Alias("wmi")]
[switch]$UseWMI
)

Begin {
    Write-Verbose -Message "Starting $($MyInvocation.Mycommand)"  
} #begin
Process {
    Write-Verbose "Resolving SID $SID on $Computername"
    #build a hashtable of paramters to splat to Get-WSManInstance
    $paramHash=@{
        ErrorAction="Stop"
        ErrorVariable="MyError"
        ResourceURI="wmicimv2/win32_SID"
        SelectorSet=@{SID="$SID"}
        Computername=$Computername
    }

    If ($Credential.username) {
        Write-Verbose "Adding alternate credential for $($Credential.username)"
        $paramHash.Add("Credential",$Credential)
    }

    Try {

        #if UseWMI, use Get-WMIObject
        if ($UseWMI) {
            Write-Verbose "Reverting back to WMI"
            Write-Verbose "\$computername\root\cimv2:Win32_SID.SID='$SID'"
            [WMI]$Result = "\$computername\root\cimv2:Win32_SID.SID='$SID'"

        }
        else {
            $result = Get-WSManInstance @paramhash 
        }
    }
    Catch {
        Write-Warning "Get-WSManInstance failed to retrieve SID from $($Computername.ToUpper())"
        Write-Warning $myError.ErrorRecord
        #bail out
        Return
    }

    <#
    if there is no account name then the SID was not resolved, but there was
    no error. The query will still succeed and write an object to the pipeline
    but it won't have any useful information.  Only write the result to the pipeline
    if there is an associated account, otherwise an exception will be thrown.
    #>

    if ($result.AccountName) {
        Write-Verbose "Associated account found"
        $result | 
        Select @{Name="Name";Expression={"$($_.ReferencedDomainName)$($_.AccountName)"}},
        Accountname,ReferencedDomainName,SID,
        @{Name="Computername";Expression={$Computername.ToUpper()}}
    }
    else {
        Write-Verbose "Failed to resolve SID. This is the result"
        Write-Verbose $($Result | Out-String)
        Throw "Failed to resolve SID $SID on $($Computername.ToUpper())"
    }
} #process

End {
    Write-Verbose -Message "Ending $($MyInvocation.Mycommand)"
} #end

} #close function Resolve-SID

我认为在基于注释的帮助、内部注释和详细消息之间，您应该能够理解该函数是如何工作的。现在您拥有了多种解决 SID 的技术。在本地查询、使用 [WMI] 或查询 Win32_Account 类的 SID 在性能方面应该足够了。但在远程，使用 [WMI] 或 Get-WSManInstance 比查询和过滤要快得多。使用 Get-WMIboject 或 Get-CIMInstance 需要 600-750 毫秒，而 [WMI] 方法大约需要 200 毫秒，而使用 Get-WSManInstance 需要 150 毫秒。

我希望您决心不再让 SIDS 成为您的障碍。