In some places in the Windows UI, you see Windows account security identifiers (SIDs) that do not resolve to friendly names. These places include the following:
- File Explorer
- Security Audit reports
- The access control list (ACL) editor in Registry Editor, as shown in the following examples:
Windows Server 2012 and Windows 8 introduced a type of SID that is known as a capability SID. By design, a capability SID does not resolve to a friendly name.
Capability SIDs uniquely and immutably identify capabilities. In this context, a capability is an un-forgeable token of authority that grants a Windows component or a Universal Windows Application access to resources such as documents, cameras, locations, and so forth. An application that “has” a capability is granted access to the resource that is associated with the capability. An application that “does not have” a capability is denied access to the associated resource.
The most commonly used capability SID is the following:
Windows 10, version 1809 uses more than 300 capability SIDs.
DO NOT DELETE capability SIDs from either the registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.
When you are troubleshooting an unresolved SID, make sure that it is not a capability SID. To get a list of all of the capability SIDs that Windows has a record of, follow these steps:
- Select Start > Run, and then enter regedt32.exe.
- Navigate to the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities.
- Copy the value data and paste it into a text file (or a similar location where you can search the data).
  Note: This value may not include all capability SIDs that third-party applications use.
- Search the data for the SID that you are troubleshooting.
  - If you find the SID in the registry data, then it is a capability SID. By design, it will not resolve into a friendly name.
  - If you do not find the SID in the registry data, then it is not a known capability SID. You can continue to troubleshoot it as a normal unresolved SID. Keep in mind that there is a small chance that the SID could be a third-party capability SID, in which case it will not resolve into a friendly name.
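The same lookup can be scripted. The following PowerShell is an added example, not part of the original article: the function names `Get-CachedCapabilityData` and `Test-CapabilitySid` are hypothetical, and it assumes the value data is text that contains SID strings, as the steps above describe.

```powershell
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses'
$ValueName = 'AllCachedCapabilities'

function Get-CachedCapabilityData {
    # Read the value data as an array of strings (covers REG_SZ and REG_MULTI_SZ).
    $data = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
    [string[]]@($data)
}

function Test-CapabilitySid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Sid,
        # Assumption: the value data contains SID strings that can be searched as text.
        [string[]]$CapabilityData = (Get-CachedCapabilityData)
    )
    process {
        $candidate = $Sid.Trim()
        if ($candidate -notmatch '^S-1-\d+(-\d+)+$') {
            Write-Warning "Skipping '$Sid': not a SID string."
            return
        }
        # Match the complete SID only, so a SID that is a prefix of a longer one is not a hit.
        $pattern = '(?<![\w-])' + [regex]::Escape($candidate) + '(?![\d-])'
        $isKnown = @($CapabilityData -match $pattern).Count -gt 0

        # Confirm independently whether Windows can translate the SID to an account name.
        $resolves = $true
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]::new($candidate)
            $null = $sidObject.Translate([System.Security.Principal.NTAccount])
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $resolves = $false
        }

        if ($isKnown) { $guidance = 'Known capability SID: leave the permission entry in place' }
        elseif ($resolves) { $guidance = 'Resolves to an account name' }
        else { $guidance = 'Not a known capability SID: troubleshoot as unresolved (could be third-party)' }

        [pscustomobject]@{
            Sid = $candidate; ResolvesToName = $resolves
            InCachedCapabilityList = $isKnown; Guidance = $guidance
        }
    }
}

# Usage: check every SID-form entry on a registry key's ACL before changing permissions.
(Get-Acl 'HKLM:\SOFTWARE').Access.IdentityReference.Value |
    Where-Object { $_ -like 'S-1-*' } | Sort-Object -Unique | Test-CapabilitySid
```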