Cloning not creating SID!

Guest

Hi all,

I am using system cloning tool in my OS. The reseal phase is happening
properly, but when I clone the resealed image, I am not able to see any SID
related keys under HKEY_USERS.
I don't see any dependent component for this and there is nothing wrong in
component setting also!
Am I looking at the wrong place to check for SID?

Please help,
 
Guest

Hi KM,

I am referring to Sean Liming's "Windows XP Embedded Advanced" book for cloning,
in which he has mentioned:
"Use regedit and check HKEY_USERS for SID
S-1-5-21-<xxxxxxxxxx><xxxxxxxxxx><xxxxxxxxxx> -500".

I am not able to see any keys similar to this in my XPe cloned image.
Neither is it seen under [HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList] key (subkeys).

Why do I need to use some tool to generate new SIDs? Is it not a feature of
cloning to generate new unique SID for each of the cloned system?

Thanks,

KM said:
Bill,

What do you see under HKEY_USERS key? What subkeys?
You can always find them under [HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList] key (subkeys).

You can download and use NewSID tools (ex: sysinternals.com, now Microsoft) to generate new SIDs:
http://www.microsoft.com/technet/sysinternals/Security/NewSid.mspx
Here you will find a list of well-known SIDs: http://msdn2.microsoft.com/en-us/library/aa379649.aspx

--
=========
Regards,
KM

KM

Bill,

No, you don't have to use NewSID. The only purpose for me to mention that link was that the page contains lots of helpful info about SID.

Anyway, could you please show us what exactly you got under HKEY_USERS key and under the ProfileList key? You would want to show us only the subkeys. This is what I have asked for in my previous post :)

A few more questions the answers to which may lead to the root of the issue:
- How exactly do you run fbreseal? What command line switches and/or advanced properties of the System Cloning Tool component do you use?
- Do you have an Administrator account component included? Any user account component?
- What is your image based on - Minlogon or Winlogon? What Shell?

--
=========
Regards,
KM

Guest

I have minlogon with custom shell, and I have set Automatic mode in system
cloning tool setting which means reseal.exe runs at 12000 phase.
I don't have any administrator/User account component.
The keys under HKEY_USERS are:
.DEFAULT
S-1-5-18
S-1-5-19
S-1-5-19_Classes
S-1-5-20
S-1-5-20_Classes

under the ProfileList key:
S-1-5-19
S-1-5-20

Thanks,

KM

Bill,

Minlogon and no Admin/User components in your image explains why you don't see the registry subkeys you're expecting to see.
The keys you expected to see are related to user accounts (Admin is also a user).
The keys you saw were related to some system accounts. Please see the list of well-known SIDs I posted the link to earlier in this thread.

For instance,
SECURITY_LOCAL_SYSTEM_RID S-1-5-18 A special account used by the operating system.

--
=========
Regards,
KM

Sean Liming (eMVP)

In the book, the example uses Windows Logon (standard) or WinLogon. If you
are using Minlogon, the results are what you see.

Regards,

Sean Liming
www.sjjmicro.com / www.seanliming.com
XP Embedded Book Author - XP Embedded Advanced, XP Embedded Supplemental
Toolkit



Guest

Hi,

Thank you so much for the help!

I now have a small query: How do I validate the creation of SID on each of
the cloned system? I mean, how do I test and confirm, after cloning, that the
system has been assigned unique SID?
If my question sounds like I am a bit confused about SIDs, it could be true!!

Thanks,

KM

Bill,

User SID duplication is not much of an issue in Minlogon environment. However, there is still computer SID. You can find that SID somewhere in SAM hive (HKLM\SECURITY\SAM), typically listed in the list of Members keys.
Much easier way to find out that SID though is to run PsGetSid utility from sysinternals.com (I should've mentioned this tool earlier but not NewSID to avoid confusion). Here is where you can download it as a part of PsTools package:
http://www.microsoft.com/technet/sysinternals/utilities/psgetsid.mspx

FYI.. In Release Notes for SP2 there was mentioned the following: If your embedded run-time image is based on the Minlogon baseline
configuration and you add the System Cloning Tool component, you must also ensure that your configuration includes the Local
Security Authority Subsystem (LSASS) and TCP/IP Networking components.

--
=========
Regards,
KM
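
An added example, not written by any poster in this thread: once each clone's computer SID has been collected (for instance with PsGetSid, as KM suggests), this Python script classifies the HKEY_USERS subkeys listed earlier and flags clones that share a computer SID. The host names and S-1-5-21 values are constructed, and the binary layout decoded by `sid_from_bytes` is the standard Windows SID structure, which the thread itself does not describe.

```python
"""Check that cloned images received distinct computer SIDs (added example)."""
import re
import struct
from collections import defaultdict

# Well-known system account SIDs that appear in this thread.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# A computer (or domain) SID is S-1-5-21 followed by three sub-authorities.
MACHINE_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")


def sid_from_bytes(blob):
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    authority, then `count` little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def classify_key(name):
    """Classify an HKEY_USERS subkey name such as those listed in the thread."""
    base = name[:-len("_Classes")] if name.endswith("_Classes") else name
    if base == ".DEFAULT":
        return "default profile"
    if base in WELL_KNOWN:
        return "system account: " + WELL_KNOWN[base]
    match = MACHINE_SID_RE.match(base)
    if match:
        return "account under computer/domain SID " + match.group(0)
    return "other"


def duplicate_computer_sids(reports):
    """reports maps host name -> text containing that host's computer SID.
    Returns {sid: [hosts]} for every SID reported by more than one host."""
    by_sid = defaultdict(list)
    for host, text in sorted(reports.items()):
        match = MACHINE_SID_RE.search(text)
        if match is None:
            raise ValueError("no computer SID found for " + host)
        by_sid[match.group(0)].append(host)
    return {sid: hosts for sid, hosts in by_sid.items() if len(hosts) > 1}


# HKEY_USERS subkeys as posted in this thread.
THREAD_KEYS = [".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-19_Classes",
               "S-1-5-20", "S-1-5-20_Classes"]

# Constructed sample: one line of collected text per clone (hypothetical hosts).
SAMPLE_REPORTS = {
    "clone-01": "S-1-5-21-1111111111-2222222222-3333333333",
    "clone-02": "S-1-5-21-1234567890-987654321-1122334455",
    "clone-03": "S-1-5-21-1111111111-2222222222-3333333333",
}

if __name__ == "__main__":
    for key in THREAD_KEYS:
        print("%-18s %s" % (key, classify_key(key)))
    dupes = duplicate_computer_sids(SAMPLE_REPORTS)
    for sid, hosts in dupes.items():
        print("DUPLICATE %s on %s" % (sid, ", ".join(hosts)))
    if not dupes:
        print("all clones have distinct computer SIDs")
```
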

Guest

Hi KM,

Thank you very much for the support!

I could do it using psgetsid tool. I found that the computer SID is stored
in:
HKLM\SAM\SAM\Domain\Builtin\Aliases\Members
and cloned images are acquiring unique IDs.

Thanks a lot!

