I was digging into exactly how service SIDs are mapped back to a name when I came across the API LsaLookupManageSidNameMapping. Unsurprisingly this API is not officially documented either on MSDN or in the Windows SDK. However, LsaManageSidNameMapping is documented (mostly). After a little digging it turns out they both lead to the same RPC function in LSASS, just through different names:
- LsaLookupManageSidNameMapping -> lsass!LsaLookuprManageCache
- LsaManageSidNameMapping -> lsasrv!LsarManageSidNameMapping
They ultimately both end up in lsasrv!LsarManageSidNameMapping. I've no idea why there are two of them, or why one is documented and the other isn't. *shrug*. Of course, even though there's an MSDN entry for the function, it doesn't seem to actually be declared in the Ntsecapi.h include file *double shrug*. The best documentation I found was this header file.
This got me wondering whether I could register all the AppContainer named capabilities with LSASS, so that normal applications would resolve them rather than me having to do it myself. That would be easier than modifying the SAM or similar tricks. Sadly, while you can add some SID-to-name mappings, this API won't let you do that for capability SIDs, because of the following calling restrictions:
- The caller needs SeTcbPrivilege (this is a given with an LSA API).
- The SID to map must use the NT security authority (5), and the domain's first RID must be between 80 and 111 inclusive.
- You must register a domain SID's name first before you can map any SID that includes it.
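To make those restrictions concrete, here is an added C example (my own illustration, not code from the post or from Windows) that models them as an offline pre-check over SID strings rather than calling the API itself. It assumes that a SID "includes" a domain SID when the registered domain SID is a strict prefix of it; the SeTcbPrivilege requirement is a property of the caller's token and is not modelled. The registered domain and the sample SIDs are constructed, apart from the well-known S-1-5-80 (NT SERVICE) prefix and S-1-5-32-544 (BUILTIN\Administrators).

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Decoded form of an SDDL-style SID string such as "S-1-5-80-1-2-3-4-5". */
typedef struct {
    unsigned long long authority; /* identifier authority, e.g. 5 = NT */
    unsigned long sub[15];        /* sub-authorities; sub[0] is the "first RID" */
    int count;
} sid_t;

/* Result of checking a SID against the restrictions listed in the post. */
typedef enum {
    MAP_OK = 0,
    MAP_BAD_FORMAT,            /* not a well-formed SID string */
    MAP_WRONG_AUTHORITY,       /* identifier authority is not NT (5) */
    MAP_NO_FIRST_RID,          /* no sub-authorities, so nothing to range-check */
    MAP_RID_OUT_OF_RANGE,      /* first RID is not in 80..111 */
    MAP_DOMAIN_NOT_REGISTERED  /* no registered domain SID is a prefix of this SID */
} map_check_t;

/* Read one decimal component at *p and advance past it; 0 if no digits present. */
static int read_component(const char **p, unsigned long long *value)
{
    char *end;
    if (!isdigit((unsigned char)**p))
        return 0;
    errno = 0;
    *value = strtoull(*p, &end, 10);
    *p = end;
    return errno == 0;
}

/* Parse "S-1-A-S1-S2-..." into sid_t. Returns 1 on success, 0 on malformed input. */
int parse_sid(const char *s, sid_t *out)
{
    const char *p = s;
    unsigned long long v;

    memset(out, 0, sizeof(*out));
    if ((*p != 'S' && *p != 's') || p[1] != '-')
        return 0;
    p += 2;
    if (!read_component(&p, &v) || v != 1 || *p++ != '-') /* revision must be 1 */
        return 0;
    if (!read_component(&p, &v))
        return 0;
    out->authority = v;
    while (*p == '-') {
        p++;
        if (out->count == 15 || !read_component(&p, &v) || v > 0xFFFFFFFFULL)
            return 0;
        out->sub[out->count++] = (unsigned long)v;
    }
    return *p == '\0';
}

/* Restrictions the post lists for every SID passed to the API, domain or account. */
map_check_t check_domain_mappable(const char *sid_str)
{
    sid_t sid;
    if (!parse_sid(sid_str, &sid))
        return MAP_BAD_FORMAT;
    if (sid.authority != 5)
        return MAP_WRONG_AUTHORITY;
    if (sid.count == 0)
        return MAP_NO_FIRST_RID;
    if (sid.sub[0] < 80 || sid.sub[0] > 111)
        return MAP_RID_OUT_OF_RANGE;
    return MAP_OK;
}

/* True if 'domain' is a strict prefix of 'sid' (same authority, fewer sub-authorities). */
static int sid_has_prefix(const sid_t *sid, const sid_t *domain)
{
    int i;
    if (domain->authority != sid->authority || domain->count >= sid->count)
        return 0;
    for (i = 0; i < domain->count; i++)
        if (domain->sub[i] != sid->sub[i])
            return 0;
    return 1;
}

/* An account SID must pass the same checks and also fall under a registered domain.
   Assumption: "includes it" in the post means the domain SID is a prefix of the account SID. */
map_check_t check_account_mappable(const char *sid_str,
                                   const char *const *registered, size_t n_registered)
{
    sid_t sid, dom;
    map_check_t rc = check_domain_mappable(sid_str);
    size_t i;

    if (rc != MAP_OK)
        return rc;
    parse_sid(sid_str, &sid); /* already known to parse */
    for (i = 0; i < n_registered; i++)
        if (parse_sid(registered[i], &dom) && sid_has_prefix(&sid, &dom))
            return MAP_OK;
    return MAP_DOMAIN_NOT_REGISTERED;
}

/* Constructed sample state: the well-known NT SERVICE domain prefix is already registered. */
static const char *const kRegisteredDomains[] = { "S-1-5-80" };
```

Running a capability SID such as S-1-15-3-1 through check_account_mappable fails at the authority check (15 rather than 5), which is exactly why the idea above doesn't work; a constructed service SID like S-1-5-80-1-2-3-4-5 passes only once S-1-5-80 is in the registered list, and S-1-5-32-544 is rejected because its first RID is outside 80..111.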