Sorry for brining this up again, but I have finally got round to trying the copy SID2Text function. What I have now gets the string fine (eg. "S-1-5-21...") but buf always comes out as "S-1-5-32-544" for Administrators. I know that there are some processes running as "LOCAL SERVICE" and "NETWORK SERVICE" aswell. Also when I check:
Code:
if (buf == "S-1-5-32-544") return "Administrators";
It doesn't return "Administrators" even when buf = "S-1-5-32-544" (see code coloured in red). Here is all the code I have:
Code:
char *Sid2Text(PSID ps, char *buf, int bufSize)
{
PSID_IDENTIFIER_AUTHORITY psia;
DWORD dwSubAuthorities;
DWORD dwSidRev = SID_REVISION;
DWORD i;
int n, size;
char *p;
if (!IsValidSid(ps))
return "";
psia = GetSidIdentifierAuthority(ps);
dwSubAuthorities = *GetSidSubAuthorityCount(ps);
size = 15 + 12 + (12 * dwSubAuthorities) + 1;
if ( bufSize < size )
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return "";
}
size = wsprintf( buf, "S-%lu-", dwSidRev );
p = buf + size;
// Add SID identifier authority to the string.
if ( psia->Value[0] != 0 || psia->Value[1] != 0 )
{
n = wsprintf( p, "0x%02hx%02hx%02hx%02hx%02hx%02hx",
(USHORT) psia->Value[0], (USHORT) psia->Value[1],
(USHORT) psia->Value[2], (USHORT) psia->Value[3],
(USHORT) psia->Value[4], (USHORT) psia->Value[5]);
size += n;
p += n;
}
else
{
n = wsprintf( p, "%lu", ((ULONG) psia->Value[5]) +
( (ULONG) psia->Value[4] << 8 ) + ( (ULONG) psia->Value[3] << 16 ) +
( (ULONG) psia->Value[2] << 24));
size += n;
p += n;
}
//Add SID subauthorities to the string.
for ( i = 0; i < dwSubAuthorities; ++ i)
{
n = wsprintf(p, "-%lu", *GetSidSubAuthority(ps, i));
size += n;
p += n;
}
if (buf == "S-1-5-18") return "Local System";
if (buf == "S-1-5-19") return "Local Service";
if (buf == "S-1-5-20") return "Network Service";
if (buf == "S-1-5-32-544") return "Administrators";
if (buf == "S-1-5-32-545") return "Users";
return buf;
}
char *GetUserInfo(int ProcessID, HANDLE hProcess) {
HANDLE Token;
BOOL Debug = FALSE;
if (!OpenProcessToken(hProcess, MAXIMUM_ALLOWED, &Token))
return "SYSTEM";
DWORD dwSize, dwResult;
SID *sid;
char buf[MAX_PATH];
char AcctName[MAX_PATH], DomainName[MAX_PATH];
SID_NAME_USE SidType = SidTypeUnknown;
TOKEN_OWNER *Owner;
dwSize = 0;
GetTokenInformation(Token, TokenOwner, NULL, 0, &dwSize);
if (!dwSize)
{
if (Debug) SEEMsgBox("Error retrieving initial token information");
return "SYSTEM";
}
if (( Owner = (TOKEN_OWNER *)malloc(sizeof(DWORD) * dwSize) ) == NULL)
{
if (Debug) SEEMsgBox("Error allocating memory for Owner");
return "SYSTEM";
}
// This second call retrieves the required data which is stored in the Owner information class variable
if(!GetTokenInformation(Token, TokenOwner, Owner, dwSize, &dwSize))
{
if (Debug) SEEMsgBox("Error retrieving token owner information class data");
return "SYSTEM";
}
dwSize = GetLengthSid(Owner->Owner);
sid = (SID *)malloc(dwSize);
// Extracts the sid (Security identifier) from the token owner information class
CopySid(dwSize, sid, Owner->Owner);
// Now we translate the returned sid (Security Identifier) which is in the following general format:
// S-1-5-21-1482476501-963894560-682003330-123 to an account name. This is passed to the LookupAccountSid
// function which will find the sid for a named account.
dwSize = MAX_PATH;
if(!LookupAccountSid(NULL,sid,AcctName,(LPDWORD)&dwSize,DomainName,(LPDWORD)&dwSize,&SidType))
{
dwResult = GetLastError();
if( dwResult == ERROR_NONE_MAPPED )
strcpy(AcctName, "NONE_MAPPED" );
else {
if (Debug) SEEMsgBox("LookupAccountSid failed");
return "SYSTEM";
}
}
free(sid);
switch (SidType)
{
case SidTypeUser:
int bufCharCount = 16380;
TCHAR infoBuf[bufCharCount];
GetUserName(infoBuf, &bufCharCount);
return infoBuf;
break;
case SidTypeAlias:
return Sid2Text(Owner->Owner,buf, sizeof(buf));
//return "alias";
break;
case SidTypeUnknown:
return "unknown";
break;
default: return "SYSTEM";
break;
}
}
And here is the GetProcesses function that calls GetUserInfo:
Code:
int getProcesses() {
HMODULE hModule;
char szProcessName[MAX_PATH] = {0};
DWORD dwProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
char PIDbuf[10];
char buf[50];
if (!EnumProcesses(dwProcesses, sizeof(dwProcesses), &cbNeeded))
return -1;
cProcesses = cbNeeded / sizeof(DWORD);
for (i = 0; i < cProcesses; i++)
if(dwProcesses[i] != 0)
{
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ, FALSE, dwProcesses[i]);
if (NULL != hProcess)
{
strcpy(szProcessName, "System");
if (EnumProcessModules(hProcess, &hModule, sizeof(hModule),
&cbNeeded))
{
GetModuleBaseName(hProcess, hModule, szProcessName,
sizeof(szProcessName)/sizeof(CHAR));
}
}
sprintf(PIDbuf, "%d", dwProcesses[i]);
InsertRow(GetDlgItem(hwndMain, ID_LISTVIEW), szProcessName,PIDbuf,
GetProcessMemoryWSS(hProcess, buf), GetProcessMemoryPWSS(hProcess, buf),
GetProcessPriority(hProcess),
GetUserInfo(dwProcesses[i], hProcess));
//AddIndex(szProcessName, i, 0);
CloseHandle(hProcess);
}
return cProcesses;
}
I have removed some of the comments that overlap with those of CodePlug's link (http://win32.mvps.org/security/opt_gti.cpp). Sorry it is so big, there is quite alot of it copyed form what has been previously posted.