1 2 Re: alternative to SeCaptureSubjectContext for Win2000 sought 3 4 From: "dave porter" <porter@zultranet.com> 5 Reply to: "dave porter" 6 Date: Mon, 26 Jun 2000 10:57:18 -0400 7 Newsgroups: 8 comp.os.ms-windows.programmer.nt.kernel-mode 9 Followup to: newsgroup 10 References: 11 <39520e7f$0$15896@wodc7nh1.news.uu.net> 12 <sl5ulbjfe7f47@corp.supernews.com> 13 <39575985$0$24336@wodc7nh0.news.uu.net> 14 15 16> Under advise, I have tried ZwOpenProcessToken(), but to little avail. 17> ZwQueryInformationToken( ..TokenUser ...) doesn't seem to want to do its 18job 19> either under NT4. 20 21I could be jumping in the middle here, but in what way doesn't it work? 22This code works for me: 23 24 int bufLen = 256; // we suppose this is enough 25 void* sidBuf = new char[bufLen]; 26 int sidLen = 0; 27 28 void* pToken = PsReferencePrimaryToken(PsGetCurrentProcess()); 29 if (!pToken) ... error ... 30 31 NTSTATUS ntstatus = ObOpenObjectByPointer(pToken, 0, 0, TOKEN_QUERY, 320, KernelMode, &handle); 33 if (!NT_SUCCESS(ntstatus)) ... error ... 34 35 TOKEN_USER* user = static_cast<TOKEN_USER*>(sidBuf); 36 ULONG tokenInfoLen; 37 ntstatus = ZwQueryInformationToken(handle, TokenUser, user, bufLen, 38&tokenInfoLen); 39 if (!NT_SUCCESS(ntstatus)) ... error ... 40 41 assert(tokenInfoLen <= bufLen); // else we would have got an error, 42right? 43 assert(user->User.Sid == user+1); // SID is in buffer just past 44TOKEN_USER structure 45 46 sidLen = tokenInfoLen - sizeof (TOKEN_USER); 47 memmove(sidBuf, user->User.Sid, sidLen); // shuffle down the buffer 48 49Naturally, this returns the id of the thread that's running it. 50If you execute this in DriverEntry, you're running in some 51thread in the system process, which is not related to 52the thread which executed the Win32 StartService call. 53