Subject: Re: alternative to SeCaptureSubjectContext for Win2000 sought
From: "dave porter" <porter@zultranet.com>
Reply to: "dave porter"
Date: Mon, 26 Jun 2000 10:57:18 -0400
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
<39520e7f$0$15896@wodc7nh1.news.uu.net>
<sl5ulbjfe7f47@corp.supernews.com>
<39575985$0$24336@wodc7nh0.news.uu.net>

> Under advise, I have tried ZwOpenProcessToken(), but to little avail.
> ZwQueryInformationToken( ..TokenUser ...) doesn't seem to want to do its

I could be jumping in the middle here, but in what way doesn't it work?
This code works for me:
#include <ntddk.h>

// Copies the SID of the current process's primary token into sidBuf and
// returns its length in *sidLen. The caller supplies the buffer; bufLen = 256
// is supposed to be enough (TOKEN_USER header plus a maximum-size SID).
NTSTATUS GetCurrentUserSid(void* sidBuf, ULONG bufLen, ULONG* sidLen)
{
    HANDLE handle = NULL;
    ULONG tokenInfoLen = 0;

    PACCESS_TOKEN pToken = PsReferencePrimaryToken(PsGetCurrentProcess());
    if (!pToken) return STATUS_UNSUCCESSFUL;

    NTSTATUS ntstatus = ObOpenObjectByPointer(pToken, 0, 0, TOKEN_QUERY,
                                              0, KernelMode, &handle);
    PsDereferencePrimaryToken(pToken);   // the handle now holds its own reference
    if (!NT_SUCCESS(ntstatus)) return ntstatus;

    TOKEN_USER* user = static_cast<TOKEN_USER*>(sidBuf);
    ntstatus = ZwQueryInformationToken(handle, TokenUser, user, bufLen,
                                       &tokenInfoLen);
    ZwClose(handle);
    if (!NT_SUCCESS(ntstatus)) return ntstatus;   // e.g. STATUS_BUFFER_TOO_SMALL

    ASSERT(tokenInfoLen <= bufLen);      // else we would have got an error
    ASSERT(user->User.Sid == user + 1);  // SID is in buffer just past TOKEN_USER

    *sidLen = tokenInfoLen - sizeof(TOKEN_USER);
    RtlMoveMemory(sidBuf, user->User.Sid, *sidLen); // shuffle down the buffer
    return STATUS_SUCCESS;
}
Naturally, this returns the ID of the thread that's running it.
If you execute this in DriverEntry, you're running in some
thread in the system process, which is not related to
the thread which executed the Win32 StartService call.
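The two assumptions the code above rests on (the returned length fits the buffer, and the SID sits immediately after the TOKEN_USER header, so it can be shuffled down) are worth checking rather than asserting. The following is an added, stand-alone illustration, not part of the post above: it re-declares the Windows SID and TOKEN_USER layout in portable C so it builds without ntddk.h, stands in for ZwQueryInformationToken(TokenUser) with a constructed token buffer (including the buffer-too-small case), performs the shuffle-down with those checks, and renders the result as the familiar S-1-5-... string. All sample SIDs and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable re-declarations of the Windows SID / TOKEN_USER layout (same field
   order and sizes as the DDK headers). SubAuthority really holds
   SubAuthorityCount entries (at most 15); the DDK declares it [ANYSIZE_ARRAY]. */
typedef struct { uint8_t Value[6]; } SID_IDENTIFIER_AUTHORITY;
typedef struct {
    uint8_t Revision;
    uint8_t SubAuthorityCount;
    SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
    uint32_t SubAuthority[15];
} SID;
typedef struct { void *Sid; uint32_t Attributes; } SID_AND_ATTRIBUTES;
typedef struct { SID_AND_ATTRIBUTES User; } TOKEN_USER;

/* Byte length of a SID: 8-byte header plus 4 bytes per sub-authority. */
size_t sid_length(const SID *sid)
{
    return 8 + 4u * sid->SubAuthorityCount;
}

/* Stand-in for ZwQueryInformationToken(TokenUser): lays a TOKEN_USER out in
   buf the way the kernel does, SID right after the header and User.Sid pointing
   at it. Returns the size needed; writes nothing when bufLen is too small
   (the real call fails with STATUS_BUFFER_TOO_SMALL in that case). */
size_t query_token_user(void *buf, size_t bufLen, uint8_t authority,
                        const uint32_t *subs, uint8_t nsubs)
{
    size_t need = sizeof(TOKEN_USER) + 8 + 4u * nsubs;
    if (bufLen < need) return need;
    TOKEN_USER *user = (TOKEN_USER *)buf;
    SID *sid = (SID *)(user + 1);
    sid->Revision = 1;
    sid->SubAuthorityCount = nsubs;
    memset(sid->IdentifierAuthority.Value, 0, 6);
    sid->IdentifierAuthority.Value[5] = authority;
    for (uint8_t i = 0; i < nsubs; i++) sid->SubAuthority[i] = subs[i];
    user->User.Sid = sid;
    user->User.Attributes = 0;
    return need;
}

/* The post's "shuffle down" step with its assumptions turned into checks:
   the returned length fits the buffer, the SID sits right after the header,
   and the SID's own length matches. Moves the SID to the start of buf and
   returns its length, or 0 if any check fails. */
size_t extract_sid(void *buf, size_t bufLen, size_t tokenInfoLen)
{
    TOKEN_USER *user = (TOKEN_USER *)buf;
    if (tokenInfoLen > bufLen || tokenInfoLen < sizeof(TOKEN_USER)) return 0;
    if (user->User.Sid != (void *)(user + 1)) return 0;
    size_t sidLen = tokenInfoLen - sizeof(TOKEN_USER);
    if (sidLen != sid_length((const SID *)user->User.Sid)) return 0;
    memmove(buf, user->User.Sid, sidLen);   /* regions overlap: memmove, not memcpy */
    return sidLen;
}

/* Render a SID as S-R-A-s1-s2...: the 48-bit authority prints in decimal when
   its top two bytes are zero, otherwise as 0x followed by 12 hex digits. */
void sid_to_string(const SID *sid, char *out, size_t outLen)
{
    const uint8_t *a = sid->IdentifierAuthority.Value;
    int n;
    if (a[0] == 0 && a[1] == 0) {
        uint32_t auth = ((uint32_t)a[2] << 24) | ((uint32_t)a[3] << 16) |
                        ((uint32_t)a[4] << 8) | a[5];
        n = snprintf(out, outLen, "S-%u-%u", sid->Revision, (unsigned)auth);
    } else {
        n = snprintf(out, outLen, "S-%u-0x%02X%02X%02X%02X%02X%02X", sid->Revision,
                     a[0], a[1], a[2], a[3], a[4], a[5]);
    }
    for (uint8_t i = 0; i < sid->SubAuthorityCount && n > 0 && (size_t)n < outLen; i++)
        n += snprintf(out + n, outLen - n, "-%u", (unsigned)sid->SubAuthority[i]);
}

/* Constructed sample SIDs: LocalSystem (S-1-5-18) and a domain-style SID. */
static const uint32_t LOCAL_SYSTEM_SUBS[] = { 18 };
static const uint32_t CONSTRUCTED_DOMAIN_SUBS[] = { 21, 1, 2, 3, 500 };
char last_sid_text[96];

/* The whole sequence from the post on a constructed token: query, check,
   shuffle down, format. Writes the text form to last_sid_text and returns the
   SID length, or 0 when the query or a check fails. */
size_t roundtrip_sid(uint8_t authority, const uint32_t *subs, uint8_t nsubs,
                     size_t bufLen)
{
    uint32_t raw[64];                   /* 256 bytes, aligned: the post's "enough" */
    if (bufLen > sizeof raw) bufLen = sizeof raw;
    size_t need = query_token_user(raw, bufLen, authority, subs, nsubs);
    if (need > bufLen) return 0;        /* would be STATUS_BUFFER_TOO_SMALL */
    size_t sidLen = extract_sid(raw, bufLen, need);
    if (sidLen) sid_to_string((const SID *)raw, last_sid_text, sizeof last_sid_text);
    return sidLen;
}
```

The same checks carry over to the kernel code: compare the returned length against the buffer before trusting it, and verify that User.Sid points just past the header before the memmove, rather than relying on an assert that is compiled out of a free build.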