
Get domain and user name of process

Posted: Mon Nov 14, 2005 6:25 pm
by nagylzs
Do you know if madRemote is capable of returning the domain/workgroup and user name for a given process ID? I was experimenting with OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, but under Windows XP it does not work for some processes. madRemote can get almost any information for a process, but I could not get the user and domain name (owner of the process).

Posted: Mon Nov 14, 2005 7:00 pm
by madshi
Can you do it with your own process? I'm not sure about the right APIs to use for that in my own process. If you know that, madRemote should work for that, too, as long as you have enough access rights and privileges to create remote threads in the target process.

Posted: Mon Nov 14, 2005 7:24 pm
by nagylzs
>Can you do it with your own process?

I can execute GetUserName in a remote thread to get the user name in that thread. I do it from a Win32 service running under the SYSTEM user account. I use an IPC queue to send requests from an application to the service. For Win2K, it works fine. But when many users are logged in on WinXP, then I cannot do this for some of the running "explorer.exe" processes. Most strangely, I get an error for one user but not for another, and this changes randomly. The most common error I get is GetLastError=8 while calling CreateRemoteThread.

BTW I did not use madRemote. I used VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. I just thought I may have success with madRemote because it might use a different API for executing code in remote processes.

Posted: Mon Nov 14, 2005 7:33 pm
by madshi
CreateRemoteThread doesn't work for other terminal server and fast user switching sessions, only for your own session. In contrast madRemote's CreateRemoteThreadEx and RemoteExecute *should* work for other sessions, as well (if you have enough privileges). Have you tried CreateRemoteThreadEx or RemoteExecute?

Solution found

Posted: Tue Nov 15, 2005 9:01 am
by nagylzs
Now I tried RemoteExecute with a function that uses LookupUserSID. I had to remove all Delphi related code, and only use Win32 API calls. It took a while, but now it is working like a dream! :-)

The only problem is that when I try to use it on a system process, the whole Windows hangs. But I can live with this - probably I only need to use it for normal processes.

Thanks a lot

Question: is this problem general enough to add new methods to IProcess?

IProcess.GetUser
IProcess.GetDomain

Posted: Tue Nov 15, 2005 9:04 am
by madshi
Have you tried using OpenProcessToken + GetTokenInformation(TokenUser)? That might work without having to use madRemote at all.

Posted: Tue Nov 15, 2005 6:38 pm
by nagylzs
Yes, I tried. In fact, I'm using this sequence:

GetCurrentProcess()
OpenProcessToken()
GetTokenInformation(,TokenUser,)
LookupAccountSid()

Here is the problem. If I use this from a normal user account, it does not have the rights to do this. So I wrote a service and execute this function remotely with madRemote. I'm not sure why but if I simply use the pid of the other process instead of executing GetCurrentProcess() remotely then it does not work.

Posted: Tue Nov 15, 2005 6:51 pm
by madshi
Of course you can't use the PID of the other process. You need to use the PH of the other process, or did you just say it wrong? I've used OpenProcessToken etc on other processes with success.
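
The sequence madshi suggests (OpenProcess on the PID to get a handle, then OpenProcessToken + GetTokenInformation(TokenUser) + LookupAccountSid), as an added PowerShell example that is not code from the thread or from madRemote. It reads the target's token from the calling process, so no code is executed inside the target and the session boundary that breaks CreateRemoteThread does not come into play. The names ProcOwner, Enable-DebugPrivilege and Get-ProcessOwner are this example's own; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, and it needs an administrative token to open processes of other users or sessions.

```powershell
# Added example, not from the thread: DOMAIN\user of a process by PID via
# OpenProcess -> OpenProcessToken -> GetTokenInformation(TokenUser) -> LookupAccountSid.
Add-Type -TypeDefinition @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class ProcOwner
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupAccountSid(string system, IntPtr sid, StringBuilder name, ref uint cchName,
                                               StringBuilder domain, ref uint cchDomain, out int use);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                                    uint len, IntPtr prev, IntPtr ret);
}
'@

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Enable SeDebugPrivilege in our own token so OpenProcess also succeeds on
# processes whose DACL would otherwise refuse us (only works from an admin token).
function Enable-DebugPrivilege {
    $TOKEN_ADJUST_PRIVILEGES = 0x0020; $TOKEN_QUERY = 0x0008
    $SE_PRIVILEGE_ENABLED = 0x2; $ERROR_NOT_ALL_ASSIGNED = 1300
    $hTok = [IntPtr]::Zero
    if (-not [ProcOwner]::OpenProcessToken([ProcOwner]::GetCurrentProcess(),
            ($TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY), [ref]$hTok)) { return $false }
    try {
        $luid = New-Object 'ProcOwner+LUID'
        if (-not [ProcOwner]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { return $false }
        $tp = New-Object 'ProcOwner+TOKEN_PRIVILEGES'
        $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = $SE_PRIVILEGE_ENABLED
        [void][ProcOwner]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        # AdjustTokenPrivileges returns TRUE even if the privilege is not held; the error code tells.
        return (Get-LastWin32Error) -ne $ERROR_NOT_ALL_ASSIGNED
    } finally { [void][ProcOwner]::CloseHandle($hTok) }
}

function Get-ProcessOwner {
    param([Parameter(Mandatory)][uint32]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400; $TOKEN_QUERY = 0x0008
    $TokenUser = 1; $ERROR_INSUFFICIENT_BUFFER = 122
    # A PID is not a handle: OpenProcess turns it into one, access-checked against the target.
    $hProc = [ProcOwner]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $(Get-LastWin32Error)" }
    try {
        $hTok = [IntPtr]::Zero   # read-only handle to the target's primary token
        if (-not [ProcOwner]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken($ProcessId) failed, error $(Get-LastWin32Error)" }
        try {
            # TOKEN_USER is variable-sized: first call only reports the needed length.
            $needed = [uint32]0
            [void][ProcOwner]::GetTokenInformation($hTok, $TokenUser, [IntPtr]::Zero, 0, [ref]$needed)
            if ((Get-LastWin32Error) -ne $ERROR_INSUFFICIENT_BUFFER) { throw "GetTokenInformation sizing failed, error $(Get-LastWin32Error)" }
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
            try {
                if (-not [ProcOwner]::GetTokenInformation($hTok, $TokenUser, $buf, $needed, [ref]$needed)) {
                    throw "GetTokenInformation failed, error $(Get-LastWin32Error)" }
                # TOKEN_USER.User.Sid is the first pointer-sized field of the buffer.
                $pSid = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
                $name = New-Object System.Text.StringBuilder 256
                $domain = New-Object System.Text.StringBuilder 256
                $cchName = [uint32]$name.Capacity; $cchDomain = [uint32]$domain.Capacity; $use = 0
                if (-not [ProcOwner]::LookupAccountSid($null, $pSid, $name, [ref]$cchName, $domain, [ref]$cchDomain, [ref]$use)) {
                    throw "LookupAccountSid failed, error $(Get-LastWin32Error)" }
                [pscustomobject]@{
                    ProcessId = $ProcessId
                    Domain    = $domain.ToString()   # machine or domain name for local/domain accounts
                    User      = $name.ToString()
                    Sid       = (New-Object System.Security.Principal.SecurityIdentifier($pSid)).Value
                }
            } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        } finally { [void][ProcOwner]::CloseHandle($hTok) }
    } finally { [void][ProcOwner]::CloseHandle($hProc) }
}

# Usage: best-effort SeDebugPrivilege, then the owner of every explorer.exe (one per logged-on session).
[void](Enable-DebugPrivilege)
Get-Process explorer | ForEach-Object { Get-ProcessOwner -ProcessId $_.Id }
```

Run from an elevated prompt (or, as in the thread, from a SYSTEM service) to see processes of other sessions; a plain user token will get ERROR_ACCESS_DENIED (5) from OpenProcess for them, which is the "does not have the rights" failure described above. The SID-to-name step can equally be done with .NET's SecurityIdentifier.Translate, which wraps LookupAccountSid. For reference when reading the error codes in this thread: 8 is ERROR_NOT_ENOUGH_MEMORY, 1 is ERROR_INVALID_FUNCTION and 87 is ERROR_INVALID_PARAMETER.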

Posted: Tue Nov 15, 2005 7:40 pm
by nagylzs
Yes, I just said it wrong. BTW you said that CreateRemoteThread doesn't work for other terminal server and fast user switching sessions. Is there a similar issue with CreateProcess? I'm not able to 'RemoteExecute' a 'CreateProcess' call within any terminal based/fast user switching session. But I can do it in any 'normal' session. (LastError=1, Invalid parameter)

I cannot tell how much I owe you!

Posted: Tue Nov 15, 2005 9:17 pm
by madshi
"LastError=1" is *not* "invalid parameter"!