Get domain and user name of process
Do you know if madRemote is capable of returning the domain/workgroup and user name for a given process id? I was experimenting with OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread but under Windows XP it does not work for some processes. madRemote can get almost any information for a process, but I could not get user and domain name (owner of the process).
>Can you do it with your own process?
I can execute GetUserName in a remote thread to get the user name in that thread. I do it from a win32 service, running under the SYSTEM user account. I use an IPC queue to send requests from an application to the service. For Win2K, it works fine. But when many users are logged in on WinXP, then I cannot do this for some of the running "explorer.exe" processes. Most strangely, I get an error for one user but don't for another, and this changes randomly. The most common error I get is getlasterror=8 while calling CreateRemoteThread.
BTW I did not use madRemote. I used VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. I just thought I may have success with madRemote because it might use a different API for executing code in remote processes.
CreateRemoteThread doesn't work for other terminal server and fast user switching sessions, only for your own session. In contrast madRemote's CreateRemoteThreadEx and RemoteExecute *should* work for other sessions, as well (if you have enough privileges). Have you tried CreateRemoteThreadEx or RemoteExecute?
Solution found
Now I tried RemoteExecute with a function that uses LookupUserSID. I had to remove all Delphi related code, and only use Win32 API calls. It took a while, but now it is working like a dream!
The only problem is that when I try to use it on a system process, the whole Windows hangs. But I can live with this - probably I only need to use it for normal processes.
Thanks a lot
Question: is this problem general enough to add new methods to IProcess?
IProcess.GetUser
IProcess.GetDomain
Yes, I tried. In fact, I'm using this sequence:
GetCurrentProcess()
OpenProcessToken()
GetTokenInformation(,TokenUser,)
LookupAccountSid()
Here is the problem. If I use this from a normal user account, it does not have the rights to do this. So I wrote a service and execute this function remotely with madRemote. I'm not sure why but if I simply use the pid of the other process instead of executing GetCurrentProcess() remotely then it does not work.
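Added example (not the poster's code and not part of madRemote): the same four-step sequence as a plain Win32 call in Delphi, opening the target by pid instead of running GetCurrentProcess() remotely. It assumes the Windows unit and that the caller has the rights to query the target (a service running as SYSTEM, or an account with SeDebugPrivilege); OpenProcess returns 0 for protected or system processes it may not read.

```delphi
uses Windows;

// Owner (domain\user) of the process with the given pid, read from its primary
// token: OpenProcess -> OpenProcessToken -> GetTokenInformation(TokenUser) ->
// LookupAccountSid. Only PROCESS_QUERY_INFORMATION is needed, no remote thread.
function GetProcessOwner(pid: DWORD; out domain, user: string): Boolean;
var
  hProc, hToken: THandle;
  tu: PTokenUser;
  needed, userLen, domainLen: DWORD;
  userName, domainName: array[0..255] of Char;
  sidUse: SID_NAME_USE;
begin
  Result := False;
  domain := '';
  user := '';
  hProc := OpenProcess(PROCESS_QUERY_INFORMATION, False, pid);
  if hProc = 0 then
    Exit;  // access denied: protected/system process or missing privilege
  try
    if not OpenProcessToken(hProc, TOKEN_QUERY, hToken) then
      Exit;
    try
      // First call only reports how large the TOKEN_USER buffer must be.
      needed := 0;
      GetTokenInformation(hToken, TokenUser, nil, 0, needed);
      if needed = 0 then
        Exit;
      GetMem(tu, needed);
      try
        if not GetTokenInformation(hToken, TokenUser, tu, needed, needed) then
          Exit;
        userLen := Length(userName);
        domainLen := Length(domainName);
        if not LookupAccountSid(nil, tu.User.Sid, userName, userLen,
                                domainName, domainLen, sidUse) then
          Exit;
        user := userName;
        domain := domainName;
        Result := True;
      finally
        FreeMem(tu);
      end;
    finally
      CloseHandle(hToken);
    end;
  finally
    CloseHandle(hProc);
  end;
end;
```

When it returns False, GetLastError tells you whether the failure was at OpenProcess (rights on the target) or at the token/SID lookup; the hang the poster saw on system processes does not occur here because nothing is executed inside the target.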
Yes, I just said it wrong. BTW you said that CreateRemoteThread doesn't work for other terminal server and fast user switching sessions. Is there a similar issue with CreateProcess? I'm not able to 'RemoteExecute' a 'CreateProcess' call within any terminal based/fast user switching session. But I can do it in any 'normal' session. (LastError=1, Invalid parameter)
I cannot tell how much I owe you!