Bastien

Reputation: 1013

WinAPI LookupAccountSid from an .evt file

I'm trying to get the user account name for a user SID read from an .evt file (Event Log). So far I have successfully read the file and I have access to the SID of the active user at the time the event was logged.

To get a user name from this SID I'm using the LookupAccountSid function:

#include <windows.h>
#include <cstdlib>
#include <string>
using std::wstring;

wstring userNameFromSid(SID userSid, wstring computerName)
{
    DWORD size = 256;
    // A single size variable is passed for both the name and the domain buffer
    wchar_t * buff = (wchar_t*)malloc(sizeof(wchar_t)*size);
    wchar_t * buffDomain = (wchar_t*)malloc(sizeof(wchar_t)*size);
    SID_NAME_USE SidType;
    wstring result;
    SID tmpSid = userSid;

    // Ask computerName to map the SID; on success buff holds the account name
    if(LookupAccountSid(computerName.c_str(), &tmpSid, buff, &size, buffDomain, &size, &SidType)){
        result = buff;
    }
    else
    {
        /*Here some code to print error in a Message box*/
    }

    free(buff);
    free(buffDomain);
    return result;
}

This works fine when I try on a local .evt file, but many of my .evt files are from remote computers, and this is where the problem is. Indeed, when I try with a remote computer name, I get an ERROR_NONE_MAPPED code.
After a lot of research, I still cannot solve the problem (and this is beginning to be annoying).

Note:
I tried with a random false computer name to narrow the problem down and I get error 1722: The RPC server is unavailable, which was expected, so I'm able to connect to RPC (when I give the right name).

Thank you in advance,

Upvotes: 0

Views: 2043

Answers (1)

Remy Lebeau

Reputation: 597036

You are using the same size variable for multiple in/out parameters. Don't do that. Use separate variables instead. You are also not taking into account if computerName is empty.

Try this:

#include <windows.h>
#include <string>
using std::wstring;

static const DWORD MAX_BUFF_SIZE = 256;

wstring userNameFromSid(SID userSid, wstring computerName)
{
    wchar_t buffName[MAX_BUFF_SIZE];
    DWORD buffNameSize = MAX_BUFF_SIZE;     // in/out size for buffName only
    wchar_t buffDomain[MAX_BUFF_SIZE];
    DWORD buffDomainSize = MAX_BUFF_SIZE;   // in/out size for buffDomain only
    SID_NAME_USE SidType;

    // A NULL system name means "look the SID up on the local machine"
    if (LookupAccountSid(!computerName.empty() ? computerName.c_str() : NULL, &userSid, buffName, &buffNameSize, buffDomain, &buffDomainSize, &SidType))
    {
        return buffName;
    }

    /*Here some code to print error in a Message box*/
    return L"";
}

Upvotes: 2
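The following is an added example, not code from the question or the answer above. It shows the two-pass calling pattern LookupAccountSidW is documented for (first call with zero-length buffers to learn the required sizes, second call with buffers of exactly that size), keeps one size variable per buffer as the answer recommends, passes NULL for an empty computer name, and returns the Win32 error code to the caller so that an ERROR_NONE_MAPPED from a remote host (the situation in the question) is reported rather than silently turned into an empty string. The SID is taken as a PSID rather than a SID by value: SID is a variable-length structure, and copying it by value only preserves the fixed prefix. Everything under the `#else` branch is a constructed stand-in for the Win32 declarations, included so the wrapper compiles and runs on a non-Windows host; it is not the real API, it knows exactly one constructed SID (`kAliceSid`, S-1-5-21-1000-2000-3000-1001, mapped to the made-up account `CORP\alice`), and `kUnknownSid` is a second constructed SID that nothing maps. On Windows the real header is used and the wrapper works unchanged with any PSID, for instance one obtained from an event record.

```cpp
#include <cstring>
#include <cwchar>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#else
// Constructed stand-in for the Win32 declarations used below, so the wrapper
// compiles and runs on a non-Windows host. It is NOT the real API: it knows
// exactly one SID (kAliceSid) and follows LookupAccountSidW's size contract.
typedef unsigned long DWORD;
typedef int BOOL;
typedef void* PSID;
typedef wchar_t* LPWSTR;
typedef const wchar_t* LPCWSTR;
typedef int SID_NAME_USE;
enum { ERROR_SUCCESS = 0, ERROR_INSUFFICIENT_BUFFER = 122, ERROR_NONE_MAPPED = 1332 };
static DWORD g_lastError = ERROR_SUCCESS;
static DWORD GetLastError() { return g_lastError; }
#endif

// Constructed sample SID S-1-5-21-1000-2000-3000-1001 in binary form:
// revision, sub-authority count, 6-byte authority, 5 little-endian DWORDs.
static const unsigned char kAliceSid[28] = {
    1, 5, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0, 0xE8, 0x03, 0, 0, 0xD0, 0x07, 0, 0, 0xB8, 0x0B, 0, 0, 0xE9, 0x03, 0, 0 };
// Constructed SID in the same domain with RID 9999: nothing maps it.
static const unsigned char kUnknownSid[28] = {
    1, 5, 0, 0, 0, 0, 0, 5,
    21, 0, 0, 0, 0xE8, 0x03, 0, 0, 0xD0, 0x07, 0, 0, 0xB8, 0x0B, 0, 0, 0x0F, 0x27, 0, 0 };

#ifndef _WIN32
static BOOL LookupAccountSidW(LPCWSTR, PSID sid, LPWSTR name, DWORD* cchName,
                              LPWSTR domain, DWORD* cchDomain, SID_NAME_USE* use)
{
    const unsigned char* p = static_cast<const unsigned char*>(sid);
    size_t sidLen = 8 + 4 * static_cast<size_t>(p[1]);
    if (sidLen != sizeof kAliceSid || std::memcmp(p, kAliceSid, sidLen) != 0) {
        g_lastError = ERROR_NONE_MAPPED;   // the stand-in cannot map this SID
        return 0;
    }
    const wchar_t* n = L"alice";
    const wchar_t* d = L"CORP";
    DWORD needN = static_cast<DWORD>(std::wcslen(n) + 1);
    DWORD needD = static_cast<DWORD>(std::wcslen(d) + 1);
    if (*cchName < needN || *cchDomain < needD) {
        *cchName = needN;                  // required sizes, terminator included
        *cchDomain = needD;
        g_lastError = ERROR_INSUFFICIENT_BUFFER;
        return 0;
    }
    std::wcscpy(name, n);
    std::wcscpy(domain, d);
    *cchName = needN - 1;                  // characters copied, terminator excluded
    *cchDomain = needD - 1;
    *use = 1;                              // SidTypeUser
    g_lastError = ERROR_SUCCESS;
    return 1;
}
#endif

// Resolves sid to DOMAIN\name on computerName (empty string = local machine).
// Returns true on success; on failure, error holds the Win32 error code, e.g.
// ERROR_NONE_MAPPED when the queried machine cannot map the SID, or an RPC
// error when the remote machine cannot be reached.
bool accountNameFromSid(PSID sid, const std::wstring& computerName,
                        std::wstring& out, DWORD& error)
{
    LPCWSTR server = computerName.empty() ? NULL : computerName.c_str();
    DWORD cchName = 0, cchDomain = 0;      // one size variable per buffer
    SID_NAME_USE use;
    // Pass 1: zero-length buffers. The call fails with ERROR_INSUFFICIENT_BUFFER
    // and writes the required sizes; any other failure is reported unchanged.
    LookupAccountSidW(server, sid, NULL, &cchName, NULL, &cchDomain, &use);
    error = GetLastError();
    if (error != ERROR_INSUFFICIENT_BUFFER)
        return false;
    // Pass 2: buffers of exactly the reported sizes.
    std::vector<wchar_t> name(cchName), domain(cchDomain);
    if (!LookupAccountSidW(server, sid, name.data(), &cchName,
                           domain.data(), &cchDomain, &use)) {
        error = GetLastError();
        return false;
    }
    out.assign(domain.data()).append(L"\\").append(name.data());
    error = ERROR_SUCCESS;
    return true;
}

int main()
{
    // Resolves the constructed SID; on real Windows pass a SID the host knows.
    std::wstring who;
    DWORD err = 0;
    bool ok = accountNameFromSid((PSID)kAliceSid, L"", who, err);
    return ok ? 0 : 1;
}
```

When the second pass fails for a SID that the first pass sized successfully, the code is still the one from GetLastError, so a caller reviewing event logs can distinguish "this machine has no mapping for that SID" from "the remote RPC endpoint is unreachable" and log each accordingly.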
