Access violation writing location 0x00000000 when using LookupAccountName

Question

After creating a user account with NetUserAdd, I found out that I would need to use NetLocalGroupAddMembers to add the user to the Users group, so I called CreateWellKnownSid to get the Users' SID, LookupAccountSid to get the string name from that SID and pass it to NetLocalGroupAddMembers.

I also needed to specify the user name, but the function required domain\name format as level 3 (LOCALGROUP_MEMBERS_INFO_3), but I did not have that. I decided to call LookupAccountName to get the user name SID and pass it to level 0 (LOCALGROUP_MEMBERS_INFO_0).

This is how I did it:

//LocalAlloc
    UINT memAttributes = LMEM_FIXED;
    SIZE_T sidSize = SECURITY_MAX_SID_SIZE;

//LookupAccountName
    PSID accountSID;
    SID_NAME_USE typeOfAccount;

//NetLocalGroupAddMembers
    NET_API_STATUS localGroupAdd;
    DWORD levelOfData = 0;  //LOCALGROUP_MEMBERS_INFO_0
    LOCALGROUP_MEMBERS_INFO_0 localMembers;
    DWORD totalEntries = 0;



//Allocate memory for LookupAccountName
        if (!(accountSID = LocalAlloc(memAttributes, sidSize)))
        {
            wprintf(L"\nMemory allocation for account SID failed: \n");
            ShowError(GetLastError());
            exit(1);

        }


if (!LookupAccountNameW(NULL, argv[1], accountSID,
                                    (LPDWORD)&sidSize, NULL, 0, &typeOfAccount))
            {
                fwprintf(stderr, L"Error getting SID from name: \n");
                ShowError(GetLastError());
                return 1;

            }

//Here I should be able to use NetLocalGroupAddMembers
            //to add the user passed as argument to the Users group. 
            localMembers.lgrmi0_sid = accountSID;

            localGroupAdd = NetLocalGroupAddMembers(NULL, name, levelOfData, (LPBYTE)&localMembers, totalEntries);

            if (localGroupAdd != NERR_Success)
            {
                fwprintf(stderr, L"Error adding member to the local group: \n");
                ShowError(GetLastError());
                return 1;
            }
            else
            {
                wprintf(L"\nUser %s has been successfully added.\n", argv[1]);

            }

This is the error I am getting:

Exception thrown at 0x743F059A (sechost.dll) in UserCreator.exe: 0xC0000005: Access violation writing location 0x00000000.

Any clues?

Answer 1

The ReferencedDomainName parameter is not actually optional.

LPCTSTR machine = NULL, username = /*TEXT("Anders")*/ argv[1];
TCHAR domain[MAX_PATH];
BYTE accountSIDbuf[SECURITY_MAX_SID_SIZE];
PSID accountSID = (PSID) accountSIDbuf;
DWORD cbSid = SECURITY_MAX_SID_SIZE, cchRD = MAX_PATH;
SID_NAME_USE snu;

if (!LookupAccountName(machine, username, accountSID, &cbSid, domain, &cchRD, &snu))
{
    printf("Error %u\n", GetLastError());
    return ;
}

LPTSTR sidstr;
if (!ConvertSidToStringSid(accountSID, &sidstr)) { return ; }
_tprintf(_T("SID of %s\\%s is %s\n"), domain, username, sidstr);
LocalFree(sidstr);

Another problem with your code is ShowError(GetLastError()); You cannot use GetLastError() after calling some other function. Rewrite as

DWORD error = GetLastError();
fwprintf(stderr, L"Error getting SID from name: \n");
ShowError(error);

but in this case even that is wrong because NetLocalGroupAddMembers does not call SetLastError, it just returns the error code directly.

Edit:

Just to clarify the paramter usage; If you want to query the required size of the domain buffer you can do this:

DWORD cchRD = 0;
LookupAccountName(..., NULL, &cchRD, &snu); // The function is still going to report failure
LPTSTR domain = malloc(cchRD * sizeof(*domain));
LookupAccountName(..., domain, &cchRD, &snu);

In my example I avoid this by just passing in a buffer that is "large enough".