
I'm trying to get the user account name from a user SID obtained from an .evt file (Event Log). So far I have successfully read the file and I have access to the SID of the active user at the time the event was logged.

To get a user name from this SID I'm using the LookupAccountSid function:

#include <windows.h>
#include <string>

using std::wstring;

// Resolve a SID to an account name on the given computer.
// SIDs are variable-length structures, so the caller passes a pointer (PSID)
// rather than copying a SID struct by value.
wstring userNameFromSid(PSID userSid, wstring computerName)
{
    DWORD size = 256;   // one size variable, used for both the name and the domain buffer
    wchar_t * buff = (wchar_t*)malloc(sizeof(wchar_t)*size);
    wchar_t * buffDomain = (wchar_t*)malloc(sizeof(wchar_t)*size);
    SID_NAME_USE SidType;
    wstring result;

    if(LookupAccountSid(computerName.c_str(), userSid, buff, &size, buffDomain, &size, &SidType)){
        result = buff;
    }
    else
    {
        /*Here some code to print error in a Message box*/
    }

    free(buff);
    free(buffDomain);
    return result;
}

This works fine when I try on a local .evt file, but many of my .evt files are from remote computers, and this is where the problem is. Indeed, when I try with a remote computer name, I get an ERROR_NONE_MAPPED code.
After extensive research, I still cannot solve the problem (and this is beginning to be annoying).

Note:
I tried with a random false computer name to narrow down the problem and I get error 1722: The RPC server is unavailable, which was expected, so I'm able to connect over RPC (when I give the right name).

Thank you in advance,

Bastien
    SIDs are only valid on the domain on which they were created. If that "remote" machine isn't part of the domain then there is no chance to retrieve anything from the number. Limp along by picking fake user names so the output you generate is readable. – Hans Passant May 06 '13 at 17:25
  • @HansPassant You are right, the problem is that the SIDs I receive are actually **Active Directory** SIDs, I guess. So they are not registered on the remote machine but on the LDAP server. I will try to focus on LDAP requests and SID research. – Bastien May 07 '13 at 08:09
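Hans Passant's comment is that a SID names its issuing authority: a domain or machine SID has the form S-1-5-21-a-b-c-RID, and only the authority that owns the S-1-5-21-a-b-c prefix can map it to a name. As an added example (not code from the question or the answer), the following portable C++ decodes a binary SID in the layout event records store it in, renders it in S-1-... form, and extracts the issuer prefix and RID so a reader can tell which domain a SID must be resolved against before calling LookupAccountSid. The sample byte strings are constructed for the example.

```cpp
// Added example: decode binary SIDs and identify their issuing authority.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct ParsedSid {
    uint8_t revision = 0;
    uint64_t identifierAuthority = 0;       // 48-bit value, stored big-endian
    std::vector<uint32_t> subAuthorities;   // each stored little-endian
};

// Binary SID layout: revision (1 byte), sub-authority count (1 byte),
// identifier authority (6 bytes, big-endian), then count x 4-byte sub-authorities.
bool decodeBinarySid(const std::vector<uint8_t>& raw, ParsedSid& out) {
    if (raw.size() < 8) return false;
    const uint8_t count = raw[1];
    // Revision is always 1; a SID carries at most 15 sub-authorities; reject truncated data.
    if (raw[0] != 1 || count > 15 || raw.size() != 8 + 4u * count) return false;
    out = ParsedSid();
    out.revision = raw[0];
    for (int i = 0; i < 6; ++i)
        out.identifierAuthority = (out.identifierAuthority << 8) | raw[2 + i];
    for (uint8_t i = 0; i < count; ++i) {
        const size_t off = 8 + 4u * i;
        out.subAuthorities.push_back(uint32_t(raw[off]) | (uint32_t(raw[off + 1]) << 8) |
                                     (uint32_t(raw[off + 2]) << 16) | (uint32_t(raw[off + 3]) << 24));
    }
    return true;
}

// Render as the familiar S-R-A-s1-s2-... string.
std::string sidToString(const ParsedSid& sid) {
    std::string s = "S-" + std::to_string(sid.revision) + "-" + std::to_string(sid.identifierAuthority);
    for (uint32_t sa : sid.subAuthorities) s += "-" + std::to_string(sa);
    return s;
}

// Domain and local-machine account SIDs are S-1-5-21-a-b-c-RID (NT authority, sub-authority 21).
bool isDomainOrMachineSid(const ParsedSid& sid) {
    return sid.identifierAuthority == 5 && sid.subAuthorities.size() == 5 && sid.subAuthorities[0] == 21;
}

// Everything before the RID identifies the issuer; returns "" for well-known or other SIDs.
std::string issuerPrefix(const ParsedSid& sid) {
    if (!isDomainOrMachineSid(sid)) return "";
    ParsedSid prefix = sid;
    prefix.subAuthorities.pop_back();
    return sidToString(prefix);
}

// The last sub-authority is the relative identifier of the account within its domain.
bool relativeId(const ParsedSid& sid, uint32_t& rid) {
    if (!isDomainOrMachineSid(sid)) return false;
    rid = sid.subAuthorities.back();
    return true;
}

// True when one lookup target (the same DC or the same local SAM) can map both SIDs.
bool sameIssuer(const ParsedSid& a, const ParsedSid& b) {
    const std::string pa = issuerPrefix(a), pb = issuerPrefix(b);
    return !pa.empty() && pa == pb;
}

// Constructed sample: S-1-5-21-1000-2000-3000-1013 in binary form.
const std::vector<uint8_t> kSampleDomainSid = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00,   // 21
    0xE8, 0x03, 0x00, 0x00,   // 1000
    0xD0, 0x07, 0x00, 0x00,   // 2000
    0xB8, 0x0B, 0x00, 0x00,   // 3000
    0xF5, 0x03, 0x00, 0x00    // 1013 (RID)
};

// Constructed sample: the well-known LocalSystem SID S-1-5-18, which has no issuing domain.
const std::vector<uint8_t> kSampleSystemSid = {
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x12, 0x00, 0x00, 0x00    // 18
};
```

A SID whose issuer prefix differs from the prefix of the machine's own accounts, or from the domain it is joined to, will come back as ERROR_NONE_MAPPED from that machine regardless of buffer handling; comparing prefixes first tells you where the lookup has to be sent.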

1 Answer


You are using the same size variable for multiple in/out parameters. Don't do that. Use separate variables instead. You are also not taking into account if computerName is empty.

Try this:

#include <windows.h>
#include <string>

using std::wstring;

static const DWORD MAX_BUFF_SIZE = 256;

// Takes a PSID: SIDs are variable-length, so copying a SID struct by value would truncate them.
wstring userNameFromSid(PSID userSid, wstring computerName)
{
    wchar_t buffName[MAX_BUFF_SIZE];
    DWORD buffNameSize = MAX_BUFF_SIZE;     // in/out size for the name buffer
    wchar_t buffDomain[MAX_BUFF_SIZE];
    DWORD buffDomainSize = MAX_BUFF_SIZE;   // separate in/out size for the domain buffer
    SID_NAME_USE SidType;

    // An empty computer name means the local machine, which the API expects as NULL.
    if (LookupAccountSid(!computerName.empty() ? computerName.c_str() : NULL, userSid, buffName, &buffNameSize, buffDomain, &buffDomainSize, &SidType))
    {
        return buffName;
    }

    /*Here some code to print error in a Message box*/
    return L"";
}
Remy Lebeau
  • Your code is definitely more reliable and clean than mine. It will be even safer to make a first call to `LookupAccountSid()` with a size of 1 and realloc `buffName` and `buffDomain` to the right size. – Bastien May 07 '13 at 08:17
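The answer's point is that each size argument of LookupAccountSid is an in/out parameter, and Bastien's follow-up is to probe the required sizes first and then allocate. As an added example (not the answer's code, nor the question's), the following C++ implements that probe-then-allocate pattern with one size variable per buffer, keeps the ERROR_NONE_MAPPED code so a caller can fall back to the raw SID string for a readable report (Hans Passant's suggestion), and binds to the real LookupAccountSidW only on Windows. To run the size negotiation on any platform, the block also includes a constructed in-memory directory (kFakeDirectory, fakeLookup) that mimics the Win32 contract: with too-small buffers the API fails with ERROR_INSUFFICIENT_BUFFER and writes back the required lengths. The constants 122 and 1332 are the documented values of ERROR_INSUFFICIENT_BUFFER and ERROR_NONE_MAPPED.

```cpp
// Added example: LookupAccountSid-style size negotiation with separate name/domain sizes.
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

const unsigned long kErrorInsufficientBuffer = 122;  // ERROR_INSUFFICIENT_BUFFER
const unsigned long kErrorNoneMapped = 1332;         // ERROR_NONE_MAPPED

// A Win32-style lookup: fills name/domain, updates *nameSize and *domainSize in place
// (required length in wchar_t, including the NUL, when a buffer was too small),
// returns true on success and stores the failure code in *error otherwise.
using LookupFn = std::function<bool(wchar_t* name, unsigned long* nameSize,
                                    wchar_t* domain, unsigned long* domainSize,
                                    unsigned long* error)>;

struct AccountName {
    std::wstring domain;
    std::wstring name;
    bool resolved = false;
    unsigned long error = 0;
};

// Probe with zero-length buffers to learn both required sizes, allocate each buffer
// to its own size, then call again. The two sizes are distinct in/out variables.
AccountName resolveWithSizeProbe(const LookupFn& lookup) {
    AccountName out;
    unsigned long nameSize = 0, domainSize = 0, err = 0;
    if (lookup(nullptr, &nameSize, nullptr, &domainSize, &err))
        return out;  // a zero-length probe cannot legitimately succeed; report unresolved
    if (err != kErrorInsufficientBuffer) {
        out.error = err;  // e.g. ERROR_NONE_MAPPED or an RPC failure: nothing to allocate
        return out;
    }
    std::vector<wchar_t> name(nameSize), domain(domainSize);
    if (!lookup(name.data(), &nameSize, domain.data(), &domainSize, &err)) {
        out.error = err;
        return out;
    }
    out.name.assign(name.data());
    out.domain.assign(domain.data());
    out.resolved = true;
    return out;
}

// DOMAIN\name when mapped; otherwise the SID string itself, so report rows stay readable
// even when the issuing domain cannot be reached from the machine doing the lookup.
std::wstring displayName(const AccountName& acct, const std::wstring& sidString) {
    if (!acct.resolved) return sidString;
    return acct.domain.empty() ? acct.name : acct.domain + L"\\" + acct.name;
}

// Constructed stand-in for a directory, so the negotiation runs on any platform.
const std::map<std::wstring, std::pair<std::wstring, std::wstring>> kFakeDirectory = {
    {L"S-1-5-21-1000-2000-3000-1013", {L"CORP", L"bastien"}},
    {L"S-1-5-18", {L"NT AUTHORITY", L"SYSTEM"}},
};

LookupFn fakeLookup(const std::wstring& sidString) {
    return [sidString](wchar_t* name, unsigned long* nameSize, wchar_t* domain,
                       unsigned long* domainSize, unsigned long* error) {
        auto it = kFakeDirectory.find(sidString);
        if (it == kFakeDirectory.end()) { *error = kErrorNoneMapped; return false; }
        const std::wstring& d = it->second.first;
        const std::wstring& n = it->second.second;
        const unsigned long needName = (unsigned long)n.size() + 1;
        const unsigned long needDomain = (unsigned long)d.size() + 1;
        if (*nameSize < needName || *domainSize < needDomain) {
            *nameSize = needName;      // required sizes written back, as Win32 does
            *domainSize = needDomain;
            *error = kErrorInsufficientBuffer;
            return false;
        }
        n.copy(name, n.size());   name[n.size()] = L'\0';
        d.copy(domain, d.size()); domain[d.size()] = L'\0';
        *nameSize = needName - 1;  // on success Win32 reports lengths without the NUL
        *domainSize = needDomain - 1;
        return true;
    };
}

#ifdef _WIN32
// Real binding: same helper, real API. An empty computer name means the local machine.
AccountName lookupAccountBySid(PSID sid, const std::wstring& computerName) {
    return resolveWithSizeProbe([&](wchar_t* name, unsigned long* nameSize, wchar_t* domain,
                                    unsigned long* domainSize, unsigned long* error) {
        SID_NAME_USE use;
        BOOL ok = LookupAccountSidW(computerName.empty() ? nullptr : computerName.c_str(),
                                    sid, name, nameSize, domain, domainSize, &use);
        *error = ok ? 0 : GetLastError();
        return ok != FALSE;
    });
}
#endif
```

On Windows, DWORD is `unsigned long`, so the lambda's size and error pointers bind directly to the API's LPDWORD parameters; the fake directory is only there so the negotiation and the ERROR_NONE_MAPPED fallback can be exercised without a domain.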