kanishk619

Thanks for pointing out the mistake, I have made the below changes Func _GetTokenPSid($hToken) Local $aCall = DllStructGetData(_Security__GetTokenInformation($hToken, $TOKENUSER), 1) $tempPtr = DllStructCreate("PTR") $ptrSize = DllStructGetSize($tempPtr) $rawSid = BinaryMid($aCall, $ptrSize * 2 + 1, BinaryLen($aCall)) $tBuffer = DllStructCreate("byte Attributes[" & BinaryLen($rawSid) & "]") DllStructSetData($tBuffer, "Attributes", $rawSid) Return $tBuffer EndFunc ;==>_GetTokenPSid Func _GetTokenUser1($hToken) $aCall = _GetTokenPSid($hToken) $pSid = DllStructGetPtr($aCall) $aCall = _Security__LookupAccountSid($pSID) If IsArray($aCall) Then Return $aCall[1] & "\" & $aCall[0] Else Return "" EndIf EndFunc ;==>_GetTokenUser The above works, but I'm not sure why the below code doesn't (I mostly use python hence m trying to figure out why this shouldn't work). Func _GetTokenUser1($hToken) $aCall = _Security__LookupAccountSid(DllStructGetPtr(_GetTokenPSid($hToken)) ConsoleWrite(DllStructGetPtr(_GetTokenPSid($hToken)) & " , " & DllStructGetData(_GetTokenPSid($hToken),1) & @CRLF) If IsArray($aCall) Then Return $aCall[1] & "\" & $aCall[0] & @CRLF Else Return "" EndIf EndFunc ;==>_GetTokenUser Output The buffer is always the same, is it always required to assign function calls to variables?

Try to view the import functions of that program and find more info about them, you might be able to put it all together.

The following code contains 2 functions to achieve the same results, although function2 works fine whereas function1 returns different results ;#include <Array.au3> #include <security.au3> #include <WinAPI.au3> #include <ProcessConstants.au3> Global Const $TOKEN_MAXIMUM_ALLOWED = 0x02000000 Func _GetTokenPSid($hToken) Local $aCall = DllStructGetData(_Security__GetTokenInformation($hToken, $TOKENUSER), 1) $tempPtr = DllStructCreate("PTR") $ptrSize = DllStructGetSize($tempPtr) $rawSid = BinaryMid($aCall, $ptrSize * 2 + 1, BinaryLen($aCall)) $mem = DllStructCreate("byte Attributes[" & BinaryLen($rawSid) & "]") DllStructSetData($mem, "Attributes", $rawSid) $pSid = DllStructGetPtr($mem) Return $pSid EndFunc ;==>_GetTokenPSid Func _GetTokenUser1($hToken) $pSid = _GetTokenPSid($hToken) Local $aCall = DllCall("advapi32.dll", "bool", "LookupAccountSidW", "ptr", "", "ptr", $pSid, "wstr", "", "dword*", 65536, "wstr", "", "dword*", 65536, "int*", 0) If IsArray($aCall) Then Return $aCall[5] & "\" & $aCall[3] Else Return "" EndIf EndFunc ;==>_GetTokenUser Func _GetTokenUser2($hToken) Local $aCall = DllStructGetData(_Security__GetTokenInformation($hToken, $TOKENUSER), 1) $tempPtr = DllStructCreate("PTR") $ptrSize = DllStructGetSize($tempPtr) $rawSid = BinaryMid($aCall, $ptrSize * 2 + 1, BinaryLen($aCall)) $mem = DllStructCreate("byte Attributes[" & BinaryLen($rawSid) & "]") DllStructSetData($mem, "Attributes", $rawSid) $pSid = DllStructGetPtr($mem) Local $bCall = DllCall("advapi32.dll", "bool", "LookupAccountSidW", "ptr", "", "ptr", $pSID, "wstr", "", "dword*", 65536, "wstr", "", "dword*", 65536, "int*", 0) If IsArray($bCall) Then Return $bCall[5] & "\" & $bCall[3] Else Return "" EndIf EndFunc Func _ProcessTokenInfo($pid) $hToken = _Security__OpenProcessToken(_WinAPI_OpenProcess($TOKEN_MAXIMUM_ALLOWED, 0, $pid), $TOKEN_QUERY) If Not $hToken Then $hToken = _Security__OpenProcessToken(_WinAPI_OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, 0, $pid), $TOKEN_QUERY) EndIf ConsoleWrite("GetTokenUser1 : " & _GetTokenUser1($hToken) & @CRLF) ConsoleWrite("GetTokenUser2 : " & _GetTokenUser2($hToken) & @CRLF) ConsoleWrite(@CRLF) _WinAPI_CloseHandle($hToken) Return EndFunc ;==>_ProcessTokenInfo For $i = 1 To 10 _ProcessTokenInfo(856) Next Below are the results Am I doing something wrong here ?

#include <Array.au3> #include <security.au3> #include <WinAPI.au3> $seDebug = _Security__LookupPrivilegeValue(Null, $SE_DEBUG_NAME) If $seDebug Then ConsoleWrite(@CRLF & "[+] SeDebugPrivilege Available" & @CRLF) ConsoleWrite("[+] Getting CurrentProcess PID:" & @AutoItPID & " token" & @CRLF) $hToken = _Security__OpenProcessToken(_WinAPI_GetCurrentProcess(), $TOKEN_ALL_ACCESS) If $hToken Then ConsoleWrite("[+] Trying to set SeDebugPrivilege" & @CRLF) _Security__SetPrivilege($hToken, $SE_DEBUG_NAME, True) ConsoleWrite("[+] Confirming SeDebugPrivilege" & @CRLF) $d = DllStructGetData(_Security__GetTokenInformation($hToken, 3), 1) $privCount = Int(BinaryMid($d, 1, 4)) $offset = 0 $seDebugSet = False For $i = 1 To $privCount If $offset == 0 Then $offset = 5 $luidandattributes = BinaryMid($d, $offset, 12) $highpart = Int(BinaryMid($luidandattributes, 1, 4)) ;$lowpart = BinaryMid($luidandattributes,4,4) ;$attributes = BinaryMid($luidandattributes,8,4) $offset += 12 If $highpart == $seDebug Then $seDebugSet = True EndIf Next _WinAPI_CloseHandle($hToken) EndIf If $seDebugSet Then ConsoleWrite("[+] SeDebugPrivilege Confirmed!" & @CRLF) Else ConsoleWrite("[-] Set SeDebugPrivilege Failed! Try Run as Administrator" & @CRLF) EndIf Else ConsoleWrite(@CRLF & "[+] SeDebugPrivilege Not Available" & @CRLF) EndIf Hi, I made this above code to confirm whether SeDebug is enabled or not, is there any better and easy/efficient/correct way to check the same?

A quick fix for partial process names (unicode process names appears perfectly fine) #include <Array.au3> #include <security.au3> $WTS_PROCESS_INFO_EXW = _ "DWORD SessionId;" & _ "DWORD ProcessId;" & _ "PTR pProcessName;" & _ "PTR pUserSid;" & _ "DWORD NumberOfThreads;" & _ "DWORD HandleCount;" & _ "DWORD PagefileUsage;" & _ "DWORD PeakPagefileUsage;" & _ "DWORD WorkingSetSize;" & _ "DWORD PeakWorkingSetSize;" & _ "INT64 UserTime;" & _ "INT64 KernelTime;" Const $WTS_CURRENT_SERVER_HANDLE = 0 $level = 1 Const $WTS_ANY_SESSION = -2 $ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesExW", _ "hwnd", $WTS_CURRENT_SERVER_HANDLE, _ "dword*", $level, _ "dword", $WTS_ANY_SESSION, _ "ptr*", 0, _ "dword*", 0) Local $array[$ret[5]][6] $mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4]) For $i = 0 To $ret[5] - 1 $mem=DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4]+($i*DllStructGetSize($mem))) $processName=DllStructCreate("wchar[256]", DllStructGetData($mem, "pProcessName")) $array[$i][0]=DllStructGetData($processName,1) $array[$i][1]=DllStructGetData($mem, "ProcessId") $array[$i][2]=DllStructGetData($mem, "SessionId") $userSid = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid")) $strSid = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid")) If IsArray($userSid) Then $array[$i][3] = $userSid[0] If $strSid Then $array[$i][4] = $strSid $array[$i][5]=DllStructGetData($mem, "NumberOfThreads") Next _ArrayDisplay($array) Can someone help me out in understanding why unicode returned names are showing completely and properly whereas ANSI process names are of varying partial length with the below snippet #include <Array.au3> #include <security.au3> $WTS_PROCESS_INFO_EXA = _ "DWORD SessionId;" & _ "DWORD ProcessId;" & _ "PTR pProcessName;" & _ "PTR pUserSid;" & _ "DWORD NumberOfThreads;" & _ "DWORD HandleCount;" & _ "DWORD PagefileUsage;" & _ "DWORD PeakPagefileUsage;" & _ "DWORD WorkingSetSize;" & _ "DWORD PeakWorkingSetSize;" & _ "INT64 UserTime;" & _ "INT64 KernelTime;" Const $WTS_CURRENT_SERVER_HANDLE = 0 $level = 1 Const $WTS_ANY_SESSION = -2 $ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesEx", _ "hwnd", $WTS_CURRENT_SERVER_HANDLE, _ "dword*", $level, _ "dword", $WTS_ANY_SESSION, _ "ptr*", 0, _ "dword*", 0) Local $array[$ret[5]][6] $mem = DllStructCreate($WTS_PROCESS_INFO_EXA, $ret[4]) For $i = 0 To $ret[5] - 1 $mem=DllStructCreate($WTS_PROCESS_INFO_EXA, $ret[4]+($i*DllStructGetSize($mem))) $processName=DllStructCreate("char[256]", DllStructGetData($mem, "pProcessName")) $array[$i][0]=DllStructGetData($processName,1) $array[$i][1]=DllStructGetData($mem, "ProcessId") $array[$i][2]=DllStructGetData($mem, "SessionId") $userSid = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid")) $strSid = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid")) If IsArray($userSid) Then $array[$i][3] = $userSid[0] If $strSid Then $array[$i][4] = $strSid $array[$i][5]=DllStructGetData($mem, "NumberOfThreads") Next _ArrayDisplay($array)

I had a look on "WTS_PROCESS_INFO_EXW" and DllStructCreate again and few examples circulating around this forum which helped me. #include <Array.au3> #include <security.au3> $WTS_PROCESS_INFO_EXW = _ "DWORD SessionId;" & _ "DWORD ProcessId;" & _ "PTR pProcessName;" & _ "PTR pUserSid;" & _ "DWORD NumberOfThreads;" & _ "DWORD HandleCount;" & _ "DWORD PagefileUsage;" & _ "DWORD PeakPagefileUsage;" & _ "DWORD WorkingSetSize;" & _ "DWORD PeakWorkingSetSize;" & _ "INT64 UserTime;" & _ "INT64 KernelTime;" Const $WTS_CURRENT_SERVER_HANDLE = 0 $level = 1 Const $WTS_ANY_SESSION = -2 $ret = DllCall("wtsapi32.dll", "int", "WTSEnumerateProcessesEx", _ "hwnd", $WTS_CURRENT_SERVER_HANDLE, _ "dword*", $level, _ "dword", $WTS_ANY_SESSION, _ "ptr*", 0, _ "dword*", 0) Local $array[$ret[5]][5] $mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4]) For $i = 0 To $ret[5] - 1 $mem = DllStructCreate($WTS_PROCESS_INFO_EXW, $ret[4] + ($i * DllStructGetSize($mem))) $processname = DllStructCreate("char[256]", DllStructGetData($mem, "pProcessName")) $array[$i][0] = DllStructGetData($processname, 1) $array[$i][1] = DllStructGetData($mem, "ProcessId") $array[$i][2] = DllStructGetData($mem, "SessionId") $sidToUserName = _Security__LookupAccountSid(DllStructGetData($mem, "pUserSid")) $sidToString = _Security__SidToStringSid(DllStructGetData($mem, "pUserSid")) If IsArray($sidToUserName) Then $array[$i][3]=$sidToUserName[0] If $sidToString Then $array[$i][4]=$sidToString Next _ArrayDisplay($array) Thanks to amazing devs and people around here

I'm trying to get the process list through wtsapi with the help of the following #AutoIt3Wrapper_UseX64=N #include <Array.au3> $WTS_PROCESS_INFO_EXW = _ "DWORD SessionId;" & _ "DWORD ProcessId;" & _ "CHAR pProcessName[256];" & _ "INT pUserSid;" & _ "DWORD NumberOfThreads;" & _ "DWORD HandleCount;" & _ "DWORD PagefileUsage;" & _ "DWORD PeakPagefileUsage;" & _ "DWORD WorkingSetSize;" & _ "DWORD PeakWorkingSetSize;" & _ "INT64 UserTime;" & _ "INT64 KernelTime;" Const $WTS_CURRENT_SERVER_HANDLE = 0 $level = 1 Const $WTS_ANY_SESSION = 0 $ret = DllCall("wtsapi32.dll","int","WTSEnumerateProcessesEx", _ "hwnd",$WTS_CURRENT_SERVER_HANDLE, _ "dword*",$level, _ "dword",$WTS_ANY_SESSION, _ "ptr*",DllStructGetPtr(DllStructCreate($WTS_PROCESS_INFO_EXW)), _ "dword*",0) _ArrayDisplay($ret) I'm not sure whether m doing it correctly or not, if its correct then how to access the returned data?Insert other media