Manko

_WinAPI_ProcessListOWNER_WTS()

28 posts in this topic

#1 ·  Posted (edited)

Hi!

DOES NOT need admin rights.

W2K and up...

#include <array.au3>    ; Needed to display array in example.
#include <security.au3> ; Get OWNER from SID.

; WTS_PROCESS_INFO: the two pointer members are 4 bytes on x86 and 8 bytes on x64,
; so the record size is read with DllStructGetSize() in the loop instead of being hard-coded.
$tag_WTS_PROCESS_INFO= _
  "DWORD SessionId;" & _
  "DWORD ProcessId;" & _
  "PTR pProcessName;" & _
  "PTR pUserSid"

; ############ Example code #######################
MsgBox(0,"Process by name or number(PID)", "'Owner' of Explorer.exe is " & _ProcessListOWNER_WTS("Explorer.exe"))
$temp=_ProcessListOWNER_WTS()
$temp[0][0]="Process"
$temp[0][1]="ProcessId"
$temp[0][2]="SessionId"
$temp[0][3]="ProcessOWNER"
_ArrayDisplay($temp, "Process list with OWNER...")
; ###############################################


; ############ Here be func! ####################
; $PID = 0      : returns the whole list, [n][0]=name, [n][1]=PID, [n][2]=SessionId, [n][3]=owner
; $PID = number : returns the owner of that PID
; $PID = string : returns the owner of the first process with that image name
Func _ProcessListOWNER_WTS($PID=0)
    Local $i, $ret, $ret1, $mem, $string, $pName, $pSid
    ; BOOL WTSEnumerateProcesses(hServer, Reserved, Version, &pProcessInfo, &Count)
    $ret=DllCall("WTSApi32.dll", "int", "WTSEnumerateProcesses", "ptr", 0, "int", 0, "int", 1, "ptr*", 0, "int*", 0)
    If @error Or Not $ret[0] Or $ret[5] = 0 Then Return SetError(1, 0, 0)
    Local $array[$ret[5]][4]
    $mem=DllStructCreate($tag_WTS_PROCESS_INFO,$ret[4])
    for $i=0 to $ret[5]-1
        $mem=DllStructCreate($tag_WTS_PROCESS_INFO, $ret[4]+($i*DllStructGetSize($mem)))
        $pName=DllStructGetData($mem, "pProcessName")
        if $pName Then
            $string=DllStructCreate("char[256]", $pName)
            $array[$i][0]=DllStructGetData($string,1)
        EndIf
        $array[$i][1]=DllStructGetData($mem, "ProcessId")
        $array[$i][2]=DllStructGetData($mem, "SessionId")
        $pSid=DllStructGetData($mem, "pUserSid")
        if $pSid Then ; NULL for the idle process, so no lookup is attempted
            $ret1 = _Security__LookupAccountSid($pSid)
            if IsArray($ret1) Then $array[$i][3]=$ret1[0]
        EndIf
    Next
    
    ; WTSFreeMemory takes a pointer; passing it as "int" truncates the address on x64
    DllCall("WTSApi32.dll", "none", "WTSFreeMemory", "ptr", $ret[4])
    
    if $PID Then
        if IsInt($PID) Then
            for $i=0 to UBound($array, 1) - 1
                if $array[$i][1] = $PID Then
                    Return $array[$i][3]
                EndIf
            Next
        Else
            for $i=0 to UBound($array, 1) - 1
                if $array[$i][0] = $PID Then
                    Return $array[$i][3]
                EndIf
            Next
        EndIf
    EndIf
    
    Return $array
EndFunc
;################################ END FUNC ##########################################

/Manko [Edit: Added getting the OWNER of a selected process.]

Edited by Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
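The function above reads the WTS_PROCESS_INFO records with an ANSI name buffer and, in the revision quoted later in the thread, a hard-coded 16-byte stride, which is only right for 32-bit AutoIt. The following is an added example written for this page, not Manko's code: it does the same enumeration through WTSEnumerateProcessesW (Unicode names), takes the record size from DllStructGetSize() so it is correct on both x86 and x64, keeps the owner's string SID next to the account name, and then uses the list for a small check a defender actually wants from such a listing: which processes share the caller's session but run under a different account. The `_WTS_` function names and the column layout are chosen here; the struct layout and constants are those of wtsapi32.h.

```autoit
#include <Array.au3>
#include <Security.au3>

; WTS_PROCESS_INFOW from wtsapi32.h. Its two pointer members are 4 bytes on x86 and 8 on x64,
; so a record is 16 or 24 bytes: the size is taken from DllStructGetSize() and never hard-coded.
Global Const $tagWTS_PROCESS_INFOW = "dword SessionId;dword ProcessId;ptr pProcessName;ptr pUserSid"

; Enumerates processes with WTSEnumerateProcessesW (Unicode names, no admin rights needed).
; Returns [n][0]=image name, [n][1]=PID, [n][2]=session id, [n][3]=DOMAIN\owner, [n][4]=owner SID string.
Func _WTS_ProcessList()
    Local $aCall = DllCall("wtsapi32.dll", "bool", "WTSEnumerateProcessesW", _
            "handle", 0, _   ; WTS_CURRENT_SERVER_HANDLE
            "dword", 0, _    ; Reserved
            "dword", 1, _    ; Version
            "ptr*", 0, _     ; receives the PWTS_PROCESS_INFOW array
            "dword*", 0)     ; receives the element count
    If @error Or Not $aCall[0] Or $aCall[5] = 0 Then Return SetError(1, 0, 0)
    Local $pInfo = $aCall[4], $iCount = $aCall[5]
    Local $tInfo = DllStructCreate($tagWTS_PROCESS_INFOW, $pInfo)
    Local $iSize = DllStructGetSize($tInfo)
    Local $aOut[$iCount][5], $i, $pName, $pSid, $aAcct
    For $i = 0 To $iCount - 1
        $tInfo = DllStructCreate($tagWTS_PROCESS_INFOW, $pInfo + $i * $iSize)
        $aOut[$i][1] = DllStructGetData($tInfo, "ProcessId")
        $aOut[$i][2] = DllStructGetData($tInfo, "SessionId")
        $pName = DllStructGetData($tInfo, "pProcessName")
        If $pName Then $aOut[$i][0] = DllStructGetData(DllStructCreate("wchar[260]", $pName), 1)
        $pSid = DllStructGetData($tInfo, "pUserSid")
        If $pSid Then ; NULL for the idle process, so no lookup is attempted
            $aOut[$i][4] = _Security__SidToStringSid($pSid)
            $aAcct = _Security__LookupAccountSid($pSid) ; [0]=account name, [1]=domain
            If IsArray($aAcct) Then $aOut[$i][3] = $aAcct[1] & "\" & $aAcct[0]
        EndIf
    Next
    ; "ptr", not "int": an int truncates the address on x64
    DllCall("wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $pInfo)
    Return $aOut
EndFunc

; Processes in the caller's own session that run under an account other than the caller's.
; In an interactive session that is normally a short list (elevated or SYSTEM helpers),
; which makes it cheap to review for anything unexpected sitting next to the user.
Func _WTS_ForeignProcessesInMySession()
    Local $aProcs = _WTS_ProcessList()
    If @error Then Return SetError(1, 0, 0)
    Local $i, $j, $iMySession = -1, $sMySid = ""
    For $i = 0 To UBound($aProcs) - 1 ; our own entry tells us our session id and SID
        If $aProcs[$i][1] = @AutoItPID Then
            $iMySession = $aProcs[$i][2]
            $sMySid = $aProcs[$i][4]
            ExitLoop
        EndIf
    Next
    If $sMySid = "" Then Return SetError(2, 0, 0)
    Local $aOut[UBound($aProcs)][5], $n = 0
    For $i = 0 To UBound($aProcs) - 1
        If $aProcs[$i][2] = $iMySession And $aProcs[$i][4] <> "" And $aProcs[$i][4] <> $sMySid Then
            For $j = 0 To 4
                $aOut[$n][$j] = $aProcs[$i][$j]
            Next
            $n += 1
        EndIf
    Next
    If $n = 0 Then Return SetError(3, 0, 0)
    ReDim $aOut[$n][5]
    Return $aOut
EndFunc

; Usage
Local $aAll = _WTS_ProcessList()
If Not @error Then _ArrayDisplay($aAll, "Processes with owner (WTSEnumerateProcessesW)")
Local $aForeign = _WTS_ForeignProcessesInMySession()
If @error Then
    MsgBox(0, "Session check", "Every process in my session runs under my account")
Else
    _ArrayDisplay($aForeign, "Processes in my session not running as me")
EndIf
```

Comparing string SIDs rather than account names avoids the ambiguity of two accounts with the same name in different domains, and reading the record size from the struct is what keeps the loop correct when the same script is compiled for x64.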




#2 ·  Posted (edited)

That's the way I like it :unsure:. Great functions pop up these days... keep on competing, Manko and ascendant :P!

Edited by KaFu


That's the way I like it :unsure:. Great functions pop up these days... keep on competing, Manko and ascendant :P!

Thanks! Ascendant's post reminded me that I had been looking at WTS API calls a while back, but I was a little lazy... :D

/Manko



Nice job. We shall soon kill the need for WMI for good! mwahaha :P


Hi!

DOES NOT need admin rights.

I'm quite satisfied! It IS W2K up only though...


Hi Manko,

I need a bit of your help; it's off topic, but I hope you will not mind.

Actually, I want the SID of the currently active user, meaning the user who uses the desktop, and if there is no active user

the (mentioned) function will return False or 0.

Currently I'm using 2 methods:

1. from sys32\query.exe

2. WMI

The 1st method uses much CPU, because I have to track the active user.

The 2nd method works well, but in a loop it will fail sometimes.


73 108 111 118 101 65 117 116 111 105 116


Hi Manko,

I need a bit of your help; it's off topic, but I hope you will not mind.

Actually, I want the SID of the currently active user, meaning the user who uses the desktop, and if there is no active user

the (mentioned) function will return False or 0.

Currently I'm using 2 methods:

1. from sys32\query.exe

2. WMI

The 1st method uses much CPU, because I have to track the active user.

The 2nd method works well, but in a loop it will fail sometimes.

Hi!

Hmm... I went googling... Could take days to get something worthwhile... Most threads talked about getting the SID from processes or threads, but some talked of WMI...

I was thinking to myself, why not use the SID of explorer.exe, and sure enough, I found someone who used that method.

So, just mod this function, and grab the SID from explorer.exe... :P

...or keep googling. That's what I always do... Tedious, but ultimately rewarding! (You find scraps and experiment and expand... sorta... nough words!)

/Manko



It should work with LookupAccountName :P

#include <array.au3>    ; Needed to display array in example.
#include <security.au3> ; Get OWNER from SID.

$tag_WTS_PROCESS_INFO= _
  "DWORD SessionId;" & _
  "DWORD ProcessId;" & _
  "PTR pProcessName;" & _
  "PTR pUserSid"

; ############ Example code #######################
$temp=_ProcessListOWNER_WTS()
$temp[0][0]="Process"
$temp[0][1]="ProcessId"
$temp[0][2]="SessionId"
$temp[0][3]="ProcessOWNER"
$temp[0][4]="Owner SID"
$temp[0][5]="Current User Process"
_ArrayDisplay($temp, "Process list with OWNER...")
; ###############################################

; ############ Here be func! ####################
Func _ProcessListOWNER_WTS()
    Local $i, $ret, $ret1, $mem, $string, $pSid
    $ret=DllCall("WTSApi32.dll", "int", "WTSEnumerateProcesses", "ptr", 0, "int", 0, "int", 1, "ptr*", 0, "int*", 0)
    If @error Or Not $ret[0] Or $ret[5] = 0 Then Return SetError(1, 0, 0)
    Local $array[$ret[5]][6], $Current_User_SID = _GetCurrentUserSID()
    $mem=DllStructCreate($tag_WTS_PROCESS_INFO,$ret[4])
    for $i=0 to $ret[5]-1
        ; the record is 16 bytes on x86 but 24 on x64, so the stride comes from DllStructGetSize() rather than a literal 16
        $mem=DllStructCreate($tag_WTS_PROCESS_INFO, $ret[4]+($i*DllStructGetSize($mem)))
        $string=DllStructCreate("char[256]", DllStructGetData($mem, "pProcessName"))
        $array[$i][0]=DllStructGetData($string,1)
        $array[$i][1]=DllStructGetData($mem, "ProcessId")
        $array[$i][2]=DllStructGetData($mem, "SessionId")
        $pSid=DllStructGetData($mem, "pUserSid")
        if $pSid Then ; NULL for the idle process
            $ret1 = _Security__LookupAccountSid($pSid)
            if IsArray($ret1) Then 
                $array[$i][3]=$ret1[0]
                $array[$i][4]=_Security__SidToStringSid($pSid)
                $array[$i][5]=($Current_User_SID=$array[$i][4]) ; True when the process runs as the calling user
            EndIf
        EndIf
    Next
    DllCall("WTSApi32.dll", "none", "WTSFreeMemory", "ptr", $ret[4]) ; pointer argument, not int
    Return $array
EndFunc
;################################ END FUNC ##########################################
Func _GetCurrentUserSID()
    ; Prog@ndy
    Local $User = _Security__LookupAccountName(@UserName,@ComputerName)
    If @error Then Return SetError(1,0,"")
    Return $User[0] ; [0] = SID as string
EndFunc

*GERMAN* [note: you are not allowed to remove author / modified info from my UDFs]My UDFs:[_SetImageBinaryToCtrl] [_TaskDialog] [AutoItObject] [Animated GIF (GDI+)] [ClipPut for Image] [FreeImage] [GDI32 UDFs] [GDIPlus Progressbar] [Hotkey-Selector] [Multiline Inputbox] [MySQL without ODBC] [RichEdit UDFs] [SpeechAPI Example] [WinHTTP]UDFs included in AutoIt: FTP_Ex (as FTPEx), _WinAPI_SetLayeredWindowAttributes


@ProgAndy

Cool, expansion! :P

I foolishly assumed he was working through a service, in which case my ass-umptions would have been sensible... hrm...

If one's OWN process doing the checking is running as the user, it's easy... :unsure:

Which is it?

/Manko



ass-umptions :P

Nice function.

Unicode would be nice too (maybe even in combination with lstrlenW).


♡♡♡

.

eMyvnE


Thanks, Manko, for your reply.

It should work with LookupAccountName :P

Func _GetCurrentUserSID()
    ; Prog@ndy
    Local $User = _Security__LookupAccountName(@UserName,@ComputerName)
    If @error Then Return SetError(1,0,"")
    Return $User[0]
EndFunc
Thanks for this function, ProgAndy.

1 more question: we have to mention the user name in your function. In my case I am using my script as a service process, so if I mention @UserName in the function, it will return me the SID of the System account, not the user of the desktop.

I hope the concept of my need is clear.

Thanks in advance for your kind help.



Thanks, Manko, for your reply.

In my case I am using my script as a service process, so if I mention @UserName in the function, it will return me the SID of the System account, not the user of the desktop.

I hope the concept of my need is clear.

Thanks in advance for your kind help.

Hi!

Hehe... My assumptions were correct! :P Try the method I suggested!

Just change MY function to only return the SID of explorer.exe... Since explorer is the desktop of the current user, it should do you right! :unsure:

If you need help with that, just PM or reply again.

/Manko



Hi!

Hehe... My assumptions were correct! :P Try the method I suggested!

Just change MY function to only return the SID of explorer.exe... Since explorer is the desktop of the current user, it should do you right! :unsure:

If you need help with that, just PM or reply again.

/Manko

Ya, thanks Manko.

I did as you said. It works now!

Here is my modification:

Func _Active_account($givenPID)
    Local $i, $ret, $ret1, $mem, $pSid
    $ret=DllCall("WTSApi32.dll", "int", "WTSEnumerateProcesses", "ptr", 0, "int", 0, "int", 1, "ptr*", 0, "int*", 0)
    If @error Or Not $ret[0] Then Return SetError(1, 0, False)
    $mem=DllStructCreate($tag_WTS_PROCESS_INFO,$ret[4])
    for $i=0 to $ret[5]-1
        ; stride from DllStructGetSize(), not a literal 16: the record is 24 bytes on x64
        $mem=DllStructCreate($tag_WTS_PROCESS_INFO, $ret[4]+($i*DllStructGetSize($mem)))
        If DllStructGetData($mem, "ProcessId") = $givenPID Then
            $pSid=DllStructGetData($mem, "pUserSid")
            if $pSid Then $ret1 = _Security__LookupAccountSid($pSid)
            if IsArray($ret1) Then 
                DllCall("WTSApi32.dll", "none", "WTSFreeMemory", "ptr", $ret[4])
                Return $ret1[0]
            EndIf
        EndIf
    Next
    DllCall("WTSApi32.dll", "none", "WTSFreeMemory", "ptr", $ret[4])
    Return False
EndFunc

I use it when I need the user name;

if you can improve it, please do..



Try this: This func retrieves the username from the current session. But now, this is really OT :P

#include<Security.au3>
Func _GetCurrentUser()
    ; WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION = -1, WTSUserName = 5, &buffer, &bytes)
    Local $result = DllCall("Wtsapi32.dll","int", "WTSQuerySessionInformationW", "Ptr", 0, "int", -1, "int", 5, "ptr*", 0, "dword*", 0)
    If @error Or $result[0] = 0 Then Return SetError(1,0,"")
    ; the byte count includes the terminating NUL and a wchar is 2 bytes, so the struct covers bytes/2 characters
    Local $User = DllStructGetData(DllStructCreate("wchar[" & $result[5] / 2 & "]" , $result[4]),1)
    DllCall("Wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $result[4])
    Return $User
EndFunc

Func _GetCurrentUserSID()
    ; Prog@ndy
    Local $User = _Security__LookupAccountName(_GetCurrentUser(),@ComputerName)
    If @error Then Return SetError(1,0,"")
    Return $User[0] ; [0] = SID as string
EndFunc

MsgBox(0, '', _GetCurrentUser() & @CRLF & _GetCurrentUserSID())


#15 ·  Posted (edited)

Try this: This func retrieves the username from the current session. But now, this is really OT :P

You may be off topic, but this function, WTSQuerySessionInformation, is really great!

http://msdn.microsoft.com/en-us/library/aa383838(VS.85).aspx

Lots of uses. I was sniffing through the WTS functions, but I missed that one... ??

Great work!

/Manko

Edited by Manko


:unsure:

Try this: This func retrieves the username from the current session. But now, this is really OT :P

Thanks for this function, that's exactly what I want!

@Manko

Thanks for your help & that link.



Try this: This func retrieves the username from the current session. But now, this is really OT :P

Your function works well for 1 account only; if the user switches to another login, it will still give the old user name & SID?


Your function works well for 1 account only; if the user switches to another login, it will still give the old user name & SID?

That is interesting.

It could be the definition of WTS_CURRENT_SESSION maybe.

Try this:

#include <Security.au3>

MsgBox(0, '', _GetCurrentUser() & @CRLF & _GetCurrentUserSID())


Func _GetCurrentUser()

    Local $aCall = DllCall("Wtsapi32.dll", "int", "WTSQuerySessionInformationW", _
            "hwnd", 0, _ ;  WTS_CURRENT_SERVER_HANDLE
            "dword", 0, _ ; WTS_CURRENT_SESSION?
            "int", 5, _ ; WTSUserName
            "ptr*", 0, _
            "dword*", 0)

    If @error Or Not $aCall[0] Then
        Return SetError(1, 0, "")
    EndIf

    Local $sUser = DllStructGetData(DllStructCreate("wchar[" & $aCall[5] / 2 & "]", $aCall[4]), 1)

    DllCall("Wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $aCall[4])

    Return SetError(0, 0, $sUser)

EndFunc   


Func _GetCurrentUserSID()
    ; Prog@ndy
    Local $User = _Security__LookupAccountName(_GetCurrentUser(), @ComputerName)
    If @error Then Return SetError(1, 0, "")
    Return $User[0]
EndFunc


That is interesting.

It could be the definition of WTS_CURRENT_SESSION maybe.

Try this:

Thanks for the modification, I'll try it.


That is interesting.

It could be the definition of WTS_CURRENT_SESSION maybe.

Try this:


It's still not working; it only works once, after that it always returns an empty "" string.


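The thread ends with the session query still misbehaving for a script that runs as a service. Two facts from wtsapi32.h explain the symptoms the posts describe: WTS_CURRENT_SESSION is defined as (DWORD)-1 and means "the session the calling process lives in", which for a service is its own session and not the desktop user's; and 0 is simply a fixed session id, so querying it stops matching the console as soon as the console user changes. A service therefore has to name the console session explicitly. The code below is an added example for this page, not code from ProgAndy, eMyvnE or Manko: it asks kernel32's WTSGetActiveConsoleSessionId for the console session, queries user and domain for that session, returns "" with @error set when nobody is logged on at the console (the asker's "return false or 0" requirement), and also enumerates all WTSActive sessions with WTSEnumerateSessionsW so RDP sessions and fast user switching are covered. The `_WTS_` names and the column layout are chosen here; the constants and struct layouts are those of wtsapi32.h.

```autoit
#include <Security.au3>

; Values from wtsapi32.h (not from the thread)
Global Const $WTS_CURRENT_SERVER_HANDLE = 0
Global Const $WTSUserName = 5, $WTSDomainName = 7   ; WTS_INFO_CLASS members
Global Const $WTSActive = 0                          ; WTS_CONNECTSTATE_CLASS member
Global Const $tagWTS_SESSION_INFOW = "dword SessionId;ptr pWinStationName;int State"

; Id of the session attached to the physical console, or -1 (with @error set) when there is none.
Func _WTS_GetActiveConsoleSessionId()
    ; DWORD return read as int so the 0xFFFFFFFF "no session" value arrives as -1
    Local $aCall = DllCall("kernel32.dll", "int", "WTSGetActiveConsoleSessionId")
    If @error Or $aCall[0] = -1 Then Return SetError(1, 0, -1)
    Return $aCall[0]
EndFunc

; One string-valued WTS_INFO_CLASS item for a session; "" with @error set on failure.
Func _WTS_QuerySessionString($iSessionId, $iInfoClass)
    Local $aCall = DllCall("wtsapi32.dll", "bool", "WTSQuerySessionInformationW", _
            "handle", $WTS_CURRENT_SERVER_HANDLE, "dword", $iSessionId, "int", $iInfoClass, "ptr*", 0, "dword*", 0)
    If @error Or Not $aCall[0] Then Return SetError(1, 0, "")
    ; the byte count includes the terminating NUL; a wchar is 2 bytes
    Local $sValue = DllStructGetData(DllStructCreate("wchar[" & ($aCall[5] / 2) & "]", $aCall[4]), 1)
    DllCall("wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $aCall[4])
    Return $sValue
EndFunc

; DOMAIN\user of whoever is logged on at the console; "" with @error set when nobody is
; (no console session, or the logon screen is showing and WTSUserName comes back empty).
Func _WTS_GetConsoleUser()
    Local $iSession = _WTS_GetActiveConsoleSessionId()
    If @error Then Return SetError(1, 0, "")
    Local $sUser = _WTS_QuerySessionString($iSession, $WTSUserName)
    If @error Or $sUser = "" Then Return SetError(2, 0, "")
    Return _WTS_QuerySessionString($iSession, $WTSDomainName) & "\" & $sUser
EndFunc

; String SID of the console user, resolved from the DOMAIN\user name; "" with @error set when nobody is logged on.
Func _WTS_GetConsoleUserSID()
    Local $sAccount = _WTS_GetConsoleUser()
    If @error Then Return SetError(1, 0, "")
    Local $aSid = _Security__LookupAccountName($sAccount) ; [0] = SID as string
    If @error Then Return SetError(2, 0, "")
    Return $aSid[0]
EndFunc

; Every session in WTSActive state that has a user: [n][0]=session id, [n][1]=winstation, [n][2]=DOMAIN\user.
; Covers RDP sessions and fast user switching, where the console is not the only logged-on session.
Func _WTS_ListActiveUsers()
    Local $aCall = DllCall("wtsapi32.dll", "bool", "WTSEnumerateSessionsW", _
            "handle", $WTS_CURRENT_SERVER_HANDLE, "dword", 0, "dword", 1, "ptr*", 0, "dword*", 0)
    If @error Or Not $aCall[0] Or $aCall[5] = 0 Then Return SetError(1, 0, 0)
    Local $pInfo = $aCall[4], $iCount = $aCall[5]
    Local $tInfo = DllStructCreate($tagWTS_SESSION_INFOW, $pInfo)
    Local $iSize = DllStructGetSize($tInfo) ; 12 bytes on x86, 24 on x64: never hard-code it
    Local $aOut[$iCount][3], $i, $n = 0, $iId, $sUser
    For $i = 0 To $iCount - 1
        $tInfo = DllStructCreate($tagWTS_SESSION_INFOW, $pInfo + $i * $iSize)
        If DllStructGetData($tInfo, "State") <> $WTSActive Then ContinueLoop
        $iId = DllStructGetData($tInfo, "SessionId")
        $sUser = _WTS_QuerySessionString($iId, $WTSUserName)
        If $sUser = "" Then ContinueLoop ; active session with nobody logged on (logon screen)
        $aOut[$n][0] = $iId
        $aOut[$n][1] = DllStructGetData(DllStructCreate("wchar[64]", DllStructGetData($tInfo, "pWinStationName")), 1)
        $aOut[$n][2] = _WTS_QuerySessionString($iId, $WTSDomainName) & "\" & $sUser
        $n += 1
    Next
    DllCall("wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $pInfo)
    If $n = 0 Then Return SetError(2, 0, 0)
    ReDim $aOut[$n][3]
    Return $aOut
EndFunc

; Usage
Local $sWho = _WTS_GetConsoleUser()
If @error Then
    MsgBox(0, "Console", "Nobody is logged on at the console")
Else
    MsgBox(0, "Console", $sWho & @CRLF & _WTS_GetConsoleUserSID())
EndIf
```

Querying another session's user name is permitted for a service running as LocalSystem; a plain user process may be refused for sessions other than its own, which is another reason the session id, not the caller's identity, should drive the lookup. Resolving the SID from DOMAIN\user rather than a bare name also avoids picking a local account that happens to share its name with the domain user at the console.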
