--- /dev/null
+
+ Re: alternative to SeCaptureSubjectContext for Win2000 sought
+
+ From: "dave porter" <porter@zultranet.com>
+ Reply to: "dave porter"
+ Date: Mon, 26 Jun 2000 10:57:18 -0400
+ Newsgroups:
+ comp.os.ms-windows.programmer.nt.kernel-mode
+ Followup to: newsgroup
+ References:
+ <39520e7f$0$15896@wodc7nh1.news.uu.net>
+ <sl5ulbjfe7f47@corp.supernews.com>
+ <39575985$0$24336@wodc7nh0.news.uu.net>
+
+
+> Under advise, I have tried ZwOpenProcessToken(), but to little avail.
+> ZwQueryInformationToken( ..TokenUser ...) doesn't seem to want to do its
+job
+> either under NT4.
+
+I could be jumping in the middle here, but in what way doesn't it work?
+This code works for me:
+
+ int bufLen = 256; // we suppose this is enough
+ void* sidBuf = new char[bufLen];
+ int sidLen = 0;
+
+ void* pToken = PsReferencePrimaryToken(PsGetCurrentProcess());
+ if (!pToken) ... error ...
+
+ NTSTATUS ntstatus = ObOpenObjectByPointer(pToken, 0, 0, TOKEN_QUERY,
+0, KernelMode, &handle);
+ if (!NT_SUCCESS(ntstatus)) ... error ...
+
+ TOKEN_USER* user = static_cast<TOKEN_USER*>(sidBuf);
+ ULONG tokenInfoLen;
+ ntstatus = ZwQueryInformationToken(handle, TokenUser, user, bufLen,
+&tokenInfoLen);
+ if (!NT_SUCCESS(ntstatus)) ... error ...
+
+ assert(tokenInfoLen <= bufLen); // else we would have got an error,
+right?
+ assert(user->User.Sid == user+1); // SID is in buffer just past
+TOKEN_USER structure
+
+ sidLen = tokenInfoLen - sizeof (TOKEN_USER);
+ memmove(sidBuf, user->User.Sid, sidLen); // shuffle down the buffer
+
+Naturally, this returns the id of the thread that's running it.
+If you execute this in DriverEntry, you're running in some
+thread in the system process, which is not related to
+the thread which executed the Win32 StartService call.
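
Review bot: the added snippet never releases what it acquires. After `PsReferencePrimaryToken(PsGetCurrentProcess())` and `ObOpenObjectByPointer(...)` there is no `ZwClose(handle)` and no dereference of `pToken`, so the `... error ...` exits after the open, and the success path as shown, leak a token reference and a handle. `handle` is also used without a visible declaration. Suggest declaring `HANDLE handle`, then closing it and dropping the token reference on every path. Two further points are worth a comment in the file. First, the open passes 0 for the handle attributes with `KernelMode`, so the handle is created in the current process's handle table. On Windows 2000 and later, `OBJ_KERNEL_HANDLE` keeps it out of reach of user mode; the flag does not exist on NT4. Second, the code queries the process primary token, so the SID it returns is the process owner's and will not reflect a thread that is impersonating, which is narrower than the closing remark about "the id of the thread that's running it" suggests.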