Getting the Logon SID in C++

A logon security identifier (SID) identifies the logon session associated with an access token. A typical use of a logon SID is in an ACE that allows access for the duration of a client's logon session. For example, a Windows service can use the LogonUser function to start a new logon session. The LogonUser function returns an access token from which the service can extract the logon SID. The service can then use the SID in an ACE that allows the client's logon session to access the interactive window station and desktop.

The following example gets the logon SID from an access token. It uses the GetTokenInformation function to fill a TOKEN_GROUPS buffer with an array of the group SIDs from an access token. This array includes the logon SID, which is identified by the SE_GROUP_LOGON_ID attribute. The example function allocates a buffer for the logon SID; it is the caller's responsibility to free the buffer.

 BOOL GetLogonSID (HANDLE hToken, PSID  * ppsid) 
  {
   BOOL bSuccess  =  FALSE;
   DWORD dwIndex;
   DWORD dwLength  =   0 ;
   PTOKEN_GROUPS ptg  =  NULL;

 //  Verify the parameter passed in is not NULL. 
      if  (NULL  ==  ppsid)
         goto  Cleanup;

 //  Get required buffer size and allocate the TOKEN_GROUPS buffer. 
 
    if  ( ! GetTokenInformation(
         hToken,          //  handle to the access token 
          TokenGroups,     //  get information about the token's groups  
          (LPVOID) ptg,    //  pointer to TOKEN_GROUPS buffer 
           0 ,               //  size of buffer 
           & dwLength        //  receives required buffer size 
       )) 
    {
       if  (GetLastError()  !=  ERROR_INSUFFICIENT_BUFFER) 
          goto  Cleanup;

      ptg  =  (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),
         HEAP_ZERO_MEMORY, dwLength);

       if  (ptg  ==  NULL)
          goto  Cleanup;
   } 
 
 //  Get the token group information from the access token. 
 
    if  ( ! GetTokenInformation(
         hToken,          //  handle to the access token 
          TokenGroups,     //  get information about the token's groups  
          (LPVOID) ptg,    //  pointer to TOKEN_GROUPS buffer 
          dwLength,        //  size of buffer 
           & dwLength        //  receives required buffer size 
          )) 
    {
       goto  Cleanup;
   } 
 
 //  Loop through the groups to find the logon SID. 
 
    for  (dwIndex  =   0 ; dwIndex  <  ptg -> GroupCount; dwIndex ++ ) 
       if  ((ptg -> Groups[dwIndex].Attributes  &  SE_GROUP_LOGON_ID)
              ==   SE_GROUP_LOGON_ID) 
       {
       //  Found the logon SID; make a copy of it. 
 
         dwLength  =  GetLengthSid(ptg -> Groups[dwIndex].Sid);
          * ppsid  =  (PSID) HeapAlloc(GetProcessHeap(),
                     HEAP_ZERO_MEMORY, dwLength);
          if  ( * ppsid  ==  NULL)
              goto  Cleanup;
          if  ( ! CopySid(dwLength,  * ppsid, ptg -> Groups[dwIndex].Sid)) 
          {
             HeapFree(GetProcessHeap(),  0 , (LPVOID) * ppsid);
              goto  Cleanup;
         } 
          break ;
      } 
 
   bSuccess  =  TRUE;

Cleanup: 

 //  Free the buffer for the token groups. 
 
    if  (ptg  !=  NULL)
      HeapFree(GetProcessHeap(),  0 , (LPVOID)ptg);

    return  bSuccess;
} 

The following function frees the buffer allocated by the  GetLogonSID  example function.

VOID FreeLogonSID (PSID *ppsid) 
{
    HeapFree(GetProcessHeap(), 0, (LPVOID)*ppsid);
}