 

List of Windows "real" users using Win32 API

I'm trying to get a list of the real users on the local machine. By real I mean the users that can physically log on to the system and use it, excluding remote-only accounts and the like.

This is what I do already.

  • Call NetUserEnum() with FILTER_NORMAL_ACCOUNT.

    I get the following users:

    • __vmware_user__
    • Administrator
    • Help Assistant
    • ASPNET
    • Guest
    • SUPPORT_xxxxxx

    Note that these are the same users that I get when calling net user from the command line, but in the logon dialog I can only select Administrator. This is what I want.

  • From the return list on NetUserEnum(), I can tell which accounts are disabled. That leaves:

    • __vmware_user__
    • Administrator
    • ASPNET
    • SUPPORT_xxxxxx
  • Then I run LsaEnumerateAccountRights() to check which accounts have the SeInteractiveLogonRight.

    All of them have it. Except the real one, Administrator. Some of them have SeDenyInteractiveLogonRight. That leaves me with:

    • __vmware_user__
    • Administrator (no SeInteractiveLogonRight)

I found somewhere that maybe I should be checking group permissions first, as my user account might be inheriting SeInteractiveLogonRight. So far, I haven't found a way to list the groups for a given account (SID or name). Tried with NetUserGetGroups() but it turns out that this one only returns domain groups (in my case, "None").

Right now I don't know what else to try. It looks like everything would be easier if I had an 'Access Token', but there seems to be no way of getting one for a user other than the one currently logged on. There are like 20 different APIs related to authentication and this is crazy.

I appreciate your help

bts asked Feb 08 '11 10:02




1 Answer

As you said, the last step is probably just to filter the users that belong to the Administrators or Users group.

Try the method NetUserGetLocalGroups for enumerating the groups a user belongs to.

rossoft answered Oct 17 '22 02:10
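The filter the answer suggests, combined with the question's NetUserEnum() step, as an added example that is not code from either poster. The helper name `is_logon_candidate` is hypothetical, and matching on the English group names "Administrators" and "Users" is an assumption that does not hold on localized installations.

```c
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>                  /* link with netapi32.lib */
#else
#define UF_ACCOUNTDISABLE 0x0002 /* value from lmaccess.h, so the filter builds anywhere */
#endif

/* Hypothetical helper: an enabled account that belongs to Administrators or Users.
   English default group names are assumed; localized systems use other names. */
int is_logon_candidate(unsigned long flags, const wchar_t *const *groups, size_t n)
{
    if (flags & UF_ACCOUNTDISABLE) return 0;
    for (size_t i = 0; i < n; i++)
        if (!wcscmp(groups[i], L"Administrators") || !wcscmp(groups[i], L"Users"))
            return 1;
    return 0;
}

#ifdef _WIN32
int main(void)
{
    USER_INFO_1 *users = NULL;
    DWORD read = 0, total = 0, resume = 0;
    NET_API_STATUS st;
    do {   /* level 1 returns usri1_flags, which carries the disabled bit */
        st = NetUserEnum(NULL, 1, FILTER_NORMAL_ACCOUNT, (LPBYTE *)&users,
                         MAX_PREFERRED_LENGTH, &read, &total, &resume);
        if (st != NERR_Success && st != ERROR_MORE_DATA) return 1;
        for (DWORD i = 0; i < read; i++) {
            LOCALGROUP_USERS_INFO_0 *g = NULL;
            DWORD gn = 0, gt = 0;
            const wchar_t *names[64];
            if (NetUserGetLocalGroups(NULL, users[i].usri1_name, 0, LG_INCLUDE_INDIRECT,
                    (LPBYTE *)&g, MAX_PREFERRED_LENGTH, &gn, &gt) != NERR_Success)
                continue;
            for (DWORD k = 0; k < gn && k < 64; k++) names[k] = g[k].lgrui0_name;
            if (is_logon_candidate(users[i].usri1_flags, names, gn < 64 ? gn : 64))
                wprintf(L"%ls\n", users[i].usri1_name);
            NetApiBufferFree(g);
        }
        NetApiBufferFree(users);
        users = NULL;
    } while (st == ERROR_MORE_DATA);
    return 0;
}
#endif
```

LG_INCLUDE_INDIRECT also returns local groups the account belongs to indirectly, through a global group that is itself a member of the local group.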