How to get owner of process running on remote machine without WMI


ChatGPT:

To get the owner of a process running on a remote machine without using WMI (Windows Management Instrumentation), you can use the OpenProcess and OpenProcessToken functions from the Windows API. Here's an example in C++:

cpp
    #include <iostream>
    #include <vector>
    #include <Windows.h>

    // Looks up the account that owns the token of the given process and prints
    // it as DOMAIN\name. Returns true on success.
    // Note: OpenProcess can only open processes on the machine this program
    // runs on, so the program has to execute on the host where the process lives.
    bool GetProcessOwner(DWORD processId)
    {
        bool ok = false;

        // PROCESS_QUERY_LIMITED_INFORMATION is sufficient for OpenProcessToken
        // and is granted for more processes than PROCESS_QUERY_INFORMATION.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processId);
        if (!hProcess)
        {
            std::wcerr << L"OpenProcess failed: " << GetLastError() << std::endl;
            return false;
        }

        HANDLE hToken = nullptr;
        if (OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
        {
            // First call only sizes the buffer; it is expected to fail with
            // ERROR_INSUFFICIENT_BUFFER.
            // TokenOwner is the token's default owner SID. For the account the
            // process actually runs as (what Task Manager shows), query TokenUser
            // and read ((PTOKEN_USER)buffer)->User.Sid instead.
            DWORD tokenInfoLength = 0;
            GetTokenInformation(hToken, TokenOwner, nullptr, 0, &tokenInfoLength);
            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
            {
                std::vector<BYTE> buffer(tokenInfoLength);
                PTOKEN_OWNER tokenOwner = reinterpret_cast<PTOKEN_OWNER>(buffer.data());
                if (GetTokenInformation(hToken, TokenOwner, tokenOwner, tokenInfoLength, &tokenInfoLength))
                {
                    // Account and domain lengths must be tracked in separate
                    // variables, and both size pointers are required by the API.
                    DWORD nameSize = 0;
                    DWORD domainSize = 0;
                    SID_NAME_USE sidType;
                    LookupAccountSidW(nullptr, tokenOwner->Owner, nullptr, &nameSize,
                                      nullptr, &domainSize, &sidType);
                    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
                    {
                        std::vector<wchar_t> accountName(nameSize);
                        std::vector<wchar_t> domainName(domainSize);
                        // Explicit W variant so the output is wide regardless of
                        // whether UNICODE is defined (wcout cannot print char*).
                        if (LookupAccountSidW(nullptr, tokenOwner->Owner, accountName.data(), &nameSize,
                                              domainName.data(), &domainSize, &sidType))
                        {
                            std::wcout << L"Owner: " << domainName.data() << L"\\"
                                       << accountName.data() << std::endl;
                            ok = true;
                        }
                    }
                }
            }
            CloseHandle(hToken);
        }
        else
        {
            std::wcerr << L"OpenProcessToken failed: " << GetLastError() << std::endl;
        }

        CloseHandle(hProcess);
        return ok;
    }

    int main()
    {
        DWORD processId = 1234; // Replace with the actual process ID

        return GetProcessOwner(processId) ? 0 : 1;
    }

In this example, we define the GetProcessOwner function, which takes the process ID as input and retrieves the owner information. It uses OpenProcess to open a handle to the process, and then OpenProcessToken to obtain the process token. Finally, it uses GetTokenInformation and LookupAccountSid to retrieve the owner account information.

Replace the processId variable with the actual process ID you want to query. Compile and run the program, and it will display the owner of the specified process.

Note that this approach requires appropriate privileges to access process information on the remote machine. You may need administrative privileges or the necessary access rights to retrieve the owner information successfully.
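Since OpenProcess only opens handles to processes on the local machine, the C++ program above has to run on the host that owns the process. The following is an added example, not part of the original answer, that performs the same token lookup on a remote host over PowerShell Remoting (WinRM) rather than WMI; it assumes WinRM is enabled on the target and the caller is an administrator there, and the host name SRV01, the process name and the function name Get-RemoteProcessOwner are placeholders.

```powershell
# Added example (not from the original answer): read process owners on a remote
# host via PowerShell Remoting (WinRM) instead of WMI/CIM.
# Assumptions: WinRM is enabled on the target, the caller is a local
# administrator there, and 'SRV01' / 'svchost' are placeholders to replace.
function Get-RemoteProcessOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $ProcessName = '*',          # Get-Process -Name accepts wildcards
        [pscredential] $Credential
    )

    $invokeArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $invokeArgs.Credential = $Credential }

    Invoke-Command @invokeArgs -ArgumentList $ProcessName -ScriptBlock {
        param($name)
        # -IncludeUserName reads each process token on the remote side (the
        # same data the C++ code reads) and requires an elevated session there;
        # processes whose token cannot be opened come back with an empty UserName.
        Get-Process -Name $name -IncludeUserName -ErrorAction SilentlyContinue |
            Select-Object Id, ProcessName, UserName
    } | Select-Object PSComputerName, Id, ProcessName, UserName
}

# Usage (placeholder host and process name):
Get-RemoteProcessOwner -ComputerName 'SRV01' -ProcessName 'svchost' |
    Format-Table -AutoSize
```

Running the same `Get-Process -IncludeUserName` directly on the target in an elevated prompt is a quick way to confirm the remote result matches.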