From d1d889d91052be2ba29533372cf7ee9d3b66aa31 Mon Sep 17 00:00:00 2001
From: Erik Onarheim
Date: Tue, 19 Jan 2016 14:40:29 -0600
Subject: [PATCH] Implement GetProcCredName in gosigar to address elastic/beats#590 elastic/topbeat#36 in windows

---
 sigar_windows.go | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/sigar_windows.go b/sigar_windows.go
index 7e4fe45a4..2b77e2cef 100644
--- a/sigar_windows.go
+++ b/sigar_windows.go
@@ -306,6 +306,45 @@ func GetProcName(pid int) (string, error) {
 }
+func GetProcCredName(pid int) (string, error) {
+	handle, err := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, uint32(pid))
+
+	defer syscall.CloseHandle(handle)
+
+	if err != nil {
+		return "", fmt.Errorf("OpenProcess fails with %v", err)
+	}
+
+	var token syscall.Token
+
+	// Find process token via win32
+	retOpenProcessToken := syscall.OpenProcessToken(handle, syscall.TOKEN_QUERY, &token)
+	if retOpenProcessToken != nil {
+		return "", fmt.Errorf("Error opening process token %v", retOpenProcessToken)
+	}
+
+	// Find sid from process token
+	bufferLength := uint32(256)
+	var tokenBuffer [256]byte
+	bufferPointer := (*byte)(unsafe.Pointer(&tokenBuffer))
+
+	var tokenUser syscall.Tokenuser
+
+	// Convert token to sid represented byte buffer
+	retGetTokenInfo := syscall.GetTokenInformation(token, uint32(1), bufferPointer, bufferLength, &bufferLength)
+	if retGetTokenInfo != nil {
+		return "", fmt.Errorf("Error getting process sid %v", retGetTokenInfo)
+	}
+
+	// marshal pointer to Tokenuser struct
+	tokenUser = *(*syscall.Tokenuser)(unsafe.Pointer(bufferPointer))
+
+	// look up domain account by sid
+	account, domain, _, _ := tokenUser.User.Sid.LookupAccount("localhost")
+
+	return fmt.Sprintf("%s\\%s", domain, account), nil
+}
+
 func GetProcStatus(pid int) (RunState, error) {
 	handle, err := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, uint32(pid))
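Review bot: The token handle obtained from OpenProcessToken in GetProcCredName is never closed, so every successful call leaks one kernel handle, which matters for a collector that walks every process on each sampling period; add `defer token.Close()` right after the retOpenProcessToken nil check (syscall.Token has a Close method). The two errors from LookupAccount are discarded with `_, _`, so a SID that cannot be resolved yields the string `"\\"` with a nil error, which callers will record as a real account name — return the error instead, or fall back to the SID string. As smaller points, `uint32(1)` in the GetTokenInformation call is the TokenUser information class and the syscall package names it `syscall.TokenUser`, and `defer syscall.CloseHandle(handle)` is registered before the OpenProcess error is checked (closing a zero handle on failure), a pattern copied from the existing GetProcStatus visible in the trailing context. The hunk's trailing context may continue past what is visible here.

```go
	// … unchanged: OpenProcess and its error check …
	var token syscall.Token
	if err := syscall.OpenProcessToken(handle, syscall.TOKEN_QUERY, &token); err != nil {
		return "", fmt.Errorf("Error opening process token %v", err)
	}
	defer token.Close() // a second handle, distinct from the process handle closed above

	// … unchanged: GetTokenInformation into tokenBuffer and the Tokenuser cast (syscall.TokenUser can replace uint32(1)) …
	account, domain, _, err := tokenUser.User.Sid.LookupAccount("localhost")
	if err != nil {
		return "", fmt.Errorf("Error looking up account for sid %v", err)
	}
	return fmt.Sprintf("%s\\%s", domain, account), nil
```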