.

Summary

Gets the name of the user or other security principal associated with the calling thread.

C# Signature:

public enum ExtendedNameFormat
{
     /// <summary>
     /// An unknown name type.
     /// </summary>
     NameUnknown = 0,

     /// <summary>
     /// The fully qualified distinguished name
     /// (for example, CN=Jeff Smith,OU=Users,DC=Engineering,DC=Microsoft,DC=Com).
     /// </summary>
     NameFullyQualifiedDN = 1,

     /// <summary>
     /// A legacy account name (for example, Engineering\JSmith).
     /// The domain-only version includes trailing backslashes (\\).
     /// </summary>
     NameSamCompatible = 2,

     /// <summary>
     /// A "friendly" display name (for example, Jeff Smith).
     /// The display name is not necessarily the defining relative distinguished name (RDN).
     /// </summary>
     NameDisplay = 3,

     /// <summary>
     /// A GUID string that the IIDFromString function returns
     /// (for example, {4fa050f0-f561-11cf-bdd9-00aa003a77b6}).
     /// </summary>
     NameUniqueId = 6,

     /// <summary>
     /// The complete canonical name (for example, engineering.microsoft.com/software/someone).
     /// The domain-only version includes a trailing forward slash (/).
     /// </summary>
     NameCanonical = 7,

     /// <summary>
     /// The user principal name (for example, someone@example.com).
     /// </summary>
     NameUserPrincipal = 8,

     /// <summary>
     /// The same as NameCanonical except that the rightmost forward slash (/)
     /// is replaced with a new line character (\n), even in a domain-only case
     /// (for example, engineering.microsoft.com/software\nJSmith).
     /// </summary>
     NameCanonicalEx = 9,

     /// <summary>
     /// The generalized service principal name
     /// (for example, www/www.microsoft.com@microsoft.com).
     /// </summary>
     NameServicePrincipal = 10,

     /// <summary>
     /// The DNS domain name followed by a backward-slash and the SAM user name.
     /// </summary>
     NameDnsDomain = 12
}

[DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern byte GetUserNameEx (ExtendedNameFormat nameFormat,
    StringBuilder userName, ref int userNameSize);

VB Signature:

Declare Function GetUserNameEx Lib "secur32.dll" (nameFormat As Integer, _
   userName As StringBuilder, ByRef userNameSize As Integer) As Byte

User-Defined Types:

None.

Notes:

This may be required because System.Environment.UserDomainName is broken. If the local machine has a user account that is the same name as a logged in domain user (machineName\bob & domainName\bob) UserDomainName returns the machine name, not the domain name.

Tips & Tricks:

Please add some!

Sample Code:

public class Sample
{
      enum EXTENDED_NAME_FORMAT
      {
     NameUnknown = 0,
     NameFullyQualifiedDN = 1,
     NameSamCompatible = 2,
     NameDisplay = 3,
     NameUniqueId = 6,
     NameCanonical = 7,
     NameUserPrincipal = 8,
     NameCanonicalEx = 9,
     NameServicePrincipal = 10,
     NameDnsDomain = 12
      }

      [DllImport("secur32.dll", CharSet=CharSet.Auto)]
      public static extern byte GetUserNameEx (int nameFormat, StringBuilder userName, ref int userNameSize);

      public String GetUserDomain()
      {
     if (Environment.OSVersion.Platform != PlatformID.Win32NT)
        return null;

     StringBuilder userName = new StringBuilder(1024);
     int userNameSize = userName.Capacity;

     if(0 != GetUserNameEx((int)EXTENDED_NAME_FORMAT.NameSamCompatible, userName, ref userNameSize))
     {
        string[] nameParts = userName.ToString().Split('\\');
        if (2 != nameParts.Length) return null;
        return nameParts[0];
     }

     return null;
      }
}

VB

public class Sample

  Declare Function GetUserNameExA Lib "secur32.dll" (ByVal nameFormat As Integer, _
  ByVal userName As System.Text.StringBuilder, ByRef userNameSize As Integer) As Byte

' GetUserNameExA for ANSI
' GetUserNameExW for UNICODE

    Public Enum EXTENDED_NAME_FORMAT
    NameUnknown = 0
    NameFullyQualifiedDN = 1
    NameSamCompatible = 2
    NameDisplay = 3
    NameUniqueId = 6
    NameCanonical = 7
    NameUserPrincipal = 8
    NameCanonicalEx = 9
    NameServicePrincipal = 10
    NameDnsDomain = 12
    End Enum

    Public Function GetUserName() As String

    Dim UserName As New System.Text.StringBuilder(1024)
    Dim userNameSize As Integer = UserName.Capacity

    If Environment.OSVersion.Platform <> PlatformID.Win32NT Then
        Return ""
    End If

    If GetUserNameExA(EXTENDED_NAME_FORMAT.NameSamCompatible, UserName, userNameSize) <> 0 Then

        Dim NameParts() As String = UserName.ToString().Split("\")
        If NameParts.Length <> 2 Then
        Return ""
        End If

        Return NameParts(1)

    Else
        Return ""

    End If

    End Function

End Class

Alternative Managed API:

System.Environment.UserName

System.Environment.UserDomainName

Documentation

GetUserNameEx on MSDNNALYSIS

NETWORK ANALYSIS

SIGNATURES BY SEVERITY

2LOW

4MID

0HIGH

MID Severity Signatures

The Process Tried To Load Dynamically One Or More Functions.

DynamicLoader

ADVAPI32/RegisterTraceGuidsA

DynamicLoader

api-ms-win-downlevel-ole32-l1-1-0/CoCreateGuid

DynamicLoader

urlmon/CoInternetIsFeatureEnabled

DynamicLoader

USER32/SetProcessDPIAware

DynamicLoader

inetcpl.cpl/ClearMyTracksByProcessW

DynamicLoader

kernel32/SortGetHandle

DynamicLoader

kernel32/SortCloseHandle

DynamicLoader

ADVAPI32/IsTextUnicode

DynamicLoader

ADVAPI32/RegisterTraceGuidsW

DynamicLoader

ADVAPI32/EventRegister

DynamicLoader

ADVAPI32/EventUnregister

DynamicLoader

ADVAPI32/EventEnabled

DynamicLoader

ADVAPI32/EventWrite

DynamicLoader

PROPSYS/PSCreatePropertyStoreFromObject

DynamicLoader

PROPSYS/PSCreateAdapterFromPropertyStore

DynamicLoader

OLEAUT32/

DynamicLoader

Secur32/GetUserNameExA

DynamicLoader

shell32/SHGetKnownFolderPath

DynamicLoader

ole32/CoTaskMemFree

DynamicLoader

ole32/CoTaskMemAlloc

DynamicLoader

api-ms-win-downlevel-ole32-l1-1-0/CoTaskMemFree

DynamicLoader

api-ms-win-downlevel-advapi32-l2-1-0/ConvertSidToStringSidW

DynamicLoader

api-ms-win-downlevel-advapi32-l2-1-0/ConvertStringSecurityDescriptorToSecurityDescriptorW

DynamicLoader

urlmon/

DynamicLoader

RPCRT4/UuidCreateSequential

DynamicLoader

ole32/StgOpenStorageEx

DynamicLoader

CRYPTSP/CryptAcquireContextW

DynamicLoader

rsaenh/CPAcquireContext

DynamicLoader

rsaenh/CPReleaseContext

DynamicLoader

rsaenh/CPGenKey

DynamicLoader

rsaenh/CPDeriveKey

DynamicLoader

rsaenh/CPDestroyKey

DynamicLoader

rsaenh/CPSetKeyParam

DynamicLoader

rsaenh/CPGetKeyParam

DynamicLoader

rsaenh/CPExportKey

DynamicLoader

rsaenh/CPImportKey

DynamicLoader

rsaenh/CPEncrypt

DynamicLoader

rsaenh/CPDecrypt

DynamicLoader

rsaenh/CPCreateHash

DynamicLoader

rsaenh/CPHashData

DynamicLoader

rsaenh/CPHashSessionKey

DynamicLoader

rsaenh/CPDestroyHash

DynamicLoader

rsaenh/CPSignHash

DynamicLoader

rsaenh/CPVerifySignature

DynamicLoader

rsaenh/CPGenRandom

DynamicLoader

rsaenh/CPGetUserKey

DynamicLoader

rsaenh/CPSetProvParam

DynamicLoader

rsaenh/CPGetProvParam

DynamicLoader

rsaenh/CPSetHashParam

DynamicLoader

rsaenh/CPGetHashParam

DynamicLoader

rsaenh/CPDuplicateKey

DynamicLoader

rsaenh/CPDuplicateHash

DynamicLoader

ADVAPI32/OpenThreadToken

DynamicLoader

ADVAPI32/OpenProcessToken

DynamicLoader

ADVAPI32/GetTokenInformation

DynamicLoader

ADVAPI32/AllocateAndInitializeSid

DynamicLoader

ADVAPI32/EqualSid

DynamicLoader

ADVAPI32/FreeSid

DynamicLoader

CRYPTBASE/SystemFunction036

DynamicLoader

CRYPTSP/CryptGenRandom

DynamicLoader

WININET/GetUrlCacheEntryInfoW

DynamicLoader

shell32/SHGetInstanceExplorer

DynamicLoader

iertutil/

DynamicLoader

api-ms-win-downlevel-ole32-l1-1-0/CoTaskMemAlloc

DynamicLoader

WS2_32/

DynamicLoader

winhttp/WinHttpCreateProxyResolver

DynamicLoader

SHLWAPI/

DynamicLoader

WS2_32/WSAIoctl

DynamicLoader

IPHLPAPI/NotifyIpInterfaceChange

DynamicLoader

IPHLPAPI/NotifyUnicastIpAddressChange

DynamicLoader

IPHLPAPI/GetBestInterfaceEx

DynamicLoader

IPHLPAPI/GetIfEntry2

DynamicLoader

shell32/SHGetFolderPathW

DynamicLoader

sechost/ConvertSidToStringSidW

DynamicLoader

ADVAPI32/RegEnumKeyW

Yara Detected Something

The Process Attempted To Bypass The DEP System By Marking A Part Of The Heap As Executable

The Process Tried To Collect Informations About The System Reading Some Known Registry Keys

ACTION GRAPH

ANALYZE