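@msdn=http://search.microsoft.com/search/results.aspx?qu=$$$
@pinvoke=http://pinvoke.net/$$$.htm

Summary: Gets the name of the user or other security principal associated with the calling thread.

!!!!C# Signature:

public enum ExtendedNameFormat
{
    /// <summary>
    /// An unknown name type.
    /// </summary>
    NameUnknown = 0,

    /// <summary>
    /// The fully qualified distinguished name
    /// (for example, CN=Jeff Smith,OU=Users,DC=Engineering,DC=Microsoft,DC=Com).
    /// </summary>
    NameFullyQualifiedDN = 1,

    /// <summary>
    /// A legacy account name (for example, Engineering\JSmith).
    /// The domain-only version includes trailing backslashes (\\).
    /// </summary>
    NameSamCompatible = 2,

    /// <summary>
    /// A "friendly" display name (for example, Jeff Smith).
    /// The display name is not necessarily the defining relative distinguished name (RDN).
    /// </summary>
    NameDisplay = 3,

    /// <summary>
    /// A GUID string that the IIDFromString function returns
    /// (for example, {4fa050f0-f561-11cf-bdd9-00aa003a77b6}).
    /// </summary>
    NameUniqueId = 6,

    /// <summary>
    /// The complete canonical name (for example, engineering.microsoft.com/software/someone).
    /// The domain-only version includes a trailing forward slash (/).
    /// </summary>
    NameCanonical = 7,

    /// <summary>
    /// The user principal name (for example, someone@example.com).
    /// </summary>
    NameUserPrincipal = 8,

    /// <summary>
    /// The same as NameCanonical except that the rightmost forward slash (/)
    /// is replaced with a new line character (\n), even in a domain-only case
    /// (for example, engineering.microsoft.com/software\nJSmith).
    /// </summary>
    NameCanonicalEx = 9,

    /// <summary>
    /// The generalized service principal name
    /// (for example, www/www.microsoft.com@microsoft.com).
    /// </summary>
    NameServicePrincipal = 10,

    /// <summary>
    /// The DNS domain name followed by a backward-slash and the SAM user name.
    /// </summary>
    NameDnsDomain = 12
}

/// <summary>
/// Retrieves the name of the security principal associated with the calling thread
/// in the requested format.
/// </summary>
/// <param name="nameFormat">The format in which the name is returned.</param>
/// <param name="userName">Buffer that receives the name.</param>
/// <param name="userNameSize">
/// On input, the capacity of <paramref name="userName"/> in characters; on success,
/// the number of characters written, not counting the terminating null.
/// </param>
/// <returns>
/// The Win32 BOOLEAN result as a byte: nonzero on success, zero on failure.
/// SetLastError=true keeps the failure reason available through
/// Marshal.GetLastWin32Error().
/// </returns>
[DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern byte GetUserNameEx (ExtendedNameFormat nameFormat, StringBuilder userName, ref int userNameSize);

!!!!VB Signature:

Declare Function GetUserNameEx Lib "secur32.dll" (nameFormat As Integer, _
    userName As StringBuilder, ByRef userNameSize As Integer) As Byte

!!!!User-Defined Types:

None.

!!!!Notes:

This may be required because System.Environment.UserDomainName is broken. If the local machine has a user account that is the same name as a logged in domain user (machineName\bob & domainName\bob) UserDomainName returns the machine name, not the domain name.

!!!!Tips & Tricks:

Please add some!

!!!!Sample Code:

public class Sample
{
    // Values accepted by GetUserNameEx for its nameFormat argument.
    enum EXTENDED_NAME_FORMAT
    {
        NameUnknown = 0,
        NameFullyQualifiedDN = 1,
        NameSamCompatible = 2,
        NameDisplay = 3,
        NameUniqueId = 6,
        NameCanonical = 7,
        NameUserPrincipal = 8,
        NameCanonicalEx = 9,
        NameServicePrincipal = 10,
        NameDnsDomain = 12
    }

    // SetLastError=true matches the reference signature above, so a caller that sees a
    // zero return can read the cause with Marshal.GetLastWin32Error().
    [DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    public static extern byte GetUserNameEx (int nameFormat, StringBuilder userName, ref int userNameSize);

    /// <summary>
    /// Returns the domain part of the calling thread's SAM-compatible account name
    /// (the text before the backslash in DOMAIN\user).
    /// </summary>
    /// <returns>
    /// The domain (or machine) name, or null when the platform is not Windows NT based,
    /// the native call fails, or the returned name is not of the form DOMAIN\user.
    /// </returns>
    /// <remarks>
    /// The name describes the security context of the calling thread, so on a thread
    /// that is impersonating a client it is the client's name, not the process owner's.
    /// Use the result for display and logging; access decisions should compare SIDs
    /// taken from the token rather than parsed name strings.
    /// </remarks>
    public String GetUserDomain()
    {
        if (Environment.OSVersion.Platform != PlatformID.Win32NT)
        {
            return null;
        }

        StringBuilder userName = new StringBuilder(1024);
        int userNameSize = userName.Capacity;

        // Zero means failure (for example the name is not available in this format,
        // or the buffer is too small); this sample reports every failure as null.
        if (0 == GetUserNameEx((int)EXTENDED_NAME_FORMAT.NameSamCompatible, userName, ref userNameSize))
        {
            return null;
        }

        // Expect exactly DOMAIN\user; anything else is treated as "no domain".
        string[] nameParts = userName.ToString().Split('\\');
        if (2 != nameParts.Length)
        {
            return null;
        }

        return nameParts[0];
    }
}

!!!!VB

public class Sample
Declare Function GetUserNameExA Lib "secur32.dll" (ByVal nameFormat As Integer, _
    ByVal userName As System.Text.StringBuilder, ByRef userNameSize As Integer) As Byte
' GetUserNameExA for ANSI
' GetUserNameExW for UNICODE
Public Enum EXTENDED_NAME_FORMAT
NameUnknown = 0
NameFullyQualifiedDN = 1
NameSamCompatible = 2
NameDisplay = 3
NameUniqueId = 6
NameCanonical = 7
NameUserPrincipal = 8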
NameCanonicalEx = 9 NameServicePrincipal = 10 NameDnsDomain = 12 End Enum Public Function GetUserName() As String Dim UserName As New System.Text.StringBuilder(1024) Dim userNameSize As Integer = UserName.Capacity If Environment.OSVersion.Platform <> PlatformID.Win32NT Then Return "" End If If GetUserNameExA(EXTENDED_NAME_FORMAT.NameSamCompatible, UserName, userNameSize) <> 0 Then Dim NameParts() As String = UserName.ToString().Split("\") If NameParts.Length <> 2 Then Return "" End If Return NameParts(1) Else Return "" End If End Function End Class !!!!Alternative Managed API: System.Environment.UserName@msdn System.Environment.UserDomainName@msdn Documentation: GetUserNameEx@msdn on MSDNNALYSIS NETWORK ANALYSIS SIGNATURES BY SEVERITY 2LOW 4MID 0HIGH MID Severity Signatures The Process Tried To Load Dynamically One Or More Functions. DynamicLoader: ADVAPI32/RegisterTraceGuidsA DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0/CoCreateGuid DynamicLoader: urlmon/CoInternetIsFeatureEnabled DynamicLoader: USER32/SetProcessDPIAware DynamicLoader: inetcpl.cpl/ClearMyTracksByProcessW DynamicLoader: kernel32/SortGetHandle DynamicLoader: kernel32/SortCloseHandle DynamicLoader: ADVAPI32/IsTextUnicode DynamicLoader: ADVAPI32/RegisterTraceGuidsW DynamicLoader: ADVAPI32/EventRegister DynamicLoader: ADVAPI32/EventUnregister DynamicLoader: ADVAPI32/EventEnabled DynamicLoader: ADVAPI32/EventWrite DynamicLoader: PROPSYS/PSCreatePropertyStoreFromObject DynamicLoader: PROPSYS/PSCreateAdapterFromPropertyStore DynamicLoader: OLEAUT32/ DynamicLoader: Secur32/GetUserNameExA DynamicLoader: shell32/SHGetKnownFolderPath DynamicLoader: ole32/CoTaskMemFree DynamicLoader: ole32/CoTaskMemAlloc DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0/CoTaskMemFree DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0/ConvertSidToStringSidW DynamicLoader: api-ms-win-downlevel-advapi32-l2-1-0/ConvertStringSecurityDescriptorToSecurityDescriptorW DynamicLoader: urlmon/ DynamicLoader: 
RPCRT4/UuidCreateSequential DynamicLoader: ole32/StgOpenStorageEx DynamicLoader: CRYPTSP/CryptAcquireContextW DynamicLoader: rsaenh/CPAcquireContext DynamicLoader: rsaenh/CPReleaseContext DynamicLoader: rsaenh/CPGenKey DynamicLoader: rsaenh/CPDeriveKey DynamicLoader: rsaenh/CPDestroyKey DynamicLoader: rsaenh/CPSetKeyParam DynamicLoader: rsaenh/CPGetKeyParam DynamicLoader: rsaenh/CPExportKey DynamicLoader: rsaenh/CPImportKey DynamicLoader: rsaenh/CPEncrypt DynamicLoader: rsaenh/CPDecrypt DynamicLoader: rsaenh/CPCreateHash DynamicLoader: rsaenh/CPHashData DynamicLoader: rsaenh/CPHashSessionKey DynamicLoader: rsaenh/CPDestroyHash DynamicLoader: rsaenh/CPSignHash DynamicLoader: rsaenh/CPVerifySignature DynamicLoader: rsaenh/CPGenRandom DynamicLoader: rsaenh/CPGetUserKey DynamicLoader: rsaenh/CPSetProvParam DynamicLoader: rsaenh/CPGetProvParam DynamicLoader: rsaenh/CPSetHashParam DynamicLoader: rsaenh/CPGetHashParam DynamicLoader: rsaenh/CPDuplicateKey DynamicLoader: rsaenh/CPDuplicateHash DynamicLoader: ADVAPI32/OpenThreadToken DynamicLoader: ADVAPI32/OpenProcessToken DynamicLoader: ADVAPI32/GetTokenInformation DynamicLoader: ADVAPI32/AllocateAndInitializeSid DynamicLoader: ADVAPI32/EqualSid DynamicLoader: ADVAPI32/FreeSid DynamicLoader: CRYPTBASE/SystemFunction036 DynamicLoader: CRYPTSP/CryptGenRandom DynamicLoader: WININET/GetUrlCacheEntryInfoW DynamicLoader: shell32/SHGetInstanceExplorer DynamicLoader: iertutil/ DynamicLoader: api-ms-win-downlevel-ole32-l1-1-0/CoTaskMemAlloc DynamicLoader: WS2_32/ DynamicLoader: winhttp/WinHttpCreateProxyResolver DynamicLoader: SHLWAPI/ DynamicLoader: WS2_32/WSAIoctl DynamicLoader: IPHLPAPI/NotifyIpInterfaceChange DynamicLoader: IPHLPAPI/NotifyUnicastIpAddressChange DynamicLoader: IPHLPAPI/GetBestInterfaceEx DynamicLoader: IPHLPAPI/GetIfEntry2 DynamicLoader: shell32/SHGetFolderPathW DynamicLoader: sechost/ConvertSidToStringSidW DynamicLoader: ADVAPI32/RegEnumKeyW Yara Detected Something The Process Attempted To Bypass The DEP System 
By Marking A Part Of The Heap As Executable The Process Tried To Collect Informations About The System Reading Some Known Registry Keys ACTION GRAPH ANALYZE