Get User ID from EVENTLOGRECORD

I think this question is quite straight forward.....but I dun know how to go about it.....my question:

How can I get User ID from EVENTLOGRECORD?  

Example:
If I have a EVENTLOGRECORD pointer that points to a record, how do I print that user ID using that record pointer, to a string?

I think that maybe using UserSidOffset or/and UserSidLength might help.....but I don't know how to.

Any suggestion will be appreciated.
LVL 1
YamSengAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

YamSengAuthor Commented:
Adjusted points to 20
0
y96andhaCommented:
You need to use the LookupAccountSid function. Just pass in the pointer to the SID, and you will receive the name of the user and the domain the account was found on.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
YamSengAuthor Commented:
Ho do I get the sid?

pEventLogRecord + pEventLogRecord->UserSidOffset  ?
and pEventLogRecord->UserSidLength ?

Can show me a sample?  
0
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

y96andhaCommented:
20 points is not much.

if(pEventLogRecord->UserSidLength) {
 PSID sp;
 sp = (PSID)(((char *)pEventLogRecord) + pEventLogRecord->UserSidOffset);

 SID_NAME_USE snu;
 DWORD len1,len2;
 int ok;
 TCHAR name[256],dom[256];
 len1=len2=256;
 ok = LookupAccountSid(0,sp,name,&len1,dom,&len2,&snu);
 if(ok) {
   // Success
 } else {
  printf("Error: %d\n",GetLastError());  
 }
}

I have not tested this code, but it should work.
0
YamSengAuthor Commented:
sorry about the points, but I a new member and I dun have much points.....

anyway, I've increased the points....
0
YamSengAuthor Commented:
If you can help me, I can only offer this much....sorry!
0
YamSengAuthor Commented:
I've tried the codes, but found that it gives the user that I do not want.  I want the user name.

If you go to event viewer, you can see that under security log, details for eventID 529 (failed to logon) has 2 "user".  One is "user" the other is "user name"

For example:
If my name is ash and I failed to logon to NT workstation, the event viewer should show

user = system
username = ash

The user name is the value I want to find out.....

thanks!

0
y96andhaCommented:
OK, you mean the name in the description box?

This is found in one of the strings, I am not sure which one, and I currently don't have any such entries in my log. You could test it out yourself. The strings are accessed like this:

 TCHAR *p;
 p = (TCHAR *)(((char *)pEventLogRecord) + pEventLogRecord->StringOffset);

 int i;
 for(i=0;i<pEventLogRecord->NumStrings;i++) {
  wprintf(L"String %d : %s\n", i, p);
  p+=_tcslen(p)+1;
 }

0
YamSengAuthor Commented:
Thanks!!!  I've got it...

FYI, the user name is in string 0.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Development

From novice to tech pro — start learning today.