Solved

Get User ID from EVENTLOGRECORD

Posted on 1997-07-09
566 Views
Last Modified: 2013-12-03
I think this question is quite straightforward.....but I don't know how to go about it.....my question:

How can I get User ID from EVENTLOGRECORD?  

Example:
If I have an EVENTLOGRECORD pointer that points to a record, how do I print that user ID using that record pointer, to a string?

I think that maybe using UserSidOffset or/and UserSidLength might help.....but I don't know how to.

Any suggestion will be appreciated.
Question by:YamSeng
9 Comments
 
LVL 1

Author Comment

by:YamSeng
ID: 1400483
Adjusted points to 20
0
 
LVL 5

Accepted Solution

by:
y96andha earned 50 total points
ID: 1400484
You need to use the LookupAccountSid function. Just pass in the pointer to the SID, and you will receive the name of the user and the domain the account was found on.
0
 
LVL 1

Author Comment

by:YamSeng
ID: 1400485
How do I get the SID?

pEventLogRecord + pEventLogRecord->UserSidOffset  ?
and pEventLogRecord->UserSidLength ?

Can you show me a sample?
0
 
LVL 5

Expert Comment

by:y96andha
ID: 1400486
20 points is not much.

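// Requires <windows.h> and <stdio.h>.
if(pEventLogRecord->UserSidLength) {
 // The SID is stored inside the record, UserSidOffset bytes from its start.
 PSID sp;
 sp = (PSID)(((char *)pEventLogRecord) + pEventLogRecord->UserSidOffset);

 SID_NAME_USE snu;
 DWORD len1,len2;   // buffer sizes in TCHARs, updated by the call
 BOOL ok;
 TCHAR name[256],dom[256];
 len1=len2=256;
 // NULL system name: the lookup starts on the local machine.
 ok = LookupAccountSid(NULL,sp,name,&len1,dom,&len2,&snu);
 if(ok) {
   // Success: name holds the account name, dom the domain it was found on
 } else {
  printf("Error: %lu\n",GetLastError());
 }
}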

I have not tested this code, but it should work.
0
 
LVL 1

Author Comment

by:YamSeng
ID: 1400487
Sorry about the points, but I am a new member and I don't have many points.....

anyway, I've increased the points....
0
 
LVL 1

Author Comment

by:YamSeng
ID: 1400488
If you can help me, I can only offer this much....sorry!
0
 
LVL 1

Author Comment

by:YamSeng
ID: 1400489
I've tried the code, but found that it gives the user that I do not want.  I want the user name.

If you go to event viewer, you can see that under security log, details for eventID 529 (failed to logon) has 2 "user".  One is "user" the other is "user name"

For example:
If my name is ash and I failed to logon to NT workstation, the event viewer should show

user = system
username = ash

The user name is the value I want to find out.....

thanks!

0
 
LVL 5

Expert Comment

by:y96andha
ID: 1400490
OK, you mean the name in the description box?

This is found in one of the strings, I am not sure which one, and I currently don't have any such entries in my log. You could test it out yourself. The strings are accessed like this:

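 // Requires <windows.h>, <tchar.h> and <stdio.h>.
 // The insertion strings are stored back to back, each NUL-terminated.
 TCHAR *p;
 p = (TCHAR *)(((char *)pEventLogRecord) + pEventLogRecord->StringOffset);

 int i;
 for(i=0;i<pEventLogRecord->NumStrings;i++) {
  _tprintf(_T("String %d : %s\n"), i, p);
  p+=_tcslen(p)+1;   // step over the string and its terminator
 }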

0
 
LVL 1

Author Comment

by:YamSeng
ID: 1400491
Thanks!!!  I've got it...

FYI, the user name is in string 0.  
0
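
Added example, not part of the thread: the two snippets above add `UserSidOffset` and `StringOffset` to the record pointer and trust them, so this portable C version reads the same header fields from a byte buffer and checks every offset and length against the record's `Length` before dereferencing. It formats the SID as `S-1-...` text instead of calling `LookupAccountSid`. The function names, the `SAMPLE` bytes (constructed, with the source and computer names omitted) and the assumption of UTF-16 strings as returned by `ReadEventLogW` are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte offsets of the EVENTLOGRECORD header fields used here (header is 56 bytes). */
enum { NUMSTRINGS = 26, STRINGOFFSET = 36, SIDLEN = 40, SIDOFF = 44, HDR = 56 };
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static uint32_t rec_len(const uint8_t *rec, size_t avail) { /* sane Length, else 0 */
    return (avail >= HDR && rd32(rec) >= HDR && rd32(rec) <= avail) ? rd32(rec) : 0;
}

static const uint8_t SAMPLE[80] = { /* constructed: event 529, SID S-1-5-18, string 0 "ash" */
    80,0,0,0, 'L','f','L','e', 1,0,0,0, 0,0,0,0, 0,0,0,0, 0x11,2,0,0,  /* Length..EventID */
    0x10,0, 1,0, 0,0, 0,0, 0,0,0,0, 68,0,0,0, 12,0,0,0, 56,0,0,0, 0,0,0,0, 76,0,0,0,
    1,1, 0,0,0,0,0,5, 18,0,0,0,  'a',0,'s',0,'h',0,0,0,  80,0,0,0 };  /* SID, "ash", Length */

/* User SID as text; -1 if absent, malformed or outside the record. */
int record_sid_string(const uint8_t *rec, size_t avail, char *out, size_t outsz) {
    uint32_t len = rec_len(rec, avail);
    uint32_t slen = len ? rd32(rec + SIDLEN) : 0, soff = len ? rd32(rec + SIDOFF) : 0;
    if (slen < 8 || soff < HDR || soff > len || slen > len - soff) return -1;
    const uint8_t *sid = rec + soff;             /* Revision, SubAuthorityCount, ... */
    if (sid[0] != 1 || sid[1] > 15 || 8 + 4u * sid[1] > slen) return -1;
    unsigned long long auth = 0;                 /* 6-byte big-endian authority */
    for (int i = 2; i < 8; i++) auth = auth << 8 | sid[i];
    int n = snprintf(out, outsz, "S-1-%llu", auth);
    for (unsigned i = 0; i < sid[1] && n > 0 && (size_t)n < outsz; i++)
        n += snprintf(out + n, outsz - (size_t)n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
    return (n > 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Insertion string `want` (UTF-16LE narrowed to ASCII); -1 if unterminated. */
int record_string(const uint8_t *rec, size_t avail, unsigned want, char *out, size_t outsz) {
    uint32_t len = rec_len(rec, avail), pos = len ? rd32(rec + STRINGOFFSET) : 0;
    if (pos < HDR || want >= rd16(rec + NUMSTRINGS)) return -1;
    for (size_t o = 0, idx = 0; pos <= len - 2 && o < outsz; pos += 2) {
        uint32_t c = rd16(rec + pos);
        if (idx == want) out[o++] = c < 0x80 ? (char)c : '?';
        if (c == 0 && idx++ == want) return 0;   /* terminator copied: done */
    }
    return -1;                                   /* ran off the record or the buffer */
}

int main(void) {
    char buf[64];
    if (!record_sid_string(SAMPLE, sizeof SAMPLE, buf, sizeof buf)) printf("user SID: %s\n", buf);
    if (!record_string(SAMPLE, sizeof SAMPLE, 0, buf, sizeof buf)) printf("string 0: %s\n", buf);
    return 0;
}
```

The `slen > len - soff` form keeps the bounds check free of integer overflow when a record carries a very large `UserSidLength`.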


Question has a verified solution.
