The correct way to find out if a service is running as a SYSTEM user

What is the right way to find out if a process is running as the SYSTEM user? I am looking for a Win32 C API to check for the SYSTEM user.

We used to check if the username was "SYSTEM", but with Windows Server 2008 R2, the SYSTEM user name becomes localized, i.e. SYSTEEM on a Dutch system.

I cannot find much information about the SYSTEM user through search engines, since you get millions of false hits.

Thanks in advance, Neil

+3
1 answer

There is code for this, regardless of localization, here.

#include <windows.h>

// Returns TRUE if the calling process's token user is the LocalSystem account (S-1-5-18).
// The comparison is on the SID, so it is unaffected by the localized account name.
BOOL IsLocalSystem(void)
{
  HANDLE hToken;
  // Buffer large enough for a TOKEN_USER plus the largest possible SID
  UCHAR bTokenUser[sizeof(TOKEN_USER) + 8 + 4 * SID_MAX_SUB_AUTHORITIES];
  PTOKEN_USER pTokenUser = (PTOKEN_USER)bTokenUser;
  ULONG cbTokenUser;
  SID_IDENTIFIER_AUTHORITY siaNT = SECURITY_NT_AUTHORITY;
  PSID pSystemSid;
  BOOL bSystem;

  // open process token
  if (!OpenProcessToken(GetCurrentProcess(),
    TOKEN_QUERY,
    &hToken))
      return FALSE;

  // retrieve user SID
  if (!GetTokenInformation(hToken, TokenUser, pTokenUser,
    sizeof(bTokenUser), &cbTokenUser))
  {
    CloseHandle(hToken);
    return FALSE;
  }

  CloseHandle(hToken);

  // allocate LocalSystem well-known SID (S-1-5-18)
  if (!AllocateAndInitializeSid(&siaNT, 1, SECURITY_LOCAL_SYSTEM_RID,
    0, 0, 0, 0, 0, 0, 0, &pSystemSid))
    return FALSE;

  // compare the user SID from the token with the LocalSystem SID
  bSystem = EqualSid(pTokenUser->User.Sid, pSystemSid);

  FreeSid(pSystemSid);

  return bSystem;
}


+7
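The following is an added example, not code from the question or the answer, and it does not call the Win32 API: it is a portable, stand-alone model of the check the answer performs, so it can be compiled anywhere. A minimal struct mirrors the Win32 SID layout (revision, 48-bit identifier authority, sub-authorities), parse_sid() turns the textual "S-1-5-18" form into it, make_nt_sid() stands in for AllocateAndInitializeSid(), and equal_sid() does what EqualSid() does: compare the whole structure, never an account name. The sample accounts and the domain SID in main() are constructed; the well-known values (NT authority 5, RIDs 18/19/20) are the ones from the Windows SDK headers. It goes slightly beyond the answer by also recognizing LocalService and NetworkService.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15   /* same limit as the Windows SDK */

/* Same fields as the Win32 SID; the identifier authority is 48 bits on Windows. */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint64_t identifier_authority;
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Well-known values from the Windows SDK: SECURITY_NT_AUTHORITY is {0,0,0,0,0,5}. */
enum { NT_AUTHORITY = 5, LOCAL_SYSTEM_RID = 18, LOCAL_SERVICE_RID = 19, NETWORK_SERVICE_RID = 20 };

/* Read one decimal component; rejects the signs and whitespace strtoull would accept. */
static bool read_num(const char **p, unsigned long long max, unsigned long long *out)
{
    if (!isdigit((unsigned char)**p))
        return false;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(*p, &end, 10);
    if (errno != 0 || v > max)
        return false;
    *p = end;
    *out = v;
    return true;
}

/* Parse "S-R-A-S1-S2-..." into sid_t. Returns false on malformed input. */
bool parse_sid(const char *text, sid_t *out)
{
    unsigned long long v;
    memset(out, 0, sizeof *out);
    if (text[0] != 'S' || text[1] != '-')
        return false;
    const char *p = text + 2;
    if (!read_num(&p, 255, &v) || *p != '-')
        return false;
    out->revision = (uint8_t)v;
    p++;
    if (!read_num(&p, 0xFFFFFFFFFFFFULL, &v))
        return false;
    out->identifier_authority = v;
    while (*p == '-') {
        if (out->sub_authority_count == SID_MAX_SUB_AUTHORITIES)
            return false;
        p++;
        if (!read_num(&p, 0xFFFFFFFFULL, &v))
            return false;
        out->sub_authority[out->sub_authority_count++] = (uint32_t)v;
    }
    return *p == '\0';
}

/* Counterpart of AllocateAndInitializeSid(&siaNT, 1, rid, 0, ..., &sid) in the answer. */
void make_nt_sid(uint32_t rid, sid_t *out)
{
    memset(out, 0, sizeof *out);
    out->revision = 1;
    out->identifier_authority = NT_AUTHORITY;
    out->sub_authority_count = 1;
    out->sub_authority[0] = rid;
}

/* Counterpart of EqualSid(): structural comparison of every field. */
bool equal_sid(const sid_t *a, const sid_t *b)
{
    if (a->revision != b->revision || a->identifier_authority != b->identifier_authority ||
        a->sub_authority_count != b->sub_authority_count)
        return false;
    return memcmp(a->sub_authority, b->sub_authority,
                  a->sub_authority_count * sizeof a->sub_authority[0]) == 0;
}

/* Classify a token-user SID the way IsLocalSystem() does, extended to the two
 * other built-in service accounts. Returns a fixed string so it is easy to test. */
const char *classify_sid_text(const char *sid_text)
{
    sid_t user, known;
    if (!parse_sid(sid_text, &user))
        return "invalid";
    make_nt_sid(LOCAL_SYSTEM_RID, &known);
    if (equal_sid(&user, &known)) return "LocalSystem";
    make_nt_sid(LOCAL_SERVICE_RID, &known);
    if (equal_sid(&user, &known)) return "LocalService";
    make_nt_sid(NETWORK_SERVICE_RID, &known);
    if (equal_sid(&user, &known)) return "NetworkService";
    return "other";
}

/* The name comparison the question describes: breaks as soon as the name is localized. */
bool name_says_system(const char *account_name)
{
    return strcmp(account_name, "SYSTEM") == 0;
}

int main(void)
{
    /* Constructed sample accounts: the SID stays S-1-5-18 whatever the display name is. */
    static const struct { const char *name, *sid; } samples[] = {
        { "SYSTEM",        "S-1-5-18" },
        { "SYSTEEM",       "S-1-5-18" },   /* Dutch display name from the question */
        { "LOCAL SERVICE", "S-1-5-19" },
        { "neil",          "S-1-5-21-1000000000-2000000000-3000000000-1013" }, /* made-up domain user */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s by name: %-4s by SID: %s\n", samples[i].name,
               name_says_system(samples[i].name) ? "yes" : "no",
               classify_sid_text(samples[i].sid));
    return 0;
}
```

The point the table makes is the one in the answer: "SYSTEEM" fails the string test but its SID still compares equal to S-1-5-18, so a service should decide on the SID. On a real system the SID comes from GetTokenInformation(TokenUser) exactly as in the answer; ConvertSidToStringSid() produces the textual form this parser accepts.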

Source: https://habr.com/ru/post/1771494/
