Determine SIDs for account domain and primary domain from kernel mode

I have a need to determine the SIDs for the account domain (PolicyAccountDomainInformation) and primary domain (PolicyDnsDomainInformation) in an FSD. I understand that this information lives inside the user-mode LSA service. In user mode it is straightforward to get this information by using the LsaQueryInformationPolicy API. In kernel mode there is no direct equivalent; the SecLookup* exports from ksecdd provide limited access to the LSA.

I am considering the following 2 solutions:

  • Pass the information to the FSD from a user mode process. Unfortunately this is not easily feasible for all of the scenarios that I wish to enable. Ideally I would like to have a kernel-mode solution.
  • Access the information that I need directly from the registry:
      HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS - SID for PolicyAccountDomainInformation
      HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmS - SID for PolicyDnsDomainInformation

Does anyone have any better suggestions?
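
If the registry route is taken, the value data has to be treated as an untrusted blob before it is used as a SID. The following is an added example, not part of the original post: portable C that bounds-checks a binary SID and renders it as text. It assumes the registry values hold a raw binary SID; `sid_blob_to_string` and `sample_sid_blob` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not a real machine's value): S-1-5-21-1111111111-16909060-1000 */
static const uint8_t sample_sid_blob[] = {
    0x01,                               /* Revision */
    0x04,                               /* SubAuthorityCount */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05, /* IdentifierAuthority, big-endian */
    0x15, 0x00, 0x00, 0x00,             /* 21 */
    0xC7, 0x35, 0x3A, 0x42,             /* 1111111111 */
    0x04, 0x03, 0x02, 0x01,             /* 16909060 */
    0xE8, 0x03, 0x00, 0x00              /* 1000 */
};

/* Validate an untrusted SID blob and render it as text; 0 on success, -1 on error. */
int sid_blob_to_string(const uint8_t *blob, size_t len, char *out, size_t outlen)
{
    if (blob == NULL || out == NULL || len < 8)
        return -1;                      /* fixed header is 8 bytes */
    unsigned rev = blob[0], count = blob[1];
    if (rev != 1 || count > 15)
        return -1;                      /* SID revision 1, at most 15 sub-authorities */
    if (len < 8 + 4 * (size_t)count)
        return -1;                      /* count claims more data than is present */
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++)
        auth = (auth << 8) | blob[2 + i];
    int n = snprintf(out, outlen, "S-%u-%llu", rev, (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *p = blob + 8 + 4 * i;   /* sub-authorities are little-endian */
        uint32_t sub = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        n = snprintf(out + used, outlen - used, "-%lu", (unsigned long)sub);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(void)
{
    char s[64];
    return sid_blob_to_string(sample_sid_blob, sizeof sample_sid_blob, s, sizeof s) || puts(s) < 0;
}
```

In a driver, RtlValidSid and RtlLengthSid are the documented routines for the header checks; comparing the resulting length against the size of the registry value data is still the caller's job.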