I have a need to determine the SIDs for the account domain (PolicyAccountDomainInformation) and primary domain (PolicyDnsDomainInformation) in an FSD. I understand that this information lives inside the user-mode LSA service. In user mode it is straightforward to get this information by using the LsaQueryInformationPolicy API. In kernel mode there is no direct equivalent; the SecLookup* exports from ksecdd provide limited access to the LSA.

I am considering the following 2 solutions:

HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS - SID for PolicyAccountDomainInformation
HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmS - SID for PolicyDnsDomainInformation

Does anyone have any better suggestions?
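Whichever way the value is obtained (from a driver via ZwOpenKey/ZwQueryValueKey, or from user mode), the REG_BINARY blob should be validated before it is treated as a domain SID: the declared sub-authority count must fit inside the bytes actually returned, and an account or primary domain SID has the fixed shape S-1-5-21-X-Y-Z. The code below is an added example, not code from the original post or from any OSR project. It is a portable C parser for the on-disk SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) with a truncation check and a domain-shape check; the sample bytes and the assumption that the registry value holds a raw SID blob are constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout:
 *   byte 0      Revision (always 1)
 *   byte 1      SubAuthorityCount (0..15)
 *   bytes 2..7  IdentifierAuthority, 48-bit big-endian
 *   then SubAuthorityCount x 32-bit little-endian sub-authorities  */
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_HEADER_LEN 8

/* Constructed sample: S-1-5-21-1000-2000-3000, as a REG_BINARY value might hold it. */
const uint8_t SAMPLE_DOMAIN_SID[24] = {
    0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00,   /* 21   */
    0xE8, 0x03, 0x00, 0x00,   /* 1000 */
    0xD0, 0x07, 0x00, 0x00,   /* 2000 */
    0xB8, 0x0B, 0x00, 0x00    /* 3000 */
};

/* Byte length the blob claims, or 0 if the header is invalid or the buffer
 * is shorter than the header says (the check RtlValidSid performs before
 * RtlLengthSid can be trusted). */
size_t sid_blob_length(const uint8_t *blob, size_t len)
{
    if (blob == NULL || len < SID_HEADER_LEN) return 0;
    if (blob[0] != 1) return 0;
    if (blob[1] > SID_MAX_SUB_AUTHORITIES) return 0;
    size_t need = SID_HEADER_LEN + (size_t)blob[1] * 4u;
    return (len >= need) ? need : 0;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Format as "S-1-<authority>-<sub>-...". Fails on malformed input or a
 * too-small output buffer instead of emitting a partial string. */
bool sid_to_string(const uint8_t *blob, size_t len, char *out, size_t outlen)
{
    if (sid_blob_length(blob, len) == 0 || out == NULL || outlen == 0) return false;

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | blob[2 + i];

    int n = snprintf(out, outlen, "S-%u-%" PRIu64, (unsigned)blob[0], authority);
    if (n < 0 || (size_t)n >= outlen) return false;
    size_t pos = (size_t)n;

    for (unsigned i = 0; i < blob[1]; i++) {
        uint32_t sub = read_le32(blob + SID_HEADER_LEN + i * 4u);
        n = snprintf(out + pos, outlen - pos, "-%" PRIu32, sub);
        if (n < 0 || (size_t)n >= outlen - pos) return false;
        pos += (size_t)n;
    }
    return true;
}

/* Shape check for an account/primary domain SID: authority 5 (NT),
 * exactly four sub-authorities, the first of which is 21. */
bool is_domain_sid(const uint8_t *blob, size_t len)
{
    if (sid_blob_length(blob, len) == 0) return false;
    if (blob[1] != 4) return false;
    for (int i = 2; i < 7; i++) if (blob[i] != 0) return false;
    if (blob[7] != 5) return false;
    return read_le32(blob + SID_HEADER_LEN) == 21;
}

/* Convenience wrapper returning a static string, or NULL on invalid input. */
const char *sid_string_static(const uint8_t *blob, size_t len)
{
    static char buf[8 + 20 + SID_MAX_SUB_AUTHORITIES * 11 + 1];
    return sid_to_string(blob, len, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    const char *s = sid_string_static(SAMPLE_DOMAIN_SID, sizeof SAMPLE_DOMAIN_SID);
    printf("full blob:      %s (domain SID: %s)\n", s ? s : "<invalid>",
           is_domain_sid(SAMPLE_DOMAIN_SID, sizeof SAMPLE_DOMAIN_SID) ? "yes" : "no");
    /* Truncated read: the header claims 4 sub-authorities but only 20 bytes arrived. */
    s = sid_string_static(SAMPLE_DOMAIN_SID, 20);
    printf("truncated blob: %s\n", s ? s : "<invalid>");
    return 0;
}
```

In a driver the same checks are available as RtlValidSid, RtlLengthSid and RtlConvertSidToUnicodeString; the point of the portable version is to show the length check that must precede any use of the value, since a short or malformed registry blob would otherwise be read past its end.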