
Determine SIDs for account domain and primary domain from kernel mode

Bill_Zissimopoulos Member Posts: 110

I have a need to determine the SIDs for the account domain (PolicyAccountDomainInformation) and primary domain (PolicyDnsDomainInformation) in an FSD. I understand that this information lives inside the user-mode LSA service. In user mode it is straightforward to get this information by using the LsaQueryInformationPolicy API. In kernel mode there is no direct equivalent; the SecLookup* exports from ksecdd provide limited access to the LSA.

I am considering the following 2 solutions:

  • Pass the information to the FSD from a user mode process. Unfortunately this is not easily feasible for all of the scenarios that I wish to enable. Ideally I would like to have a kernel-mode solution.
  • Access the information that I need directly from the registry:
      HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS - SID for PolicyAccountDomainInformation
      HKEY_LOCAL_MACHINE\SECURITY\Policy\PolPrDmS - SID for PolicyDnsDomainInformation

Does anyone have any better suggestions?
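Added example, not code from the post: whichever route delivers the SID to the FSD, the bytes should be treated as untrusted input before RtlValidSid-style use. This portable C validates a raw SID blob (revision, sub-authority count, and buffer length) and renders it as an S-1-... string; it assumes the value data read from the keys above is a bare SID structure and does not show the ZwOpenKey/ZwQueryValueKey read itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define SID_REVISION 1
#define SID_MAX_SUB_AUTHORITIES 15

/* Length-aware validity check: a truncated or tampered registry value must
 * never make the caller read past the end of the buffer. */
static int sid_blob_valid(const uint8_t *blob, size_t len)
{
    if (blob == NULL || len < 8) return 0;                 /* header is 8 bytes */
    if (blob[0] != SID_REVISION) return 0;                 /* Revision */
    if (blob[1] > SID_MAX_SUB_AUTHORITIES) return 0;       /* SubAuthorityCount */
    return len >= 8 + (size_t)blob[1] * 4;                 /* SubAuthority[] present */
}

/* Format a raw SID blob as "S-R-IA-sub1-...". Returns the sub-authority
 * count on success, -1 if the blob is invalid or the output buffer is too small. */
int sid_blob_to_string(const uint8_t *blob, size_t len, char *out, size_t outlen)
{
    if (!sid_blob_valid(blob, len) || out == NULL || outlen == 0) return -1;
    uint8_t count = blob[1];
    /* IdentifierAuthority is a 48-bit big-endian value in bytes 2..7 */
    uint64_t ia = 0;
    for (int i = 2; i < 8; i++) ia = (ia << 8) | blob[i];
    /* Values that do not fit in 32 bits are conventionally printed in hex */
    int n = (ia > 0xFFFFFFFFull)
        ? snprintf(out, outlen, "S-%u-0x%llX", blob[0], (unsigned long long)ia)
        : snprintf(out, outlen, "S-%u-%llu", blob[0], (unsigned long long)ia);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (uint8_t i = 0; i < count; i++) {
        /* Each sub-authority is a 32-bit little-endian value */
        const uint8_t *p = blob + 8 + 4 * i;
        uint32_t sub = p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - n, "-%u", sub);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: S-1-5-21-1000-2000-3000 as it would appear in memory */
    static const uint8_t sid[] = { 0x01, 0x04, 0,0,0,0,0,0x05, 0x15,0,0,0,
                                   0xE8,0x03,0,0, 0xD0,0x07,0,0, 0xB8,0x0B,0,0 };
    char buf[128];
    if (sid_blob_to_string(sid, sizeof sid, buf, sizeof buf) >= 0) puts(buf);
    return 0;
}
```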
