How to find the user account of elevated app on SUA?


AndyFul

The problem is related to executing the program (coded in AutoIt) with admin rights on a Standard User Account (SUA). The program is initially started from the SUA as a standard user, but after elevation, the program is actually running on an Administrator type of account. Only the program GUI windows are displayed on the initial SUA. The Administrator account, where the program is actually running, is determined by the credentials written in the UAC prompt.

How can such a program check from what account (the SID of that account is required) it was started if several users are actually logged in to the computer?

It is rather easy to find out the SID of the current Administrator account where the elevated program is running, but it is harder to see backwards, because the program could be started initially from any actually logged SUA account.

I am thinking about finding the handle of the displayed window on the SUA and using this information to find out the SID of the SUA that hosts that handle.

Thanks for any suggestions.

It seems that the solution was found 9 years ago, here:

It worked for me for Windows 10 when on SUA or on Admin. Thanks.

 
; https://www.autoitscript.com/forum/topic/90572-_winapi_processlistowner_wts/
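#include <Security.au3>
Func _GetCurrentUser()
    ; WTSQuerySessionInformationW: server 0 = local machine, session -1 = WTS_CURRENT_SESSION, info class 5 = WTSUserName
    Local $result = DllCall("Wtsapi32.dll","int", "WTSQuerySessionInformationW", "Ptr", 0, "int", -1, "int", 5, "ptr*", 0, "dword*", 0)
    If @error Or $result[0] = 0 Then Return SetError(1,0,"")
    ; $result[5] is the returned size in bytes, so halve it to get the number of wchar elements
    Local $User = DllStructGetData(DllStructCreate("wchar[" & Int($result[5] / 2) & "]" , $result[4]),1)
    ; Release the buffer allocated by WTSQuerySessionInformationW
    DllCall("Wtsapi32.dll", "int", "WTSFreeMemory", "ptr", $result[4])
    Return $User
EndFunc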

Func _GetCurrentUserSID()
    ; Prog@ndy
    Local $User = _Security__LookupAccountName(_GetCurrentUser(),@ComputerName)
    If @error Then Return SetError(1,0,"")
    Return $User[0]
EndFunc

MsgBox(0, '', _GetCurrentUser() & @CRLF & _GetCurrentUserSID())

 

Edited by AndyFul
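
Added example (not part of the original posts): a variant of the same WTSQuerySessionInformationW approach that also reads the session's domain name (info class 7, WTSDomainName) so the SID lookup is domain-qualified, then compares the session owner's SID with the SID of the account the elevated process runs as. The helper names are hypothetical, and it assumes @LogonDomain and @UserName describe the account the process runs as.

```autoit
#include <Security.au3>

; WTS_INFO_CLASS values from wtsapi32.h
Global Const $WTS_USERNAME = 5, $WTS_DOMAINNAME = 7

; Hypothetical helper: one string property of the session this process runs in.
Func _SessionInfoString($iInfoClass)
    ; hServer = 0 (local machine), SessionId = -1 (WTS_CURRENT_SESSION)
    Local $aCall = DllCall("Wtsapi32.dll", "int", "WTSQuerySessionInformationW", _
            "ptr", 0, "int", -1, "int", $iInfoClass, "ptr*", 0, "dword*", 0)
    If @error Or $aCall[0] = 0 Then Return SetError(1, 0, "")
    Local $sValue = ""
    ; $aCall[5] is a byte count including the terminator; halve it for wchar elements
    If $aCall[5] >= 2 Then
        $sValue = DllStructGetData(DllStructCreate("wchar[" & Int($aCall[5] / 2) & "]", $aCall[4]), 1)
    EndIf
    DllCall("Wtsapi32.dll", "none", "WTSFreeMemory", "ptr", $aCall[4])
    Return $sValue
EndFunc

; Hypothetical helper: SID string for "DOMAIN\user" ("" on failure).
Func _AccountSID($sDomain, $sUser)
    If $sUser = "" Then Return SetError(1, 0, "")
    If $sDomain <> "" Then $sUser = $sDomain & "\" & $sUser
    Local $aAcct = _Security__LookupAccountName($sUser)
    If @error Or Not IsArray($aAcct) Then Return SetError(2, 0, "")
    Return $aAcct[0]
EndFunc

; Account that owns the desktop session (the SUA the program was started from)
Local $sSessionSID = _AccountSID(_SessionInfoString($WTS_DOMAINNAME), _SessionInfoString($WTS_USERNAME))
; Account the process itself runs as (assumed to be the one entered in the UAC prompt)
Local $sProcessSID = _AccountSID(@LogonDomain, @UserName)

If $sSessionSID = "" Or $sProcessSID = "" Then
    MsgBox(16, "SID check", "Could not resolve one of the accounts.")
ElseIf $sSessionSID = $sProcessSID Then
    MsgBox(64, "SID check", "Same account: " & $sProcessSID)
Else
    MsgBox(48, "SID check", "Session owner: " & $sSessionSID & @CRLF & "Process account: " & $sProcessSID)
EndIf
```

When the two SIDs differ, the program was elevated with another account's credentials, and per-user data should be resolved against the session owner's SID rather than the process account.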