Merge pull request #48 from fluent-plugins-nursery/skip-sid-translati…

…on-for-capability-sids Skip SID translation for capability SIDs
fluent-plugins-nursery · Aug 19, 2024 · 5e1d6ee · 5e1d6ee
2 parents 792555a + f09c877
commit 5e1d6ee
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/ext/winevt/winevt_utils.cpp b/ext/winevt/winevt_utils.cpp
@@ -885,14 +885,21 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers, BOOL preserveSI
       if (preserveSID_p) {
         rbstr = rb_utf8_str_new_cstr(pwsSid);
         rb_hash_aset(hash, rb_str_new2("UserID"), rbstr);
-        LocalFree(pwsSid);
       }
-      if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
-                       &expandSID) == 0) {
-        rbstr = rb_utf8_str_new_cstr(expandSID);
-        free(expandSID);
-        rb_hash_aset(hash, rb_str_new2("User"), rbstr);
+      /* S-1-15-3- is used for capability SIDs. So, we need to skip
+       * SID translation.
+       * ref: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+       * See also: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/sids-not-resolve-into-friendly-names
+       */
+      if (strnicmp(pwsSid, "S-1-15-3-", 9) != 0) {
+        if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
+                             &expandSID) == 0) {
+          rbstr = rb_utf8_str_new_cstr(expandSID);
+          free(expandSID);
+          rb_hash_aset(hash, rb_str_new2("User"), rbstr);
+        }
       }
+      LocalFree(pwsSid);
     }
   }