craigw has asked for the wisdom of the Perl Monks concerning the following question:

Edited by mirod: added code (and other) tags

I'm writing a utility to do some parsing/reporting/alerting from the eventlog. I'm trying to deal with the events that are reporting the "Target Account ID:" with a SID, not a name.
I'm parsing the $event_handle{STRINGS} and passing LookupAccountSID the string that contains the SID, but the function fails.
I'm looking for a good example of how this can be done. All my searches seem to keep referring to Win32Faq9, which does not help. It mentions the function, and that's all. No examples.
Here's the code I'm trying to use. It's sloppy, but I'm just trying to get it to work, then I'll worry about efficiency.

    @strings = split(/\x00/, $evt_h->{Strings});
    foreach $piece (@strings) {
        print ("string-$piece\n");
    }
    print ("$strings[2]\n");
    $mysid = $strings[2];
    #tried this to strip off the %,{,} but it didn't help
    #$mysid =~ s/[\%{}]//g;
    print ("mysid: $mysid\n");
    if (Win32::LookupAccountSID($nodename, $strings[2], $account, $domain, $sidtype)) {
        print ("Account: $account\n");
        print (" Domain: $domain\n");
        print ("SIDType: $sidtype\n");
    } else {
        print ("LookupAccountSID Error\n");
    }

Replies are listed 'Best First'.
Re: How to use LookupAccountSID
by davemabe (Monk) on Feb 28, 2001 at 20:30 UTC
    LookupAccountSID takes a binary SID, not the text SID that commonly appears in NT Event Logs. You will first need to convert that text SID to binary and then feed it to LookupAccountSID. Here is some code to do that conversion:

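    sub SID_text2bin {
        my($text) = @_;
        my(@Values) = split(/\-/, $text);
        # string comparison: a text SID starts with the literal "S"
        ($Values[0] eq "S") or return;
        # revision, sub-authority count, 6-byte authority, then the sub-authorities
        return pack("CCnnnV".(@Values-3), $Values[1], @Values-3, 0, 0,
                    $Values[2], @Values[3..(@Values-1)]);
    }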
    Dave
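
The conversion davemabe describes, carried through as an added example that is not part of the original posts: it strips the `%{...}` wrapper the question mentions, validates the fields, packs the binary SID and round-trips it before calling Win32::LookupAccountSID. The names sid_text2bin and sid_bin2text are hypothetical, and the sample SID is constructed.

```perl
use strict;
use warnings;

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes, big-endian), sub-authorities (32-bit LE each).
sub sid_text2bin {
    my ($text) = @_;
    return unless defined $text;
    $text =~ s/^\s*%?\{?//;    # drop a leading "%{" wrapper, if present
    $text =~ s/\}?\s*$//;      # drop the trailing "}"
    return unless $text =~ /^S-([0-9]+)-([0-9]+)((?:-[0-9]+)*)$/;
    my ($rev, $auth, $rest) = ($1, $2, $3);
    my @sub = grep { length } split /-/, $rest;
    return if $rev > 255 || $auth >= 2**48 || @sub > 15;
    return if grep { $_ > 0xFFFFFFFF } @sub;
    # 48-bit authority written as 16 high bits plus 32 low bits, big-endian
    return pack('CCnNV*', $rev, scalar @sub,
                int($auth / 2**32), $auth % 2**32, @sub);
}

# Inverse conversion, used here to confirm the packed bytes are well formed.
sub sid_bin2text {
    my ($bin) = @_;
    return unless defined $bin && length($bin) >= 8;
    my ($rev, $count, $hi, $lo) = unpack('CCnN', $bin);
    return unless length($bin) == 8 + 4 * $count;
    my @sub = unpack('x8 V' . $count, $bin);
    return join '-', 'S', $rev, $hi * 2**32 + $lo, @sub;
}

# Constructed sample in the "%{S-...}" form the question describes.
my $from_log = '%{S-1-5-21-1004336348-1177238915-682003330-512}';
my $bin = sid_text2bin($from_log) or die "not a SID: $from_log\n";
printf "binary SID (%d bytes): %s\n", length $bin, unpack 'H*', $bin;
print  "round trip: ", sid_bin2text($bin), "\n";

# On Windows, pass the packed bytes (not the text) to LookupAccountSID.
if ($^O eq 'MSWin32') {
    require Win32;
    my ($account, $domain, $sidtype);
    if (Win32::LookupAccountSID(Win32::NodeName(), $bin, $account, $domain, $sidtype)) {
        print "Account: $domain\\$account (type $sidtype)\n";
    } else {
        print "LookupAccountSID failed for ", sid_bin2text($bin), "\n";
    }
}
```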