How Does Netplwiz Get a UserName?

Question

If a Windows username is created in a [email protected] email syntax, the System.Security.Principal.WindowsIdentity.GetCurrent().Name value returned is in the DOMAIN\UserName syntax.

How does Netplwiz retrieve and display usernames properly in their email syntax? Can that be done for the currently logged in user?

What classes/methods/fields are available for retrieval?

Answer 1

If a Windows username is created in a [email protected] email syntax...

They're more formally referred to as User Principal Name, or UPN for short precisely to avoid confusion with identically-formatted SMTP e-mail addresses.

_{Nostalgia time!: Back in the days of Windows 2000 I remember the mood and expectation was that UPNs would eventually be mapped to a valid e-mail address and they'd replace NT's DOMAIN\USERNAME-style logins long before Windows Server 2003 came out - well, that never happened, and despite Microsoft really pushing people to use UPNs in the early 2000s I think they realised it wasn't going to go anywhere by the time Windows 7 came out.}

How does Netplwiz retrieve and display usernames properly in their email syntax?

(Ghidra speedrun time...)

I noticed that netplwiz uses COM to access and call-out into services that would be resolved at runtime and so it's possible that netplwiz may be using some hither-unknown COM interface/service to perform some aspects of name translation, so the function list here is not exhaustive.

But moving on to what a straightforward static-analysis can tell us:

• Looking at the Imports table, ``netplwiz.dll` directly references dozens of Win32 libraries, and from those I saw these imported funcs that can perform name translation (either searching by UPN or login-name and resolving it to a SID, or vice-versa; or translating between them).

  • API-MS-WIN-SECURITY-ACTIVEDIRECTORYCLIENT-L1-1-0.DLL::DsCrackNamesW
  • API-MS-WIN-SECURITY-LSALOOKUP-L2-1-0.DLL::LookupAccountNameW
  • API-MS-WIN-SECURITY-LSALOOKUP-L2-1-0.DLL::LookupAccountSidW
  • API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL::ConvertSidToStringSidW
  • DSROLE.DLL::DsRoleGetPrimaryDomainInformation
  • SAMCLI.DLL::NetLocalGroupEnum
  • SAMCLI.DLL::NetLocalGroupGetMembers
  • SAMCLI.DLL::NetUserGetInfo
  • SECUR32.DLL::TranslateNameW

---

There are other parts of Win32 that can do this too, which netplziwz doesn't use, like:

• NetQueryDisplayInformation.
• NetUserEnum
• GetUserNameExW

---

Can that be done for the currently logged in user?

Yes.

From the command-line, just run whoami /upn

I poked around in whoami.exe just to be sure and it looks like it gets your username in UPN format using GetUserNameExW by passing NameUserPrincipal (i.e. the integer value 8) as the first argument: