I'm developing a Windows 10 credential provider which acts only at the unlock scenario (of a currently signed in user). As described here, starting from Windows 10, the CPUS_LOGON and CPUS_UNLOCK_WORKSTATION user scenarios have been combined. Credential providers that need to enumerate the currently user logged into the system can keep track of the current user or leverage APIs such as WTSQuerySessionInformation to obtain that information.
Using WTSQuerySessionInformation, I can get the username of the currently logged in user (WTSUserName). At login, the system calls ICredentialProviderSetUserArray::SetUserArray during the initialization of the login UI to retrieve the set of users to show in the UI. Credential provider users (ICredentialProviderUser) can be retrieved from the ICredentialProviderUserArray interface and for each user we can query the username (by querying the string value PKEY_Identity_UserName). Comparing the username from WTSQuerySessionInformation and the one returned by PKEY_Identity_UserName allows me to know which user is the last currently locked user. (There could be multiple accounts with PKEY_Identity_LogonStatusString set to "Locked").
This works well for local accounts which are not signed in with a Microsoft Account. For the ones signed in as Microsoft Account, the username returned by WTSQuerySessionInformation differs from the one given by PKEY_Identity_UserName.
For user signed in as "[email protected]", I got the following mismatch.
Using WTSQuerySessionInformation, I get as username of currently locked user:
Username: my_us
And the one returned by PKEY_Identity_UserName is well:
Username: [email protected]
Qualified Username: MicrosoftAccount\[email protected]
The username returned by the WTSQuerySessionInformation is truncated and don't report the full email address and thus don't allow me to compare to the other usernames while enumerating the users.
Any idea why the username is cropped this way? Is there a way to get the full username using WTSQuerySessionInformation? This behaviour has been tested on a freshly created Microsoft Account.
I solved this issue by comparing the SID rather than the username and domain. The SID can be retrieved using LookupAccountName with the username and domain of the currently locked user (query WTSUserName and WTSDomainName with WTSQuerySessionInformation). This example code from Microsoft was very helpful.
Then while looping through the credential provider users (in the ICredentialProviderSetUserArray::SetUserArray function), I could detect which one is the currently locked user. Thanks @Swift to point me on the solution.