/*
 * Debug helper: resolves the user SID of hToken through the local LSA and
 * writes "<SidNameUse> <Domain>\<Name>" to the debugger via DbgPrint.
 * Failures at any step are silent; nothing is reported to the caller.
 * Requires only TOKEN_QUERY on hToken and POLICY_LOOKUP_NAMES on the policy.
 */
void PrintNameByToken(HANDLE hToken)
{
    SE_TOKEN_USER tokenUser;
    ULONG returned;

    /* SE_TOKEN_USER carries its own SID storage, so one query suffices. */
    if (NtQueryInformationToken(hToken, TokenUser, &tokenUser, sizeof(tokenUser), &returned) < 0)
    {
        return;
    }

    LSA_OBJECT_ATTRIBUTES attrs = { sizeof(attrs) };
    HANDLE hPolicy;
    if (LsaOpenPolicy(0, &attrs, POLICY_LOOKUP_NAMES, &hPolicy) < 0)
    {
        return;
    }

    /* Both out-buffers stay NULL when the lookup fails; they are always freed below. */
    PLSA_REFERENCED_DOMAIN_LIST domains = 0;
    PLSA_TRANSLATED_NAME names = 0;
    NTSTATUS lookup = LsaLookupSids2(hPolicy, 0, 1, &tokenUser.TokenUser.User.Sid, &domains, &names);
    if (0 <= lookup)
    {
        PCUNICODE_STRING domainName = 0;
        /*
         * DomainIndex is a signed LONG and is -1 when the name has no
         * domain (per the LSA contract); the unsigned comparison rejects
         * that case together with any out-of-range index.
         */
        if ((ULONG)names->DomainIndex < domains->Entries)
        {
            domainName = &domains->Domains[names->DomainIndex].Name;
        }
        /* A NULL %wZ argument is tolerated by the ntdll formatter. */
        DbgPrint("%x %wZ\\%wZ\n", names->Use, domainName, &names->Name);
    }

    LsaFreeMemory(domains);
    LsaFreeMemory(names);
    LsaClose(hPolicy);
}
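/*
 * Reports whether the current process token belongs to the SYSTEM logon
 * session, i.e. whether its AuthenticationId equals SYSTEM_LUID.
 *
 * Note that this is a logon-session check (TOKEN_STATISTICS.AuthenticationId),
 * not a user-SID check: a token for the SYSTEM account created in a different
 * logon session would not match.
 *
 * @param pbIsSystem  Receives TRUE when the token is in the SYSTEM logon
 *                    session; set to FALSE on every failure path so the
 *                    caller never reads an indeterminate value.
 * @return            STATUS_SUCCESS, or the NTSTATUS of the failing call
 *                    (NtOpenProcessToken or NtQueryInformationToken).
 *
 * Side effect: on a successful query, prints the token's account name to the
 * debugger via PrintNameByToken.
 */
NTSTATUS IsSystem(_Out_ PBOOL pbIsSystem)
{
    *pbIsSystem = FALSE;

    HANDLE hToken;
    NTSTATUS status = NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken);
    if (0 <= status)
    {
        TOKEN_STATISTICS ts;
        /*
         * Use a dedicated ReturnLength variable. Pointing ReturnLength at a
         * field inside the output buffer (ts.DynamicCharged) overlaps the two
         * out-parameters and makes the result depend on the order in which
         * the kernel writes them; a separate ULONG removes that dependency.
         */
        ULONG cb;
        status = NtQueryInformationToken(hToken, TokenStatistics, &ts, sizeof(ts), &cb);
        if (0 <= status)
        {
            static const LUID System = SYSTEM_LUID;
            *pbIsSystem =
                System.LowPart == ts.AuthenticationId.LowPart &&
                System.HighPart == ts.AuthenticationId.HighPart;
            PrintNameByToken(hToken);
        }
        NtClose(hToken);
    }
    return status;
}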