Implement GetProcCredName in gosigar to address elastic/beats#590 ela…

…stic/topbeat#36 in windows

sigar_windows.go

@@ -306,6 +306,45 @@ func GetProcName(pid int) (string, error) {
 
 }
 
+func GetProcCredName(pid int) (string, error) {
+   handle, err := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, uint32(pid))
+
+	defer syscall.CloseHandle(handle)
+
+   if err != nil {
+		return "", fmt.Errorf("OpenProcess fails with %v", err)
+	}
+
+   var token syscall.Token
+
+   // Find process token via win32
+   retOpenProcessToken := syscall.OpenProcessToken(handle, syscall.TOKEN_QUERY, &token)
+   if retOpenProcessToken != nil {
+      return "", fmt.Errorf("Error opening process token %v", retOpenProcessToken)   
+   }
+
+   // Find sid from process token
+   bufferLength := uint32(256)
+   var tokenBuffer [256]byte
+   bufferPointer := (*byte)(unsafe.Pointer(&tokenBuffer))
+
+   var tokenUser syscall.Tokenuser
+
+   // Convert token to sid represented byte buffer
+   retGetTokenInfo := syscall.GetTokenInformation(token, uint32(1), bufferPointer, bufferLength, &bufferLength)
+   if retGetTokenInfo != nil {
+      return "", fmt.Errorf("Error getting process sid %v", retGetTokenInfo)
+   }
+
+   // marshal pointer to Tokenuser struct
+   tokenUser = *(*syscall.Tokenuser)(unsafe.Pointer(bufferPointer))
+
+   // look up domain account by sid
+   account, domain, _, _ := tokenUser.User.Sid.LookupAccount("localhost")
+
+   return fmt.Sprintf("%s\\%s", domain, account), nil
+}
+
 func GetProcStatus(pid int) (RunState, error) {
 
 	handle, err := syscall.OpenProcess(syscall.PROCESS_QUERY_INFORMATION, false, uint32(pid))