I have this function which is called for certain file events, such as opening a file, deleting a file, etc. Before the attempt is successful, this function of mine will decide if it should be allowed, so the system will suspend the act until the function is completed. If I have the process ID, how can I reliably get the user and group information for the process owner?
In my first attempt to get the user, I tried
::OpenThread(THREAD_QUERY_INFORMATION, FALSE, idThread);
Since I also have the thread ID, followed by
::OpenThreadToken(hThread, TOKEN_QUERY, TRUE, &hToken);
::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, idProcess);
::OpenProcessToken(hProcess, TOKEN_QUERY, &hToken);
::GetTokenInformation(hToken, TokenOwner, NULL, 0, &dwSizeTokenOwner);
I was disappointed to find that this returned "Administrators", which is not the user; it's the group.
So I moved on to WMI. So the thing that begins with
//The following is abbreviated for simplicity.
::CoInitializeEx(0, COINIT_MULTITHREADED);
when the session starts, and then every time I need to query for a user
sprintf(pQuery, "SELECT * FROM Win32_Process WHERE ProcessId = %lu", (unsigned long)idProcess);
HRESULT hres = m_wMIGlobals.m_pSvc->ExecQuery(bstr_t("WQL"), bstr_t(pQuery), WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY, NULL, &pEnumerator);
hres = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
hres = pclsObj->Get(L"GetOwner", 0, &vtProp, 0, 0);
But all I got from that is crashes.
I've been led to believe that these methods are not reliable for this context.
I'm running VS2015 (v140).
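An added example, not part of the original post: TokenOwner is the default owner SID for objects the process creates, which can be the Administrators group, while the account the process runs as is in TokenUser (its groups are in TokenGroups). The sketch below queries TokenUser with the same calls as the post and formats the SID with a bounds-checked parser; the function names SidToString and ProcessUserSid are hypothetical, and the Windows-only part is guarded by _WIN32.

```cpp
// Added example; SidToString and ProcessUserSid are hypothetical names.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Format a binary SID as "S-1-<authority>-<sub>...". Layout: revision (1 byte),
// sub-authority count (1 byte), authority (6 bytes, big-endian), then
// count x 32-bit little-endian sub-authorities. Returns "" if malformed.
std::string SidToString(const uint8_t* sid, size_t len) {
    if (!sid || len < 8 || sid[0] != 1 || sid[1] > 15) return "";
    if (len < 8 + 4 * static_cast<size_t>(sid[1])) return "";  // truncated
    uint64_t auth = 0;
    for (int i = 2; i < 8; ++i) auth = (auth << 8) | sid[i];
    std::string s = "S-1-" + std::to_string(auth);
    for (size_t i = 0; i < sid[1]; ++i) {
        const uint8_t* p = sid + 8 + 4 * i;
        uint32_t sub = p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
        s += "-" + std::to_string(sub);
    }
    return s;
}

#ifdef _WIN32
// SID string of the account the process runs as (TokenUser), or "" on failure.
std::string ProcessUserSid(DWORD pid) {
    std::string out;
    HANDLE hProc = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!hProc) return out;
    HANDLE hTok = nullptr;
    if (::OpenProcessToken(hProc, TOKEN_QUERY, &hTok)) {
        DWORD cb = 0;
        ::GetTokenInformation(hTok, TokenUser, nullptr, 0, &cb);  // size probe
        std::vector<uint8_t> buf(cb);
        if (cb && ::GetTokenInformation(hTok, TokenUser, buf.data(), cb, &cb)) {
            auto* tu = reinterpret_cast<TOKEN_USER*>(buf.data());
            out = SidToString(static_cast<const uint8_t*>(tu->User.Sid),
                              ::GetLengthSid(tu->User.Sid));
        }
        ::CloseHandle(hTok);
    }
    ::CloseHandle(hProc);
    return out;
}
#endif
```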