Surviving the Win32 Security API
If there are two things you should remember above all others when working with the Win32 Security API, they are:
1. Nearly everything is variable length. Not only does this mean you should make no assumptions about being able to iterate through composite/collection types in an integral fashion, but you should also never assume that things are of a predeterminable size.
2. The common paradigm is Size-Allocate-Retrieve, as we saw with GetTokenInformation(). You call a function with a null destination pointer and give an initial size of 0. It will return into your size parameter the required size (and set the last error to ERROR_INSUFFICIENT_BUFFER). You allocate an appropriately sized buffer and call again, and the function will fill your buffer with the desired information.