Hi Rod,
So the worst-case scenario: User1 somehow manages to start the application with the environment variable
username set to User2. Your application uses GetEnv() and gets the faked User2 value.
I think this is possible when using the CreateProcess API to start an executable. This function has an input parameter
pEnvironment that can be a pointer to the environment block for the new process.
In such a case the bad guy must write a small program -- a launcher for the application.
* * *
How about using, instead of GetEnv(), some API functions like:
GetUserName
GetNetworkParams
NetGetJoinInformation
...
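
An added example, not code from this thread: a check that compares the `USERNAME` environment variable with the name `GetUserName` returns, so a value supplied by whoever launched the process is detected instead of trusted. The helper names `os_user_name`, `same_name` and `username_env_mismatch` are hypothetical, and the POSIX branch is an assumption added only so the file also builds off Windows.

```c
/* Added example: compare the USERNAME environment variable with the
 * account name the operating system reports for the process. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#pragma comment(lib, "advapi32.lib")   /* GetUserNameA lives in advapi32 */
/* Ask the OS for the user the current thread runs as. */
static int os_user_name(char *out, size_t cap) {
    DWORD len = (DWORD)cap;
    return GetUserNameA(out, &len) ? 0 : -1;
}
static int same_name(const char *a, const char *b) { return _stricmp(a, b) == 0; }
#else
/* Assumption: POSIX stand-in so the example also builds off Windows. */
#include <pwd.h>
#include <unistd.h>
static int os_user_name(char *out, size_t cap) {
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL || strlen(pw->pw_name) >= cap) return -1;
    strcpy(out, pw->pw_name);
    return 0;
}
static int same_name(const char *a, const char *b) { return strcmp(a, b) == 0; }
#endif

/* Returns 0 when the environment agrees with the OS, 1 when USERNAME is
 * missing or differs (treat as tampered), -1 when the OS lookup failed. */
int username_env_mismatch(const char *env_value) {
    char real[257];                     /* UNLEN (256) plus terminator */
    if (os_user_name(real, sizeof real) != 0) return -1;
    if (env_value == NULL) return 1;
    return same_name(env_value, real) ? 0 : 1;
}

int main(void) {
    char real[257];
    const char *env = getenv("USERNAME");
    int rc = username_env_mismatch(env);
    if (os_user_name(real, sizeof real) == 0)
        printf("OS reports:   %s\n", real);
    printf("USERNAME env: %s\n", env ? env : "(unset)");
    printf("%s\n", rc == 0 ? "environment matches" :
                   rc == 1 ? "environment does NOT match; ignore it" :
                             "could not query the OS");
    return rc == 0 ? 0 : 1;
}
```

Any decision that depends on who the user is should use the name from `os_user_name`; the environment value is useful only as a signal that something was altered.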