it doesn't null-terminate correctly, or initialise the whole of the buffer to zero before use. %s\\%s with two string-pairs, one pair shorter than the other, shows up the previous pair: BUILTIN\Administrator TEST\rootdministrator in rpcclient lookupsids command, for example.