Very interesting discussion.
I agree with Jeff, you should not make any assumptions about the memory contents past the buffer length returned by any API.
Additionally, the call to WTSQuerySessionInformation does not just return the address of null terminated strings in BufferRef. It can be the offset of structures like WTSClient, WTSInfo, WTSConfigInfo, etc.
Turns out there is a bug in my original code. The BufferLength returned by the call includes the trailing NULL character. My workstation name is DIMHOLT which is 7 characters. BufferLength is returning 8 when I call to get the client name. No harm in the bug, other than allocating an extra byte of memory for a few milliseconds.
I thought it might be interesting to show how I examined the memory returned by the API call to answer the question of the buffer length and NULL character. Here’s an explanation of the techniques.