NT下判断用户是否有管理员权限
OK, Thanks to Loaden found out that my original code to determine whether an user is in Administrators group is totally bullshit.And after googling for a while, I found something and test it, simply works. I will just paste the code here. Thanks to the author and google and God.
http://www.mihai-nita.net/article.php?artID=20070413a
//
IsAdminAPI.cpp : Tests if user is Administrator using plain Win32 API
// Copyright (c) April 2007, Mihai Nita
//
#include <wtypes.h>
#include <Lm.h>
// for ASSERT
#include <crtdbg.h>
#include "IsAdminAPI.h"
bool IsAdminAPI( WCHAR const *szUserName )
{
_ASSERT(szUserName);
bool bAdmin = FALSE;
LOCALGROUP_USERS_INFO_0* localGroups;
DWORD entriesread, totalentries;
NET_API_STATUS nts = NetUserGetLocalGroups( NULL, szUserName, 0, 0, (unsigned char**)&localGroups, MAX_PREFERRED_LENGTH, &entriesread, &totalentries);
if( nts != NERR_Success ) {
NetApiBufferFree(localGroups);
return FALSE;
}
// Retrieve the Administrators group well-known SID
// For some reason CreateWellKnownSid generates error C3861 on Developer Studio .NET:
// error C3861: 'CreateWellKnownSid': identifier not found, even with argument-dependent lookup
BYTE SidAuth[] = SECURITY_NT_AUTHORITY;
PSID pAdminSid;
AllocateAndInitializeSid( (PSID_IDENTIFIER_AUTHORITY)SidAuth,
2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
NULL, NULL, NULL, NULL, NULL, NULL, &pAdminSid );
// Will use this to retrieve the SID of the group
BYTE buffSid[SECURITY_MAX_SID_SIZE];
wchar_t buffDomain[DNLEN+1];
DWORD dwSidSize;
DWORD dwDomainSize;
SID_NAME_USE m_sidnameuse;
for( DWORD i = 0; i < entriesread; ++i ) {
dwSidSize = sizeof(buffSid);
dwDomainSize = DNLEN;
// Although in general is a bad idea to call directly the W or A versions of API
// we do it here to avoid converting the localGroups[i].lgrui0_name back to ANSI
// This kind of security API is only present on NT/2000/XP family only, so
// the W version is present and safe to use
if( LookupAccountNameW( NULL, localGroups[i].lgrui0_name, buffSid, &dwSidSize, (LPWSTR)buffDomain, &dwDomainSize, &m_sidnameuse) ) // no sid for the actual group
if( EqualSid( buffSid, pAdminSid ) ) {
bAdmin = TRUE;
break;
}
}
FreeSid( pAdminSid );
NetApiBufferFree(localGroups);
return bAdmin;
}
// Copyright (c) April 2007, Mihai Nita
//
#include <wtypes.h>
#include <Lm.h>
// for ASSERT
#include <crtdbg.h>
#include "IsAdminAPI.h"
bool IsAdminAPI( WCHAR const *szUserName )
{
_ASSERT(szUserName);
bool bAdmin = FALSE;
LOCALGROUP_USERS_INFO_0* localGroups;
DWORD entriesread, totalentries;
NET_API_STATUS nts = NetUserGetLocalGroups( NULL, szUserName, 0, 0, (unsigned char**)&localGroups, MAX_PREFERRED_LENGTH, &entriesread, &totalentries);
if( nts != NERR_Success ) {
NetApiBufferFree(localGroups);
return FALSE;
}
// Retrieve the Administrators group well-known SID
// For some reason CreateWellKnownSid generates error C3861 on Developer Studio .NET:
// error C3861: 'CreateWellKnownSid': identifier not found, even with argument-dependent lookup
BYTE SidAuth[] = SECURITY_NT_AUTHORITY;
PSID pAdminSid;
AllocateAndInitializeSid( (PSID_IDENTIFIER_AUTHORITY)SidAuth,
2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
NULL, NULL, NULL, NULL, NULL, NULL, &pAdminSid );
// Will use this to retrieve the SID of the group
BYTE buffSid[SECURITY_MAX_SID_SIZE];
wchar_t buffDomain[DNLEN+1];
DWORD dwSidSize;
DWORD dwDomainSize;
SID_NAME_USE m_sidnameuse;
for( DWORD i = 0; i < entriesread; ++i ) {
dwSidSize = sizeof(buffSid);
dwDomainSize = DNLEN;
// Although in general is a bad idea to call directly the W or A versions of API
// we do it here to avoid converting the localGroups[i].lgrui0_name back to ANSI
// This kind of security API is only present on NT/2000/XP family only, so
// the W version is present and safe to use
if( LookupAccountNameW( NULL, localGroups[i].lgrui0_name, buffSid, &dwSidSize, (LPWSTR)buffDomain, &dwDomainSize, &m_sidnameuse) ) // no sid for the actual group
if( EqualSid( buffSid, pAdminSid ) ) {
bAdmin = TRUE;
break;
}
}
FreeSid( pAdminSid );
NetApiBufferFree(localGroups);
return bAdmin;
}
注意有时我们只需要判断当前process是否以管理员权限运行。貌似可以通过调用GetTokenInformation 和AllocateAndInitializeSid 来判断,
google "Searching for a SID in an Access Token in C++" site:msdn.microsoft.com可找到一段代码, 请自行研究自行测试。
#define MAX_NAME 256
BOOL SearchTokenGroupsForSID (VOID)
{
DWORD i, dwSize = 0, dwResult = 0;
HANDLE hToken;
PTOKEN_GROUPS pGroupInfo;
SID_NAME_USE SidType;
char lpName[MAX_NAME];
char lpDomain[MAX_NAME];
BYTE sidBuffer[100];
PSID pSID = (PSID)&sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
// Open a handle to the access token for the calling process.
if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken )) {
printf( "OpenProcessToken Error %u\n", GetLastError() );
return FALSE;
}
// Call GetTokenInformation to get the buffer size.
if(!GetTokenInformation(hToken, TokenGroups, NULL, dwSize, &dwSize)) {
dwResult = GetLastError();
if( dwResult != ERROR_INSUFFICIENT_BUFFER ) {
printf( "GetTokenInformation Error %u\n", dwResult );
return FALSE;
}
}
// Allocate the buffer.
pGroupInfo = (PTOKEN_GROUPS) GlobalAlloc( GPTR, dwSize );
// Call GetTokenInformation again to get the group information.
if(! GetTokenInformation(hToken, TokenGroups, pGroupInfo,
dwSize, &dwSize ) ) {
printf( "GetTokenInformation Error %u\n", GetLastError() );
return FALSE;
}
// Create a SID for the BUILTIN\Administrators group.
if(! AllocateAndInitializeSid( &SIDAuth, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pSID) ) {
printf( "AllocateAndInitializeSid Error %u\n", GetLastError() );
return FALSE;
}
// Loop through the group SIDs looking for the administrator SID.
for(i=0; i<pGroupInfo->GroupCount; i++) {
if ( EqualSid(pSID, pGroupInfo->Groups[i].Sid) ) {
// Lookup the account name and print it.
dwSize = MAX_NAME;
if( !LookupAccountSid( NULL, pGroupInfo->Groups[i].Sid,
lpName, &dwSize, lpDomain,
&dwSize, &SidType ) ) {
dwResult = GetLastError();
if( dwResult == ERROR_NONE_MAPPED )
strcpy_s (lpName, dwSize, "NONE_MAPPED" );
else {
printf("LookupAccountSid Error %u\n", GetLastError());
return FALSE;
}
}
printf( "Current user is a member of the %s\\%s group\n",
lpDomain, lpName );
// Find out whether the SID is enabled in the token.
if (pGroupInfo->Groups[i].Attributes & SE_GROUP_ENABLED)
printf("The group SID is enabled.\n");
else if (pGroupInfo->Groups[i].Attributes &
SE_GROUP_USE_FOR_DENY_ONLY)
printf("The group SID is a deny-only SID.\n");
else
printf("The group SID is not enabled.\n");
}
}
if (pSID)
FreeSid(pSID);
if ( pGroupInfo )
GlobalFree( pGroupInfo );
return TRUE;
}
BOOL SearchTokenGroupsForSID (VOID)
{
DWORD i, dwSize = 0, dwResult = 0;
HANDLE hToken;
PTOKEN_GROUPS pGroupInfo;
SID_NAME_USE SidType;
char lpName[MAX_NAME];
char lpDomain[MAX_NAME];
BYTE sidBuffer[100];
PSID pSID = (PSID)&sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
// Open a handle to the access token for the calling process.
if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken )) {
printf( "OpenProcessToken Error %u\n", GetLastError() );
return FALSE;
}
// Call GetTokenInformation to get the buffer size.
if(!GetTokenInformation(hToken, TokenGroups, NULL, dwSize, &dwSize)) {
dwResult = GetLastError();
if( dwResult != ERROR_INSUFFICIENT_BUFFER ) {
printf( "GetTokenInformation Error %u\n", dwResult );
return FALSE;
}
}
// Allocate the buffer.
pGroupInfo = (PTOKEN_GROUPS) GlobalAlloc( GPTR, dwSize );
// Call GetTokenInformation again to get the group information.
if(! GetTokenInformation(hToken, TokenGroups, pGroupInfo,
dwSize, &dwSize ) ) {
printf( "GetTokenInformation Error %u\n", GetLastError() );
return FALSE;
}
// Create a SID for the BUILTIN\Administrators group.
if(! AllocateAndInitializeSid( &SIDAuth, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pSID) ) {
printf( "AllocateAndInitializeSid Error %u\n", GetLastError() );
return FALSE;
}
// Loop through the group SIDs looking for the administrator SID.
for(i=0; i<pGroupInfo->GroupCount; i++) {
if ( EqualSid(pSID, pGroupInfo->Groups[i].Sid) ) {
// Lookup the account name and print it.
dwSize = MAX_NAME;
if( !LookupAccountSid( NULL, pGroupInfo->Groups[i].Sid,
lpName, &dwSize, lpDomain,
&dwSize, &SidType ) ) {
dwResult = GetLastError();
if( dwResult == ERROR_NONE_MAPPED )
strcpy_s (lpName, dwSize, "NONE_MAPPED" );
else {
printf("LookupAccountSid Error %u\n", GetLastError());
return FALSE;
}
}
printf( "Current user is a member of the %s\\%s group\n",
lpDomain, lpName );
// Find out whether the SID is enabled in the token.
if (pGroupInfo->Groups[i].Attributes & SE_GROUP_ENABLED)
printf("The group SID is enabled.\n");
else if (pGroupInfo->Groups[i].Attributes &
SE_GROUP_USE_FOR_DENY_ONLY)
printf("The group SID is a deny-only SID.\n");
else
printf("The group SID is not enabled.\n");
}
}
if (pSID)
FreeSid(pSID);
if ( pGroupInfo )
GlobalFree( pGroupInfo );
return TRUE;
}
向曾被我误导的同志表示真挚的道歉和沉痛的悼念。
NSIS下判断当前用户是否管理员:
http://nsis.sourceforge.net/Check_if_the_current_user_is_an_Administrator
!macro IsUserAdmin RESULT
!define Index " Line${__LINE__} "
StrCpy ${RESULT} 0
System::Call ' *(&i1 0,&i4 0,&i1 5)i.r0 '
System::Call ' advapi32::AllocateAndInitializeSid(i r0,i 2,i 32,i 544,i 0,i 0,i 0,i 0,i 0, \
i 0,*i .R0)i.r5 '
System::Free $0
System::Call ' advapi32::CheckTokenMembership(i n,i R0,*i .R1)i.r5 '
StrCmp $5 0 ${Index}_Error
StrCpy ${RESULT} $R1
Goto ${Index}_End
${Index}_Error:
StrCpy ${RESULT} -1
${Index}_End:
System::Call ' advapi32::FreeSid(i R0)i.r5 '
!undef Index
!macroend
!define Index " Line${__LINE__} "
StrCpy ${RESULT} 0
System::Call ' *(&i1 0,&i4 0,&i1 5)i.r0 '
System::Call ' advapi32::AllocateAndInitializeSid(i r0,i 2,i 32,i 544,i 0,i 0,i 0,i 0,i 0, \
i 0,*i .R0)i.r5 '
System::Free $0
System::Call ' advapi32::CheckTokenMembership(i n,i R0,*i .R1)i.r5 '
StrCmp $5 0 ${Index}_Error
StrCpy ${RESULT} $R1
Goto ${Index}_End
${Index}_Error:
StrCpy ${RESULT} -1
${Index}_End:
System::Call ' advapi32::FreeSid(i R0)i.r5 '
!undef Index
!macroend
6091
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
