INFO: Services and Redirected Drives
SUMMARY
A service should not directly access local or network resources through mapped drive letters. Additionally, a service should not use the WNetXXXXXXX APIs to add, remove, or query any mapped drive letters. Although the WNetXXXXXXX APIs may return successfully, the results will be incorrect. A service (or any process that is running in a different security context) that must access a remote resource should use the Universal Naming Convention (UNC) name to access the resource. UNC names do not suffer from the limitations described in this article.
MORE INFORMATION
When the system establishes a redirected drive, it is stored on a per-user basis. Only the user himself can manipulate the redirected drive. The system keeps track of redirected drives based on the user's Logon Security Identifier (SID). The Logon SID is a unique identifier for the user's Logon Session. A single user can have multiple, simultaneous logon sessions on the system.
If a service is configured to run under a user account, the system will always create a new logon session for the user and then launch the service in that new logon session. Thus, the service cannot manipulate the drive mappings that are established within the user's other session(s).
Redirected Drives on Microsoft Windows NT and Microsoft Windows 2000
On Windows NT and on Windows 2000, drive letters are global to the system. All users on the system share the letters A-Z. Each user does not get their own set of drive letters. This means a user can access the redirected drives of another user if they have the appropriate security access.
If a user tries to redirect a drive letter that is already used by another user (for example, by calling WNetAddConnection2()), the call returns ERROR_ALREADY_ASSIGNED. Although the redirected drive is global to all users, only the user who established it can manipulate it. For example, if a user tries to remove or query a redirected drive that was established by a different user, the WNetGetConnection() and WNetCancelConnection2() functions return the following error:
ERROR_NOT_CONNECTED
If a user tries to enumerate the list of redirected drives through WNetOpenEnum() and WNetEnumResource(), the functions only list redirected drives that were established by that user. Drives that were redirected by other users will not be visible.
Windows NT File Manager and Windows NT Explorer can see all the redirected drives because they call the GetDriveType() function on each drive, and they display an icon for each drive that is found. Windows NT File Manager and Windows NT Explorer create an icon for redirected drives that are created by all users because drive letters are global to the system. However, the interactive user cannot use Windows NT File Manager or Windows NT Explorer to disconnect the drive because the drive was created in a different logon session.
If a service that is running in the LocalSystem security context establishes a drive mapping, only that service or another process running in the LocalSystem account can call WNetCancelConnection2() to disconnect the drive.
Note: All processes that are running in the LocalSystem account are running in the same logon session.
Redirected Drives on Microsoft Windows XP
On Windows XP and on Microsoft Windows Server 2003, each logon session receives its own set of drive letters, A through Z. Therefore, redirected drives cannot be shared between processes that are running under different user accounts. Additionally, a service (or any process that is running in its own logon session) cannot access the drive letters that are established in a different logon session. However, drive letters that are mapped from a service that is running under the local System account are visible to all logon sessions.
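Because a service cannot see drive letters mapped in another logon session, a client can resolve the letter in its own session with WNetGetConnection() and hand the service the UNC name instead. The following is an added example, not code from the original article; to_unc and resolve_session are hypothetical names, and the non-Windows stand-in with its \\fileserver\projects mapping is constructed so the logic can run anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <winnetwk.h>   /* WNetGetConnectionA; link with mpr.lib */
#endif
/* Resolver: writes the remote name for "X:" and returns 0; non-zero means
   the letter is not a redirected drive visible to this logon session. */
typedef int (*resolve_fn)(const char *drive, char *remote, size_t cap);
#ifdef _WIN32
static int resolve_session(const char *drive, char *remote, size_t cap) {
    DWORD len = (DWORD)cap;
    /* Local disks and mappings owned by another logon session both fail. */
    return WNetGetConnectionA(drive, remote, &len) == NO_ERROR ? 0 : 1;
}
#else
/* Constructed stand-in for non-Windows builds: only H: is mapped. */
static int resolve_session(const char *drive, char *remote, size_t cap) {
    if (toupper((unsigned char)drive[0]) != 'H') return 1;
    snprintf(remote, cap, "%s", "\\\\fileserver\\projects");
    return 0;
}
#endif

/* Returns 0 and fills out with a UNC name, or -1 when the path has none
   (relative, drive-relative such as "H:file", unmapped letter, too long). */
int to_unc(const char *path, resolve_fn resolve, char *out, size_t cap) {
    char drive[3] = { 0 }, remote[260];
    int n;
    if (path[0] == '\\' && path[1] == '\\') {          /* already UNC */
        n = snprintf(out, cap, "%s", path);
    } else {
        if (!isalpha((unsigned char)path[0]) || path[1] != ':' || path[2] != '\\')
            return -1;
        drive[0] = path[0]; drive[1] = ':';
        if (resolve(drive, remote, sizeof remote) != 0) return -1;
        n = snprintf(out, cap, "%s%s", remote, path + 2);
    }
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(int argc, char **argv) {
    char unc[520];
    const char *p = argc > 1 ? argv[1] : "H:\\build\\out.log";
    int rc = to_unc(p, resolve_session, unc, sizeof unc);
    puts(rc == 0 ? unc : "no UNC name in this logon session");
    return rc == 0 ? 0 : 1;
}
```

Run the conversion in the process that owns the mapping; the same call made from inside the service would fail for the reasons described above.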
Original MSDN article:
http://support.microsoft.com/kb/180362/en-us