包含特权（LUID）

有很多都没翻译，就翻译了几个，就是参考下，这个可以查看这些特权的LUID。。

包含特权

用户账户操作能执行确定类型 [系统操作]的特权.一个管理员将特权分配到用户和组账户. 每个用户的特权包括授予 那些 用户所属的 用户和组.（管理员提升指定用户和组的指定权限）

这个函数从访问令牌里得到和修改特权,用LUID来确定特权类型.使用LookupPrivilegeValue函数,可以在本地系统中，用特权的常量(宏)来确定这个LUID的值.使用LookupPrivilegeName函数,可以将LUID转换成对应的字符串常量

 

在表格里的描述一列中的内容里的 "用户权限" 一栏，代表了操作系统特权的使用.(即什么权限在什么地方用)

操作系统在 本地安全设置的Microsoft管理控制台（MMC）管理单元中的【用户权限转让】策略一列显示用户权限字符串(应该是记录) .

常量/值	描述
SE_ASSIGNPRIMARYTOKEN_NAME TEXT("SeAssignPrimaryTokenPrivilege")	必需分配主要的进程令牌 用户权限: 替换一个进程级令牌.
SE_AUDIT_NAME TEXT("SeAuditPrivilege")	生成所需的审计日志记录. 获得安全服务器权限 用户权限: 生成安全记录
SE_BACKUP_NAME TEXT("SeBackupPrivilege")	Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. This privilege is required by the RegSaveKey and RegSaveKeyEx functions. The following access rights are granted if this privilege is held: READ_CONTROL ACCESS_SYSTEM_SECURITY FILE_GENERIC_READ FILE_TRAVERSE User Right: Back up files and directories.
SE_CHANGE_NOTIFY_NAME TEXT("SeChangeNotifyPrivilege")	Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. It is enabled by default for all users. User Right: Bypass traverse checking.
SE_CREATE_GLOBAL_NAME TEXT("SeCreateGlobalPrivilege")	Required to create named file mapping objects in the global namespace during Terminal Services sessions. This privilege is enabled by default for administrators, services, and the local system account. User Right: Create global objects. Windows XP/2000/NT:  This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.
SE_CREATE_PAGEFILE_NAME TEXT("SeCreatePagefilePrivilege")	Required to create a paging file. User Right: Create a pagefile.
SE_CREATE_PERMANENT_NAME TEXT("SeCreatePermanentPrivilege")	Required to create a permanent object. User Right: Create permanent shared objects.
SE_CREATE_SYMBOLIC_LINK_NAME TEXT("SeCreateSymbolicLinkPrivilege")	Required to create a symbolic link. User Right: Create symbolic links.
SE_CREATE_TOKEN_NAME TEXT("SeCreateTokenPrivilege")	Required to create a primary token. User Right: Create a token object.
SE_DEBUG_NAME TEXT("SeDebugPrivilege")	可以去调试和修改其他账户拥有的进程内存(包括SYSTEM) 用户权限：调试程序
SE_ENABLE_DELEGATION_NAME TEXT("SeEnableDelegationPrivilege")	Required to mark user and computer accounts as trusted for delegation. User Right: Enable computer and user accounts to be trusted for delegation.
SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege")	Required to impersonate. User Right: Impersonate a client after authentication. Windows XP/2000/NT:  This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.
SE_INC_BASE_PRIORITY_NAME TEXT("SeIncreaseBasePriorityPrivilege")	Required to increase the base priority of a process. User Right: Increase scheduling priority.
SE_INCREASE_QUOTA_NAME TEXT("SeIncreaseQuotaPrivilege")	Required to increase the quota assigned to a process. User Right: Adjust memory quotas for a process.
SE_INC_WORKING_SET_NAME TEXT("SeIncreaseWorkingSetPrivilege")	Required to allocate more memory for applications that run in the context of users. User Right: Increase a process working set.
SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege")	Required to load or unload a device driver. User Right: Load and unload device drivers.
SE_LOCK_MEMORY_NAME TEXT("SeLockMemoryPrivilege")	Required to lock physical pages in memory. User Right: Lock pages in memory.
SE_MACHINE_ACCOUNT_NAME TEXT("SeMachineAccountPrivilege")	Required to create a computer account. User Right: Add workstations to domain.
SE_MANAGE_VOLUME_NAME TEXT("SeManageVolumePrivilege")	Required to enable volume management privileges. User Right: Manage the files on a volume.
SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege")	Required to gather profiling information for a single process. User Right: Profile single process.
SE_RELABEL_NAME TEXT("SeRelabelPrivilege")	Required to modify the mandatory integrity level of an object. User Right: Modify an object label.
SE_REMOTE_SHUTDOWN_NAME TEXT("SeRemoteShutdownPrivilege")	Required to shut down a system using a network request. User Right: Force shutdown from a remote system.
SE_RESTORE_NAME TEXT("SeRestorePrivilege")	Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. This privilege is required by the RegLoadKey function. The following access rights are granted if this privilege is held: WRITE_DAC WRITE_OWNER ACCESS_SYSTEM_SECURITY FILE_GENERIC_WRITE FILE_ADD_FILE FILE_ADD_SUBDIRECTORY DELETE User Right: Restore files and directories.
SE_SECURITY_NAME TEXT("SeSecurityPrivilege")	Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator. User Right: Manage auditing and security log.
SE_SHUTDOWN_NAME TEXT("SeShutdownPrivilege")	Required to shut down a local system. User Right: Shut down the system.
SE_SYNC_AGENT_NAME TEXT("SeSyncAgentPrivilege")	Required for a domain controller to use the LDAP directory synchronization services. This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. User Right: Synchronize directory service data.
SE_SYSTEM_ENVIRONMENT_NAME TEXT("SeSystemEnvironmentPrivilege")	Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. User Right: Modify firmware environment values.
SE_SYSTEM_PROFILE_NAME TEXT("SeSystemProfilePrivilege")	Required to gather profiling information for the entire system. User Right: Profile system performance.
SE_SYSTEMTIME_NAME TEXT("SeSystemtimePrivilege")	请求修改系统时间 用户权限: 更改系统时间.
SE_TAKE_OWNERSHIP_NAME TEXT("SeTakeOwnershipPrivilege")	Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. User Right: Take ownership of files or other objects.
SE_TCB_NAME TEXT("SeTcbPrivilege")	This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. User Right: Act as part of the operating system.
SE_TIME_ZONE_NAME TEXT("SeTimeZonePrivilege")	Required to adjust the time zone associated with the computer's internal clock. User Right: Change the time zone.
SE_TRUSTED_CREDMAN_ACCESS_NAME TEXT("SeTrustedCredManAccessPrivilege")	Required to access Credential Manager as a trusted caller. User Right: Access Credential Manager as a trusted caller.
SE_UNDOCK_NAME TEXT("SeUndockPrivilege")	Required to undock a laptop. User Right: Remove computer from docking station.
SE_UNSOLICITED_INPUT_NAME TEXT("SeUnsolicitedInputPrivilege")	Required to read unsolicited input from a terminal device. User Right: Not applicable.

Remarks

Privilege constants are defined as strings in Winnt.h. For example, the SE_AUDIT_NAME constant is defined as "SeAuditPrivilege".

Requirements

Client	Requires Windows Vista, Windows XP, Windows 2000 Professional, or Windows NT Workstation.
Server	Requires Windows Server 2008, Windows Server 2003, Windows 2000 Server, or Windows NT Server.
Header	Declared in Winnt.h.