Revoke Windows Rights

I have a C++ application that runs as an administrator (it is compiled with a manifest with requestedExecutionLevel set to requireAdministrator).

At some point, when all tasks requiring administrator rights are completed, I would like to waive these rights and complete the remaining tasks as the user who launched the application.

Windows provides the ImpersonateLoggedOnUser function, but I cannot find a way to get the token for the user who called the application.

Are there other ways to do what I described here?

+5
2 answers

Perhaps a better approach would be to request highestAvailable instead of requireAdministrator in your manifest. Then, if you find yourself running elevated, just do whatever you need. If you find that you are not running elevated:

  • Run your program again using ShellExecute with the runas verb to run it elevated.
  • Have your unelevated process wait for the elevated process to do whatever it needs. (How to know when the elevated process is running remains as an exercise for the implementer. You also need to worry about what happens if the user does not allow the launch of your elevated process.)
  • Once the process is complete, do the rest of your unelevated work.

If you want to continue your initial plan, this Raymond Chen blog post explains how to start an unelevated process from an elevated process. (The fact that your manifest requests requireAdministrator can complicate this process.)

0
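The relaunch procedure from the answer above, sketched as an added example (it is not the answerer's code or Microsoft's). It assumes the manifest requests highestAvailable; `Phase`, `DecidePhase` and the `--admin-phase` marker argument are hypothetical names, and the Win32 parts build only on Windows.

```cpp
// Added example; Phase, DecidePhase and "--admin-phase" are hypothetical.
#include <cstring>
#ifdef _WIN32   // Win32 parts build on Windows; link advapi32 and shell32
#include <windows.h>
#include <shellapi.h>
#endif
enum class Phase { AdminOnly, AdminThenRest, RelaunchThenRest, Refuse };

// The flag says what this instance was asked to do; the token says whether
// it can. A flagged instance that is not elevated must not proceed.
Phase DecidePhase(bool elevated, bool flagged) {
    if (flagged) return elevated ? Phase::AdminOnly : Phase::Refuse;
    return elevated ? Phase::AdminThenRest : Phase::RelaunchThenRest;
}
#ifdef _WIN32
static bool IsElevated() {
    HANDLE tok = nullptr; TOKEN_ELEVATION te = {}; DWORD len = 0;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return false;
    BOOL ok = GetTokenInformation(tok, TokenElevation, &te, sizeof te, &len);
    CloseHandle(tok);
    return ok && te.TokenIsElevated;
}
// Relaunch self via the "runas" verb and wait; returns exit code (1 = no launch).
static DWORD RunAdminPhaseElevated() {
    wchar_t self[MAX_PATH];
    DWORD n = GetModuleFileNameW(nullptr, self, MAX_PATH);
    if (n == 0 || n == MAX_PATH) return 1;            // failed or truncated
    SHELLEXECUTEINFOW sei = {};
    sei.cbSize = sizeof sei;
    sei.fMask = SEE_MASK_NOCLOSEPROCESS;              // keep hProcess to wait on
    sei.lpVerb = L"runas";
    sei.lpFile = self;
    sei.lpParameters = L"--admin-phase";
    sei.nShow = SW_SHOWNORMAL;
    if (!ShellExecuteExW(&sei) || !sei.hProcess) return 1;  // e.g. UAC declined
    WaitForSingleObject(sei.hProcess, INFINITE);
    DWORD code = 1;
    GetExitCodeProcess(sei.hProcess, &code);
    CloseHandle(sei.hProcess);
    return code;
}
int main(int argc, char** argv) {
    bool flagged = argc > 1 && std::strcmp(argv[1], "--admin-phase") == 0;
    Phase p = DecidePhase(IsElevated(), flagged);
    if (p == Phase::Refuse) return 2;
    if (p == Phase::RelaunchThenRest && RunAdminPhaseElevated() != 0) return 1;
    if (p != Phase::RelaunchThenRest) { /* admin-only tasks go here */ }
    if (p == Phase::AdminOnly) return 0;
    /* remaining tasks go here (still elevated if AdminThenRest) */
    return 0;
}
#endif
```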

MSDN:

Enabling privileges in an access token allows a process to perform actions at the system level that it could not previously. Your application must fully verify that the privilege matches the type of account.

You can check: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx

And here is their C++ example:

    #include <windows.h>
    #include <stdio.h>
    // LookupPrivilegeValue and AdjustTokenPrivileges are exported by advapi32
    #pragma comment(lib, "advapi32.lib")

    BOOL SetPrivilege(
        HANDLE hToken,          // access token handle
        LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
        BOOL bEnablePrivilege   // to enable or disable privilege
        )
    {
        TOKEN_PRIVILEGES tp;
        LUID luid;

        if ( !LookupPrivilegeValue(
                NULL,            // lookup privilege on local system
                lpszPrivilege,   // privilege to lookup
                &luid ) )        // receives LUID of privilege
        {
            printf("LookupPrivilegeValue error: %u\n", GetLastError() );
            return FALSE;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        if (bEnablePrivilege)
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        else
            tp.Privileges[0].Attributes = 0;

        // Enable the privilege or disable all privileges.

        if ( !AdjustTokenPrivileges(
               hToken,
               FALSE,
               &tp,
               sizeof(TOKEN_PRIVILEGES),
               (PTOKEN_PRIVILEGES) NULL,
               (PDWORD) NULL) )
        {
            printf("AdjustTokenPrivileges error: %u\n", GetLastError() );
            return FALSE;
        }

        // AdjustTokenPrivileges can succeed without assigning the privilege.
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            printf("The token does not have the specified privilege. \n");
            return FALSE;
        }

        return TRUE;
    }

And also see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms717797(v=vs.85).aspx

Hope this helps.

0

Source: https://habr.com/ru/post/1273524/

