Using CheckTokenMembership always returns true, even if the process user is not an administrator.

The following is the code that I use (copied from MSDN), but even if the process user is not a local administrator, it returns as if it were. Any ideas?

#include <windows.h>

BOOL IsUserAdmin(VOID)
/*++
Routine Description: This routine returns TRUE if the caller's
process is a member of the Administrators local group. Caller is NOT
expected to be impersonating anyone and is expected to be able to
open its own process and process token.
Arguments: None.
Return Value:
   TRUE - Caller has Administrators local group.
   FALSE - Caller does not have Administrators local group.
--*/
{
    BOOL b;
    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
    PSID AdministratorsGroup;

    /* Build the well-known SID of BUILTIN\Administrators. */
    b = AllocateAndInitializeSid(
        &NtAuthority,
        2,
        SECURITY_BUILTIN_DOMAIN_RID,
        DOMAIN_ALIAS_RID_ADMINS,
        0, 0, 0, 0, 0, 0,
        &AdministratorsGroup);
    if (b)
    {
        /* NULL token handle: check the calling thread's effective token. */
        if (!CheckTokenMembership(NULL, AdministratorsGroup, &b))
        {
            b = FALSE;
        }
        FreeSid(AdministratorsGroup);
    }

    return (b);
}
+3
2 answers

The MSDN document here ... There is a note that mentions issues when using this in Vista (or later).

To paraphrase: if you use it in Vista, the API will return true, because Vista uses a split token for security.

Here is the original note (originally written by tchao):

UAC Windows Vista - , : a . SID , SID , UAC . , SID "", TOKEN_ELEVATION_TYPE TokenElevationTypeLimited.

, , CheckTokenMembership() , - (?) . , ?!

+2
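
An added example (not from the original post or from MSDN): one way to tell "this process holds an enabled Administrators SID" apart from "the user is an administrator running with a UAC-limited token", using the TokenElevationType value the note names. ADMIN_STATE, ClassifyAdmin and QueryAdminState are hypothetical names, and the non-Windows typedef is only a stand-in so the decision logic compiles off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#else /* stand-in so the decision logic also compiles off Windows */
typedef enum { TokenElevationTypeDefault = 1, TokenElevationTypeFull,
               TokenElevationTypeLimited } TOKEN_ELEVATION_TYPE;
#endif
/* Hypothetical result type for this example (not a Windows API type). */
typedef enum { ADMIN_NONE, ADMIN_ELEVATED, ADMIN_FILTERED } ADMIN_STATE;
/* memberNow: Administrators enabled in the token the process runs with.
   memberLinked: Administrators enabled in the UAC linked token. */
ADMIN_STATE ClassifyAdmin(TOKEN_ELEVATION_TYPE type, int memberNow, int memberLinked)
{
    if (memberNow)
        return ADMIN_ELEVATED;              /* admin rights usable right now */
    if (type == TokenElevationTypeLimited && memberLinked)
        return ADMIN_FILTERED;              /* admin user, filtered token */
    return ADMIN_NONE;
}

#ifdef _WIN32
ADMIN_STATE QueryAdminState(void)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    TOKEN_ELEVATION_TYPE type = TokenElevationTypeDefault;
    TOKEN_LINKED_TOKEN lt = { NULL };
    HANDLE tok = NULL; PSID admins = NULL;
    BOOL now = FALSE, linked = FALSE;
    DWORD cb = 0;

    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admins))
        return ADMIN_NONE;
    if (!CheckTokenMembership(NULL, admins, &now)) now = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) {
        if (!GetTokenInformation(tok, TokenElevationType, &type, sizeof type, &cb))
            type = TokenElevationTypeDefault;
        /* A limited token has a linked full token; test membership there too. */
        if (type == TokenElevationTypeLimited &&
            GetTokenInformation(tok, TokenLinkedToken, &lt, sizeof lt, &cb)) {
            if (!CheckTokenMembership(lt.LinkedToken, admins, &linked))
                linked = FALSE;
            CloseHandle(lt.LinkedToken);
        }
        CloseHandle(tok);
    }
    FreeSid(admins);
    return ClassifyAdmin(type, now, linked);
}
#endif
```

Treat ADMIN_FILTERED as "can elevate", not as "has administrative rights": privileged operations still need an elevated process.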

Source: https://habr.com/ru/post/1710434/

