在開機啟動應用程序時,可能會碰到權限不夠而啟動失敗或者一些其他問題,所以在開機啟動程序時可能會使用SYSTEM權限,但由于后來的操作不需要高權限來完成,就需要降低應用程序的權限。可以通過獲取explorer.exe進程ID來實現。
1 DWORD CCommonFun::LaunchAppIntoDifferentSession(LPCTSTR lpszAppPath,
2 LPCTSTR lpszParameters,
3 LPCTSTR lpszDirectory,
4 LPCTSTR lpszRightsProcess,
5 DWORD dwMilliseconds, // wait times INFINITE
6 BOOL bIsWait)
7 {
8 PROCESS_INFORMATION pi;
9 STARTUPINFO si;
10 HANDLE hUserTokenDup = NULL;
11 HANDLE hUserToken = NULL;
12 HANDLE hProcess = NULL;
13 HANDLE hPToken = NULL;
14 DWORD dwCreationFlags = 0;
15 DWORD dwSessionId = 0;
16 DWORD winlogonPid = 0;
17 BOOL bResult = FALSE;
18
19
20 // Log the client on to the local computer.
21 // windows2000系統兼容修改 [4/1/2012 wanghaiguang]
22 typedef DWORD (WINAPI *LoadWTSGetActiveConsoleSessionId)(VOID);
23
24 HMODULE hModKrl = LoadLibrary(TEXT("Kernel32.dll"));
25 if (!hModKrl)
26 {
27 LOG("導入 kernel32.dll 失敗");
28 return 1;
29 }
30
31 LoadWTSGetActiveConsoleSessionId fWTSGetActiveConsoleSessionId = (LoadWTSGetActiveConsoleSessionId)GetProcAddress(hModKrl, "WTSGetActiveConsoleSessionId");
32 if (!fWTSGetActiveConsoleSessionId)
33 {
34 LOG("調用WTSGetActiveConsoleSessionId 失敗");
35 FreeLibrary(hModKrl);
36 return 1;
37 }
38 dwSessionId = fWTSGetActiveConsoleSessionId();
39
40 if (hModKrl)
41 {
42 FreeLibrary(hModKrl);
43 }
44
45 //////////////////////////////////////////
46 // Find the winlogon process
47 ////////////////////////////////////////
48
49 PROCESSENTRY32 procEntry;
50
51 HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
52 if (hSnap == INVALID_HANDLE_VALUE)
53 {
54 return 1 ;
55 }
56
57 procEntry.dwSize = sizeof(PROCESSENTRY32);
58
59 if (!Process32First(hSnap, &procEntry))
60 {
61 return 1 ;
62 }
63
64 do
65 {
66 if (_stricmp(procEntry.szExeFile, lpszRightsProcess/*"explorer.exe","winlogon.exe"*/) == 0)
67 {
68 // We found a winlogon process
make sure it's running in the console session
69 DWORD winlogonSessId = 0;
70 if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId)
71 {
72 winlogonPid = procEntry.th32ProcessID;
73 break;
74 }
75 }
76
77 } while (Process32Next(hSnap, &procEntry));
78
79 ////////////////////////////////////////////////////////////////////////
80
81 // windows2000系統兼容修改 [4/1/2012 wanghaiguang]
82 typedef BOOL (__stdcall *LoadWTSQueryUserToken)(ULONG, PHANDLE);
83 HMODULE hModwsi = LoadLibrary(TEXT("Wtsapi32.dll"));
84 if (!hModwsi)
85 {
86 LOG("導入Wtsapi32.dll 失敗");
87 return 1;
88 }
89
90 LoadWTSQueryUserToken fWTSQueryUserToken = (LoadWTSQueryUserToken)GetProcAddress(hModwsi, "WTSQueryUserToken");
91 if (!fWTSQueryUserToken)
92 {
93 LOG("調用WTSQueryUserToken 失敗");
94 FreeLibrary(hModKrl);
95 return 1;
96 }
97 fWTSQueryUserToken(dwSessionId,&hUserToken);
98
99 if (hModwsi)
100 {
101 FreeLibrary(hModKrl);
102 }
103 //WTSQueryUserToken(dwSessionId,&hUserToken);
104 dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
105 ZeroMemory(&si, sizeof(STARTUPINFO));
106 si.cb= sizeof(STARTUPINFO);
107 si.lpDesktop = "winsta0\\default";
108 ZeroMemory(&pi, sizeof(pi));
109 TOKEN_PRIVILEGES tp;
110 LUID luid;
111 hProcess = OpenProcess(MAXIMUM_ALLOWED,FALSE,winlogonPid);
112
113 if(!::OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY
114 |TOKEN_DUPLICATE|TOKEN_ASSIGN_PRIMARY|TOKEN_ADJUST_SESSIONID
115 |TOKEN_READ|TOKEN_WRITE,&hPToken))
116 {
117 int abcd = GetLastError();
118 printf("Process token open Error: %u\n",GetLastError());
119 }
120
121 if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
122 {
123 printf("Lookup Privilege value Error: %u\n",GetLastError());
124 }
125 tp.PrivilegeCount =1;
126 tp.Privileges[0].Luid =luid;
127 tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
128
129 DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&hUserTokenDup);
130 int dup = GetLastError();
131
132 //Adjust Token privilege
133 SetTokenInformation(hUserTokenDup,TokenSessionId,(void*)dwSessionId,sizeof(DWORD));
134
135 if (!AdjustTokenPrivileges(hUserTokenDup,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,NULL))
136 {
137 int abc =GetLastError();
138 printf("Adjust Privilege value Error: %u\n",GetLastError());
139 }
140
141 if (GetLastError()== ERROR_NOT_ALL_ASSIGNED)
142 {
143 printf("Token does not have the provilege\n");
144 }
145
146 LPVOID pEnv =NULL;
147
148 if(CreateEnvironmentBlock(&pEnv,hUserTokenDup,TRUE))
149 {
150 dwCreationFlags|=CREATE_UNICODE_ENVIRONMENT;
151 }
152 else
153 pEnv=NULL;
154
155 // Launch the process in the client's logon session.
156 bResult = CreateProcessAsUser(
157 hUserTokenDup, // client's access token
158 lpszAppPath, // file to execute
159 (LPSTR)lpszParameters, // command line
160 NULL, // pointer to process SECURITY_ATTRIBUTES
161 NULL, // pointer to thread SECURITY_ATTRIBUTES
162 FALSE, // handles are not inheritable
163 dwCreationFlags, // creation flags
164 pEnv, // pointer to new environment block
165 lpszDirectory, // name of current directory
166 &si, // pointer to STARTUPINFO structure
167 &pi // receives information about new process
168 );
169 // End impersonation of client.
170
171 //GetLastError Shud be 0
172
173 int iResultOfCreateProcessAsUser = GetLastError();
174
175 //Perform All the Close Handles task
176
177 if (hProcess)
178 {
179 CloseHandle(hProcess);
180 }
181
182 if (hUserToken)
183 {
184 CloseHandle(hUserToken);
185 }
186
187 if (hUserTokenDup)
188 {
189 CloseHandle(hUserTokenDup);
190 }
191
192 if (hPToken)
193 {
194 CloseHandle(hPToken);
195 }
196
197 if ( !bIsWait )
198 return 0;
199
200 if (WaitForSingleObject(pi.hProcess, dwMilliseconds) == WAIT_TIMEOUT)
201 {
202 TerminateProcess(pi.hProcess, 0);
203 return 0;
204 }
205
206 DWORD dwExitCode;
207 BOOL bOK = GetExitCodeProcess(pi.hProcess, &dwExitCode);
208 ASSERT(bOK);
209
210 return 0;
211 }
posted on 2012-09-29 14:22
王海光 閱讀(1213)
評論(0) 編輯 收藏 引用 所屬分類:
MFC