wrhwww

一般Windows下的系統文件(夾)只讓受限帳戶讀取而不讓寫入和修改。如果要開啟寫操作權限就需要手動修改文件(夾)的用戶帳戶安全權限(這操作當然要在管理員帳戶下執行).以下用程序封裝了一下該操作:

　　先來個API版本:

　　//

　　// 啟用某個賬戶對某個文件(夾)的所有操作權限

　　// pszPath: 文件(夾)路徑

　　// pszAccount: 賬戶名稱

　　//

　　BOOL  EnableFileAccountPrivilege (PCTSTR pszPath, PCTSTR pszAccount)

　　{

　　BOOL bSuccess = TRUE;

　　PACL pNewDacl = NULL, pOldDacl = NULL;

　　EXPLICIT_ACCESS ea;

　　do

　　{

　　// 獲取文件(夾)安全對象的DACL列表

　　if (ERROR_SUCCESS != ::GetNamedSecurityInfo ((LPTSTR)pszPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDacl, NULL, NULL))

　　{

　　bSuccess  =  FALSE;

　　break;

　　}

　　// 此處不可直接用AddAccessAllowedAce函數,因為已有的DACL長度是固定,必須重新創建一個DACL對象

　　// 生成指定用戶帳戶的訪問控制信息(這里指定賦予全部的訪問權限)

　　::BuildExplicitAccessWithName (&ea, (LPTSTR)pszAccount, GENERIC_ALL, GRANT_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);

　　// 創建新的ACL對象(合并已有的ACL對象和剛生成的用戶帳戶訪問控制信息)

　　if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))

　　{

　　bSuccess   =  FALSE;

　　break;

　　}[next]

　　// 設置文件(夾)安全對象的DACL列表

　　if (ERROR_SUCCESS != ::SetNamedSecurityInfo ((LPTSTR)pszPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL))

　　{

　　bSuccess   =  FALSE;

　　}

　　} while (FALSE);

　　// 釋放資源

　　if (pNewDacl != NULL)

　　::LocalFree(pNewDacl);

　　return bSuccess;

　　}ATL封裝了安全操作函數,用ATL來寫就簡單多了: //

　　// 啟用某個賬戶對某個文件(夾)的所有操作權限(ATL版本)

　　// pszPath: 文件(夾)路徑

　　// pszAccount: 賬戶名稱

　　//

　　BOOL  AtlEnableFileAccountPrivilege (PCTSTR pszPath, PCTSTR pszAccount)

　　{

　　CDacl  dacl;

　　CSid   sid;

　　// 獲取用戶帳戶標志符

　　if (!sid.LoadAccount (pszAccount))

　　{

　　return FALSE;

　　}

　　// 獲取文件(夾)的DACL

　　if (!AtlGetDacl (pszPath, SE_FILE_OBJECT, &dacl))

　　{

　　return FALSE;

　　}

　　// 在DACL中添加新的ACE項

　　dacl.AddAllowedAce (sid, GENERIC_ALL);

　　// 設置文件(夾)的DACL

　　return AtlSetDacl (pszPath, SE_FILE_OBJECT, dacl) ? TRUE : FALSE;

　　}

來源：http://www.uniuc.com/computer/show-6322-1.html\\\

通過程序對文件夾的訪問權限進行控制。
BOOL   My_SetFolderSecurity(WCHAR*   szPath)
{
SID_IDENTIFIER_AUTHORITY   sia   =   SECURITY_NT_AUTHORITY;
PSID   pSidSystem   =   NULL;
PSID   pSidAdmins   =   NULL;
PSID   pSidWorld   =   NULL;
PACL   pDacl   =   NULL;
EXPLICIT_ACCESS   ea[4];
SECURITY_DESCRIPTOR   SecDesc;

ULONG   lRes   =   ERROR_SUCCESS;

__try
{
//   create   SYSTEM   SID
if   (!AllocateAndInitializeSid(&sia,   1,   SECURITY_LOCAL_SYSTEM_RID,
0,   0,   0,   0,   0,   0,   0,   &pSidSystem))
{
lRes   =   GetLastError();
__leave;
}

//   create   Local   Administrators   alias   SID
if   (!AllocateAndInitializeSid(&sia,   2,   SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,   0,   0,   0,   0,  
0,   0,   &pSidAdmins))
{
lRes   =   GetLastError();
__leave;
}


//   create   Authenticated   users   well-known   group   SID
if   (!AllocateAndInitializeSid(&sia,   1,   SECURITY_AUTHENTICATED_USER_RID,
0,   0,   0,   0,   0,   0,   0,   &pSidWorld))
{
lRes   =   GetLastError();
__leave;
}

//   fill   an   entry   for   the   SYSTEM   account
ea[0].grfAccessMode   =   GRANT_ACCESS;
ea[0].grfAccessPermissions   =   FILE_ALL_ACCESS;
ea[0].grfInheritance   =   OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[0].Trustee.MultipleTrusteeOperation   =   NO_MULTIPLE_TRUSTEE;
ea[0].Trustee.pMultipleTrustee   =   NULL;
ea[0].Trustee.TrusteeForm   =   TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType   =   TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName   =   (LPTSTR)pSidSystem;

//   fill   an   entry   entries   for   the   Administrators   alias
ea[1].grfAccessMode   =   GRANT_ACCESS;
ea[1].grfAccessPermissions   =   FILE_ALL_ACCESS;
ea[1].grfInheritance   =   OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[1].Trustee.MultipleTrusteeOperation   =   NO_MULTIPLE_TRUSTEE;
ea[1].Trustee.pMultipleTrustee   =   NULL;
ea[1].Trustee.TrusteeForm   =   TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType   =   TRUSTEE_IS_ALIAS;
ea[1].Trustee.ptstrName   =   (LPTSTR)pSidAdmins;

//   fill   an   entry   for   the   Authenticated   users   well-known   group
ea[2].grfAccessMode   =   GRANT_ACCESS;
ea[2].grfAccessPermissions   =   FILE_GENERIC_READ|FILE_GENERIC_WRITE   ;
ea[2].grfInheritance   =   OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[2].Trustee.MultipleTrusteeOperation   =   NO_MULTIPLE_TRUSTEE;
ea[2].Trustee.pMultipleTrustee   =   NULL;
ea[2].Trustee.TrusteeForm   =   TRUSTEE_IS_SID;
ea[2].Trustee.TrusteeType   =   TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[2].Trustee.ptstrName   =   (LPTSTR)pSidWorld;


//   create   a   DACL
lRes   =   SetEntriesInAcl(3,   ea,   NULL,   &pDacl);
if   (lRes   !=   ERROR_SUCCESS)
__leave;

//   initialize   security   descriptor
if(!InitializeSecurityDescriptor(&SecDesc,   SECURITY_DESCRIPTOR_REVISION))
__leave   ;

if(!SetSecurityDescriptorDacl(&SecDesc,   TRUE,   pDacl,   FALSE))
__leave   ;

//   assign   security   descriptor   to   the   key
//lRes   =   RegSetKeySecurity(hKey,   DACL_SECURITY_INFORMATION,   &SecDesc);

lRes   =   SR_SetFileSecurityRecursive(szPath,   DACL_SECURITY_INFORMATION,   &SecDesc);
//lRes   =   SetFileSecurity(szPath,   DACL_SECURITY_INFORMATION,   &SecDesc);


}
__finally
{
if   (pSidSystem   !=   NULL)
FreeSid(pSidSystem);
if   (pSidAdmins   !=   NULL)
FreeSid(pSidAdmins);
if   (pSidWorld   !=   NULL)
FreeSid(pSidWorld);
if   (pDacl   !=   NULL)
LocalFree((HLOCAL)pDacl);
}

SetLastError(lRes);
return   lRes   !=   ERROR_SUCCESS;
}  


Command   what   is   yours
Conquer   what   is   not

==========================================================
我解決了，在MSDN里找到的
(取自MSDN）

#define   _WIN32_WINNT   0x0500

#include   <windows.h>
#include   <sddl.h>
#include   <stdio.h>

BOOL   CreateMyDACL(SECURITY_ATTRIBUTES   *);

void   main()
{
SECURITY_ATTRIBUTES     sa;

sa.nLength   =   sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle   =   FALSE;    

//   Call   function   to   set   the   DACL.   The   DACL
//   is   set   in   the   SECURITY_ATTRIBUTES  
//   lpSecurityDescriptor   member.
if   (!CreateMyDACL(&sa))
{
//   Error   encountered;   generate   message   and   exit.
printf( "Failed   CreateMyDACL\n ");
exit(1);
}

//   Use   the   updated   SECURITY_ATTRIBUTES   to   specify
//   security   attributes   for   securable   objects.
//   This   example   uses   security   attributes   during
//   creation   of   a   new   directory.
if   (0   ==   CreateDirectory(TEXT( "C:\\MyFolder "),   &sa))
{
//   Error   encountered;   generate   message   and   exit.
printf( "Failed   CreateDirectory\n ");
exit(1);
}

//   Free   the   memory   allocated   for   the   SECURITY_DESCRIPTOR.
if   (NULL   !=   LocalFree(sa.lpSecurityDescriptor))
{
//   Error   encountered;   generate   message   and   exit.
printf( "Failed   LocalFree\n ");
exit(1);
}
}

BOOL   CreateMyDACL(SECURITY_ATTRIBUTES   *   pSA)
{
TCHAR   *   szSD   =   TEXT( "D: ")               //   Discretionary   ACL
TEXT( "(D;OICI;GA;;;BG) ")           //   Deny   access   to   built-in   guests
TEXT( "(D;OICI;GA;;;AN) ")           //   Deny   access   to   anonymous   logon
TEXT( "(A;OICI;GRGWGX;;;AU) ")   //   Allow   read/write/execute   to   authenticated   users
TEXT( "(A;OICI;GA;;;BA) ");         //   Allow   full   control   to   administrators

if   (NULL   ==   pSA)
return   FALSE;

return   ConvertStringSecurityDescriptorToSecurityDescriptor(
szSD,
SDDL_REVISION_1,
&(pSA-> lpSecurityDescriptor),
NULL);
}