Lm th? no ? xc ?nh li?u m?t ch? ? ch?y trong b?i c?nh ng?i dng ti kho?n qu?n tr? ?a phng

D?ch tiu ? D?ch tiu ?
ID c?a bi: 118626 - Xem s?n ph?m m bi ny p d?ng vo.
Bung t?t c? | Thu g?n t?t c?

? Trang ny

TM T?T

? xc ?nh li?u m?t ch? ? ch?y theo m?t ?a phng ti kho?n qu?n tr?, b?n ph?i ki?m tra m? thng bo truy c?p ?c lin k?t v?i ch? ?. Bi vi?t ny m t? lm th? no ? lm i?u ny.

V?i Windows Phin b?n 2000 v sau ny, b?n c th? s? d?ng cc CheckTokenMembership() API thay v? c?a cc b?c ?c m t? trong bi vi?t ny. Cho thng tin thm, xem ti li?u Microsoft n?n t?ng SDK.

THNG TIN THM

Theo m?c ?nh, m? thng bo l lin k?t v?i m?t ch? ? l m c?a qu tr?nh ch?a c?a n. B?i c?nh ng?i dng"ny" superceded b?i b?t k? m? thng bo m ?c g?n tr?c ti?p vo cc ch? ?. V? v?y, ? xc ?nh m?t thread b?i c?nh ng?i dng, ?u tin b?n nn c? g?ng ? c ?c m?t m? thng bo cho ch? ? v?i cc OpenThreadToken ch?c nng. N?u phng php ny khng thnh cng v cc GetLastError ch?c nng bo co ERROR_NO_TOKEN, sau b?n c th? c ?c m? thng bo cho qu tr?nh v?i cc OpenProcessToken ch?c nng.

Sau khi b?n c ?c m? thng bo c?a hi?n t?i ng?i s? d?ng, b?n c th? s? d?ng cc AccessCheck ch?c nng pht hi?n cho d ng?i dng l m?t qu?n tr? vin. ? lm i?u ny, h?y lm theo cc b?c sau:
  1. T?o ra m?t ?nh danh b?o m?t (SID) cho cc ?a phng nhm ng?i qu?n tr? b?ng cch s? d?ng cc AllocateAndInitializeSid ch?c nng.
  2. Xy d?ng m?t m t? b?o m?t m?i (SD) v?i m?t Ty Access Control List (DACL) c ch?a m?t m?c i?u khi?n truy c?p (ACE) cho nhm ng?i qu?n tr? SID.
  3. Cu?c g?i AccessCheck v?i m? thng bo c?a ng?i dng hi?n t?i v v?a ?c xy d?ng SD ? pht hi?n cho d ng?i dng l m?t qu?n tr? vin.
M?u m? sau y s? d?ng cc ch?c nng ?c ? c?p tr?c trong bi vi?t ny ? th? nghi?m cho d cc ch? ? hi?n t?i ang ch?y nh m?t ng?i s? d?ng Ai l ng?i qu?n tr? trn my tnh ?a phng.

Ma mu


#include <windows.h>
#include <stdio.h>
#include <lmcons.h>


BOOL IsCurrentUserLocalAdministrator(void);


void main(int argc, char **argv)
{
   if (IsCurrentUserLocalAdministrator())
      printf("You are an administrator\n");
   else
      printf("You are not an administrator\n");
}



/*-------------------------------------------------------------------------

-
IsCurrentUserLocalAdministrator ()

This function checks the token of the calling thread to see if the caller
belongs to the Administrators group.

Return Value:
   TRUE if the caller is an administrator on the local machine.
   Otherwise, FALSE.
--------------------------------------------------------------------------*

/
BOOL IsCurrentUserLocalAdministrator(void)
{
   BOOL   fReturn         = FALSE;
   DWORD  dwStatus;
   DWORD  dwAccessMask;
   DWORD  dwAccessDesired;
   DWORD  dwACLSize;
   DWORD  dwStructureSize = sizeof(PRIVILEGE_SET);
   PACL   pACL            = NULL;
   PSID   psidAdmin       = NULL;

   HANDLE hToken              = NULL;
   HANDLE hImpersonationToken = NULL;

   PRIVILEGE_SET   ps;
   GENERIC_MAPPING GenericMapping;

   PSECURITY_DESCRIPTOR     psdAdmin           = NULL;
   SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY;


   /*
      Determine if the current thread is running as a user that is a member 

of
      the local admins group.  To do this, create a security descriptor 

that
      has a DACL which has an ACE that allows only local aministrators 

access.
      Then, call AccessCheck with the current thread's token and the 

security
      descriptor.  It will say whether the user could access an object if 

it
      had that security descriptor.  Note: you do not need to actually 

create
      the object.  Just checking access against the security descriptor 

alone
      will be sufficient.
   */
   const DWORD ACCESS_READ  = 1;
   const DWORD ACCESS_WRITE = 2;


   __try
   {

      /*
         AccessCheck() requires an impersonation token.  We first get a 

primary
         token and then create a duplicate impersonation token.  The
         impersonation token is not actually assigned to the thread, but is
         used in the call to AccessCheck.  Thus, this function itself never
         impersonates, but does use the identity of the thread.  If the 

thread
         was impersonating already, this function uses that impersonation 

context.
      */
      if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE|TOKEN_QUERY, 

TRUE, &hToken))
      {
         if (GetLastError() != ERROR_NO_TOKEN)
            __leave;

         if (!OpenProcessToken(GetCurrentProcess(), 

TOKEN_DUPLICATE|TOKEN_QUERY, &hToken))
            __leave;
      }

      if (!DuplicateToken (hToken, SecurityImpersonation, 

&hImpersonationToken))
          __leave;


      /*
        Create the binary representation of the well-known SID that
        represents the local administrators group.  Then create the 

security
        descriptor and DACL with an ACE that allows only local admins 

access.
        After that, perform the access check.  This will determine whether
        the current user is a local admin.
      */
      if (!AllocateAndInitializeSid(&SystemSidAuthority, 2,
                                    SECURITY_BUILTIN_DOMAIN_RID,
                                    DOMAIN_ALIAS_RID_ADMINS,
                                    0, 0, 0, 0, 0, 0, &psidAdmin))
         __leave;

      psdAdmin = LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
      if (psdAdmin == NULL)
         __leave;

      if (!InitializeSecurityDescriptor(psdAdmin, 

SECURITY_DESCRIPTOR_REVISION))
         __leave;

      // Compute size needed for the ACL.
      dwACLSize = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) +
                  GetLengthSid(psidAdmin) - sizeof(DWORD);

      pACL = (PACL)LocalAlloc(LPTR, dwACLSize);
      if (pACL == NULL)
         __leave;

      if (!InitializeAcl(pACL, dwACLSize, ACL_REVISION2))
         __leave;

      dwAccessMask= ACCESS_READ | ACCESS_WRITE;

      if (!AddAccessAllowedAce(pACL, ACL_REVISION2, dwAccessMask, 

psidAdmin))
         __leave;

      if (!SetSecurityDescriptorDacl(psdAdmin, TRUE, pACL, FALSE))
         __leave;

      /*
         AccessCheck validates a security descriptor somewhat; set the 

group
         and owner so that enough of the security descriptor is filled out 

to
         make AccessCheck happy.
      */
      SetSecurityDescriptorGroup(psdAdmin, psidAdmin, FALSE);
      SetSecurityDescriptorOwner(psdAdmin, psidAdmin, FALSE);

      if (!IsValidSecurityDescriptor(psdAdmin))
         __leave;

      dwAccessDesired = ACCESS_READ;

      /*
         Initialize GenericMapping structure even though you
         do not use generic rights.
      */
      GenericMapping.GenericRead    = ACCESS_READ;
      GenericMapping.GenericWrite   = ACCESS_WRITE;
      GenericMapping.GenericExecute = 0;
      GenericMapping.GenericAll     = ACCESS_READ | ACCESS_WRITE;

      if (!AccessCheck(psdAdmin, hImpersonationToken, dwAccessDesired,
                       &GenericMapping, &ps, &dwStructureSize, &dwStatus,
                       &fReturn))
      {
         fReturn = FALSE;
         __leave;
      }
   }
   __finally
   {
      // Clean up.
      if (pACL) LocalFree(pACL);
      if (psdAdmin) LocalFree(psdAdmin);
      if (psidAdmin) FreeSid(psidAdmin);
      if (hImpersonationToken) CloseHandle (hImpersonationToken);
      if (hToken) CloseHandle (hToken);
   }

   return fReturn;
}

Thu?c tnh

ID c?a bi: 118626 - L?n xem xt sau cng: 17 Thang Tam 2011 - Xem xt l?i: 2.0
p d?ng
  • Microsoft Win32 Application Programming Interface
T? kha:
kbapi kbhowto kbkernbase kbsecurity kbmt KB118626 KbMtvi
My d?ch
QUAN TRONG: Bi vi?t ny ?c d?ch b?ng ph?n m?m d?ch my c?a Microsoft ch? khng ph?i do con ng?i d?ch. Microsoft cung c?p cc bi vi?t do con ng?i d?ch v c? cc bi vi?t do my d?ch ? b?n c th? truy c?p vo t?t c? cc bi vi?t trong C s? Ki?n th?c c?a chng ti b?ng ngn ng? c?a b?n. Tuy nhin, bi vi?t do my d?ch khng ph?i lc no c?ng hon h?o. Lo?i bi vi?t ny c th? ch?a cc sai st v? t? v?ng, c php ho?c ng? php, gi?ng nh m?t ng?i n?c ngoi c th? m?c sai st khi ni ngn ng? c?a b?n. Microsoft khng ch?u trch nhi?m v? b?t k? s? thi?u chnh xc, sai st ho?c thi?t h?i no do vi?c d?ch sai n?i dung ho?c do ho?t ?ng s? d?ng c?a khch hng gy ra. Microsoft c?ng th?ng xuyn c?p nh?t ph?n m?m d?ch my ny.
Nh?p chu?t vo y ? xem b?n ti?ng Anh c?a bi vi?t ny:118626

Cung cp Phan hi

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com