c++ - What does the mandatory integrity level value 0x2010 stand for?

Tags: c++ c windows winapi kernel32

I am running the following code snippet in my user-mode process, which is started when a Windows user account logs on to the workstation. In other words, its path is listed under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

The code is supposed to determine the mandatory integrity level of my user process. It goes like this:

#include <windows.h>
#include <new>

DWORD getMIL()
{
    //Try to get integrity level
    //(DWORD)-1                                     Unknown
    //SECURITY_MANDATORY_UNTRUSTED_RID              0x00000000 Untrusted.
    //SECURITY_MANDATORY_LOW_RID                    0x00001000 Low integrity.
    //SECURITY_MANDATORY_MEDIUM_RID                 0x00002000 Medium integrity.
    //SECURITY_MANDATORY_MEDIUM_PLUS_RID            SECURITY_MANDATORY_MEDIUM_RID + 0x100 Medium high integrity.
    //SECURITY_MANDATORY_HIGH_RID                   0x00003000 High integrity.
    //SECURITY_MANDATORY_SYSTEM_RID                 0x00004000 System integrity.
    //SECURITY_MANDATORY_PROTECTED_PROCESS_RID      0x00005000 Protected process.
    DWORD dwIntgtyLvl = (DWORD)-1;

    HANDLE hToken;
    if(OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &hToken))
    {
        //First call with a NULL buffer only asks for the required buffer size
        DWORD dwSizeIntgtyLvl = 0;
        if(!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwSizeIntgtyLvl) &&
            ::GetLastError() == ERROR_INSUFFICIENT_BUFFER)
        {
            //Plain new[] throws on failure; nothrow makes the NULL check below meaningful
            BYTE* pbIntgtyLvl = new (std::nothrow) BYTE[dwSizeIntgtyLvl];
            if(pbIntgtyLvl)
            {
                TOKEN_MANDATORY_LABEL* pTML = (TOKEN_MANDATORY_LABEL*)pbIntgtyLvl;
                DWORD dwSizeIntgtyLvl2 = 0;
                if(GetTokenInformation(hToken, TokenIntegrityLevel, pTML, dwSizeIntgtyLvl, &dwSizeIntgtyLvl2) &&
                    dwSizeIntgtyLvl2 <= dwSizeIntgtyLvl)
                {
                    //The integrity RID is the last sub-authority of the mandatory label SID
                    dwIntgtyLvl = *GetSidSubAuthority(pTML->Label.Sid,
                        (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTML->Label.Sid)-1));
                }

                //Free mem
                delete[] pbIntgtyLvl;
                pbIntgtyLvl = NULL;
            }
        }

        ::CloseHandle(hToken);
    }

    return dwIntgtyLvl;
}

In the normal flow of events I expect to get the value 0x2000 for SECURITY_MANDATORY_MEDIUM_RID, or 0x3000 for SECURITY_MANDATORY_HIGH_RID, but if I am already logged in with one Windows user account, then switch users and log in with another user account, the method above gives me a mandatory integrity level value of 0x2010.

Does anyone know what this value stands for?

Best answer

It is described at the bottom of the MSDN page Windows Integrity Mechanism Design:

The RIDs are separated by intervals of 0x1000 to allow for definition of additional levels in the future. The separation also allows assigning an integrity level to a process that is slightly higher than medium: for example, to meet specific system design goals.

...

Applications that are launched with UIAccess rights for a standard user are assigned a slightly higher integrity level value in the access token. The access token integrity level for the UIAccess application for a standard user is the value of medium integrity level, plus an increment of 0x10. The higher integrity level for UIAccess applications prevents other processes on the same desktop at the medium integrity level from opening the UIAccess process object.
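The practical consequence of the answer is that integrity RIDs should be interpreted by their 0x1000 band and compared with ordering, not tested for exact equality: 0x2010 is still "medium" for access-check purposes, it just sits 0x10 above the base value. The following is an added example, not code from the question or the answer. The names describeIntegrityRid, atLeastLevel, queryCurrentToken and kUiAccessIncrement are my own; the RID constants mirror the SECURITY_MANDATORY_*_RID values in winnt.h, and the token query (which also reads the TokenUIAccess flag to confirm the explanation) is compiled only on Windows, with a constructed sample value of 0x2010 used elsewhere so the classification logic runs on any host.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#ifdef _WIN32
#include <windows.h>
#endif

// SECURITY_MANDATORY_*_RID values as defined in winnt.h.
constexpr uint32_t kUntrustedRid  = 0x0000;
constexpr uint32_t kLowRid        = 0x1000;
constexpr uint32_t kMediumRid     = 0x2000;
constexpr uint32_t kMediumPlusRid = kMediumRid + 0x100;
constexpr uint32_t kHighRid       = 0x3000;
constexpr uint32_t kSystemRid     = 0x4000;
constexpr uint32_t kProtectedRid  = 0x5000;
// Increment the MSDN design document says UIAccess adds to a standard user's
// medium level (0x2000 + 0x10 = 0x2010). Name is mine, not a Windows constant.
constexpr uint32_t kUiAccessIncrement = 0x10;

struct IntegrityInfo {
    uint32_t band;        // 0x1000-aligned base level the RID falls in
    uint32_t offset;      // rid - band; 0 for a plain level
    const char* name;     // human-readable band name
    bool uiAccessOffset;  // band is medium and offset is exactly 0x10
};

// Classify by band, not by exact value: only the bits above 0xFFF pick the level.
IntegrityInfo describeIntegrityRid(uint32_t rid) {
    IntegrityInfo info;
    info.band = rid & ~0xFFFu;
    info.offset = rid & 0xFFFu;
    switch (info.band) {
        case kUntrustedRid: info.name = "untrusted"; break;
        case kLowRid:       info.name = "low"; break;
        case kMediumRid:    info.name = (rid == kMediumPlusRid) ? "medium-plus" : "medium"; break;
        case kHighRid:      info.name = "high"; break;
        case kSystemRid:    info.name = "system"; break;
        case kProtectedRid: info.name = "protected-process"; break;
        default:            info.name = "unknown"; break;
    }
    info.uiAccessOffset = (info.band == kMediumRid && info.offset == kUiAccessIncrement);
    return info;
}

// Integrity levels are ordered: a higher RID dominates a lower one. Gate with
// >=, never ==, so 0x2010 still counts as "at least medium".
bool atLeastLevel(uint32_t rid, uint32_t requiredBand) {
    return rid >= requiredBand;
}

#ifdef _WIN32
// Windows-only: read the integrity RID and the UIAccess flag from our own token.
bool queryCurrentToken(uint32_t* rid, bool* uiAccess) {
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) return false;
    bool ok = false;
    DWORD size = 0;
    GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &size);
    if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) {
        BYTE* buf = new (std::nothrow) BYTE[size];
        if (buf) {
            TOKEN_MANDATORY_LABEL* tml = reinterpret_cast<TOKEN_MANDATORY_LABEL*>(buf);
            DWORD got = 0;
            if (GetTokenInformation(hToken, TokenIntegrityLevel, tml, size, &got)) {
                // The integrity RID is the last sub-authority of the label SID.
                DWORD count = *GetSidSubAuthorityCount(tml->Label.Sid);
                *rid = *GetSidSubAuthority(tml->Label.Sid, count - 1);
                // TokenUIAccess yields a nonzero DWORD when the token has UIAccess.
                DWORD flag = 0, flagSize = sizeof(flag);
                if (GetTokenInformation(hToken, TokenUIAccess, &flag, flagSize, &flagSize)) {
                    *uiAccess = (flag != 0);
                    ok = true;
                }
            }
            delete[] buf;
        }
    }
    CloseHandle(hToken);
    return ok;
}
#endif

int main() {
#ifdef _WIN32
    uint32_t rid = 0; bool ui = false;
    if (!queryCurrentToken(&rid, &ui)) { std::puts("token query failed"); return 1; }
#else
    // Constructed sample: the value reported in the question, for non-Windows hosts.
    uint32_t rid = 0x2010; bool ui = true;
#endif
    IntegrityInfo info = describeIntegrityRid(rid);
    std::printf("rid=0x%04x band=%s offset=0x%x uiaccess-offset=%d token-UIAccess=%d\n",
                (unsigned)rid, info.name, (unsigned)info.offset,
                info.uiAccessOffset ? 1 : 0, ui ? 1 : 0);
    return 0;
}
```

On a Windows host, running this from a UIAccess-enabled, properly signed application launched by a standard user should print band=medium with offset=0x10 and token-UIAccess=1; an ordinary medium process prints offset=0x0 and token-UIAccess=0, which is the check that distinguishes the two cases the question describes.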

Regarding "c++ - What does the mandatory integrity level value 0x2010 stand for?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/31151139/
