I have a user token copied from a restricted, UAC-launched process, and I want to remove the deny-only group SIDs from it. How do I do that? If I call SetTokenInformation with the TOKEN_GROUPS information class, I get an invalid-parameter error.
Thanks.
Best answer
It turns out there is a supported way to do this. Basically you need to do a double indirection to make it work. First, you want to use WTSQueryUserToken to get the user token for the session. Next, you need to use GetTokenInformation to get the associated administrative user token (look for the TokenLinkedToken information class). Now that you have the admin token, you can call CreateProcessAsUser with that token. If you need an environment block, you can call CreateEnvironmentBlock to get the right environment variables.
Here is a piece of VB code I got from a colleague (who passed along this tip):
Public Function StartAppInSessionAsAdmin(ByVal SessionID As String, ByVal WinstationName As String, ByVal AppName As String) As Integer
    Dim hToken As IntPtr
    Dim hLinkedToken As IntPtr
    Dim bRet As Boolean
    Dim pi As New PROCESS_INFORMATION
    Dim si As New STARTUPINFO
    Dim err As Integer
    Dim iret As Integer
    Dim lpEB As IntPtr
    Dim TLT As New TOKEN_LINKED_TOKEN
    Dim TLTSize As Integer
    Dim retSize As Integer
    ' Desktop the new process attaches to, normally "Winsta0\default"
    si.lpDesktop = WinstationName
    si.cb = Marshal.SizeOf(si)
    ' TOKEN_LINKED_TOKEN holds a single HANDLE, so the buffer is one IntPtr wide
    TLTSize = Marshal.SizeOf(TLT.LinkedToken)
    ' Get the (UAC-filtered) primary token of the user logged on to SessionID.
    ' Needs SE_TCB_NAME, i.e. this normally runs inside a LocalSystem service.
    bRet = WTSQueryUserToken(Integer.Parse(SessionID), hToken)
    If Not bRet Then
        err = Marshal.GetLastWin32Error
        GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "WTSQueryUserToken failed with error " & err.ToString, 5)
        Return err
    End If
    ' Ask the filtered token for its linked (full administrator) token. With the
    ' buffer argument declared ByRef As IntPtr the handle lands in hLinkedToken.
    bRet = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenLinkedToken, hLinkedToken, TLTSize, retSize)
    If Not bRet Then
        err = Marshal.GetLastWin32Error
        GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "GetTokenInformation(TokenLinkedToken) failed with error " & err.ToString, 5)
        CloseHandle(hToken)
        Return err
    End If
    ' Build the environment block from the ORIGINAL user token so the new process
    ' sees the user's own environment variables, not those of the service.
    bRet = CreateEnvironmentBlock(lpEB, hToken, False)
    If bRet Then
        ' 1072 = &H430 = CREATE_UNICODE_ENVIRONMENT Or NORMAL_PRIORITY_CLASS Or CREATE_NEW_CONSOLE
        iret = CreateProcessAsUser(hLinkedToken, Nothing, AppName, 0, 0, False, 1072, lpEB, Nothing, si, pi)
        If iret <> 0 Then
            err = 0
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser succeeded", 2)
            CloseHandle(pi.hThread)
            CloseHandle(pi.hProcess)
        Else
            err = Marshal.GetLastWin32Error
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser failed with error " & err.ToString, 5)
        End If
        DestroyEnvironmentBlock(lpEB)
    Else
        err = Marshal.GetLastWin32Error
    End If
    CloseHandle(hLinkedToken)
    CloseHandle(hToken)
    Return err
End Function
He also wrote a blog post with more information: http://blogs.msdn.com/b/itasupport/archive/2010/03/29/uac-bypass-o-meglio-il-modo-supportato-e-by-design-di-aggirare-la-uac.aspx
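The same four steps in C# with the P/Invoke declarations spelled out, as an added example that is not part of the original answer or the colleague's code. It adds the checks a practitioner would want: it queries TokenElevationType first and only asks for the linked token when the session token is actually UAC-filtered (TokenElevationTypeLimited), it builds the environment block from the original user token as the answer recommends, and it releases every handle on every path. It assumes it runs inside a service as LocalSystem, because WTSQueryUserToken requires SE_TCB_NAME; holding SeTcbPrivilege is also what makes the linked token a usable primary token, since a caller without it only receives an identification-level copy that CreateProcessAsUser rejects. This is also why the question's direct route fails: the SID list of an existing token is not a settable information class, so the filtered token has to be swapped for its linked token rather than edited. The class and method names are this example's own.

```csharp
// Added example (C#, P/Invoke), not code from the original post. Assumes the
// caller runs as a LocalSystem service (SE_TCB_NAME) on a UAC-enabled machine.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class LinkedTokenLauncher
{
    const uint CREATE_UNICODE_ENVIRONMENT = 0x00000400;
    const uint CREATE_NEW_CONSOLE = 0x00000010;
    const uint NORMAL_PRIORITY_CLASS = 0x00000020;

    enum TOKEN_INFORMATION_CLASS { TokenElevationType = 18, TokenLinkedToken = 19 }
    enum TOKEN_ELEVATION_TYPE { Default = 1, Full = 2, Limited = 3 }

    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_LINKED_TOKEN { public IntPtr LinkedToken; }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSQueryUserToken(uint sessionId, out IntPtr phToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, TOKEN_INFORMATION_CLASS cls, out int info, int len, out int retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr hToken, TOKEN_INFORMATION_CLASS cls, out TOKEN_LINKED_TOKEN info, int len, out int retLen);
    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool CreateEnvironmentBlock(out IntPtr lpEnvironment, IntPtr hToken, bool bInherit);
    [DllImport("userenv.dll", SetLastError = true)]
    static extern bool DestroyEnvironmentBlock(IntPtr lpEnvironment);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string appName, string cmdLine, IntPtr procAttrs, IntPtr threadAttrs,
        bool inheritHandles, uint flags, IntPtr env, string curDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    // Starts commandLine on the interactive desktop of sessionId with the user's
    // unfiltered (linked administrator) token and returns the new process id.
    public static int StartElevatedInSession(uint sessionId, string commandLine)
    {
        IntPtr hUser = IntPtr.Zero, hLinked = IntPtr.Zero, env = IntPtr.Zero;
        try
        {
            // 1. Filtered primary token of the interactive user (needs SE_TCB_NAME).
            if (!WTSQueryUserToken(sessionId, out hUser))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "WTSQueryUserToken");

            // 2. Only a UAC-filtered token has a linked token. A standard user has no
            //    admin half, and with UAC off the token is already unfiltered, so in
            //    those cases the session token is used as-is.
            if (!GetTokenInformation(hUser, TOKEN_INFORMATION_CLASS.TokenElevationType, out int elev, sizeof(int), out _))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "TokenElevationType");
            IntPtr hLaunch = hUser;
            if ((TOKEN_ELEVATION_TYPE)elev == TOKEN_ELEVATION_TYPE.Limited)
            {
                if (!GetTokenInformation(hUser, TOKEN_INFORMATION_CLASS.TokenLinkedToken, out TOKEN_LINKED_TOKEN tlt,
                        Marshal.SizeOf<TOKEN_LINKED_TOKEN>(), out _))
                    throw new Win32Exception(Marshal.GetLastWin32Error(), "TokenLinkedToken");
                hLinked = tlt.LinkedToken;   // the caller owns this handle and must close it
                hLaunch = hLinked;
            }

            // 3. Environment from the ORIGINAL user token, so %USERPROFILE% etc. are the user's.
            if (!CreateEnvironmentBlock(out env, hUser, false))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateEnvironmentBlock");

            // 4. Launch on the interactive desktop with the chosen token.
            var si = new STARTUPINFO { lpDesktop = @"winsta0\default" };
            si.cb = Marshal.SizeOf<STARTUPINFO>();
            if (!CreateProcessAsUser(hLaunch, null, commandLine, IntPtr.Zero, IntPtr.Zero, false,
                    CREATE_UNICODE_ENVIRONMENT | CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS,
                    env, null, ref si, out PROCESS_INFORMATION pi))
                throw new Win32Exception(Marshal.GetLastWin32Error(), "CreateProcessAsUser");
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            return pi.dwProcessId;
        }
        finally
        {
            if (env != IntPtr.Zero) DestroyEnvironmentBlock(env);
            if (hLinked != IntPtr.Zero) CloseHandle(hLinked);
            if (hUser != IntPtr.Zero) CloseHandle(hUser);
        }
    }
}
```

Call it from the service as, for example, `LinkedTokenLauncher.StartElevatedInSession(WTSGetActiveConsoleSessionId(), "cmd.exe")`; the resulting process carries the full administrators group rather than the deny-only SID and will show TokenElevationTypeFull if queried. Because this hands a fully elevated process to whatever user is logged on to that session, expose it only to callers a service would already trust to run as administrator.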
Regarding "windows - How to convert a restricted user token into an unrestricted user token?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/5704537/