在 Windows 上删除 C++ 中的权限

2022-01-04 00:00:00 permissions c++ uac

在 Windows 上运行的 C++ 应用程序是否有可能在运行时放弃特权?

Is it possible for a C++ application running on Windows to drop privileges at runtime?

例如,如果用户以管理员身份启动我的应用程序,但没有理由以管理员身份运行我的应用程序,我可以以某种方式放弃管理员权限吗?

For instance, if a user starts my application as Administrator, but there's no reason to run my application as administrator, can I in some way give up the Administrator-privileges?

简而言之,我想在 main() 函数中编写代码,该函数会删除我不需要的权限(例如,对 Windows 目录的写访问权限).

In short, I would like to write code in the main() function which drops privileges I don't need (for instance, Write access on the Windows directory).

推荐答案

是的,您可以使用 AdjustTokenPrivileges 从您的令牌中删除不需要和危险的权限.如果不是立即需要,您可以禁用(可以稍后启用该权限)或完全从您的令牌中删除一个权限.

Yes, you can use AdjustTokenPrivileges to remove unneeded and dangerous privileges from your token. You can either disable if not immediately needed (the privilege can be enabled later) or remove a privilege from your token altogether.

您还可以通过 CreateRestrictedToken 并重新启动使用该受限令牌运行的应用程序.CreateRestrictedToken 可用于禁用权限并从令牌中删除组(如管理员组).

You can also create a restricted token via CreateRestrictedToken and relaunch your application running with that restricted token. CreateRestrictedToken can be used to disable privileges and remove groups (like Administrators Group) from a token.

您可以使用 AdjustTokenGroups从正在运行的进程的令牌中删除管理员组,但我从未在已经运行的进程上尝试过.

You may be able to use AdjustTokenGroups to remove the administrator group from the token of your running process, but I've never tried this on an already running process.

请注意,对 Windows 目录的写访问权限不包含在特权范围内.系统中的资源具有ACL,用于管理谁拥有使用权.系统和管理员对 Windows 目录具有写访问权限.

Note that write-access to the Windows directory is not covered by a privilege. Resources in the system have ACL's which govern who has access. System and administrators have write-access to the Windows directory.

相关文章