
About the MSDN code example, “Enabling and Disabling Privileges”

The MSDN article Enabling and Disabling Privileges in C++ provides a code example showing how to enable or disable a privilege in an access token.

I quote the part in question:

TOKEN_PRIVILEGES tp;                    // passed to AdjustTokenPrivileges() as NewState
tp.PrivilegeCount = 1;                  // exactly one privilege is adjusted
tp.Privileges[0].Luid = luid;           // LUID returned by LookupPrivilegeValue()
if (bEnablePrivilege)
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
    tp.Privileges[0].Attributes = 0;    // the value in question

According to the documentation of TOKEN_PRIVILEGES structure, the attributes of a privilege can be a combination of the following values:

  • SE_PRIVILEGE_ENABLED (it is in WinNT.h)
  • SE_PRIVILEGE_ENABLED_BY_DEFAULT (it is in WinNT.h)
  • SE_PRIVILEGE_REMOVED (it is in WinNT.h)
  • SE_PRIVILEGE_USED_FOR_ACCESS (it is in WinNT.h)

So, we don't see any valid constant with a value of zero. I guess the zero is equal to SE_PRIVILEGE_REMOVED.

Once more, if the zero means disabling all privileges, I doubt it, because disabling all privileges can be done simply by setting the DisableAllPrivileges parameter of AdjustTokenPrivileges() to TRUE.

Could anybody here explain what the zero value really does?

There's a difference between disabling a privilege, which allows you to enable it again later, and removing a privilege from the token. Removing the privilege means that it cannot be later re-enabled.

Passing zero means that the SE_PRIVILEGE_ENABLED bit is not set, therefore that privilege is disabled.

Tokens contain a number of privileges when they're created. The SeChangeNotifyPrivilege, known as 'Bypass traverse checking' in the User Rights Assignment section of Local Security Policy/Group Policy, is always enabled by default, and shouldn't ever be disabled (see KB823659 for details). Therefore the DisableAllPrivileges parameter isn't actually useful.

User Account Control (Windows Vista and later) takes the raw logon token, clones it, and uses the SE_PRIVILEGE_REMOVED flag to create the 'filtered token' that is used to start the shell. The raw token is then hidden away so that the 'Run as Administrator' feature can use it to start programs.

You can see the privileges enabled in the process token using Sysinternals Process Explorer.

If SE_PRIVILEGE_REMOVED were equivalent to zero it would be defined as such. Given the definitions that are there, I would suggest that a zero value means no privileges have ever been enabled, or subsequently used/removed: there are, and never have been, any token privileges.
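The following program is an added example, not code from the MSDN article or from either answer above. It applies the three attribute values discussed here (SE_PRIVILEGE_ENABLED, 0 and SE_PRIVILEGE_REMOVED) to one privilege on its own process token and reads the token back after each step with GetTokenInformation, so the difference between "disabled" (Attributes = 0, re-enable works) and "removed" (privilege gone, re-enable fails with ERROR_NOT_ALL_ASSIGNED) shows up in the output. It assumes SeShutdownPrivilege is present in the token, which holds for an ordinary workstation user; on a host where it is absent, the program reports that instead. Off Windows, only the two decoding helpers compile, with stand-in definitions of the WinNT.h constants.

```cpp
// Added example: enable, disable, remove and re-enable one privilege on this
// process's own token, reading the attributes back after each step.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

#ifdef _WIN32
#define NOMINMAX
#include <windows.h>
#else
// Stand-ins so the helpers compile and can be tested on a non-Windows host;
// the constant values are the ones from WinNT.h.
typedef uint32_t DWORD;
typedef int32_t LONG;
struct LUID { DWORD LowPart; LONG HighPart; };
struct LUID_AND_ATTRIBUTES { LUID Luid; DWORD Attributes; };
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001u
#define SE_PRIVILEGE_ENABLED            0x00000002u
#define SE_PRIVILEGE_REMOVED            0x00000004u
#define SE_PRIVILEGE_USED_FOR_ACCESS    0x80000000u
#endif

// Decode a privilege's Attributes word. A cleared SE_PRIVILEGE_ENABLED bit
// (including the plain 0 the MSDN snippet writes) means "disabled".
std::string describe_attributes(DWORD attrs) {
    std::string out = (attrs & SE_PRIVILEGE_ENABLED) ? "Enabled" : "Disabled";
    if (attrs & SE_PRIVILEGE_ENABLED_BY_DEFAULT) out += "|Enabled by default";
    if (attrs & SE_PRIVILEGE_REMOVED)            out += "|Removed";
    if (attrs & SE_PRIVILEGE_USED_FOR_ACCESS)    out += "|Used for access";
    return out;
}

// Find one privilege in a token's privilege array by LUID. Returns false when
// it is not in the array at all, which is how a removed privilege shows up.
bool lookup_attributes(const std::vector<LUID_AND_ATTRIBUTES>& privs,
                       LUID luid, DWORD* attrs) {
    for (const LUID_AND_ATTRIBUTES& p : privs) {
        if (p.Luid.LowPart == luid.LowPart && p.Luid.HighPart == luid.HighPart) {
            *attrs = p.Attributes;
            return true;
        }
    }
    return false;
}

#ifdef _WIN32
// Copy the token's current privilege array (TokenPrivileges class).
static std::vector<LUID_AND_ATTRIBUTES> read_privileges(HANDLE token) {
    DWORD size = 0;
    GetTokenInformation(token, TokenPrivileges, nullptr, 0, &size);
    std::vector<unsigned char> buf(size);
    if (!GetTokenInformation(token, TokenPrivileges, buf.data(), size, &size)) return {};
    const TOKEN_PRIVILEGES* tp = reinterpret_cast<const TOKEN_PRIVILEGES*>(buf.data());
    return std::vector<LUID_AND_ATTRIBUTES>(tp->Privileges,
                                            tp->Privileges + tp->PrivilegeCount);
}

// Apply one Attributes value to one privilege, as the MSDN snippet does.
// AdjustTokenPrivileges returns TRUE even when it could not adjust the
// privilege (ERROR_NOT_ALL_ASSIGNED), so GetLastError must be checked too.
static bool adjust(HANDLE token, LUID luid, DWORD attributes) {
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = attributes;
    if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), nullptr, nullptr)) return false;
    return GetLastError() == ERROR_SUCCESS;
}

static void step(HANDLE token, LUID luid, DWORD attributes, const char* label) {
    bool ok = adjust(token, luid, attributes);
    DWORD attrs = 0;
    if (lookup_attributes(read_privileges(token), luid, &attrs))
        printf("%-28s adjust=%-6s attributes=0x%08lx (%s)\n", label, ok ? "ok" : "FAILED",
               (unsigned long)attrs, describe_attributes(attrs).c_str());
    else
        printf("%-28s adjust=%-6s privilege no longer in token\n", label, ok ? "ok" : "FAILED");
}

int main() {
    HANDLE token = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return 1;
    // Assumption: SeShutdownPrivilege is in the token (true for a workstation
    // user) and disabled by default. Only this process's token is changed.
    LUID luid;
    if (!LookupPrivilegeValue(nullptr, SE_SHUTDOWN_NAME, &luid)) return 1;
    step(token, luid, SE_PRIVILEGE_ENABLED, "SE_PRIVILEGE_ENABLED");
    step(token, luid, 0,                    "Attributes = 0");
    step(token, luid, SE_PRIVILEGE_ENABLED, "SE_PRIVILEGE_ENABLED again");
    step(token, luid, SE_PRIVILEGE_REMOVED, "SE_PRIVILEGE_REMOVED");
    step(token, luid, SE_PRIVILEGE_ENABLED, "enable after removal");
    CloseHandle(token);
    return 0;
}
#else
int main() {
    // No token to adjust off Windows; exercise the decoder only.
    printf("0 -> %s\n", describe_attributes(0).c_str());
    return 0;
}
#endif
```

Run as a normal user on Windows: the second step reports attributes 0x00000000 (Disabled) yet the third step enables the privilege again, while after the SE_PRIVILEGE_REMOVED step the privilege is no longer in the array and the final enable fails. That is the distinction the first answer draws: 0 is a reversible disable, SE_PRIVILEGE_REMOVED is not.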
