为什么在使用 ExitWindowsEx 之前需要添加 SE_SHUTDOWN_NAME 权限 [英] Why do we need to add SE_SHUTDOWN_NAME privilege before using ExitWindowsEx
问题描述
在我们可以使用ExitWindowsEx函数关闭计算机之前,我们必须像这样为进程添加SE_SHUTDOWN_NAME权限:
Before we can use the ExitWindowsEx function for shutting down the computer, we must add the SE_SHUTDOWN_NAME privilege to the process like this:
HANDLE hToken = NULL;
LUID luid;
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
LookupPrivilegeValue(L"", SE_SHUTDOWN_NAME, &luid);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, 0);
ExitWindowsEx(EWX_REBOOT, 0);
这工作得很好.
我知道这是设计使然,但我不明白 Microsoft 决定在使用 ExitWindowsEx 函数之前必须启用特权的动机是什么.它显然不是为了防止进程重新启动计算机而设计的,因为重新启动所需要做的就是将 SE_SHUTDOWN_NAME 添加到进程并调用 ExitWindowsEx.
I know that this is by design, but I don't understand what's the motivation of Microsoft for deciding that a privilege must be enabled before the ExitWindowsEx function can be used. It's obviously not designed to prevent a process from rebooting the computer, because all it needs to do for rebooting is adding the SE_SHUTDOWN_NAME to the process and call ExitWindowsEx.
Windows 开发术语本可以将上面的代码直接放入 ExitWindowsEx 函数中.
The Windows developpment term could have put the code above directly into the ExitWindowsEx function.
推荐答案
你不需要添加它(你不能给你当前的令牌添加一个权限),你需要启用
You don't need to add it (you can't add a privilege to your current token), you need to enable it.
默认情况下大多数权限是禁用的,可能是为了避免意外使用(就像文件的只读属性一样).没有必要在任何时候都启用特权的情况下到处跑,让 ExitWindowsEx 函数自己启用它会破坏与其他特权相关函数的一致性.
Most privileges are disabled by default, probably to avoid an accidental use (just like the read-only attribute on files). There's no need to run around with the privilege enabled at all times, and having the ExitWindowsEx function enable it by itself would break consistency with other privilege-dependent functions.
这篇关于为什么在使用 ExitWindowsEx 之前需要添加 SE_SHUTDOWN_NAME 权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
