如何不以管理员身份创建流程 [英] How to CreateProcess NOT as administrator

问题描述

我们的模块之一是可执行文件，将始终以管理员身份运行(在获得用户许可后).其屏幕之一允许用户运行其他可执行文件，该代码当前由CreateProcess执行.问题在于，由于第一个进程以admin身份运行，因此CreateProcess的第二个进程也以admin身份运行.这是不受欢迎的，因为这是一个安全漏洞(第二种方法可以打开在这种情况下不应该具有管理员权限的浏览对话框).如何在没有管理员权限的情况下第二次运行?我不希望将清单附加到第二个exe文件，该清单文件表示它不希望具有管理员权限，因为在某些情况下(不是来自第一个exe文件)，它应该以管理员权限运行.我本来希望CreateProcess允许控制对子进程的特权，但是找不到与此相关的任何文档.

One of our modules is an executable that will always be run as administrator (after getting permission from user). One of its screens allows the user to run a different executable, which the code currently does by CreateProcess. The problem is that since the first process is running as admin, CreateProcess has the second process run as admin also. This is undesirable because it is a security breach (the second process can open browse dialogs that should not have admin privileges in this scenario). How do I get the second to run without admin privileges? I do NOT want attach a manifest to the second exe that says it does not want admin privileges because under certain circumstances (not from the first exe), it SHOULD be run with admin privileges. I would have expected CreateProcess to allow control over the privileges to be given to the child process, but can not find any documentation for this. Help!

推荐答案

我想大概的想法是创建一个受限制的令牌，然后调用CreateProcessWithToken()
(或类似)用于第二个进程

I guess the rough idea is to create a restricted token, and the call CreateProcessWithToken()
( or similar ) for the second process

这篇关于如何不以管理员身份创建流程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！