AdjustTokenPrivileges可以提升作为管理员的特权吗? [英] Can AdjustTokenPrivileges elevate the privilege as Administrator?

问题描述

需要管理员特权的Windows下的程序在启动时必须获得用户的许可.而且，还可以通过右键单击EXE并选择以管理员身份运行"，以管理员权限运行.但是，在EXE启动之前，将显示一个消息框.真令人恶心.

现在，我希望我的应用程序以管理员身份运行，并且我不希望用户单击EXE文件时出现弹出消息框.

现在，我想知道AdjustTokenPrivileges函数是否可以帮助我实现这一目标.

有人可以帮助我吗?

解决方案

您在权利和特权之间感到困惑.至少从Windows API的角度来看，两者是完全不同的(尽管在很多时候，至少在处理在Windows上可以做什么"时，它们被视为同义词).

您真正要寻找的是提升权利的能力.缺少系统安全模型中的某些缺陷，您不应该能够做到这一点.为了获得管理权限，目的是使代码必须在管理帐户下运行-通过最初以管理员身份登录的用户，或者通过他们在运行时输入凭据来实现，如您所见. >

特权(实际上是AdjustTokenPrivileges所操纵的)是您具有权利的事情，但在没有明确启用特权的情况下仍然不能执行.例如，假设您以管理员身份开始登录.这给您正确来调整系统时钟-但是调整系统时钟是普通程序几乎没有理由要做的事情，因此在您可以执行之前，他们增加了一个额外的步骤-您需要先启用SE_SYSTEMTIME特权，然后才能使用该权限.

如果您使用的帐户没有权利来更改系统时间，那么您将无法执行此操作.如果您登录的帐户可以 进行更改，则必须先启用特权，然后才能进行操作.

底线:AdjustTokenPrivileges无法完成您要尝试的操作.

Programs under windows need administrator privilege must get user's permission when they start. And they can also run with administrator privilege by right click the EXE and select "Run as Administrator". But, before the EXE start, a message box will show up. It's really disgusting.

Now I want my application to run as the Administrator, and I don't want the popup message box when user click the EXE file.

Now I wonder whether the AdjustTokenPrivileges function can help me achieve this.

Any one can help me?

解决方案

You're getting confused between rights and privileges. At least from the viewpoint of the Windows API, the two are entirely different (though they're otherwise treated as synonymous a great deal of the time, at least when dealing with "what you can do on Windows").

What you're really looking for is the ability to elevate rights. Short of some defect in the security model of the system, you shouldn't be able to do this. To get administrative rights, the intent is that the code should have to run under an administrative account -- either by the user initially logging in as an administrator, or else by them entering the credentials at run time as you've seen.

Privileges (which are what AdjustTokenPrivileges actually manipulates) are things you have the right to do, but still aren't allowed to do without specifically enabling that privilege. For example, let's assume you start out logged in as an administrator. That gives you the right to adjust the system clock -- but adjusting the system clock is something normal programs almost never have a reason to do, so they added an extra step, before you can do it -- you need to enable the SE_SYSTEMTIME privilege before you can make use of that right.

If you're logged in under an account that doesn't have the right to change the system time, you simply can't do it. If you're logged into an account that can change it, you have to enable the privilege first before you can do it.

Bottom line: AdjustTokenPrivileges won't accomplish what you're trying to do.

这篇关于AdjustTokenPrivileges可以提升作为管理员的特权吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！