brent's hut

NT下判断用户是否有管理员权限

OK,  Thanks to Loaden found out that my original code to determine whether an user is in Administrators group is totally bullshit.

And after googling for a while, I found something and test it, simply works. I will just paste the code here. Thanks to the author and google and God.

http://www.mihai-nita.net/article.php?artID=20070413a
// IsAdminAPI.cpp : Tests if user is Administrator using plain Win32 API
// Copyright (c) April 2007, Mihai Nita
//

#include 
<wtypes.h>
#include 
<Lm.h>

// for ASSERT
#include <crtdbg.h>

#include 
"IsAdminAPI.h"

bool IsAdminAPI( WCHAR const *szUserName )
{
    _ASSERT(szUserName);

    
bool bAdmin = FALSE;
    LOCALGROUP_USERS_INFO_0
* localGroups;
    DWORD entriesread, totalentries;
    NET_API_STATUS nts 
= NetUserGetLocalGroups( NULL, szUserName, 00, (unsigned char**)&localGroups, MAX_PREFERRED_LENGTH, &entriesread, &totalentries);

    
if( nts != NERR_Success ) {
        NetApiBufferFree(localGroups);
        
return FALSE;
    }

    
// Retrieve the Administrators group well-known SID

    
// For some reason CreateWellKnownSid generates error C3861 on Developer Studio .NET:
    
// error C3861: 'CreateWellKnownSid': identifier not found, even with argument-dependent lookup
    BYTE    SidAuth[] = SECURITY_NT_AUTHORITY;
    PSID    pAdminSid;
    AllocateAndInitializeSid( (PSID_IDENTIFIER_AUTHORITY)SidAuth, 
        
2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 
        NULL, NULL, NULL, NULL, NULL, NULL, 
&pAdminSid );

    
// Will use this to retrieve the SID of the group
    BYTE    buffSid[SECURITY_MAX_SID_SIZE];
    wchar_t    buffDomain[DNLEN
+1];
    DWORD    dwSidSize;
    DWORD    dwDomainSize;
    SID_NAME_USE m_sidnameuse;

    
for( DWORD i = 0; i < entriesread; ++i ) {
        dwSidSize 
= sizeof(buffSid);
        dwDomainSize 
= DNLEN;

        
// Although in general is a bad idea to call directly the W or A versions of API
        
// we do it here to avoid converting the localGroups[i].lgrui0_name back to ANSI
        
// This kind of security API is only present on NT/2000/XP family only, so
        
// the W version is present and safe to use
        if( LookupAccountNameW( NULL, localGroups[i].lgrui0_name, buffSid, &dwSidSize, (LPWSTR)buffDomain, &dwDomainSize, &m_sidnameuse) ) // no sid for the actual group
            if( EqualSid( buffSid, pAdminSid ) ) {
                bAdmin 
= TRUE;
                
break;
            }
    }
    FreeSid( pAdminSid );
    NetApiBufferFree(localGroups);

    
return bAdmin;
}


注意有时我们只需要判断当前process是否以管理员权限运行。貌似可以通过调用GetTokenInformation 和AllocateAndInitializeSid 来判断,

google "Searching for a SID in an Access Token in C++" site:msdn.microsoft.com可找到一段代码, 请自行研究自行测试。

#define MAX_NAME 256

BOOL SearchTokenGroupsForSID (VOID) 
{
DWORD i, dwSize 
= 0, dwResult = 0;
HANDLE hToken;
PTOKEN_GROUPS pGroupInfo;
SID_NAME_USE SidType;
char lpName[MAX_NAME];
char lpDomain[MAX_NAME];
BYTE sidBuffer[
100];
PSID pSID 
= (PSID)&sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth 
= SECURITY_NT_AUTHORITY;
   
// Open a handle to the access token for the calling process.

if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &hToken )) {
    printf( 
"OpenProcessToken Error %u\n", GetLastError() );
    
return FALSE;
}

// Call GetTokenInformation to get the buffer size.

if(!GetTokenInformation(hToken, TokenGroups, NULL, dwSize, &dwSize)) {
    dwResult 
= GetLastError();
    
if( dwResult != ERROR_INSUFFICIENT_BUFFER ) {
        printf( 
"GetTokenInformation Error %u\n", dwResult );
        
return FALSE;
    }
}

// Allocate the buffer.

pGroupInfo 
= (PTOKEN_GROUPS) GlobalAlloc( GPTR, dwSize );

// Call GetTokenInformation again to get the group information.

if(! GetTokenInformation(hToken, TokenGroups, pGroupInfo, 
                        dwSize, 
&dwSize ) ) {
    printf( 
"GetTokenInformation Error %u\n", GetLastError() );
    
return FALSE;
   }

// Create a SID for the BUILTIN\Administrators group.

if(! AllocateAndInitializeSid( &SIDAuth, 2,
                 SECURITY_BUILTIN_DOMAIN_RID,
                 DOMAIN_ALIAS_RID_ADMINS,
                 
000000,
                 
&pSID) ) {
    printf( 
"AllocateAndInitializeSid Error %u\n", GetLastError() );
    
return FALSE;
   }

// Loop through the group SIDs looking for the administrator SID.

for(i=0; i<pGroupInfo->GroupCount; i++) {
    
if ( EqualSid(pSID, pGroupInfo->Groups[i].Sid) ) {

        
// Lookup the account name and print it.

        dwSize 
= MAX_NAME;
        
if!LookupAccountSid( NULL, pGroupInfo->Groups[i].Sid,
                              lpName, 
&dwSize, lpDomain, 
                              
&dwSize, &SidType ) ) {
            dwResult 
= GetLastError();
            
if( dwResult == ERROR_NONE_MAPPED )
               strcpy_s (lpName, dwSize, 
"NONE_MAPPED" );
            
else {
                printf(
"LookupAccountSid Error %u\n", GetLastError());
                
return FALSE;
            }
        }
        printf( 
"Current user is a member of the %s\\%s group\n"
                lpDomain, lpName );

        
// Find out whether the SID is enabled in the token.
        if (pGroupInfo->Groups[i].Attributes & SE_GROUP_ENABLED)
            printf(
"The group SID is enabled.\n");
         
else if (pGroupInfo->Groups[i].Attributes & 
                          SE_GROUP_USE_FOR_DENY_ONLY)
            printf(
"The group SID is a deny-only SID.\n");
         
else 
            printf(
"The group SID is not enabled.\n");
    }
}

if (pSID)
    FreeSid(pSID);
if ( pGroupInfo )
    GlobalFree( pGroupInfo );
return TRUE;
}

向曾被我误导的同志表示真挚的道歉和沉痛的悼念。

NSIS下判断当前用户是否管理员:
http://nsis.sourceforge.net/Check_if_the_current_user_is_an_Administrator
!macro IsUserAdmin RESULT
 !define Index 
"Line${__LINE__}"
   StrCpy ${RESULT} 0
   System::Call 
'*(&i1 0,&i4 0,&i1 5)i.r0'
   System::Call 
'advapi32::AllocateAndInitializeSid(i r0,i 2,i 32,i 544,i 0,i 0,i 0,i 0,i 0, \
   i 0,*i .R0)i.r5'
   System::Free $0
   System::Call 
'advapi32::CheckTokenMembership(i n,i R0,*i .R1)i.r5'
   StrCmp $
5 0 ${Index}_Error
   StrCpy ${RESULT} $R1
   Goto ${Index}_End
 ${Index}_Error:
   StrCpy ${RESULT} 
-1
 ${Index}_End:
   System::Call 
'advapi32::FreeSid(i R0)i.r5'
 !undef Index
!macroend

posted on 2005-07-25 09:11 brent 阅读(3182) 评论(2)  编辑 收藏 引用 所属分类: C++Windows

评论

# re: NT下判断用户是否有管理员权限[未登录] 2008-12-01 17:00 Loaden

有严重缺陷:如果用户原来是管理员,后从管理员组中删除,则上述代码仍然认为是管理员。  回复  更多评论   

# re: NT下判断用户是否有管理员权限 2008-12-02 11:45 brent

Thanks, 已经更新了  回复  更多评论   


只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   知识库   博问   管理