如何拥有服务 ImpersonateLoggedOnUser 但具有高强制完整性级别?
根据阻止来自 Vista 中的服务的鼠标输入 BlockInput( )需要较高的强制完整性级别。此外,服务无法使用该功能,因为它不在桌面上运行。每当需要偶尔与桌面交互时,我都会暂时使用该服务 ImpersonateLoggedOnUser(),然后使用 RevertToSelf() 但是,登录的用户不是管理员。那么,如何在某些模拟过程中将完整性级别设置为高,以便可以使用 BlockInput()?我无法从 MSDN 文档中找出有关修改 ImpersonateLoggedOnUser() 所采用的令牌的信息。有什么帮助吗?
谢谢
[编辑:]尝试按如下方式修改我的模拟代码:
用户来访问用户的注册表和文件(稍后使用 CreateProcessAsUser() 启动用户程序):
if (!WTSQueryUserToken(sid, &token)) throw "ERROR: Could not get logged on user token";
if (!DuplicateTokenEx(token, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_IMPERSONATE, 0, SecurityImpersonation, TokenPrimary, &userTok))
{
CloseHandle(token);
throw "ERROR: Could not duplicate user token";
}
CloseHandle(token);
if (!ImpersonateLoggedOnUser(userTok)) throw "ERROR: Could not impersonate logged on user";
... // Do stuff needing impersonation
if (!RevertToSelf()) throw "ERROR: Could not revert to self";
以前,我有这样的代码,模拟 1);睡眠(5000);在 ImpersonateLoggedOnUser() 不会阻止输入之后。因此,我尝试在 ImpersonateLoggedOnUser() 之前添加以下内容:
PSID sid(0);
if (!ConvertStringSidToSid(SDDL_ML_HIGH, &sid)) throw "ERROR: Could not convert string to SID";
TOKEN_MANDATORY_LABEL tml;
tml.Label.Attributes = SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
tml.Label.Sid = sid;
if (!SetTokenInformation(userTok, TokenIntegrityLevel, &tml, sizeof(tml) + GetLengthSid(sid)))) throw "ERROR: Could not set token information";
LocalFree(sid);
在执行过程中没有收到任何错误,表明应该将其设置正确。但输入仍然没有被阻止!
According to Blocking mouse input from a service in Vista BlockInput() requires a high mandatory integrity level. Also, a service cannot make use of the function since it doesn't run on the desktop. Whenever the occasional interaction with the desktop is required, I have the service temporarily ImpersonateLoggedOnUser() and then RevertToSelf()
However, the logged on user is not Administrator. So how do I set the integrity level to high during some impersonations so I can BlockInput()? I could not figure out from the MSDN documentation about modifying the token that ImpersonateLoggedOnUser() takes. Any help?
Thanks
[Edit:] Tried modifying my impersonation code as follows:
Previously, I had code like this that impersonates a user to access the user's registry and files (and at a later point start a user program with CreateProcessAsUser()):
if (!WTSQueryUserToken(sid, &token)) throw "ERROR: Could not get logged on user token";
if (!DuplicateTokenEx(token, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_IMPERSONATE, 0, SecurityImpersonation, TokenPrimary, &userTok))
{
CloseHandle(token);
throw "ERROR: Could not duplicate user token";
}
CloseHandle(token);
if (!ImpersonateLoggedOnUser(userTok)) throw "ERROR: Could not impersonate logged on user";
... // Do stuff needing impersonation
if (!RevertToSelf()) throw "ERROR: Could not revert to self";
Doing BlockInput(1); Sleep(5000); right after ImpersonateLoggedOnUser() doesn't block input. So I tried adding the following right before ImpersonateLoggedOnUser():
PSID sid(0);
if (!ConvertStringSidToSid(SDDL_ML_HIGH, &sid)) throw "ERROR: Could not convert string to SID";
TOKEN_MANDATORY_LABEL tml;
tml.Label.Attributes = SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
tml.Label.Sid = sid;
if (!SetTokenInformation(userTok, TokenIntegrityLevel, &tml, sizeof(tml) + GetLengthSid(sid)))) throw "ERROR: Could not set token information";
LocalFree(sid);
I get no errors during execution, indicating it should be setting it right. But input still doesn't get blocked!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我最终通过以管理员用户身份从服务启动一个单独的进程来解决这个问题,并且该服务要求它阻止输入。
I eventually solved it by launching a separate process from the service as an Administrator user and the service asks it to block the input.