How to have service ImpersonateLoggedOnUser but with high mandatory integrity level?
According to Blocking mouse input from a service in Vista, BlockInput() requires a high mandatory integrity level. Also, a service cannot make use of the function since it doesn't run on the desktop.

Whenever the occasional interaction with the desktop is required, I have the service temporarily ImpersonateLoggedOnUser() and then RevertToSelf(). However, the logged-on user is not Administrator. So how do I set the integrity level to high during some impersonations so I can BlockInput()? I could not figure out from the MSDN documentation how to modify the token that ImpersonateLoggedOnUser() takes.

Any help?
Thanks
[Edit:] Tried modifying my impersonation code as follows:
Previously, I had code like this that impersonates a user to access the user's registry and files (and at a later point start a user program with CreateProcessAsUser()):
if (!WTSQueryUserToken(sid, &token))  throw "ERROR: Could not get logged on user token";
if (!DuplicateTokenEx(token, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ADJUST_DEFAULT | TOKEN_IMPERSONATE, 0, SecurityImpersonation, TokenPrimary, &userTok))
{
    CloseHandle(token);
    throw "ERROR: Could not duplicate user token";
}
CloseHandle(token);
if (!ImpersonateLoggedOnUser(userTok)) throw "ERROR: Could not impersonate logged on user";
... // Do stuff needing impersonation
if (!RevertToSelf()) throw "ERROR: Could not revert to self";
Doing BlockInput(1); Sleep(5000); right after ImpersonateLoggedOnUser() doesn't block input. So I tried adding the following right before ImpersonateLoggedOnUser():
PSID sid(0);
if (!ConvertStringSidToSid(SDDL_ML_HIGH, &sid)) throw "ERROR: Could not convert string to SID";
TOKEN_MANDATORY_LABEL tml;
tml.Label.Attributes = SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED;
tml.Label.Sid = sid;
if (!SetTokenInformation(userTok, TokenIntegrityLevel, &tml, sizeof(tml) + GetLengthSid(sid))) throw "ERROR: Could not set token information";
LocalFree(sid);
I get no errors during execution, indicating it should be setting it right. But input still doesn't get blocked!
I eventually solved it by launching a separate process from the service as an Administrator user and the service asks it to block the input.