From: Ashish on
How to set admin privilege for a Windows user

In Windows 7 I log in as a user which has admin rights. When I use CreateFile to
open a device, say a hard drive, it fails. If I log in as
administrator and use CreateFile, it succeeds.
So I think I need to set admin privilege for the current user.
Please suggest.


From: David Lowndes on
>In Windows 7 I log in as a user which has admin rights. When I use CreateFile to
>open a device, say a hard drive, it fails. If I log in as
>administrator and use CreateFile, it succeeds.

It sounds to me as though your application needs to run elevated -
i.e. it needs the "requireAdministrator" setting in its manifest.

Dave
From: Tom Serface on
Just to add to David's reply, here is a function I wrote that will tell you
the current privileges so you could make the decision programmatically.
You'll have to fill in the way you check the version (I use the XTreme
Toolkit function).

This also works on Win7 (for me so far anyway).

You may also find this link informational:

http://en.wikipedia.org/wiki/User_Account_Control

Tom

#include <windows.h>

bool IsRunningVistaElevated()
{
    bool bRet = false;
    TOKEN_ELEVATION_TYPE ptet;
    // Replace "true" with your OS version check, e.g.
    // XTOSVersionInfo()->IsWinVistaOrGreater()
    if (true) {
        HANDLE hToken = NULL;
        // TOKEN_QUERY is enough to read the elevation type of our own token
        if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
            DWORD dwReturnLength = 0;
            // TokenElevationTypeFull: a split (UAC) token that is running elevated
            if (::GetTokenInformation(hToken, TokenElevationType, &ptet, sizeof ptet,
                                      &dwReturnLength))
                bRet = ptet == TokenElevationTypeFull;
            ::CloseHandle( hToken );
        }
    }
    return bRet;
}

From: Pete Delgado on

"Tom Serface" <tom(a)camaswood.com> wrote in message
news:uLIWkxnfKHA.6096(a)TK2MSFTNGP02.phx.gbl...
> Just to add to David's reply, here is a function I wrote that will tell
> you the current privileges so you could make the decision
> programmatically. You'll have to fill in the way you check the version (I
> use the XTreme Toolkit function).
>
> This also works on Win7 (for me so far anyway).
>
> You may also find this link informational:
>
> http://en.wikipedia.org/wiki/User_Account_Control
>
> Tom
>
> bool IsRunningVistaElevated()
> {
> bool bRet = false;
> TOKEN_ELEVATION_TYPE ptet;
> if (/* Check OS version here XTOSVersionInfo()->IsWinVistaOrGreater() */)
> {
> HANDLE hToken = NULL;
> if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
> DWORD dwReturnLength = 0;
> if (::GetTokenInformation(hToken, TokenElevationType, &ptet, sizeof ptet,
> &dwReturnLength))
> bRet = ptet == TokenElevationTypeFull;
> ::CloseHandle( hToken );
> }
> }
> return bRet;
> }

Tom,
Elevation is not the same as having administrative privileges. The OP asked
for administrative privileges and your code simply tells the elevation
status of the process token which is not the same thing. For example, if I
were to create an account that has the SeImpersonatePrivilege privilege,
then I can launch the process with this elevated token. Your code will
correctly see that this is an elevated token, but yet this is not a user
that is a member of the Administrators group.

With that being said, for most applications like the OP has created, it is
far better for security to only require those permissions that the process
actually needs. Requiring Administrator rights is heavy handed and was done
in the XP days. I suggest that the OP have his code use the PrivilegeCheck
function in conjunction with obtaining the elevation status of the token
rather than using membership to a specific group in order to determine
whether the process has the necessary rights to do something.

-Pete
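
One way to combine PrivilegeCheck with the token's elevation type, as suggested in the post above (an added example, not code from the thread). The names `Elevation`, `Verdict`, `Decide` and `CheckCurrentProcess` are hypothetical, and the privilege to test is left to the caller because the thread does not name one.

```cpp
// Added example, not code from the thread. Decide() is portable; the token
// query below compiles only on Windows.
#ifdef _WIN32
#include <windows.h>
#endif

// Mirrors TOKEN_ELEVATION_TYPE (Default = 1, Full = 2, Limited = 3).
enum class Elevation { Default = 1, Full = 2, Limited = 3 };
enum class Verdict { Proceed, RelaunchElevated, Unavailable };

// Hypothetical policy: go by the privilege the operation needs, and use the
// elevation type only to tell whether a UAC prompt could still help.
Verdict Decide(bool privilegeEnabled, Elevation elevation)
{
    if (privilegeEnabled)
        return Verdict::Proceed;
    // Limited is the filtered half of a split token: the linked full token
    // may carry the privilege, so relaunching elevated is worth trying.
    if (elevation == Elevation::Limited)
        return Verdict::RelaunchElevated;
    // Default (no split token) or Full (already elevated): a UAC prompt adds
    // nothing; the privilege is absent or was never enabled in this token.
    return Verdict::Unavailable;
}

#ifdef _WIN32
// privilegeName is a caller-chosen constant such as SE_BACKUP_NAME (an
// illustrative assumption; the thread does not say which one applies).
// Returns false if the token could not be queried.
bool CheckCurrentProcess(LPCTSTR privilegeName, Verdict* verdict)
{
    HANDLE token = NULL;
    if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
        return false;
    TOKEN_ELEVATION_TYPE type = TokenElevationTypeDefault;
    DWORD length = 0;
    PRIVILEGE_SET required = { 1, PRIVILEGE_SET_ALL_NECESSARY };
    BOOL enabled = FALSE;  // PrivilegeCheck reports enabled, not merely present

    bool ok = ::GetTokenInformation(token, TokenElevationType, &type, sizeof type, &length)
           && ::LookupPrivilegeValue(NULL, privilegeName, &required.Privilege[0].Luid)
           && ::PrivilegeCheck(token, &required, &enabled);
    ::CloseHandle(token);
    if (ok)
        *verdict = Decide(enabled != FALSE, static_cast<Elevation>(type));
    return ok;
}
#endif
```

A privilege that is present in the token but disabled comes back as not enabled, so an elevated process can still get `Unavailable` until it enables the privilege with AdjustTokenPrivileges.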



From: Tom Serface on
Makes sense. We do anything we need to have administrator privileges for in
the setup/install and anything else that needs admin as a service. I do
understand apps needing it sometimes, but I think the days of assuming
you can do anything on the system are over.

Tom