Re: User access rights within process on Vista
- From: Milan Tomes <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Feb 2008 12:20:02 -0800
Hi Paul,
I need to know access rights not simply access denial. My application will
disable some functions in non-elevated rights and enable them if there are
elevated rights.
I've also tried AccessCheck, but I failed because I don't know much about
impersonation etc. My testing code looks like:
  Token := INVALID_HANDLE_VALUE;
  DllHnd := 0;
  SD := nil;
  if isWinNT then
  begin
    try
      // Bind GetNamedSecurityInfoA from advapi32.dll at run time
      DllHnd := LoadLibrary('ADVAPI32.DLL');
      if DllHnd = 0 then
        raise EG3OSError.Create('Nelze načíst knihovnu AdvApi32.dll !!!');
      @GetNamedSecurityInfo := GetProcAddress(DllHnd, 'GetNamedSecurityInfoA');
      // Open the token of the current process
      if not OpenProcessToken(GetCurrentProcess, TOKEN_ALL_ACCESS, Token) then
        raise EG3OSError.Create('OpenProcessToken failed !!!');
      // Fetch the security descriptor of the registry key
      Err := GetNamedSecurityInfo('USERS\.DEFAULT\Software',
        SE_REGISTRY_KEY, 0, nil, nil, nil, nil, SD);
      if Err <> ERROR_SUCCESS then
        raise EG3OSError.CreateCode('Nastala chyba při zjišťování přístupových práv k objektu USERS\.DEFAULT\Software (GetNamedSecurityInfo) !!!', Err)
      else
      begin
        // Map generic rights to the registry-specific rights
        GM.GenericRead := KEY_READ;
        GM.GenericWrite := KEY_WRITE;
        GM.GenericExecute := KEY_EXECUTE;
        GM.GenericAll := KEY_ALL_ACCESS;
        PSSize := SizeOf(_PRIVILEGE_SET);
        // Ask which access rights the token would be granted on the key
        if not AccessCheck(PSecurityDescriptor(SD), Token, MAXIMUM_ALLOWED,
          GM, PS, PSSize, Mask, AccessStatus) then
          raise EG3OSError.Create('Chyba AccessCheck !!!');
        if not AccessStatus then
          raise EG3OSError.Create('Access denied !!!');
      end;
    finally
      // Release the token, the security descriptor and the library
      if Token <> INVALID_HANDLE_VALUE then
        CloseHandle(Token);
      if SD <> nil then
        LocalFree(Cardinal(SD));
      if DllHnd <> 0 then
        FreeLibrary(DllHnd);
    end;
  end;
but calling AccessCheck failed with code 1309. Any help will be appreciated.
Thanks
Milan Tomes
"Paul Baker [MVP, Windows - SDK]" wrote:
Are you asking simply because your application needs to be able to handle
access denial? If so, the best practice would be to go ahead and try to open
the key (RegOpenKey) and see if you get ERROR_ACCESS_DENIED.
If you literally mean you need to know what access will be granted, you
should use AccessCheck or one of the related APIs (the parameters are
quite complicated). You should not attempt to implement all the rules
yourself, as you are quite likely to get it wrong and, even if you don't,
fail to take into account new features in future versions of Windows.
What do you mean it is not working in a non-elevated environment? Are you
aware of how that will affect your token and the access it gives you?
Paul
"Milan Tomes" <Milan Tomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:85DF5562-D0D9-4834-84AA-66BD0DB4E65D@xxxxxxxxxxxxxxxx
Hi,
How to determine user access rights for securable objects on Vista? I've
tried GetTokenInformation to get user & user groups SIDs and
GetNamedSecurityInfo to get ACL. Then I go through the ACL and determine
access right. Unfortunately this is not working in non-elevated
environment.
So how to determine if my process has rights for e.g.
HKEY_USERS\.DEFAULT\Software registry key ???
Please help me, because I'm already going crazy.
Thanks
Milan Tomes
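Added example, not part of the original thread or any poster's code: error 1309 is ERROR_NO_IMPERSONATION_TOKEN, which AccessCheck returns when it is handed a primary token such as the one from OpenProcessToken, and AccessCheck also needs the owner, group and DACL in the security descriptor. The sketch below assumes the declarations in Delphi's Windows, AccCtrl and AclAPI units (linked statically instead of via LoadLibrary); the function name GrantedKeyAccess is hypothetical.

```delphi
uses Windows, SysUtils, AccCtrl, AclAPI;
// Access mask the current process token would be granted on a registry key
// such as 'USERS\.DEFAULT\Software'. Raises EOSError if an API call fails.
function GrantedKeyAccess(const KeyName: string): DWORD;
const
  // AccessCheck needs owner, group and DACL in the security descriptor.
  SecInfo = OWNER_SECURITY_INFORMATION or GROUP_SECURITY_INFORMATION or
    DACL_SECURITY_INFORMATION;
var
  ProcTok, ImpTok: THandle;
  SD: PSecurityDescriptor;
  GM: TGenericMapping;
  PS: TPrivilegeSet;
  PSSize, Err: DWORD;
  Status: BOOL;
begin
  Result := 0;
  ProcTok := 0; ImpTok := 0; SD := nil;
  try
    if not OpenProcessToken(GetCurrentProcess,
      TOKEN_QUERY or TOKEN_DUPLICATE, ProcTok) then
      RaiseLastOSError;
    // AccessCheck rejects a primary token with error 1309
    // (ERROR_NO_IMPERSONATION_TOKEN), so duplicate it as an impersonation token.
    if not DuplicateToken(ProcTok, SecurityImpersonation, @ImpTok) then
      RaiseLastOSError;
    Err := GetNamedSecurityInfo(PChar(KeyName), SE_REGISTRY_KEY, SecInfo,
      nil, nil, nil, nil, SD);
    if Err <> ERROR_SUCCESS then
    begin
      SetLastError(Err);
      RaiseLastOSError;
    end;
    GM.GenericRead := KEY_READ;
    GM.GenericWrite := KEY_WRITE;
    GM.GenericExecute := KEY_EXECUTE;
    GM.GenericAll := KEY_ALL_ACCESS;
    PSSize := SizeOf(PS);
    if not AccessCheck(SD, ImpTok, MAXIMUM_ALLOWED, GM, PS, PSSize,
      Result, Status) then
      RaiseLastOSError;
    if not Status then
      Result := 0; // no access granted at all
  finally
    if ImpTok <> 0 then CloseHandle(ImpTok);
    if ProcTok <> 0 then CloseHandle(ProcTok);
    if SD <> nil then LocalFree(HLOCAL(SD));
  end;
end;
```

A caller can enable a feature only when the needed bits are present, for example when (GrantedKeyAccess('USERS\.DEFAULT\Software') and KEY_WRITE) = KEY_WRITE. In a non-elevated process on Vista the duplicated token is the filtered token, so the mask reflects what that process can actually do.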