1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Information about the current process.
#include "rlz/win/lib/process_info.h"
#include <windows.h>
#include <Sddl.h> // For ConvertSidToStringSid.
#include <LMCons.h> // For UNLEN
#include "base/logging.h"
#include "base/memory/scoped_ptr.h"
#include "base/process_util.h"
#include "base/win/scoped_handle.h"
#include "base/win/windows_version.h"
#include "rlz/lib/assert.h"
#include "rlz/win/lib/vista_winnt.h"
namespace {
HRESULT GetCurrentUser(std::wstring* name,
std::wstring* domain,
std::wstring* sid) {
DWORD err;
// Get the current username & domain the hard way. (GetUserNameEx would be
// nice, but unfortunately requires connectivity to a domain controller.
// Useless.)
// (Following call doesn't work if running as a Service - because a Service
// runs under special accounts like LOCAL_SYSTEM, not as the logged in user.
// In which case, search for and use the process handle of a running
// Explorer.exe.)
HANDLE token;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return E_FAIL;
base::win::ScopedHandle scoped_process_token(token);
// (Following call will fail with ERROR_INSUFFICIENT_BUFFER and give us the
// required size.)
scoped_array<char> token_user_bytes;
DWORD token_user_size;
DWORD token_user_size2;
BOOL result = ::GetTokenInformation(token, TokenUser, NULL, 0,
&token_user_size);
err = ::GetLastError();
CHECK(!result && err == ERROR_INSUFFICIENT_BUFFER);
token_user_bytes.reset(new char[token_user_size]);
if (!token_user_bytes.get())
return E_OUTOFMEMORY;
if (!::GetTokenInformation(token, TokenUser, token_user_bytes.get(),
token_user_size, &token_user_size2)) {
return E_FAIL;
}
WCHAR user_name[UNLEN + 1]; // max username length
WCHAR domain_name[UNLEN + 1];
DWORD user_name_size = UNLEN + 1;
DWORD domain_name_size = UNLEN + 1;
SID_NAME_USE sid_type;
TOKEN_USER* token_user =
reinterpret_cast<TOKEN_USER*>(token_user_bytes.get());
if (!token_user)
return E_FAIL;
PSID user_sid = token_user->User.Sid;
if (!::LookupAccountSidW(NULL, user_sid, user_name, &user_name_size,
domain_name, &domain_name_size, &sid_type)) {
return E_FAIL;
}
if (name != NULL) {
*name = user_name;
}
if (domain != NULL) {
*domain = domain_name;
}
if (sid != NULL) {
LPWSTR string_sid;
ConvertSidToStringSidW(user_sid, &string_sid);
*sid = string_sid; // copy out to cstring
// free memory, as documented for ConvertSidToStringSid
LocalFree(string_sid);
}
return S_OK;
}
HRESULT GetElevationType(PTOKEN_ELEVATION_TYPE elevation) {
if (!elevation)
return E_POINTER;
*elevation = TokenElevationTypeDefault;
if (base::win::GetVersion() < base::win::VERSION_VISTA)
return E_FAIL;
HANDLE process_token;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &process_token))
return HRESULT_FROM_WIN32(GetLastError());
base::win::ScopedHandle scoped_process_token(process_token);
DWORD size;
TOKEN_ELEVATION_TYPE elevation_type;
if (!GetTokenInformation(process_token, TokenElevationType, &elevation_type,
sizeof(elevation_type), &size)) {
return HRESULT_FROM_WIN32(GetLastError());
}
*elevation = elevation_type;
return S_OK;
}
// based on http://msdn2.microsoft.com/en-us/library/aa376389.aspx
bool GetUserGroup(long* group) {
if (!group)
return false;
*group = 0;
// groups are listed in DECREASING order of importance
// (eg. If a user is a member of both the admin group and
// the power user group, it is more useful to list the user
// as an admin)
DWORD user_groups[] = {DOMAIN_ALIAS_RID_ADMINS,
DOMAIN_ALIAS_RID_POWER_USERS};
SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
for (int i = 0; i < arraysize(user_groups) && *group == 0; ++i) {
PSID current_group;
if (AllocateAndInitializeSid(&nt_authority, 2,
SECURITY_BUILTIN_DOMAIN_RID,
user_groups[i], 0, 0, 0, 0,
0, 0, ¤t_group)) {
BOOL current_level;
if (CheckTokenMembership(NULL, current_group, ¤t_level) &&
current_level) {
*group = user_groups[i];
}
FreeSid(current_group);
}
}
return group != 0;
}
} //anonymous
namespace rlz_lib {
bool ProcessInfo::IsRunningAsSystem() {
static std::wstring name;
static std::wstring domain;
static std::wstring sid;
if (name.empty())
CHECK(SUCCEEDED(GetCurrentUser(&name, &domain, &sid)));
return (name == L"SYSTEM");
}
bool ProcessInfo::HasAdminRights() {
static bool evaluated = false;
static bool has_rights = false;
if (!evaluated) {
if (IsRunningAsSystem()) {
has_rights = true;
} else if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
TOKEN_ELEVATION_TYPE elevation;
base::IntegrityLevel level;
if (SUCCEEDED(GetElevationType(&elevation)) &&
base::GetProcessIntegrityLevel(base::GetCurrentProcessHandle(), &level))
has_rights = (elevation == TokenElevationTypeFull) ||
(level == HIGH_INTEGRITY);
} else {
long group = 0;
if (GetUserGroup(&group))
has_rights = (group == DOMAIN_ALIAS_RID_ADMINS);
}
}
evaluated = true;
if (!has_rights)
ASSERT_STRING("ProcessInfo::HasAdminRights: Does not have admin rights.");
return has_rights;
}
}; // namespace
|
