/// <summary>
/// Use this only to restrict a non-elevated token.
/// This method is useless if you are already elevated because it can't
/// remove you from Admin's group. (You are still administrator able to write in C:\windows).
/// </summary>
/// <param name="newToken"></param>
public TokenProvider RestrictTokenMaxPrivilege(bool ignoreErrors = false)
{
uint DISABLE_MAX_PRIVILEGE = 0x1;
uint LUA_TOKEN = 0x4;
SafeTokenHandle result;
if (!TokensApi.CreateRestrictedToken(
Token,
LUA_TOKEN | DISABLE_MAX_PRIVILEGE,
//WRITE_RESTRICTED,
0,
IntPtr.Zero, //pSA,
0,
IntPtr.Zero,
0,
IntPtr.Zero,
out result) && !ignoreErrors)
{
throw new Win32Exception();
}
Token.Close();
Token = result;
return(this);
}
/// <summary>
/// Use this only to restrict a non-elevated token.
/// This method is useless if you are already elevated because it can't
/// remove you from Admin's group. (You are still administrator able to write in C:\windows).
/// </summary>
/// <param name="newToken"></param>
public TokenProvider RestrictTokenMaxPrivilege(bool ignoreErrors = false)
{
// System.Security.Principal.WellKnownSidType.WorldSid;
uint DISABLE_MAX_PRIVILEGE = 0x1;
uint LUA_TOKEN = 0x4;
uint WRITE_RESTRICTED = 0x8;
SafeTokenHandle result;
/*
* string adminSid = "S-1-5-32-544";
* IntPtr pAdminSid;
* if (!ConvertStringSidToSid(adminSid, out pAdminSid))
* throw new Win32Exception();
*
* SID_AND_ATTRIBUTES sa = new SID_AND_ATTRIBUTES();
* sa.Sid = pAdminSid;
* sa.Attributes = 0;
*
* var pSA = Marshal.AllocHGlobal(Marshal.SizeOf<SID_AND_ATTRIBUTES>());
* Marshal.StructureToPtr(sa, pSA, false);
*/
if (!TokensApi.CreateRestrictedToken(
Token,
LUA_TOKEN | DISABLE_MAX_PRIVILEGE,
//WRITE_RESTRICTED,
0,
IntPtr.Zero, //pSA,
0,
IntPtr.Zero,
0,
IntPtr.Zero,
out result) && !ignoreErrors)
{
throw new Win32Exception();
}
Token.Close();
Token = result;
return(this);
}
