C# (CSharp) AdvApi32.DuplicateToken 예제들

예제 #1

파일: WindowsIdentityHelper.cs 프로젝트: sishui198/Framework-Class-Library-Extension

        /// <summary>
        ///   Checks whether the primary access token of the process belongs to a user account that is a member of the local Administrator group, even if it currently is not elevated.
        /// </summary>
        /// <returns>
        ///   True if the primary access token of the process belongs to a user account that is a member of the Administrators group; false otherwise.
        /// </returns>
        public static bool IsUserInAdminGroup()
        {
            // Default token's received aren't impersonation tokens, we are looking for an impersonation token.
            bool isImpersonationToken = false;

            // Open the access token of the current process.
            SafeTokenHandle processToken;

            if (!AdvApi32.OpenProcessToken(Process.GetCurrentProcess().Handle, (uint)(TokenAccessLevels.Query | TokenAccessLevels.Duplicate), out processToken))
            {
                MarshalHelper.ThrowLastWin32ErrorException();
            }

            // Starting from Vista linked tokens are supported which need to be checked.
            if (EnvironmentHelper.VistaOrHigher)
            {
                // Determine token type: limited, elevated, or default.
                int marshalSize         = sizeof(AdvApi32.TokenElevationType);
                var elevationTypeHandle = SafeUnmanagedMemoryHandle.FromNewlyAllocatedMemory(marshalSize);
                if (!AdvApi32.GetTokenInformation(processToken, AdvApi32.TokenInformationClass.TokenElevationType, elevationTypeHandle.DangerousGetHandle(), marshalSize, out marshalSize))
                {
                    MarshalHelper.ThrowLastWin32ErrorException();
                }
                var tokenType = (AdvApi32.TokenElevationType)Marshal.ReadInt32(elevationTypeHandle.DangerousGetHandle());

                // If limited, get the linked elevated token for further check.
                if (tokenType == AdvApi32.TokenElevationType.TokenElevationTypeLimited)
                {
                    // Get the linked token.
                    marshalSize = IntPtr.Size;
                    var linkedTokenHandle = SafeUnmanagedMemoryHandle.FromNewlyAllocatedMemory(marshalSize);
                    if (!AdvApi32.GetTokenInformation(processToken, AdvApi32.TokenInformationClass.TokenLinkedToken, linkedTokenHandle.DangerousGetHandle(), marshalSize, out marshalSize))
                    {
                        MarshalHelper.ThrowLastWin32ErrorException();
                    }
                    processToken         = new SafeTokenHandle(Marshal.ReadIntPtr(linkedTokenHandle.DangerousGetHandle()));
                    isImpersonationToken = true;                     // Linked tokens are already impersonation tokens.
                }
            }

            // We need an impersonation token in order to check whether it contains admin SID.
            if (!isImpersonationToken)
            {
                SafeTokenHandle impersonatedToken;
                if (!AdvApi32.DuplicateToken(processToken, AdvApi32.SecurityImpersonationLevel.SecurityIdentification, out impersonatedToken))
                {
                    MarshalHelper.ThrowLastWin32ErrorException();
                }
                processToken = impersonatedToken;
            }

            // Check if the token to be checked contains admin SID.
            var identity  = new WindowsIdentity(processToken.DangerousGetHandle());
            var principal = new WindowsPrincipal(identity);

            return(principal.IsInRole(WindowsBuiltInRole.Administrator));
        }