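/// <summary>
/// Replaces <c>Token</c> with a restricted copy created with the
/// LUA_TOKEN and DISABLE_MAX_PRIVILEGE flags.
/// Use this only to restrict a non-elevated token. This method is useless if
/// you are already elevated, because it can't remove you from the
/// Administrators group (you are still an administrator able to write in
/// C:\Windows).
/// </summary>
/// <param name="ignoreErrors">
/// When <c>true</c>, a failed restriction is not reported and the current
/// token is kept unchanged, so the token may remain unrestricted. Callers
/// that rely on the restriction as a security boundary should leave this
/// <c>false</c>.
/// </param>
/// <returns>This instance, so calls can be chained.</returns>
/// <exception cref="Win32Exception">
/// CreateRestrictedToken failed and <paramref name="ignoreErrors"/> is <c>false</c>.
/// </exception>
public TokenProvider RestrictTokenMaxPrivilege(bool ignoreErrors = false)
{
    // Flag values of the Win32 CreateRestrictedToken API.
    const uint DISABLE_MAX_PRIVILEGE = 0x1;
    const uint LUA_TOKEN = 0x4;

    SafeTokenHandle result;
    bool created = TokensApi.CreateRestrictedToken(
        Token,
        LUA_TOKEN | DISABLE_MAX_PRIVILEGE, // WRITE_RESTRICTED is not set
        0,
        IntPtr.Zero, // pSA
        0,
        IntPtr.Zero,
        0,
        IntPtr.Zero,
        out result);

    if (!created)
    {
        if (!ignoreErrors)
        {
            // The parameterless constructor reads the last Win32 error.
            // NOTE(review): assumes the P/Invoke declaration sets SetLastError = true - confirm.
            throw new Win32Exception();
        }

        // Best effort: keep the existing, still valid token. Closing it and
        // storing the failed call's handle would leave Token unusable.
        return this;
    }

    // Success: release the old handle and adopt the restricted token.
    Token.Close();
    Token = result;
    return this;
}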
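/// <summary>
/// Replaces <c>Token</c> with a restricted copy created with the
/// LUA_TOKEN and DISABLE_MAX_PRIVILEGE flags.
/// Use this only to restrict a non-elevated token. This method is useless if
/// you are already elevated, because it can't remove you from the
/// Administrators group (you are still an administrator able to write in
/// C:\Windows).
/// </summary>
/// <param name="ignoreErrors">
/// When <c>true</c>, a failed restriction is not reported and the current
/// token is kept unchanged, so the token may remain unrestricted. Callers
/// that rely on the restriction as a security boundary should leave this
/// <c>false</c>.
/// </param>
/// <returns>This instance, so calls can be chained.</returns>
/// <exception cref="Win32Exception">
/// CreateRestrictedToken failed and <paramref name="ignoreErrors"/> is <c>false</c>.
/// </exception>
public TokenProvider RestrictTokenMaxPrivilege(bool ignoreErrors = false)
{
    // System.Security.Principal.WellKnownSidType.WorldSid;

    // Flag values of the Win32 CreateRestrictedToken API.
    // WRITE_RESTRICTED (0x8) is deliberately not passed, so no local is kept for it.
    const uint DISABLE_MAX_PRIVILEGE = 0x1;
    const uint LUA_TOKEN = 0x4;

    SafeTokenHandle result;

    /*
     * Unused alternative kept from the original: build a SID_AND_ATTRIBUTES
     * entry for the Administrators group and pass it as pSA below.
     *
     * string adminSid = "S-1-5-32-544";
     * IntPtr pAdminSid;
     * if (!ConvertStringSidToSid(adminSid, out pAdminSid))
     *     throw new Win32Exception();
     *
     * SID_AND_ATTRIBUTES sa = new SID_AND_ATTRIBUTES();
     * sa.Sid = pAdminSid;
     * sa.Attributes = 0;
     *
     * var pSA = Marshal.AllocHGlobal(Marshal.SizeOf<SID_AND_ATTRIBUTES>());
     * Marshal.StructureToPtr(sa, pSA, false);
     */

    bool created = TokensApi.CreateRestrictedToken(
        Token,
        LUA_TOKEN | DISABLE_MAX_PRIVILEGE, // WRITE_RESTRICTED is not set
        0,
        IntPtr.Zero, // pSA
        0,
        IntPtr.Zero,
        0,
        IntPtr.Zero,
        out result);

    if (!created)
    {
        if (!ignoreErrors)
        {
            // The parameterless constructor reads the last Win32 error.
            // NOTE(review): assumes the P/Invoke declaration sets SetLastError = true - confirm.
            throw new Win32Exception();
        }

        // Best effort: keep the existing, still valid token. Closing it and
        // storing the failed call's handle would leave Token unusable.
        return this;
    }

    // Success: release the old handle and adopt the restricted token.
    Token.Close();
    Token = result;
    return this;
}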