/*++ Copyright (c) 1995 Microsoft Corporation Module Name: security.c Abstract: Routines to deal with security-related stuff. Externally exposed routines: IsUserAdmin DoesUserHavePrivilege EnablePrivilege Author: Ted Miller (tedm) 14-Jun-1995 --*/ #include "precomp.h" #pragma hdrstop BOOL IsUserAdmin(VOID) /*++ Routine Description: This routine returns TRUE if the caller's process is a member of the Administrators local group. Caller is NOT expected to be impersonating anyone and IS expected to be able to open their own process and process token. Return Value: TRUE - Caller has Administrators local group. FALSE - Caller does not have Administrators local group. --*/ { HANDLE Token; DWORD BytesRequired; PTOKEN_GROUPS Groups; BOOL b; DWORD i; SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; PSID AdministratorsGroup; // Open the process token. if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) { return(FALSE); } b = FALSE; Groups = NULL; // Get group information. if(!GetTokenInformation(Token,TokenGroups,NULL,0,&BytesRequired) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) && (Groups = MyMalloc(BytesRequired)) && GetTokenInformation(Token,TokenGroups,Groups,BytesRequired,&BytesRequired)) { b = AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &AdministratorsGroup); if(b) { // See if the user has the administrator group. b = FALSE; for(i=0; iGroupCount; i++) { if(EqualSid(Groups->Groups[i].Sid,AdministratorsGroup)) { b = TRUE; break; } } FreeSid(AdministratorsGroup); } } // Clean up and return. if(Groups) { MyFree(Groups); } CloseHandle(Token); return(b); } BOOL DoesUserHavePrivilege(PCTSTR PrivilegeName) /*++ Routine Description: This routine returns TRUE if the caller's process has the specified privilege. The privilege does not have to be currently enabled. This routine is used to indicate whether the caller has the potential to enable the privilege. Caller is NOT expected to be impersonating anyone and IS expected to be able to open their own process and process token. Arguments: Privilege - the name form of privilege ID (such as SE_SECURITY_NAME). Return Value: TRUE - Caller has the specified privilege. FALSE - Caller does not have the specified privilege. --*/ { HANDLE Token; ULONG BytesRequired; PTOKEN_PRIVILEGES Privileges; BOOL b; DWORD i; LUID Luid; // Open the process token. if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) { return(FALSE); } b = FALSE; Privileges = NULL; // Get privilege information. if(!GetTokenInformation(Token,TokenPrivileges,NULL,0,&BytesRequired) && (GetLastError() == ERROR_INSUFFICIENT_BUFFER) && (Privileges = MyMalloc(BytesRequired)) && GetTokenInformation(Token,TokenPrivileges,Privileges,BytesRequired,&BytesRequired) && LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) { // See if we have the requested privilege for(i=0; iPrivilegeCount; i++) { if((Luid.LowPart == Privileges->Privileges[i].Luid.LowPart) && (Luid.HighPart == Privileges->Privileges[i].Luid.HighPart)) { b = TRUE; break; } } } // Clean up and return. if(Privileges) { MyFree(Privileges); } CloseHandle(Token); return(b); } BOOL EnablePrivilege(IN PCTSTR PrivilegeName, IN BOOL Enable) /*++ Routine Description: Enable or disable a given named privilege. Arguments: PrivilegeName - supplies the name of a system privilege. Enable - flag indicating whether to enable or disable the privilege. Return Value: Boolean value indicating whether the operation was successful. --*/ { HANDLE Token; BOOL b; TOKEN_PRIVILEGES NewPrivileges; LUID Luid; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&Token)) { return(FALSE); } if(!LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) { CloseHandle(Token); return(FALSE); } NewPrivileges.PrivilegeCount = 1; NewPrivileges.Privileges[0].Luid = Luid; NewPrivileges.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0; b = AdjustTokenPrivileges(Token, FALSE, &NewPrivileges, 0, NULL, NULL); CloseHandle(Token); return(b); }