Successful AdjustTokenPrivileges doesn't mean privilege could be changed
最近为了方便重起某些远程 Server,写了个重起机器的Web Service,调用user32.dll 的ExitWindowsEx 来重启机器。 从Win2K 开始,在调用ExitWindowsEx 之前需要先调用AdjustTokenPrivileges 设置Privilege,说实话在C#里做这个挺麻烦的说,还好 Goolge 了一下,在MS Newsgroup 里找到了别人的代码
internal class TokenAdjuster
{
[DllImport("user32.dll")]
internal static extern bool ExitWindowsEx(int uFlags,int dwReserved);
// PInvoke stuff required to set/enable security privileges
[DllImport("advapi32", SetLastError=true)]
[SuppressUnmanagedCodeSecurity]
static extern int OpenProcessToken(
IntPtr ProcessHandle, // handle to process
int DesiredAccess, // desired access to process
ref IntPtr TokenHandle // handle to open access token
);
[DllImport("kernel32", SetLastError=true)]
[SuppressUnmanagedCodeSecurity]
static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
[SuppressUnmanagedCodeSecurity]
static extern int AdjustTokenPrivileges(
IntPtr TokenHandle,
int DisableAllPrivileges,
IntPtr NewState,
int BufferLength,
IntPtr PreviousState,
ref int ReturnLength);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
[SuppressUnmanagedCodeSecurity]
static extern bool LookupPrivilegeValue(
string lpSystemName,
string lpName,
ref LUID lpLuid);
[StructLayout(LayoutKind.Sequential)]
internal struct LUID
{
internal int LowPart;
internal int HighPart;
}
[StructLayout(LayoutKind.Sequential)]
internal struct LUID_AND_ATTRIBUTES
{
LUID Luid;
int Attributes;
}
[StructLayout(LayoutKind.Sequential)]
internal struct _PRIVILEGE_SET
{
int PrivilegeCount;
int Control;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=1)] // ANYSIZE_ARRAY = 1
LUID_AND_ATTRIBUTES [] Privileges;
}
[StructLayout(LayoutKind.Sequential)]
internal struct TOKEN_PRIVILEGES
{
internal int PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=3)]
internal int[] Privileges;
}
const int SE_PRIVILEGE_ENABLED = 0x00000002;
const int TOKEN_ADJUST_PRIVILEGES = 0X00000020;
const int TOKEN_QUERY = 0X00000008;
const int TOKEN_ALL_ACCESS = 0X001f01ff;
const int PROCESS_QUERY_INFORMATION = 0X00000400;
public static bool SetPrivilege (string privilege, bool enablePrivilege)
{
bool retval = false;
int ltkpOld = 0;
IntPtr hToken = IntPtr.Zero;
TOKEN_PRIVILEGES tkp = new TOKEN_PRIVILEGES();
tkp.Privileges = new int[3];
TOKEN_PRIVILEGES tkpOld = new TOKEN_PRIVILEGES();
tkpOld.Privileges = new int[3];
LUID tLUID = new LUID();
tkp.PrivilegeCount = 1;
if (enablePrivilege)
tkp.Privileges[2] = SE_PRIVILEGE_ENABLED;
else
tkp.Privileges[2] = 0;
if(LookupPrivilegeValue(null , privilege , ref tLUID))
{
Process proc = Process.GetCurrentProcess();
if(proc.Handle != IntPtr.Zero)
{
if (OpenProcessToken(proc.Handle, TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,ref hToken) != 0)
{
tkp.PrivilegeCount = 1;
tkp.Privileges[2] = SE_PRIVILEGE_ENABLED;
tkp.Privileges[1] = tLUID.HighPart;
tkp.Privileges[0] = tLUID.LowPart;
const int bufLength = 256;
IntPtr tu = Marshal.AllocHGlobal( bufLength );
Marshal.StructureToPtr(tkp, tu, true);
if(AdjustTokenPrivileges(hToken, 0, tu, bufLength, IntPtr.Zero, ref ltkpOld) != 0)
{
// successful AdjustTokenPrivileges doesn't mean privilege could be changed
int iError = Marshal.GetLastWin32Error();
if (iError == 0)
{
retval = true; // Token changed
}
else
{
throw new ApplicationException(iError.ToString());
}
}
TOKEN_PRIVILEGES tokp = (TOKEN_PRIVILEGES) Marshal.PtrToStructure(tu,
typeof(TOKEN_PRIVILEGES) );
Marshal.FreeHGlobal( tu );
}
}
}
if (hToken != IntPtr.Zero)
{
CloseHandle(hToken);
}
return retval;
}
}
先写了个Command Line App 作试验,很顺利的搞定了,但是同样的代码改写成Web Service以后, 调用 ExitWindowsEx 却没有反应--跟踪检查了一下,AdjustTokenPrivileges 似乎也沒有返回错误.不放心在后面加了个 GetLastError,拿到一个1300错误--Not all privileges referenced are assigned to the caller. 看来是运行进程的User权限不够....试着把machine.config 里的processModel/@user 从machine 改成SYSTEM, 一切就OK了。不过如果我不这么改,而是试着给ASPNET这个User加权限,似乎好像还是有问题--我甚至在Local Policy里把 Act as a part of OS都给了ASPNET,更不用说加入Local Admin组了。不知道成功设置这个Privilege到底需要什么样的权限。
BTW: 写完这个以后,倒是想到跳过AdjustTokenPrivileges Restart 机器的一个办法:简单的写一Windows Service,想重起的时候,想办法要这Service 抛出1错误,只要在Service 配置的Recover页里做一点小小的设置,就可以重起了。 想法来源于以前的那个会搞s RPC服务的病毒,没有试验过,不过相信基本上没有什么大问题。
最后,恭喜开心同学结婚成功,今后天天有番茄炒蛋
吃。haha