啥都不说了,就是这样搞!!!!
发布时间:2019-06-27


这版作为基础版。

获取当前 session 的 token 有几个思路:可以通过进程、活动 session、遍历所有用户,或者从共享 session 里取出来。

// The header names were lost when this listing was extracted; these are the
// headers the code below requires (WTS*, token APIs, CreateEnvironmentBlock, printf).
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#include <cstdio>
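#pragma comment(lib, "WtsApi32.lib")
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "userenv.lib")

// Owning wrapper for a kernel HANDLE so that every return path closes it.
// The original leaked the session token, the duplicated token and the
// process/thread handles returned by CreateProcessAsUser.
class HandleGuard {
public:
    explicit HandleGuard(HANDLE h = nullptr) : h_(h) {}
    ~HandleGuard() { reset(); }
    HandleGuard(const HandleGuard&) = delete;
    HandleGuard& operator=(const HandleGuard&) = delete;

    HANDLE get() const { return h_; }
    // Out-parameter slot for APIs that fill a HANDLE*; drops any previous handle first.
    HANDLE* put() {
        reset();
        return &h_;
    }
    void reset() {
        if (h_ != nullptr) {
            CloseHandle(h_);
            h_ = nullptr;
        }
    }

private:
    HANDLE h_;
};

/// Returns the primary access token of the user logged on to @p dwSessionId,
/// or nullptr when WTSQueryUserToken fails (the original returned FALSE, which
/// is the same bit pattern, so callers are unaffected). The caller owns the
/// returned handle. WTSQueryUserToken needs SE_TCB_NAME, i.e. this normally
/// runs from a LocalSystem service.
HANDLE GetUserToken(DWORD dwSessionId)
{
    HANDLE hUserToken = nullptr;
    if (!WTSQueryUserToken(dwSessionId, &hUserToken)) {
        printf(" WTSQueryUserToken ERROR: %lu\n", GetLastError());
        return nullptr;
    }
    // The original also queried GetTokenInformation(TokenUser) here, but never
    // used the result and leaked the buffer, so that dead code is dropped.
    return hUserToken;
}

/// Copies the user name of @p dwSessionId into @p username (a 256-byte buffer).
/// On failure prints the error, leaves @p username empty and returns false.
bool GetSessionUserName(DWORD dwSessionId, char username[256])
{
    LPSTR pBuffer = nullptr;
    DWORD dwBufferLen = 0;
    if (!WTSQuerySessionInformationA(WTS_CURRENT_SERVER_HANDLE, dwSessionId, WTSUserName,
                                     &pBuffer, &dwBufferLen)) {
        printf(" WTSQuerySessionInformation ERROR: %lu\n", GetLastError());
        username[0] = '\0';
        return false;
    }
    // Bounded copy: the destination is a fixed 256-byte buffer (lstrcpy had no bound).
    lstrcpynA(username, pBuffer, 256);
    WTSFreeMemory(pBuffer);
    return true;
}

/// Enumerates the sessions on this machine, prints every active one, and stores
/// the id of the last active session in @p session_id (same choice as the original
/// loop). Returns false when the enumeration fails or no session is active.
static bool FindActiveSession(DWORD& session_id)
{
    PWTS_SESSION_INFOA pSession = nullptr;
    DWORD session_count = 0;
    if (!WTSEnumerateSessionsA(WTS_CURRENT_SERVER_HANDLE, 0, 1, &pSession, &session_count)) {
        printf("WTSEnumerateSessions ERROR: %lu", GetLastError());
        return false;
    }
    bool found = false;
    for (DWORD i = 0; i < session_count; ++i) {
        // State == WTSActive already excludes WTSDisconnected; the second test was redundant.
        if (pSession[i].State != WTSActive) {
            continue;
        }
        char username[256] = {};
        printf("\tsessionInfo.SessionId=%lu\n", pSession[i].SessionId);
        GetSessionUserName(pSession[i].SessionId, username);
        printf("\tSession user's name = %s\n", username);
        session_id = pSession[i].SessionId;
        found = true;
    }
    WTSFreeMemory(pSession);
    return found;
}

/// Starts notepad on the default desktop of the active user session (the usual
/// "service launches a process in the interactive session" sequence).
/// Exit code is 0 on success and 1 on any failure; the original returned 0
/// (FALSE) on every error path and printed "OK" even when CreateProcessAsUser failed.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    DWORD session_id = static_cast<DWORD>(-1);
    if (!FindActiveSession(session_id)) {
        printf("no active session found\n");
        return 1;
    }

    HandleGuard hTokenThis(GetUserToken(session_id));
    if (hTokenThis.get() == nullptr) {
        return 1;
    }

    // Least privilege: request only what DuplicateTokenEx -> SetTokenInformation
    // -> CreateProcessAsUser need, instead of TOKEN_ALL_ACCESS.
    const DWORD dwTokenAccess = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY |
                                TOKEN_ADJUST_SESSIONID | TOKEN_ADJUST_DEFAULT;
    HandleGuard hTokenDup;
    if (!DuplicateTokenEx(hTokenThis.get(), dwTokenAccess, nullptr, SecurityIdentification,
                          TokenPrimary, hTokenDup.put())) {
        printf("DuplicateTokenEx ERROR: %lu\n", GetLastError());
        return 1;
    }
    hTokenThis.reset();  // the duplicate is all that is needed from here on

    if (!SetTokenInformation(hTokenDup.get(), TokenSessionId, &session_id, sizeof(DWORD))) {
        printf("SetTokenInformation Error === %lu\n", GetLastError());
        return 1;
    }

    // Explicit A-suffixed structs/APIs: the original mixed WTS_SESSION_INFOA with
    // TCHAR entry points and char buffers, which only built without UNICODE defined.
    STARTUPINFOA si = {};
    PROCESS_INFORMATION pi = {};
    si.cb = sizeof(si);
    char desktop[] = "WinSta0\\Default";  // lpDesktop is LPSTR, so not a string literal
    si.lpDesktop = desktop;
    //LPVOID pEnv = NULL;
    const DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;
    //CreateEnvironmentBlock(&pEnv, hTokenDup.get(), FALSE);
    // NOTE(review): with no environment block the child inherits this process's
    // environment rather than the user's; kept disabled here as in the original.
    char cmdLine[] = "c:\\windows\\system32\\notepad.exe";  // CreateProcess may modify the buffer
    if (!CreateProcessAsUserA(hTokenDup.get(), nullptr, cmdLine, nullptr, nullptr, FALSE,
                              dwCreationFlag, nullptr, nullptr, &si, &pi)) {
        printf("CreateProcessAsUser Error === %lu\n", GetLastError());
        return 1;
    }
    // The process/thread handles are not used; close them so the kernel objects
    // can be reclaimed once the child exits.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    printf("OK");
    return 0;
}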

 

  

转载地址:http://jyznl.baihongyu.com/
