管理员用户-UAC关闭状态-直接运行
普通用户-不存在本用户UAC-直接运行
管理员用户-UAC开启状态-管理员权限运行
管理员用户-UAC开启状态-直接运行
#include <Windows.h>
#include <stdio.h>
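/**
 * Classify the current process token by its UAC elevation state.
 *
 * @param result  Out-parameter, written only when the function returns TRUE:
 *                  1  the token is elevated (TokenIsElevated is non-zero);
 *                  0  TokenElevationTypeLimited: an administrator account
 *                     running unelevated with UAC enabled;
 *                 -1  TokenElevationTypeDefault: treated by the original
 *                     author as a standard user, for whom a UAC bypass
 *                     does not apply.
 * @return TRUE when the token was queried and classified. FALSE when result
 *         is NULL, when the token could not be opened or queried, or when the
 *         elevation data matches none of the three cases above (previously
 *         that case returned TRUE and left *result unwritten).
 */
BOOL TestUAC(int *result) {
    HANDLE hToken = NULL;
    TOKEN_ELEVATION_TYPE tet;
    TOKEN_ELEVATION te;
    DWORD dwReturnLength = 0;
    BOOL bClassified = FALSE;

    /* Refuse a NULL out-pointer instead of dereferencing it further down. */
    if (result == NULL) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    /* TOKEN_QUERY is the only access right the two queries below need. */
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    if (!GetTokenInformation(hToken, TokenElevationType, &tet, sizeof(tet),
                             &dwReturnLength)) {
        goto cleanup;
    }
    if (!GetTokenInformation(hToken, TokenElevation, &te, sizeof(te),
                             &dwReturnLength)) {
        goto cleanup;
    }

    /* The elevated flag takes precedence over the elevation type. */
    if (te.TokenIsElevated) {
        *result = 1;
        bClassified = TRUE;
    } else if (tet == TokenElevationTypeDefault) {
        /* Standard user: UAC bypass is not applicable. */
        *result = -1;
        bClassified = TRUE;
    } else if (tet == TokenElevationTypeLimited) {
        /* Administrator user running with the limited token behind UAC. */
        *result = 0;
        bClassified = TRUE;
    }
    /* Any other combination leaves bClassified FALSE so the caller never
     * reads a *result that was not written. */

cleanup:
    CloseHandle(hToken);
    return bClassified;
}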
// Reference: http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
// ConsentPromptBehaviorAdmin values: 2 - Always Notify, 5 - Default, 0 - Disabled
/**
 * Report whether the machine's administrator consent-prompt policy is set to
 * anything other than "Always Notify".
 *
 * Reads the DWORD value ConsentPromptBehaviorAdmin from
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This is the
 * only setting consulted; the function performs no elevation itself.
 *
 * @return FALSE when the value is 2 (Always Notify), TRUE for every other
 *         value. From a hardening point of view, 2 is the configuration
 *         under which this check reports that a bypass is not possible.
 */
BOOL CanBypassUAC() {
    DWORD dwPromptPolicy = 0;
    DWORD cbPromptPolicy = sizeof(dwPromptPolicy);

    /* NOTE(review): the status returned by RegGetValueA is not checked. If
     * the read fails, dwPromptPolicy keeps its initial 0 and the function
     * returns TRUE, so a failed read is indistinguishable from a real 0. */
    RegGetValueA(HKEY_LOCAL_MACHINE,
                 "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                 "ConsentPromptBehaviorAdmin",
                 RRF_RT_DWORD,
                 NULL,
                 &dwPromptPolicy,
                 &cbPromptPolicy);

    return (dwPromptPolicy == 2) ? FALSE : TRUE;
}
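/**
 * Entry point: print the UAC elevation state of the current process and, for
 * an unelevated administrator, whether the consent-prompt policy is at the
 * "Always Notify" level.
 *
 * The original read uac_tested without initialising it and ignored TestUAC's
 * return value, so a failed token query switched on an indeterminate value.
 * Both are handled explicitly here.
 *
 * @return Always 1, as in the original, so any caller that checks the exit
 *         code sees no change.
 */
int main(int argc, char *argv[]) {
    /* Sentinel that matches none of the states TestUAC reports (1, 0, -1). */
    enum { UAC_STATE_UNKNOWN = 2 };
    int uac_tested = UAC_STATE_UNKNOWN;

    (void)argc;
    (void)argv;

    if (!TestUAC(&uac_tested)) {
        /* Token could not be opened or queried: report it, do not guess. */
        fprintf(stderr, "无法获取令牌提升状态\n");
    } else {
        switch (uac_tested) {
        case 0:
            /* Administrator account, UAC enabled, running unelevated. */
            printf("管理员用户,UAC开启,普通运行\n");
            if (CanBypassUAC()) {
                printf("可以Bypass\n");
            } else {
                /* Policy value 2 ("Always Notify"). */
                printf("UAC为最高等级,不能Bypass\n");
            }
            break;
        case -1:
            /* Standard user. */
            printf("普通用户\n");
            break;
        case 1:
            /* Token is already elevated. */
            printf("具备管理员权限\n");
            break;
        default:
            /* TestUAC returned TRUE without writing a known state. */
            fprintf(stderr, "未知的令牌提升状态\n");
            break;
        }
    }

    /* Keep the console window open when the program is launched directly. */
    system("pause");
    return 1;
}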