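GetWindowsAccountDomainSid API fails with ERROR_NON_ACCOUNT_SID when trying to get the domain SID

Time: 2017-11-21 21:05:24

Tags: c++ winapi active-directory sid

My goal is to check whether an arbitrary process is running under certain (non-local, domain) administrator accounts. I use the following code: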

check_membership(WinAccountDomainAdminsSid);
check_membership(WinAccountEnterpriseAdminsSid);
check_membership(WinAccountCertAdminsSid);
check_membership(WinAccountPolicyAdminsSid);
check_membership(WinAccountSchemaAdminsSid);

void check_membership(WELL_KNOWN_SID_TYPE wellKnownSidType)
{
    //Most error checks are omitted for brevity!

    HANDLE hToken;
    HANDLE hImpToken;
    HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    OpenProcessToken(hProc, TOKEN_QUERY | TOKEN_DUPLICATE, &hToken);
    DuplicateTokenEx(hToken, TOKEN_QUERY, NULL, SecurityImpersonation, TokenImpersonation, &hImpToken);

    DWORD dwcbSize;
    BYTE buffTokenUser[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE] = {0};
    GetTokenInformation(hToken, TokenUser, buffTokenUser, sizeof(buffTokenUser), &dwcbSize);

    BYTE buffDomainSid[SECURITY_MAX_SID_SIZE] = {0};
    dwcbSize = sizeof(buffDomainSid); // in/out parameter: must hold the size of the domain SID buffer
    GetWindowsAccountDomainSid(((PTOKEN_USER)buffTokenUser)->User.Sid, buffDomainSid, &dwcbSize);

    BYTE sid[SECURITY_MAX_SID_SIZE] = {0};
    dwcbSize = sizeof(sid);
    if(CreateWellKnownSid(wellKnownSidType, (PSID)buffDomainSid, sid, &dwcbSize))
    {
        BOOL bIsMember = FALSE;
        if(CheckTokenMembership(hImpToken, &sid, &bIsMember))
        {
            wprintf(L"SidType=%d, Member: %s\n", wellKnownSidType, bIsMember ? L"Yes" : L"No");
        }
    }

    CloseHandle(hToken);
    CloseHandle(hImpToken);
    CloseHandle(hProc);
}

This works for most processes, but for some of them GetWindowsAccountDomainSid fails with error code 1257 (ERROR_NON_ACCOUNT_SID).

How can I get the domain SID in this case?

0 answers:

No answers
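
Added example, not part of the original question: a portable C++ model of the rule behind error 1257, which assumes that only SIDs of the form S-1-5-21-X-Y-Z[-RID] carry a domain part, so a token user such as S-1-5-18 (LocalSystem) has none. The helper names and sample SIDs are constructed for illustration, and the code does not call the Windows API.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split "S-R-A-s1-s2-..." into numbers: fields[0] = revision,
// fields[1] = identifier authority, the rest = sub-authorities.
static bool parse_sid(const std::string& s, std::vector<uint64_t>& fields) {
    if (s.rfind("S-", 0) != 0) return false;
    std::istringstream in(s.substr(2));
    std::string part;
    while (std::getline(in, part, '-')) {
        if (part.empty() || part.size() > 15 ||
            part.find_first_not_of("0123456789") != std::string::npos)
            return false;
        fields.push_back(std::stoull(part));
    }
    return fields.size() >= 3 && fields[0] == 1;
}

// Hypothetical helper: returns the domain part of an account SID, or an
// empty string for SIDs with no domain part (the ERROR_NON_ACCOUNT_SID case).
std::string account_domain_sid(const std::string& sid) {
    std::vector<uint64_t> f;
    // Assumed account-SID shape: authority 5 (NT), first sub-authority 21,
    // then at least three further sub-authorities identifying the domain.
    if (!parse_sid(sid, f) || f[1] != 5 || f.size() < 6 || f[2] != 21)
        return std::string();
    std::ostringstream out;
    out << "S-1-5-21-" << f[3] << '-' << f[4] << '-' << f[5];
    return out.str();
}

int main() {
    // Constructed token-user SIDs; the domain numbers are made up.
    const char* samples[] = {"S-1-5-18", "S-1-5-19", "S-1-5-20",
                             "S-1-5-21-1111111111-2222222222-3333333333-1105"};
    for (const char* s : samples) {
        std::string dom = account_domain_sid(s);
        // RID 512 is the Domain Admins group relative to the domain SID.
        std::cout << s << " -> "
                  << (dom.empty() ? std::string("no domain part, treat as non-domain account")
                                  : dom + "-512 is the Domain Admins SID to test")
                  << '\n';
    }
    return 0;
}
```

In the membership check this corresponds to treating error 1257 as "not a domain account" for that process rather than as a fatal failure.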