Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Dropping privileges in C++ on Windows

Tags:

c++

permissions

uac

Is it possible for a C++ application running on Windows to drop privileges at runtime?

For instance, if a user starts my application as Administrator, but there's no reason to run my application as administrator, can I in some way give up the Administrator-privileges?

In short, I would like to write code in the main() function which drops privileges I don't need (for instance, Write access on the Windows directory).

like image 516
Nitramk Avatar asked Oct 07 '09 17:10

Nitramk

People also ask

What is drop privilege?

The first of two functions, spc_drop_privileges( ) drops any extra group or user privileges either permanently or temporarily, depending on the value of its only argument. If a nonzero value is passed, privileges will be dropped permanently; otherwise, the privilege drop is temporary.

What are Windows privileges?

A privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer, such as shutting down the system, loading device drivers, or changing the system time.

How do I elevate my privileges in Windows 10?

How Do I Get Full Administrator Privileges On Windows 10? Search settings, then open the Settings App. Then, click Accounts -> Family & other users. Finally, click your user name and click Change account type – then, on the Account type drop-down, select Administrators and click OK.

1 Answers

Yes, you can use AdjustTokenPrivileges to remove unneeded and dangerous privileges from your token. You can either disable if not immediately needed (the privilege can be enabled later) or remove a privilege from your token altogether.

You can also create a restricted token via CreateRestrictedToken and relaunch your application running with that restricted token. CreateRestrictedToken can be used to disable privileges and remove groups (like Administrators Group) from a token.

You may be able to use AdjustTokenGroups to remove the administrator group from the token of your running process, but I've never tried this on an already running process.

Note that write-access to the Windows directory is not covered by a privilege. Resources in the system have ACL's which govern who has access. System and administrators have write-access to the Windows directory.

like image 142
Michael Avatar answered Sep 21 '22 03:09

Michael
Sign in to Comment

Related questions

Dynamic downcast on private inheritance within private scope
How to find which elements are in the bag, using Knapsack Algorithm [and not only the bag's value]?
Visual Studio 2010 C++ code formatter
Does an exception use move semantics when thrown in C++11?
What makes a template different from a generic?
clang++ not accepting use of template template parameter when using CRTP
Can I safely use std::string for binary data in C++11?
Does the standard mandate an lvalue-to-rvalue conversion of the pointer variable when applying indirection?
Using new with decltype
Is calling wait() on a std::future multiple times and from multiple threads safe?
Lookup of dependent names in C++ template instantiation
g++ compilation error "... is protected from within this context" while there's no error with clang
How do you scale the title bar on a DPI aware win application?
Protocol Buffer Error on compile during GOOGLE_PROTOBUF_MIN_PROTOC_VERSION check
Return value optimization of tuple/tie
Why can an aggreggate struct be brace-initialized, but not emplaced using the same list of arguments as in the brace initialization?
Existence of objects created in C functions
Is it legal to call delete on a null pointer of an incomplete type?
Is it safe to link gcc 6, gcc 7, and gcc 8 objects?
int numeral -> pointer conversion rules

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!