Seongtae's .NET Story (성태의 닷넷 이야기)
I've excerpted two topics from the MSDN help, since looking them up each time is a hassle. ^^;<br><br><hr> <h3 class="h2"> User Rights</h3> <p class="t"> <i>User rights</i> are rules that determine the actions a user can perform. Unless the computer is a domain controller, they are computer-specific policies. If it is a domain controller, the computer policy extends to all domain controllers in the domain. </p> <p class="t"> <b>Note</b></p> <p> In the current release of Windows NT, the set of user rights is defined by the system and cannot be changed. Future versions of Windows NT may allow software developers to define new user rights appropriate to their application.</p> <p class="t"> User rights can be assigned to individual user accounts, but are usually (and more efficiently) assigned to groups. Predefined (built-in) groups have sets of user rights already assigned. Administrators usually assign user rights by adding a user account to one of the predefined groups or by creating a new group and assigning specific user rights to that group. Users who are subsequently added to a group automatically gain all user rights assigned to the group account. </p> <p class="t"> There are several user rights that administrators of high-security installations should be aware of and possibly audit. 
Of these, you might want to change the default permissions for two rights: <b>Log on locally</b> and <b>Shut down the system</b>.</p> <p class="ttl"> <b>Table 2.1 Default user rights that may require changing</b></p> <table cols="4" cellpadding="7" border="0"> <colgroup> <col valign="top" width="116" /> <col valign="top" width="137" /> <col valign="top" width="94" /> <col valign="top" width="0pt" /> </colgroup> <tr> <td valign="top"> <p class="th"> <b> <br /> User Right</b></p> </td> <td valign="top"> <p class="th"> <b>Groups assigned this right by default</b></p> </td> <td valign="top"> <p class="th"> <b>Recommended change</b></p> </td> </tr> <tr> <td valign="top" colspan="4"> <p> </p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Log on locally<br /> Allows a user to log on at the computer, from the computer's keyboard. </p> </td> <td valign="top"> <p class="tt"> Administrators, Backup Operators, Everyone, Guests, Power Users, and Users</p> </td> <td valign="top"> <p class="tt"> Deny Everyone and Guests this right.</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Shut down the system (SeShutdownPrivilege)<br /> Allows a user to shut down Windows NT. 
</p> </td> <td valign="top"> <p class="tt"> Administrators, Backup Operators, Everyone, Power Users, and Users</p> </td> <td valign="top"> <p class="tt"> Deny Everyone and Users this right.</p> </td> </tr> </table> <p class="spacing"> <br /> </p> <p class="t"> The rights in the following table generally require no changes to the default settings, even in the most highly secure installations.</p> <p class="ttl"> <b>Table 2.2 Default user rights</b></p> <table cols="4" cellpadding="7" border="0"> <colgroup> <col valign="top" width="130" /> <col valign="top" width="0pt" /> <col valign="top" width="152" /> <col valign="top" width="81" /> </colgroup> <tr> <td valign="top" colspan="4"> <p> </p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="th"> <b>Right</b></p> </td> <td valign="top" colspan="2"> <p class="th"> <b>Allows</b></p> </td> <td valign="top" colspan="2"> <p class="th"> <b>Initially assigned to</b></p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Access this computer from the network</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to connect to the computer over the network.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Everyone, Power Users</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Act as part of the operating system<br /> (SeTcbPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A process to perform as a secure, trusted part of the operating system. Some subsystems are granted this right.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Add workstations to the domain (SeMachineAccountPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> Nothing. 
This right has no effect on computers running Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Back up files and directories <br /> (SeBackupPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to back up files and directories. This right supersedes file and directory permissions.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Backup Operators</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Bypass traverse checking (SeChangeNotifyPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to change directories and to access files and subdirectories, even if the user has no permission to access parent directories.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Everyone</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Change the system time<br /> (SeSystemTimePrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to set the time for the internal clock of the computer.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Power Users</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Create a pagefile <br /> (SeCreatePagefilePrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> Nothing. This right has no effect in current versions of Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Create a token object <br /> (SeCreateTokenPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A process to create access tokens. 
Only the Local Security Authority can do this.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Create permanent shared objects <br /> (SeCreatePermanentPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to create special permanent objects, such as \\Device, that are used within Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Debug programs<br /> (SeDebugPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to debug various low-level objects, such as threads.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Force shutdown from a remote system <br /> (SeRemoteShutdownName)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to shut down a remote computer.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Generate security audits <br /> (SeAuditPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A process to generate security-audit log entries.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Increase quotas <br /> (SeIncreaseQuotaPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> Nothing. 
This right has no effect in current versions of Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Increase scheduling priority <br /> (SeIncreaseBasePriorityPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to boost the execution priority of a process.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Power Users</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Load and unload device drivers <br /> (SeLoadDriverPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to install and remove device drivers. </p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Lock pages in memory<br /> (SeLockMemoryPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to lock pages in memory so they cannot be paged out to a backing store, such as Pagefile.sys.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Log on as a batch job</p> </td> <td valign="top" colspan="2"> <p class="tt"> Nothing. 
This right has no effect in current versions of Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Log on as a service</p> </td> <td valign="top" colspan="2"> <p class="tt"> A process to register with the system as a service.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top" colspan="2"> <p class="tt"> Log on locally</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to log on at the computer from the computer keyboard.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Backup Operators, Guests, Power Users, Users</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Manage auditing and security log <br /> (SeSecurityPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to specify what types of resource access (such as file access) are to be audited, and to view and clear the security log. This right does not allow a user to set system auditing policy using <b>Audit</b> on the User Manager<b> Policy</b> menu. 
Members of the Administrators group can always view and clear the security log.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Modify firmware environment variables <br /> (SeSystemEnvironmentPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to modify system-environment variables stored in nonvolatile RAM on systems that support this type of configuration.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Profile single process <br /> (SeProfSingleProcess)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to perform profiling (performance sampling) on a process.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Power Users</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Profile system performance<br /> (SeSystemProfilePrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to perform profiling (performance sampling) on the system.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Replace a process-level token<br /> (SeAssignPrimaryTokenPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to modify a process's security-access token. This is a powerful right, used only by the system.</p> </td> <td valign="top" colspan="2"> <p class="tt"> (None)</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Restore files and directories <br /> (SeRestorePrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to restore backed-up files and directories. 
This right supersedes file and directory permissions.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Backup Operators</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Shut down the system <br /> (SeShutdownPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to shut down Windows NT.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators, Backup Operators, Power Users, Users</p> </td> </tr> <tr> <td valign="top"> <p class="tt"> Take ownership of files or other objects <br /> (SeTakeOwnershipPrivilege)</p> </td> <td valign="top" colspan="2"> <p class="tt"> A user to take ownership of files, directories, printers, and other objects on the computer. This right supersedes permissions protecting objects.</p> </td> <td valign="top" colspan="2"> <p class="tt"> Administrators</p> </td> </tr> </table> <h1 class="title"> <p class="spacing"> <hr /> </p> </h1> <h1 class="title"> HOWTO: How to Obtain a Handle to Any Process with SeDebugPrivilege</h1> <div class="section"> <h2 class="subTitle"> <a name="kb1">SUMMARY</a></h2> <div class="sbody"> In Windows NT, you can retrieve a handle to any process in the system by enabling the SeDebugPrivilege in the calling process. The calling process can then call the OpenProcess() Win32 API to obtain a handle with PROCESS_ALL_ACCESS. </div> <h2 class="subTitle"> <a name="kb2">MORE INFORMATION</a></h2> <div class="sbody"> This functionality is provided for system-level debugging purposes. For debugging non-system processes, it is not necessary to grant or enable this privilege. <br /> <br /> This privilege allows the caller all access to the process, including the ability to call TerminateProcess(), CreateRemoteThread(), and other potentially dangerous Win32 APIs on the target process. <br /> <br /> Take great care when granting SeDebugPrivilege to users or groups. 
<h3> Sample Code</h3> The following source code illustrates how to obtain SeDebugPrivilege in order to get a handle to a process with PROCESS_ALL_ACCESS. The sample code then calls TerminateProcess on the resultant process handle.
<pre><code>
#define RTN_OK 0
#define RTN_USAGE 1
#define RTN_ERROR 13

#include &lt;windows.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;   // atoi

BOOL SetPrivilege(
    HANDLE hToken,          // token handle
    LPCTSTR Privilege,      // Privilege to enable/disable
    BOOL bEnablePrivilege   // TRUE to enable. FALSE to disable
    );

void DisplayError(LPTSTR szAPI);

int main(int argc, char *argv[])
{
    HANDLE hProcess;
    HANDLE hToken;
    int dwRetVal=RTN_OK; // assume success from main()

    // show correct usage for kill
    if (argc != 2)
    {
        fprintf(stderr,"Usage: %s [ProcessId]\n", argv[0]);
        return RTN_USAGE;
    }

    // open this process's own token so its privileges can be adjusted
    if(!OpenProcessToken(
            GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
            &hToken
            )) return RTN_ERROR;

    // enable SeDebugPrivilege
    if(!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE))
    {
        DisplayError("SetPrivilege");

        // close token handle
        CloseHandle(hToken);

        // indicate failure
        return RTN_ERROR;
    }

    // open the process
    if((hProcess = OpenProcess(
            PROCESS_ALL_ACCESS,
            FALSE,
            (DWORD)atoi(argv[1]) // PID from commandline
            )) == NULL)
    {
        DisplayError("OpenProcess");

        // drop the privilege again and close the token handle before failing
        SetPrivilege(hToken, SE_DEBUG_NAME, FALSE);
        CloseHandle(hToken);
        return RTN_ERROR;
    }

    // disable SeDebugPrivilege; the handle already carries the access granted
    SetPrivilege(hToken, SE_DEBUG_NAME, FALSE);

    if(!TerminateProcess(hProcess, 0xffffffff))
    {
        DisplayError("TerminateProcess");
        dwRetVal=RTN_ERROR;
    }

    // close handles
    CloseHandle(hToken);
    CloseHandle(hProcess);

    return dwRetVal;
}

BOOL SetPrivilege(
    HANDLE hToken,          // token handle
    LPCTSTR Privilege,      // Privilege to enable/disable
    BOOL bEnablePrivilege   // TRUE to enable. FALSE to disable
    )
{
    TOKEN_PRIVILEGES tp;
    LUID luid;
    TOKEN_PRIVILEGES tpPrevious;
    DWORD cbPrevious=sizeof(TOKEN_PRIVILEGES);

    // translate the privilege name into the LUID used on the local system
    if(!LookupPrivilegeValue( NULL, Privilege, &luid )) return FALSE;

    //
    // first pass. get current privilege setting
    //
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = 0;

    AdjustTokenPrivileges(
        hToken,
        FALSE,
        &tp,
        sizeof(TOKEN_PRIVILEGES),
        &tpPrevious,
        &cbPrevious
        );

    // AdjustTokenPrivileges can return TRUE without assigning the privilege,
    // so the last-error value is what has to be checked
    if (GetLastError() != ERROR_SUCCESS) return FALSE;

    //
    // second pass. set privilege based on previous setting
    //
    tpPrevious.PrivilegeCount = 1;
    tpPrevious.Privileges[0].Luid = luid;

    if(bEnablePrivilege) {
        tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
    }
    else {
        tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED &
            tpPrevious.Privileges[0].Attributes);
    }

    AdjustTokenPrivileges(
        hToken,
        FALSE,
        &tpPrevious,
        cbPrevious,
        NULL,
        NULL
        );

    if (GetLastError() != ERROR_SUCCESS) return FALSE;

    return TRUE;
}

void DisplayError(
    LPTSTR szAPI    // pointer to failed API name
    )
{
    LPTSTR MessageBuffer;
    DWORD dwBufferLength;
    DWORD dwError = GetLastError(); // capture before fprintf can overwrite it

    fprintf(stderr,"%s() error!\n", szAPI);

    if((dwBufferLength = FormatMessage(
            FORMAT_MESSAGE_ALLOCATE_BUFFER |
            FORMAT_MESSAGE_FROM_SYSTEM,
            NULL,
            dwError,
            GetSystemDefaultLangID(),
            (LPTSTR) &MessageBuffer,
            0,
            NULL
            )) != 0)
    {
        DWORD dwBytesWritten;

        //
        // Output message string on stderr
        //
        WriteFile(
            GetStdHandle(STD_ERROR_HANDLE),
            MessageBuffer,
            dwBufferLength,
            &dwBytesWritten,
            NULL
            );

        //
        // free the buffer allocated by the system
        //
        LocalFree(MessageBuffer);
    }
}
</code></pre> </div> </div>
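The excerpts above say these rights should be audited and that SeDebugPrivilege should be granted with great care. The following is an added example, not part of the MSDN text or the blog post: it checks a user-rights export against the recommended changes in Table 2.1 and the default holders in Table 2.2. Assumptions: the input has the `[Privilege Rights]` layout written by `secedit /export /areas USER_RIGHTS`, `SeInteractiveLogonRight` is the constant for "Log on locally", the groups are identified by their well-known SIDs, and the sample export and the `svc_build` account are constructed.

```python
# Added example: audit exported user-rights assignments against Tables 2.1/2.2.
# SAMPLE_EXPORT is constructed; it mimics the [Privilege Rights] section of
# `secedit /export /cfg rights.inf /areas USER_RIGHTS`. svc_build is hypothetical.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-546
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,svc_build
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs for the built-in groups named in the tables.
EVERYONE, ADMINS = "S-1-1-0", "S-1-5-32-544"
USERS, GUESTS = "S-1-5-32-545", "S-1-5-32-546"

# Table 2.1: principals that should be denied the right.
DENY = {
    "SeInteractiveLogonRight": {EVERYONE, GUESTS},  # Log on locally
    "SeShutdownPrivilege": {EVERYONE, USERS},       # Shut down the system
}
# Table 2.2: sensitive rights and the only holders the defaults list.
ALLOW_ONLY = {
    "SeDebugPrivilege": {ADMINS},
    "SeTcbPrivilege": set(),                        # (None) by default
}

def parse_privilege_rights(text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            holders = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            rights[name.strip()] = holders
    return rights

def audit(rights):
    """Return sorted (right, principal, reason) findings."""
    findings = []
    for right, banned in DENY.items():
        for p in rights.get(right, set()) & banned:
            findings.append((right, p, "should be denied (Table 2.1)"))
    for right, allowed in ALLOW_ONLY.items():
        for p in rights.get(right, set()) - allowed:
            findings.append((right, p, "not a default holder (Table 2.2)"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_privilege_rights(SAMPLE_EXPORT)):
        print(*finding, sep=" | ")
```

A real export file is normally UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `parse_privilege_rights`.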