1,183
社区成员
发帖
与我相关
我的任务
分享
BOOL bSuccess = FALSE;
STARTUPINFO si = {0};
// 进程信息
PROCESS_INFORMATION pi = {0};
si.cb = sizeof(si);
si.lpDesktop = "WinSta0\Default";
HANDLE hTokenThis = NULL;
HANDLE hDuplicatedToken = NULL;
LPVOID lpEnvironment = NULL;
DWORD dwSessionID;
HANDLE hThisProcess = GetCurrentProcess();
WriteDebug("GetCurrentProcess - %d",hThisProcess);
OpenProcessToken(hThisProcess, TOKEN_ALL_ACCESS, &hTokenThis);
// 复制令牌
if (DuplicateTokenEx(hTokenThis,MAXIMUM_ALLOWED, NULL,SecurityIdentification,
TokenPrimary,&hDuplicatedToken) == FALSE)
{
DWORD dwError = GetLastError();
WriteDebug("DuplicateTokenEx - %d",dwError);
//goto Cleanup;
}
//更改新令牌的会话id为active console sessionid
SetTokenInformation(hDuplicatedToken, TokenSessionId, &dwSessionID, sizeof(DWORD));
// 获得当前Session ID
dwSessionID = WTSGetActiveConsoleSessionId();
WriteDebug("WTSGetActiveConsoleSessionId - %d",dwSessionID);
// 获得当前Session的用户令牌
if (WTSQueryUserToken(dwSessionID, &hTokenThis) == FALSE)
{
DWORD dwError = GetLastError();
WriteDebug("WTSQueryUserToken - %d",dwError);
//goto Cleanup;
}
// 创建用户Session环境
if (CreateEnvironmentBlock(&lpEnvironment,
hDuplicatedToken, FALSE) == FALSE)
{
DWORD dwError = GetLastError();
WriteDebug("CreateEnvironmentBlock - %d",dwError);
//goto Cleanup;
}
// 在复制的用户Session下执行应用程序,创建进程。
// 通过这个进程,就可以显示各种复杂的用户界面了
if (CreateProcessAsUser(hDuplicatedToken,m_strThePath, NULL, NULL, NULL, FALSE,
NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE |CREATE_UNICODE_ENVIRONMENT,
lpEnvironment, NULL, &si, &pi) == FALSE)
{
DWORD dwError = GetLastError();
WriteDebug("CreateProcessAsUser - %d",dwError);
//goto Cleanup;
}
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
bSuccess = TRUE;
// 清理工作
Cleanup:
if (!bSuccess)
{
WriteDebug("无法创建复杂UI");
}
if (hTokenThis != NULL)
CloseHandle(hTokenThis);
if (hDuplicatedToken != NULL)
CloseHandle(hDuplicatedToken);
if (lpEnvironment != NULL)
DestroyEnvironmentBlock(lpEnvironment);
我是这样写的,但是调试时,是有问题的。