CN101359355B - Method for raising user's authority for limitation account under Windows system - Google Patents

Info

Publication number: CN101359355B
Authority: CN (China)
Prior art keywords: application program, authority, log file, windows, service routine
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2007100755641A
Other languages: Chinese (zh)
Other versions: CN101359355A
Inventor: 邓鑫
Current and original assignee: SYMWAVE TECHNOLOGY (SHENZHEN) Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Priority date and filing date: 2007-08-02 (the priority date is an assumption and is not a legal conclusion)
Publication dates: 2009-02-04 (CN101359355A, application), 2010-07-14 (CN101359355B, grant)
Landscapes: Storage Device Security (AREA)

Abstract

Disclosed is a method for raising the user authority of a limited user account in a Windows system, used for raising the operating authority of an application program. The method comprises the steps of: creating or locating a readable and writable public directory; specifying a record file under the public directory; creating or importing a service program that monitors the record file in the system and runs the application program specified by that file; and adding a judgment processing module at the entry of the application program when the application program is written. The judgment processing module detects the running authority of the current program: if it is administrator authority, the application program runs normally; otherwise the complete path of the application program is written into the specified file and the application program is terminated. The invention raises the running authority of a specified program simply and efficiently and is easy to implement.

Description

Method for raising user's authority for a limited account under a Windows system
Technical field
The present invention relates to electric digital data processing technology, in particular to program control of a processor, and to program control of the reading and writing of data between the processor and input-output devices.
Background art
Microsoft's Windows operating system is widely used on personal and business computers. The currently popular versions Win2000, WinXP and Vista all have the notion of account authority. The administrator account has the highest operating right and can perform system-level operations. Ordinary users belong to limited accounts, which have restricted operating rights and cannot perform system-level operations, for example reading and writing the registry, reading and writing system files or folders, performing certain security settings or controls of the system, and in particular reading and writing external devices. Taking Fig. 1 as an example, Fig. 1a illustrates the situation under the administrator account: the application program can use the Windows API to open an external device in read-write mode and read and write data. Under a limited account the same application program is restricted in reading and writing data to the external device: it can only read (Fig. 1b) and cannot write (Fig. 1c), and therefore, as shown in Fig. 1d, it essentially cannot open the external device in read-write mode and operate it.
The deficiency of the above prior art is therefore: under WinXP and Win2000, if the user logs in as an ordinary user, the user's rights, including reading and writing data to external devices, are restricted. This is especially so under Vista, Microsoft's latest release, which adds a UAC (User Account Control) function not present in WinXP and Win2000. Its purpose is to separate tasks that need privileges from common tasks, so that the user performs most tasks with ordinary-user authority and only special tasks with higher authority. Because of this function, user login differs greatly from earlier operating systems: when the user logs in with a self-created administrator account, both an administrator access token and an ordinary-user access token are obtained. The ordinary-user access token is used to start Explorer.exe, the parent process of all processes started by the user, and these processes inherit the access token authority of Explorer.exe. Unless UAC elevates a particular program, all application programs therefore work with ordinary-user authority. So in this operating system version, even when the user logs in with the administrator identity described above, the system often pops up a dialog box prompting the user to raise the operating authority when an application program is run, which affects the running of the program.
Summary of the invention
The technical problem to be solved by the present invention is the above deficiency of the prior art. A method is proposed that permits the user's authority to be raised under a limited account, in particular to implement reading and writing of data to external devices simply, and especially, under a limited account of the Vista operating system, to spare the user program the interference of the privilege-elevation prompt dialog box.
To solve the above technical problem, the basic conception of the present invention is: according to the operating mechanism of Windows, a service program is designed on the basis of Windows services in order to control the running of the application program according to the user's current authority, so that a program performing data read-write automatically obtains higher rights, thereby eliminating the restriction that the dialog box or the account authority places on the external device.
As the technical scheme realizing the conception of the present invention, a method for raising user's authority for a limited account under a Windows system is provided, used for raising the operating authority of an application program, comprising in particular the steps:
A. creating or locating a readable and writable public directory, and specifying a record file under the public directory;
B. creating or importing a service program built on the Kernel layer and running this service program, so as to monitor the record file in the system and run the application program specified by that file; the service program provides a function that can run the application program in foreground mode;
C. when writing the application program, adding a judgment processing module at the entry of the application program; this module detects the operating authority of the current program: if it is administrator authority, the application program runs normally; otherwise the complete path of the application program is written into the record file and the application program is terminated.
In the above scheme, the service program is set to automatic start-up mode.
In the above scheme, the running service program also creates in the system a monitor thread that cyclically monitors and reads the content of the record file; each time the content grows by the complete path of one application program, that application program is run by the function.
In the above scheme, the record file is created temporarily by the application program that needs to run with administrator authority, and is deleted by the service program after the application program specified by the record file has been run by the function.
In the above scheme, the application program performs an operation or task of reading and writing an external device.
With the above technical scheme, raising the operating authority of a designated program is realized simply and effectively; the problem that an application program under a limited account of the Windows system cannot perform data read-write operations with an external device because of insufficient privilege is solved; the prompt box brought by the UAC setting under the Vista system is avoided at the same time; and the scheme is also easy to implement.
Description of drawings
Fig. 1 is a schematic diagram of the restrictions that different account authorities of the prior art place on read-write operations on an external device;
Fig. 2 is a schematic diagram of the implementation framework of the method of the invention in the Windows system;
Fig. 3 is an operational flowchart of the service program and the application program in the method of the invention;
Fig. 4 is a schematic diagram of the operating process of the self-defined function in the service program of the invention;
Fig. 5 is a schematic diagram of the realization flow of the method of the invention.
Embodiments
The present invention is further set forth below in conjunction with the accompanying drawings and the most preferred embodiment shown therein.
The implementation framework of the present invention is shown in Fig. 2. The application program performs specific operations on the basis of the Windows system, including reading and writing the registry and accessing external devices connected to the computer through various interfaces; the service program provides auxiliary operations on the basis of the Windows system, for example raising the authority of the application program so that it runs in foreground mode. The service program and the application program communicate through the record file under the writable public directory. The method of the invention therefore comprises the steps:
A. creating or locating a readable and writable public directory, and specifying a record file under the public directory;
B. creating or importing a service program and running it, so as to monitor the record file in the system and run the application program specified by that file;
C. when writing the application program, adding a judgment processing module at the entry of the application program; as shown in Fig. 3b, this module detects the operating authority of the current program in the system: if it is administrator authority, the application program runs normally; otherwise the complete path of the application program is written into the specified file and the application program is terminated.
In embodiments of the present invention, the public directory of step A can be one of the paths obtained by the following code:
#include <shlobj.h>   /* SHGetSpecialFolderPath and the CSIDL_* constants; requires windows.h */
TCHAR szPubPath[MAX_PATH] = {0};
/* either of the following two calls fills szPubPath with a public directory */
SHGetSpecialFolderPath(NULL, szPubPath, CSIDL_COMMON_APPDATA, 0);
SHGetSpecialFolderPath(NULL, szPubPath, CSIDL_COMMON_DOCUMENTS, 0);
Here szPubPath is a user-defined variable of type TCHAR array, and SHGetSpecialFolderPath is a function provided by the Windows system which returns different path values depending on its input parameter. In the present embodiment, executing
SHGetSpecialFolderPath(NULL, szPubPath, CSIDL_COMMON_APPDATA, 0);
in a Windows XP system obtains the path
szPubPath = C:\Documents and Settings\All Users\Application Data
and in a Windows Vista system obtains the path
szPubPath = C:\ProgramData
Executing SHGetSpecialFolderPath(NULL, szPubPath, CSIDL_COMMON_DOCUMENTS, 0);
in a Windows XP system obtains the path
szPubPath = C:\Documents and Settings\All Users\Documents
and in Windows Vista obtains the path
szPubPath = C:\ProgramData\Documents
These shared paths are readable and writable under any account's authority.
The specified record file is not limited to any file format, as long as it is read and written according to a pre-defined rule (the rule may even be self-defined), for example but not limited to the commonly used INI file format. The present embodiment agrees that this file is the _UpgradeToAdmin_.ini file under the Documents folder of the above directory C:\ProgramData. When writing the application program, the user then uses this file, in the judgment processing module, to record the complete path of the application program in the operating system.
The service program is built on the Kernel (core) layer. To avoid the trouble of manual execution, the service program is preferably set to automatic start-up mode, so that it starts automatically when the operating system starts and thereafter runs with system-level authority. In the present embodiment, this service program provides a function that can run other application programs in foreground mode, for example but not limited to a self-defined function named
bool LaunchAppEx(TCHAR* pPath)
where TCHAR* pPath is the complete path of the application program whose authority needs to be raised. This function calls several Windows API functions provided by Microsoft, including OpenProcessToken, DuplicateTokenEx and WTSGetActiveConsoleSessionId, and performs the flow shown in Fig. 4 to accomplish the above task:
First the handle of the current process is obtained with an API function, and with this handle the handle of its token is obtained; this token handle is duplicated to produce a token handle named TokenDup. Then the session ID of the currently active console is obtained with an API function, the session ID information of the TokenDup token handle is set, and an environment block is created from this token handle. Finally the designated process is created from this token handle and this environment block, so that the application program designated by the complete path runs in foreground mode with the authority of the current system user. If running the application program succeeds, true (a success logical signal) is returned; otherwise false (a failure logical signal) is returned.
Thus, after the computer boots and the system starts, as shown in Fig. 3a, the service program runs and creates in the system a monitor thread that cyclically monitors the specified file; this monitor thread monitors and reads the content of the specified file _UpgradeToAdmin_.ini. When it confirms that the file contains the complete path of an application program that needs to run with administrator authority (or each time the file content grows by the complete path of one application program), it deletes that complete path and at the same time the service program calls the LaunchAppEx function to run that application program in foreground mode. Because the service program has system-level authority, the application program is raised in authority, can skip the prompt box processing link and run normally, and an application program that needs to write to an external device can also access the external device directly to read and write data. Alternatively, the complete path may be left undeleted and marked with an executed flag; correspondingly, the monitor thread then looks for the complete paths of application programs that have not yet been executed. The method of deleting the _UpgradeToAdmin_.ini file itself may also be adopted, in which case the file is created temporarily by the application program that needs to run with administrator authority.
The service program can also prompt the user accordingly, based on the operation result information returned by the LaunchAppEx function.
Thus, taking an application program that reads and writes an external device as an example, as shown in Fig. 5, when the user logs in to the Windows system and runs this application program: if the user has administrator authority, the application program runs normally, allowing the user to open the external device in read-write mode and perform read-write operations; otherwise, under the limited account, the application program exits, its complete path is at the same time recorded into the specified file as needing its operating authority raised, and finally the program is run by the service program.
To prevent the content of the _UpgradeToAdmin_.ini file under the common path from being obtained easily by others, an encryption/decryption module may also be added to the method of the invention, as shown in Fig. 2. When the application program writes its complete path into the specified file, the complete path data is encrypted before being stored in the file, to guarantee the security of the program. Correspondingly, when the service program reads the complete path, it decrypts the data before the system call. The encryption/decryption may adopt, but is not limited to, the AES256 algorithm; as this is prior art, it is not described further here.
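The service described above launches, with system-level authority, whatever complete path it finds in a file that every account on the machine can write; encrypting the path with a key the application binary must also hold keeps it from casual reading but does not establish who wrote it. The following Python module is an added example, not the patent's code: it shows the admission check a defender would place in front of LaunchAppEx, vetting the recorded path itself rather than trusting the file (the allow-listed executable, the protected roots and the one-path-per-line INI layout are constructed assumptions).

```python
"""Admission check for the launcher service described on this page.

Added example, not the patent's code. The page's service runs with system
authority and launches the complete path it reads from _UpgradeToAdmin_.ini,
a file in a public directory that every account can write. Because the writer
of that file cannot be trusted, the path itself is vetted here: canonicalise,
require a root only administrators can write, require an exact allow-list
match, and return a decision record for the service's event log.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Roots that standard users cannot write on a default Windows install. The public
# directories the page uses for the INI file (C:\ProgramData, All Users\Documents)
# are deliberately absent: anything there is writable by any account.
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows\System32")

# Exact executables the service may elevate (constructed placeholder standing in
# for the fingerprint tool of the page's embodiment).
ALLOWED_EXECUTABLES = frozenset(
    ntpath.normcase(p) for p in (r"C:\Program Files\FingerprintTool\fptool.exe",)
)


@dataclass(frozen=True)
class Decision:
    requested: str         # path exactly as written into the INI file
    canonical: str | None  # normalised form, or None if the form was rejected
    allowed: bool
    reason: str            # short code suitable for logging and alerting


def canonicalize(path: str) -> str | None:
    """Normalised drive-letter path, or None for UNC/device-prefix, relative,
    drive-relative or NUL-containing input. '.' and '..' are resolved so the
    root check cannot be bypassed with 'C:\\Program Files\\..\\ProgramData\\x.exe'."""
    path = path.strip().strip('"')
    if not path or "\x00" in path or path.startswith(("\\\\", "//")):
        return None
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or not drive[0].isalpha() or drive[1] != ":":
        return None
    if not rest.startswith(("\\", "/")):
        return None  # drive-relative path such as C:tool.exe
    return ntpath.normpath(drive.upper() + rest)


def under_protected_root(canonical: str) -> bool:
    """True if the path lies strictly inside one of PROTECTED_ROOTS."""
    lowered = ntpath.normcase(canonical)
    return any(lowered.startswith(ntpath.normcase(r) + "\\") for r in PROTECTED_ROOTS)


def admit(requested: str) -> Decision:
    """Decide whether the service may launch `requested` with raised authority."""
    canonical = canonicalize(requested)
    if canonical is None:
        return Decision(requested, None, False, "malformed-path")
    if not canonical.lower().endswith(".exe"):
        return Decision(requested, canonical, False, "not-an-executable")
    if not under_protected_root(canonical):
        return Decision(requested, canonical, False, "outside-protected-root")
    if ntpath.normcase(canonical) not in ALLOWED_EXECUTABLES:
        return Decision(requested, canonical, False, "not-on-allow-list")
    return Decision(requested, canonical, True, "allowed")


def review_ini(ini_text: str) -> list[Decision]:
    """Vet every path in the INI file, one complete path per line (constructed
    layout; the page leaves the format open). Section headers and comments skip."""
    lines = (ln.strip() for ln in ini_text.splitlines())
    return [admit(ln) for ln in lines if ln and not ln.startswith((";", "#", "["))]


# Constructed sample content of _UpgradeToAdmin_.ini.
SAMPLE_INI = "\n".join([
    "[UpgradeToAdmin]",
    r"C:\Program Files\FingerprintTool\fptool.exe",
    r"C:\ProgramData\Documents\unapproved.exe",
    r"C:\Program Files\..\ProgramData\Documents\unapproved.exe",
    r"\\fileserver\share\tool.exe",
    r"C:\Program Files\FingerprintTool\readme.txt",
])

if __name__ == "__main__":
    for d in review_ini(SAMPLE_INI):
        print(f"{'LAUNCH' if d.allowed else 'DENY'}\t{d.reason}\t{d.requested}")
```

Only the first sample entry is launched; the traversal entry canonicalises to the public directory and is refused like the plain one, so a writable record file alone no longer decides what runs as system.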
The present embodiment takes a fingerprint device with a USB interface as an example. The judgment processing module is added to the code base of an application program, written according to the prior art, that reads and writes this fingerprint device. Experiments verify that this application program can read and write the fingerprint device under a limited account of the Windows system and, in particular under the Vista edition, avoids the prompt box, raises its authority automatically and accesses the external device successfully.

Claims (8)

1. the method for a Windows system raising user's authority for limitation account under is used for the lifting of application program operating right, it is characterized in that, comprises step:
A. set up or seek a read-write public directory, and under described public directory, specify a log file;
B. set up or import a service routine of setting up based on the Kernel layer and move this service routine, in system, to monitor described log file and to move the specified application program of this log file; Described service routine provides a function that can move described application program with foreground mode;
When C. working out described application program, add a judging treatmenting module at the inlet of this application program; This module will detect the operation authority of present procedure, if administrator right is then normally moved this application program, otherwise, write the operation that finishes this application program behind the complete trails of this application program in the described log file.
2. according to the method for the described Windows of claim 1 system raising user's authority for limitation account under, it is characterized in that:
Described log file is the INI formatted file.
3. according to the method for the described Windows of claim 1 system raising user's authority for limitation account under, it is characterized in that:
Described service routine is set to automatic operational mode.
4. according to the method for the described Windows of claim 1 system raising user's authority for limitation account under, it is characterized in that:
The operation of described service routine is also created a circulatory monitoring and is read the monitor thread of the content of described log file in system; If the complete trails of every increase by one application program of described content, then this application program obtains operation by described function.
5. according to the method for the described Windows of claim 4 system raising user's authority for limitation account under, it is characterized in that:
Described log file is by need set up with the application program of administrator right operation temporarily, and this log file will obtain the operation back by described function in the application program by this log file appointment and be deleted by described service routine.
6. according to the method for the described Windows of claim 1 system raising user's authority for limitation account under, it is characterized in that:
Described application program is carried out the operation or the task of read-write external unit.
7. according to the method for the described Windows of claim 6 system raising user's authority for limitation account under, it is characterized in that:
Described external unit comprises fingerprint equipment.
8. according to the method for the described Windows of claim 1 system raising user's authority for limitation account under, it is characterized in that:
Described complete trails is that the form with enciphered data is written into described log file.
Publications

Application CN2007100755641A, priority and filing date 2007-08-02
CN101359355A (application), published 2009-02-04
CN101359355B (granted patent), published 2010-07-14
Family ID: 40331802
Country: CN


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1485746A (en) * 2002-09-27 2004-03-31 鸿富锦精密工业(深圳)有限公司 Management system and method for user safety authority limit
CN1558354A (en) * 2004-01-13 2004-12-29 威盛电子股份有限公司 User authority setting system, setting method and recording medium thereof

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination; entry into force of request for substantive examination
C14 / GR01: Grant of patent or utility model; granted publication date 2010-07-14
C17 / CF01: Cessation of patent right; termination of patent right due to non-payment of annual fee; termination date 2011-08-02