注册表之打开SAM子键的提权函数

#include <windows.h>
#include <aclapi.h>
#include <tchar.h>
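/*
 * EnableRegSAMPriv - grant BUILTIN\Administrators full control of HKLM\SAM\SAM.
 *
 * Reads the key's current DACL, adds (SET_ACCESS) an ACE that gives the local
 * Administrators group KEY_ALL_ACCESS, inheritable by every subkey and value,
 * and writes the merged DACL back to the key.
 *
 * Returns TRUE on success, FALSE if any Win32 call fails. The specific error
 * code from GetNamedSecurityInfo / SetEntriesInAcl / SetNamedSecurityInfo is
 * not propagated to the caller.
 *
 * Security notes:
 *  - HKLM\SAM\SAM holds the local account database, which is why a default
 *    install leaves it readable by SYSTEM only. This function makes the
 *    widened DACL PERSISTENT: nothing here reverts it, so afterwards any
 *    code running as a member of Administrators can read the subtree.
 *    Callers that only need a one-off read should keep the original DACL
 *    and restore it when done.
 *  - Writing a DACL requires WRITE_DAC on the key, so this must already run
 *    elevated (presumably as an elevated Administrator, which normally holds
 *    WRITE_DAC here - confirm on the target OS). It widens access; it does
 *    not bypass the initial access check.
 *  - The trustee is addressed by the well-known SID S-1-5-32-544 instead of
 *    the name "Administrators": the group name is localized on non-English
 *    Windows, and a name-based trustee makes the account lookup inside
 *    SetEntriesInAcl fail there.
 */
BOOL EnableRegSAMPriv()
{
    BOOL bRet = FALSE;
    DWORD dRet;
    PACL pOldDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;       /* owns pOldDacl; released with LocalFree */
    PSID pAdminSid = NULL;                 /* from AllocateAndInitializeSid; released with FreeSid */
    SID_IDENTIFIER_AUTHORITY ntAuth = SECURITY_NT_AUTHORITY;
    EXPLICIT_ACCESS eia = {0};
    /* SE_REGISTRY_KEY path form: "MACHINE" stands for HKEY_LOCAL_MACHINE. */
    LPTSTR samName = _T("MACHINE\\SAM\\SAM");

    /* Fetch the current DACL. pOldDacl points inside pSD, so only pSD is freed. */
    dRet = GetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, &pOldDacl, NULL, &pSD);
    if (dRet != ERROR_SUCCESS) {
        goto cleanup;
    }

    /* BUILTIN\Administrators = S-1-5-32-544, independent of the display language. */
    if (!AllocateAndInitializeSid(&ntAuth, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &pAdminSid)) {
        goto cleanup;
    }

    /* ACE: full control, inherited by all subkeys and values below SAM\SAM. */
    eia.grfAccessPermissions = KEY_ALL_ACCESS;
    eia.grfAccessMode = SET_ACCESS;
    eia.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    BuildTrusteeWithSid(&eia.Trustee, pAdminSid);

    /* Merge the new ACE into a fresh copy of the existing DACL. */
    dRet = SetEntriesInAcl(1, &eia, pOldDacl, &pNewDacl);
    if (dRet != ERROR_SUCCESS) {
        goto cleanup;
    }

    /* Write the DACL back: this is the persistent, security-relevant step. */
    dRet = SetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                NULL, NULL, pNewDacl, NULL);
    if (dRet != ERROR_SUCCESS) {
        goto cleanup;
    }

    bRet = TRUE;

cleanup:
    if (pNewDacl) LocalFree(pNewDacl);
    if (pSD) LocalFree(pSD);
    if (pAdminSid) FreeSid(pAdminSid);
    return bRet;
}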

 
