CreateRestrictedToken
関数既存トークンから制限付きアクセストークンを作成する。
シグネチャ
// ADVAPI32.dll
#include <windows.h>
BOOL CreateRestrictedToken(
HANDLE ExistingTokenHandle,
CREATE_RESTRICTED_TOKEN_FLAGS Flags,
DWORD DisableSidCount,
SID_AND_ATTRIBUTES* SidsToDisable, // optional
DWORD DeletePrivilegeCount,
LUID_AND_ATTRIBUTES* PrivilegesToDelete, // optional
DWORD RestrictedSidCount,
SID_AND_ATTRIBUTES* SidsToRestrict, // optional
HANDLE* NewTokenHandle
);パラメーター
| 名前 | 型 | 方向 |
|---|---|---|
| ExistingTokenHandle | HANDLE | in |
| Flags | CREATE_RESTRICTED_TOKEN_FLAGS | in |
| DisableSidCount | DWORD | in |
| SidsToDisable | SID_AND_ATTRIBUTES* | inoptional |
| DeletePrivilegeCount | DWORD | in |
| PrivilegesToDelete | LUID_AND_ATTRIBUTES* | inoptional |
| RestrictedSidCount | DWORD | in |
| SidsToRestrict | SID_AND_ATTRIBUTES* | inoptional |
| NewTokenHandle | HANDLE* | out |
戻り値の型: BOOL
各言語での呼び出し定義
// ADVAPI32.dll
#include <windows.h>
BOOL CreateRestrictedToken(
HANDLE ExistingTokenHandle,
CREATE_RESTRICTED_TOKEN_FLAGS Flags,
DWORD DisableSidCount,
SID_AND_ATTRIBUTES* SidsToDisable, // optional
DWORD DeletePrivilegeCount,
LUID_AND_ATTRIBUTES* PrivilegesToDelete, // optional
DWORD RestrictedSidCount,
SID_AND_ATTRIBUTES* SidsToRestrict, // optional
HANDLE* NewTokenHandle
);[return: MarshalAs(UnmanagedType.Bool)]
[DllImport("ADVAPI32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool CreateRestrictedToken(
IntPtr ExistingTokenHandle, // HANDLE
uint Flags, // CREATE_RESTRICTED_TOKEN_FLAGS
uint DisableSidCount, // DWORD
IntPtr SidsToDisable, // SID_AND_ATTRIBUTES* optional
uint DeletePrivilegeCount, // DWORD
IntPtr PrivilegesToDelete, // LUID_AND_ATTRIBUTES* optional
uint RestrictedSidCount, // DWORD
IntPtr SidsToRestrict, // SID_AND_ATTRIBUTES* optional
IntPtr NewTokenHandle // HANDLE* out
);<DllImport("ADVAPI32.dll", SetLastError:=True, ExactSpelling:=True)>
Public Shared Function CreateRestrictedToken(
ExistingTokenHandle As IntPtr, ' HANDLE
Flags As UInteger, ' CREATE_RESTRICTED_TOKEN_FLAGS
DisableSidCount As UInteger, ' DWORD
SidsToDisable As IntPtr, ' SID_AND_ATTRIBUTES* optional
DeletePrivilegeCount As UInteger, ' DWORD
PrivilegesToDelete As IntPtr, ' LUID_AND_ATTRIBUTES* optional
RestrictedSidCount As UInteger, ' DWORD
SidsToRestrict As IntPtr, ' SID_AND_ATTRIBUTES* optional
NewTokenHandle As IntPtr ' HANDLE* out
) As Boolean
End Function' ExistingTokenHandle : HANDLE
' Flags : CREATE_RESTRICTED_TOKEN_FLAGS
' DisableSidCount : DWORD
' SidsToDisable : SID_AND_ATTRIBUTES* optional
' DeletePrivilegeCount : DWORD
' PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional
' RestrictedSidCount : DWORD
' SidsToRestrict : SID_AND_ATTRIBUTES* optional
' NewTokenHandle : HANDLE* out
Declare PtrSafe Function CreateRestrictedToken Lib "advapi32" ( _
ByVal ExistingTokenHandle As LongPtr, _
ByVal Flags As Long, _
ByVal DisableSidCount As Long, _
ByVal SidsToDisable As LongPtr, _
ByVal DeletePrivilegeCount As Long, _
ByVal PrivilegesToDelete As LongPtr, _
ByVal RestrictedSidCount As Long, _
ByVal SidsToRestrict As LongPtr, _
ByVal NewTokenHandle As LongPtr) As Long
' VBA7前提(PtrSafe)。32bit Office では LongPtr→Long。Integer=16bit / Long=32bit / LongLong=64bit。import ctypes
from ctypes import wintypes
CreateRestrictedToken = ctypes.windll.advapi32.CreateRestrictedToken
CreateRestrictedToken.restype = wintypes.BOOL
CreateRestrictedToken.argtypes = [
wintypes.HANDLE, # ExistingTokenHandle : HANDLE
wintypes.DWORD, # Flags : CREATE_RESTRICTED_TOKEN_FLAGS
wintypes.DWORD, # DisableSidCount : DWORD
ctypes.c_void_p, # SidsToDisable : SID_AND_ATTRIBUTES* optional
wintypes.DWORD, # DeletePrivilegeCount : DWORD
ctypes.c_void_p, # PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional
wintypes.DWORD, # RestrictedSidCount : DWORD
ctypes.c_void_p, # SidsToRestrict : SID_AND_ATTRIBUTES* optional
ctypes.c_void_p, # NewTokenHandle : HANDLE* out
]
# GetLastError: use ctypes.GetLastError() (or ctypes.WinDLL(use_last_error=True))require 'fiddle'
require 'fiddle/import'
lib = Fiddle.dlopen('ADVAPI32.dll')
CreateRestrictedToken = Fiddle::Function.new(
lib['CreateRestrictedToken'],
[
Fiddle::TYPE_VOIDP, # ExistingTokenHandle : HANDLE
-Fiddle::TYPE_INT, # Flags : CREATE_RESTRICTED_TOKEN_FLAGS
-Fiddle::TYPE_INT, # DisableSidCount : DWORD
Fiddle::TYPE_VOIDP, # SidsToDisable : SID_AND_ATTRIBUTES* optional
-Fiddle::TYPE_INT, # DeletePrivilegeCount : DWORD
Fiddle::TYPE_VOIDP, # PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional
-Fiddle::TYPE_INT, # RestrictedSidCount : DWORD
Fiddle::TYPE_VOIDP, # SidsToRestrict : SID_AND_ATTRIBUTES* optional
Fiddle::TYPE_VOIDP, # NewTokenHandle : HANDLE* out
],
Fiddle::TYPE_INT)#[link(name = "advapi32")]
extern "system" {
fn CreateRestrictedToken(
ExistingTokenHandle: *mut core::ffi::c_void, // HANDLE
Flags: u32, // CREATE_RESTRICTED_TOKEN_FLAGS
DisableSidCount: u32, // DWORD
SidsToDisable: *mut SID_AND_ATTRIBUTES, // SID_AND_ATTRIBUTES* optional
DeletePrivilegeCount: u32, // DWORD
PrivilegesToDelete: *mut LUID_AND_ATTRIBUTES, // LUID_AND_ATTRIBUTES* optional
RestrictedSidCount: u32, // DWORD
SidsToRestrict: *mut SID_AND_ATTRIBUTES, // SID_AND_ATTRIBUTES* optional
NewTokenHandle: *mut *mut core::ffi::c_void // HANDLE* out
) -> i32;
}
// crates: windows-sys provides ready-made bindings for this API.$sig = @"
[return: MarshalAs(UnmanagedType.Bool)]
[DllImport("ADVAPI32.dll", SetLastError = true)]
public static extern bool CreateRestrictedToken(IntPtr ExistingTokenHandle, uint Flags, uint DisableSidCount, IntPtr SidsToDisable, uint DeletePrivilegeCount, IntPtr PrivilegesToDelete, uint RestrictedSidCount, IntPtr SidsToRestrict, IntPtr NewTokenHandle);
"@
$api = Add-Type -MemberDefinition $sig -Name 'ADVAPI32_CreateRestrictedToken' -Namespace Win32 -PassThru
# $api::CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, SidsToDisable, DeletePrivilegeCount, PrivilegesToDelete, RestrictedSidCount, SidsToRestrict, NewTokenHandle)#uselib "ADVAPI32.dll"
#func global CreateRestrictedToken "CreateRestrictedToken" sptr, sptr, sptr, sptr, sptr, sptr, sptr, sptr, sptr
; CreateRestrictedToken ExistingTokenHandle, Flags, DisableSidCount, varptr(SidsToDisable), DeletePrivilegeCount, varptr(PrivilegesToDelete), RestrictedSidCount, varptr(SidsToRestrict), NewTokenHandle ; 戻り値は stat
; ExistingTokenHandle : HANDLE -> "sptr"
; Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "sptr"
; DisableSidCount : DWORD -> "sptr"
; SidsToDisable : SID_AND_ATTRIBUTES* optional -> "sptr"
; DeletePrivilegeCount : DWORD -> "sptr"
; PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "sptr"
; RestrictedSidCount : DWORD -> "sptr"
; SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "sptr"
; NewTokenHandle : HANDLE* out -> "sptr"
; ※HSP3.7は #func のため戻り値はシステム変数 stat に格納されます。出力引数:
#uselib "ADVAPI32.dll" #cfunc global CreateRestrictedToken "CreateRestrictedToken" sptr, int, int, var, int, var, int, var, sptr ; res = CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, SidsToDisable, DeletePrivilegeCount, PrivilegesToDelete, RestrictedSidCount, SidsToRestrict, NewTokenHandle) ; ExistingTokenHandle : HANDLE -> "sptr" ; Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "int" ; DisableSidCount : DWORD -> "int" ; SidsToDisable : SID_AND_ATTRIBUTES* optional -> "var" ; DeletePrivilegeCount : DWORD -> "int" ; PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "var" ; RestrictedSidCount : DWORD -> "int" ; SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "var" ; NewTokenHandle : HANDLE* out -> "sptr" ; ※出力/バッファ引数は var 方式(変数を直接渡す)。varptr 方式にも切替可。#uselib "ADVAPI32.dll" #cfunc global CreateRestrictedToken "CreateRestrictedToken" sptr, int, int, sptr, int, sptr, int, sptr, sptr ; res = CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, varptr(SidsToDisable), DeletePrivilegeCount, varptr(PrivilegesToDelete), RestrictedSidCount, varptr(SidsToRestrict), NewTokenHandle) ; ExistingTokenHandle : HANDLE -> "sptr" ; Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "int" ; DisableSidCount : DWORD -> "int" ; SidsToDisable : SID_AND_ATTRIBUTES* optional -> "sptr" ; DeletePrivilegeCount : DWORD -> "int" ; PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "sptr" ; RestrictedSidCount : DWORD -> "int" ; SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "sptr" ; NewTokenHandle : HANDLE* out -> "sptr" ; ※出力/バッファ引数はポインタ方式(token=sptr / 呼び出しは varptr(変数))。
出力引数:
; BOOL CreateRestrictedToken(HANDLE ExistingTokenHandle, CREATE_RESTRICTED_TOKEN_FLAGS Flags, DWORD DisableSidCount, SID_AND_ATTRIBUTES* SidsToDisable, DWORD DeletePrivilegeCount, LUID_AND_ATTRIBUTES* PrivilegesToDelete, DWORD RestrictedSidCount, SID_AND_ATTRIBUTES* SidsToRestrict, HANDLE* NewTokenHandle) #uselib "ADVAPI32.dll" #cfunc global CreateRestrictedToken "CreateRestrictedToken" intptr, int, int, var, int, var, int, var, intptr ; res = CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, SidsToDisable, DeletePrivilegeCount, PrivilegesToDelete, RestrictedSidCount, SidsToRestrict, NewTokenHandle) ; ExistingTokenHandle : HANDLE -> "intptr" ; Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "int" ; DisableSidCount : DWORD -> "int" ; SidsToDisable : SID_AND_ATTRIBUTES* optional -> "var" ; DeletePrivilegeCount : DWORD -> "int" ; PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "var" ; RestrictedSidCount : DWORD -> "int" ; SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "var" ; NewTokenHandle : HANDLE* out -> "intptr" ; ※出力/バッファ引数は var 方式(変数を直接渡す)。varptr 方式にも切替可。; BOOL CreateRestrictedToken(HANDLE ExistingTokenHandle, CREATE_RESTRICTED_TOKEN_FLAGS Flags, DWORD DisableSidCount, SID_AND_ATTRIBUTES* SidsToDisable, DWORD DeletePrivilegeCount, LUID_AND_ATTRIBUTES* PrivilegesToDelete, DWORD RestrictedSidCount, SID_AND_ATTRIBUTES* SidsToRestrict, HANDLE* NewTokenHandle) #uselib "ADVAPI32.dll" #cfunc global CreateRestrictedToken "CreateRestrictedToken" intptr, int, int, intptr, int, intptr, int, intptr, intptr ; res = CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, varptr(SidsToDisable), DeletePrivilegeCount, varptr(PrivilegesToDelete), RestrictedSidCount, varptr(SidsToRestrict), NewTokenHandle) ; ExistingTokenHandle : HANDLE -> "intptr" ; Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "int" ; DisableSidCount : DWORD -> "int" ; SidsToDisable : SID_AND_ATTRIBUTES* optional -> "intptr" ; DeletePrivilegeCount : DWORD -> "int" ; PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "intptr" ; RestrictedSidCount : DWORD -> "int" ; SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "intptr" ; NewTokenHandle : HANDLE* out -> "intptr" ; ※出力/バッファ引数はポインタ方式(token=intptr / 呼び出しは varptr(変数))。
import (
"golang.org/x/sys/windows"
"unsafe"
)
var (
advapi32 = windows.NewLazySystemDLL("ADVAPI32.dll")
procCreateRestrictedToken = advapi32.NewProc("CreateRestrictedToken")
)
// ExistingTokenHandle (HANDLE), Flags (CREATE_RESTRICTED_TOKEN_FLAGS), DisableSidCount (DWORD), SidsToDisable (SID_AND_ATTRIBUTES* optional), DeletePrivilegeCount (DWORD), PrivilegesToDelete (LUID_AND_ATTRIBUTES* optional), RestrictedSidCount (DWORD), SidsToRestrict (SID_AND_ATTRIBUTES* optional), NewTokenHandle (HANDLE* out)
r1, _, err := procCreateRestrictedToken.Call(
uintptr(ExistingTokenHandle),
uintptr(Flags),
uintptr(DisableSidCount),
uintptr(SidsToDisable),
uintptr(DeletePrivilegeCount),
uintptr(PrivilegesToDelete),
uintptr(RestrictedSidCount),
uintptr(SidsToRestrict),
uintptr(NewTokenHandle),
)
_ = err // syscall.Errno (valid when the call sets last-error)
_ = r1 // BOOLfunction CreateRestrictedToken(
ExistingTokenHandle: THandle; // HANDLE
Flags: DWORD; // CREATE_RESTRICTED_TOKEN_FLAGS
DisableSidCount: DWORD; // DWORD
SidsToDisable: Pointer; // SID_AND_ATTRIBUTES* optional
DeletePrivilegeCount: DWORD; // DWORD
PrivilegesToDelete: Pointer; // LUID_AND_ATTRIBUTES* optional
RestrictedSidCount: DWORD; // DWORD
SidsToRestrict: Pointer; // SID_AND_ATTRIBUTES* optional
NewTokenHandle: Pointer // HANDLE* out
): BOOL; stdcall;
external 'ADVAPI32.dll' name 'CreateRestrictedToken';result := DllCall("ADVAPI32\CreateRestrictedToken"
, "Ptr", ExistingTokenHandle ; HANDLE
, "UInt", Flags ; CREATE_RESTRICTED_TOKEN_FLAGS
, "UInt", DisableSidCount ; DWORD
, "Ptr", SidsToDisable ; SID_AND_ATTRIBUTES* optional
, "UInt", DeletePrivilegeCount ; DWORD
, "Ptr", PrivilegesToDelete ; LUID_AND_ATTRIBUTES* optional
, "UInt", RestrictedSidCount ; DWORD
, "Ptr", SidsToRestrict ; SID_AND_ATTRIBUTES* optional
, "Ptr", NewTokenHandle ; HANDLE* out
, "Int") ; return: BOOL●CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, SidsToDisable, DeletePrivilegeCount, PrivilegesToDelete, RestrictedSidCount, SidsToRestrict, NewTokenHandle) = DLL("ADVAPI32.dll", "bool CreateRestrictedToken(void*, dword, dword, void*, dword, void*, dword, void*, void*)")
# 呼び出し: CreateRestrictedToken(ExistingTokenHandle, Flags, DisableSidCount, SidsToDisable, DeletePrivilegeCount, PrivilegesToDelete, RestrictedSidCount, SidsToRestrict, NewTokenHandle)
# ExistingTokenHandle : HANDLE -> "void*"
# Flags : CREATE_RESTRICTED_TOKEN_FLAGS -> "dword"
# DisableSidCount : DWORD -> "dword"
# SidsToDisable : SID_AND_ATTRIBUTES* optional -> "void*"
# DeletePrivilegeCount : DWORD -> "dword"
# PrivilegesToDelete : LUID_AND_ATTRIBUTES* optional -> "void*"
# RestrictedSidCount : DWORD -> "dword"
# SidsToRestrict : SID_AND_ATTRIBUTES* optional -> "void*"
# NewTokenHandle : HANDLE* out -> "void*"
# なでしこ1は32bit・ANSI(Shift_JIS)。文字列=char*(ANSI)、ポインタ/ハンドル=void*(4byte)。