I want to get a handle on the current logon session of processes whose parent is explorer.exe.
If we run a process as administrator or a service, it won't have a logon session. The reason I want to get the logon session is that I have a program (.exe) which I want to restrict from opening when a user tries to open it via (right click on the .exe --> run as administrator). When a user opens it via administrator we don't have a logon session associated with it, whereas when a user opens it by double-clicking on it, it has a logon session associated with it.
I searched quite some places, but I just get the process for getting the logon SID. If someone wants more information, you can download http://technet.microsoft.com/en-us/sysinternals/bb896653 and under the explorer --> right click on any program executing --> security. Here you will find the logon session.
You can get the logon session associated with a process by using OpenProcessToken followed by GetTokenInformation with the TokenStatistics option. However, this is not a sensible way of finding out whether or not a process was launched using "run as administrator" because there is no straightforward way to determine whether a particular logon session is elevated or not. It is not true that a process launched with "run as administrator" will not have a logon session.
To find out whether a process was "run as administrator" use the TokenElevationType option. This should return TokenElevationTypeFull if and only if "run as administrator" was used.
(One caveat: I'm not certain what TokenElevationType will return if a non-administrative user uses "run as administrator" and then enters an administrator username and password. You should test this scenario. You might want to use TokenElevation rather than TokenElevationType.)
If what you really want to know is whether the process has administrative privilege, you should use CheckTokenMembership instead. Look for the Administrators group. The MSDN documentation has sample code that does exactly this.
The distinction here is what you want to happen if UAC is disabled (and the user is an administrator) or if the user is the local Administrator. In these cases there is no "run as administrator" option; all processes are run with administrator privilege automatically. If you want to detect these cases, use CheckTokenMembership. If you only want to detect the cases where the user explicitly said "run as administrator" use TokenElevationType.
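The calls named in the answer above, put together as an added example that is not part of the original answers: it reads the logon session LUID from TokenStatistics, the TokenElevationType, and Administrators membership via CheckTokenMembership for the current process. The names classify and query_self are hypothetical, and the non-Windows typedef is only a stand-in so the decision logic compiles off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 */
#else  /* stand-in carrying the winnt.h values so classify() builds elsewhere */
typedef enum { TokenElevationTypeDefault = 1, TokenElevationTypeFull,
               TokenElevationTypeLimited } TOKEN_ELEVATION_TYPE;
#endif

/* Hypothetical helper: combines the two checks the answer tells apart. */
const char *classify(TOKEN_ELEVATION_TYPE type, int admin_enabled) {
    if (type == TokenElevationTypeFull)    return "full";     /* elevated half of a split token */
    if (type == TokenElevationTypeLimited) return "limited";  /* filtered half of a split token */
    /* Default: no linked token (UAC off, built-in Administrator, or plain user) */
    return admin_enabled ? "default-admin" : "default-user";
}

#ifdef _WIN32
/* Reads the current process's logon session LUID, elevation type and
   Administrators membership. Returns 0 on success, -1 on failure. */
int query_self(LUID *session, TOKEN_ELEVATION_TYPE *type, BOOL *admin) {
    HANDLE tok; TOKEN_STATISTICS st;
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD len, sid_len = sizeof sid;
    int rc = -1;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;
    if (GetTokenInformation(tok, TokenStatistics, &st, sizeof st, &len) &&
        GetTokenInformation(tok, TokenElevationType, type, sizeof *type, &len) &&
        CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid, &sid_len) &&
        CheckTokenMembership(NULL, sid, admin)) {  /* NULL: the caller's own token */
        *session = st.AuthenticationId;            /* the logon session LUID */
        rc = 0;
    }
    CloseHandle(tok);
    return rc;
}
#endif

int main(void) {
#ifdef _WIN32
    LUID s; TOKEN_ELEVATION_TYPE t; BOOL a;
    if (query_self(&s, &t, &a) != 0) { fprintf(stderr, "token query failed\n"); return 1; }
    printf("logon session %lx:%08lx -> %s\n",
           (unsigned long)s.HighPart, (unsigned long)s.LowPart, classify(t, a));
#else
    /* Constructed input, since there is no token to query off Windows. */
    printf("%s\n", classify(TokenElevationTypeFull, 1));
#endif
    return 0;
}
```

CheckTokenMembership reports FALSE for a group that is present but deny-only, which is how Administrators appears in a filtered token, so "limited" normally pairs with admin = FALSE.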
You can call GetCurrentProcess to get a handle to the current process, then use that to call OpenProcessToken to have an access token for the current process. Once you have that, you can call GetTokenInformation to request the TokenSessionId.
Edit:
I just thought of something else you can try: Instead of the session ID, you can request the TokenOwner, and once you have that, you have a security descriptor. You can then call LookupAccountSid to get the account name associated with the descriptor. Then, you can check that against "Administrator" or some such.
Source: https://stackoverflow.com/questions/12718578/get-the-logon-session-of-a-user-in-c