Guest user restriction

Hi everyone...

I'm developing an application in C++/QT mainly for Windows, but I want to be able to make it cross platform in the near future.
When I user starts my app, I want it to detect if it is a guest user trying to run it. If the user is a guest, the application would then "gracefully" exit.

How could I implement that?


thanks for your help

Code:

---

void IsGuest(){
    char username[100];
    if (!GetUserName(sizeof(username), &username)) exit(0);  //couldn't figure it out, probably wanna exit
    if (strcmp(username, "Guest") == 0) exit(0);
}

---

?

Thanks for your answer, Ninja. However I don't know if I could use it. I want to block users that have privileges as guest users, not only the name.
I've found out this code below:

Code:

---

using namespace System;
using namespace System::Security::Principal;

int main(int argc, char **argv)
{
    // Retrieve the Windows account token for the current user.
    IntPtr logonToken = WindowsIdentity::GetCurrent()->Token;

    // Construct a WindowsIdentity object using the input account token.
    WindowsIdentity^ windowsIdentity = gcnew WindowsIdentity( logonToken );
    // Verify that the user account is considered to be a Guest account
    // by the system.
    if ( windowsIdentity->IsGuest )
    {
      exit(1);
    }
}

---

However, I don't know how to add the Common Language Runtime Support (/clr) into QT Creator - the IDE I'm using, that manages the build scripts...


PS: also, I was getting a compiler error on Ninja's code (GetUserNameW: cannot convert parameter 1 from 'unsigned int' to 'LPWSTR')

Quote:

---

Originally Posted by ninja9578

Code:

---

void IsGuest(){
    char username[100];
    if (!GetUserName(sizeof(username), &username)) exit(0);  //couldn't figure it out, probably wanna exit
    if (strcmp(username, "Guest") == 0) exit(0);
}

---

?

---

This is a completely wrong approach. The reason being is that one has to rely on the information provided in the token for a process and not on the user's name. What would happen if you ran this code on a machine with French installed as a default language?

The correct way would be to get the token of a current process, and then see if its SID contains RID_GUESTS. Here's how it may be implemented (sample taken off the web):

Code:

---

#include <tchar.h>
#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    bool isOk = false;
    bool userIsGuest;

    HANDLE process = GetCurrentProcess();
    HANDLE userToken = NULL;
    HANDLE userTokenDupe = NULL;

    PSID guestsGroupSid = NULL;

    do
    {
        if (!OpenProcessToken(process, TOKEN_DUPLICATE | TOKEN_QUERY, &userToken))
        {
            _tprintf(_T("OpenProcessToken failed (&#37;d).\n"), GetLastError());
            break;
        }

        if (!DuplicateToken(
            userToken,
            SecurityIdentification,
            &userTokenDupe))
        {
            _tprintf(_T("DuplicateToken failed (%d).\n"), GetLastError());
            break;
        }

        SID_IDENTIFIER_AUTHORITY ntAuth = SECURITY_NT_AUTHORITY;
        if (!AllocateAndInitializeSid(
            &ntAuth,
            2,
            SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_GUESTS,
            0, 0, 0, 0, 0, 0,
            &guestsGroupSid))
        {
            _tprintf(_T("AllocateAndInitializeSid failed (%d).\n"), GetLastError());
            break;
        }

        BOOL isMember;
        if (!CheckTokenMembership(userTokenDupe, guestsGroupSid, &isMember))
        {
            _tprintf(_T("CheckTokenMembership failed (%d).\n"), GetLastError());
            break;
        }

        userIsGuest = (isMember != 0) ? true : false;
        isOk = true;
    } while (false);

    if (guestsGroupSid)
    {
        FreeSid(guestsGroupSid);
    }

    if (userTokenDupe)
    {
        CloseHandle(userTokenDupe);
    }

    if (userToken)
    {
        CloseHandle(userToken);
    }

    if (!isOk)
    {
        _tprintf(_T("Nope, that didn't work.\n"));
        return 1;
    }

    _tprintf(
        _T("User (of this process) %s a member of the Guests group.\n"),
        (userIsGuest ? _T("is") : _T("is not")));
        return 0;
}

---

Keep in mind though that if an admin requests elevation of your process it will no longer be running in a context of a Guests group.

Thanks a lot ahmd,
I've tested your code opening a clean project in VS2008 and it worked fine (I've just needed to add <stdio.h> for the printf).
However, inside the project I'm working, I've got these compiler errors:

Code:

---

error:  unresolved external symbol __imp__FreeSid@4 referenced in function _main
error:  unresolved external symbol __imp__CheckTokenMembership@12 referenced in function _main
error:  unresolved external symbol __imp__AllocateAndInitializeSid@44 referenced in function _main
error:  unresolved external symbol __imp__DuplicateToken@12 referenced in function _main
error:  unresolved external symbol __imp__OpenProcessToken@12 referenced in function _main
error:  5 unresolved externals

---

I believe there might be missing some lib. Could you (or somebody else) help me solve these errors?

Add this line into the header file:

Code:

---

#pragma comment(lib, "Advapi32.lib")

---