这段代码展示了如何获取 UIAccess 权限,使脚本的窗口能够显示在任务管理器、开始菜单等高权限窗口之上。脚本必须以管理员身份运行(未提权时会通过 UAC 重新启动自身),并且会临时借用 winlogon.exe 的 SYSTEM 令牌,为自身令牌的副本设置 UIAccess 标志后重新启动脚本。

 

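; Relaunch elevated through UAC when the script is not running as administrator.
; The " /restart" switch marks an instance that has already been relaunched, so a
; relaunch that did not end up elevated cannot trigger another relaunch.
if !A_IsAdmin && !(DllCall("GetCommandLine", "str") ~= " /restart(?!\S)") {
  RunWait('*RunAs "' (A_IsCompiled ? A_ScriptFullPath '" /restart' : A_AhkPath '" /restart "' A_ScriptFullPath '"'))
  ; The elevated copy does the work. Without this exit the unelevated instance would
  ; fall through and attempt the token operations below without the rights they need.
  ExitApp
}

; By Tebayaki
; Returns only when this process already has UIAccess; otherwise it relaunches the
; script with a UIAccess token and exits, or throws OSError on failure.
RunWithUIAccess()
; With UIAccess the window can stay above windows such as Task Manager and the Start menu.
topWin := Gui("AlwaysOnTop")
topWin.Show("w200 h200")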

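; Ensures the script runs with the UIAccess flag set in its process token.
;
; If the current token already has UIAccess the function returns. Otherwise it
; duplicates the current token, sets TokenUIAccess on the copy while impersonating
; the winlogon.exe token, starts a new process with the same command line under the
; modified token, and exits this instance. Any failed Win32 call throws OSError.
;
; Security notes:
; - Must already run elevated: it enables SeDebugPrivilege and opens winlogon.exe.
; - Setting TokenUIAccess requires SeTcbPrivilege, which is why a SYSTEM token is
;   impersonated. This sidesteps the normal UIAccess requirements (manifest flag,
;   signed binary in a secure location), so treat the script as fully trusted code.
; - A non-SYSTEM process opening winlogon.exe's token and impersonating it is a
;   well-known token-manipulation signal (MITRE ATT&CK T1134) and may be flagged
;   by endpoint monitoring.
RunWithUIAccess() {
  ; Initialised before the try block so the cleanup code can always test them.
  hCurrentToken := hProcess := hWinLogonToken := hSystemToken := hUIAccessToken := 0
  impersonating := false
  try {
    ; Check if we have UIAccess. 8 | 2 = TOKEN_QUERY | TOKEN_DUPLICATE.
    if !DllCall("OpenProcessToken", "ptr", DllCall("GetCurrentProcess", "ptr"), "uint", 8 | 2, "ptr*", &hCurrentToken) {
      throw OSError()
    }
    ; 26 = TokenUIAccess, returned as a 4-byte flag.
    if !DllCall("Advapi32\GetTokenInformation", "ptr", hCurrentToken, "int", 26, "uint*", &hasUIAccess := 0, "uint", 4, "uint*", 0) {
      throw OSError()
    }
    if hasUIAccess {
      return
    }
    ; Get system token from winlogon.
    ; 0x14 = SeDebugPrivilege, enabled for the process. The NTSTATUS result is not
    ; checked; if the privilege is missing, the calls below fail and throw instead.
    DllCall("Ntdll\RtlAdjustPrivilege", "uint", 0x14, "char", 1, "char", 0, "ptr*", 0)
    ; 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION.
    ; NOTE(review): the process is located by image name only and its token identity
    ; is not verified; a wrong token presumably makes SetTokenInformation fail below.
    if !hProcess := DllCall("OpenProcess", "uint", 0x1000, "int", 1, "uint", ProcessExist("winlogon.exe")) {
      throw OSError()
    }
    ; 0x0002 | 0x0008 = TOKEN_DUPLICATE | TOKEN_QUERY.
    if !DllCall("OpenProcessToken", "ptr", hProcess, "uint", 0x0002 | 0x0008, "ptr*", &hWinLogonToken) {
      throw OSError()
    }
    if !DllCall("Advapi32\ImpersonateLoggedOnUser", "ptr", hWinLogonToken) {
      throw OSError()
    }
    DllCall("Advapi32\RevertToSelf")
    ; 4 = TOKEN_IMPERSONATE, 2 = SecurityImpersonation, 2 = TokenImpersonation.
    if !DllCall("Advapi32\DuplicateTokenEx", "ptr", hWinLogonToken, "uint", 4, "ptr", 0, "uint", 2, "uint", 2, "ptr*", &hSystemToken) {
      throw OSError()
    }
    ; A null thread handle applies the token to the current thread.
    if !DllCall("SetThreadToken", "ptr", 0, "ptr", hSystemToken) {
      throw OSError()
    }
    impersonating := true
    ; 8 | 2 | 1 | 0x80 = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY |
    ; TOKEN_ADJUST_DEFAULT; 1 = TokenPrimary, so the copy can start a process.
    if !DllCall("Advapi32\DuplicateTokenEx", "ptr", hCurrentToken, "uint", 8 | 2 | 1 | 0x80, "ptr", 0, "uint", 0, "uint", 1, "ptr*", &hUIAccessToken) {
      throw OSError()
    }
    ; Set TokenUIAccess (26) to 1 on the copy.
    if !DllCall("Advapi32\SetTokenInformation", "ptr", hUIAccessToken, "uint", 26, "uint*", 1, "uint", 4) {
      throw OSError()
    }
    ; 104 and 24 bytes match the 64-bit sizes of STARTUPINFOW and PROCESS_INFORMATION.
    startInfo := Buffer(104)
    processInfo := Buffer(24)
    DllCall("GetStartupInfoW", "ptr", startInfo)
    ; Start a new process with this process's own command line under the new token.
    if !DllCall("CreateProcessAsUserW", "ptr", hUIAccessToken, "ptr", 0, "ptr", DllCall("GetCommandLineW", "ptr"), "ptr", 0, "ptr", 0, "int", false, "uint", 0, "ptr", 0, "ptr", 0, "ptr", startInfo, "ptr", processInfo) {
      throw OSError()
    }
    ; Release the new process and thread handles; they are not needed here.
    DllCall("CloseHandle", "ptr", NumGet(processInfo, "ptr"))
    DllCall("CloseHandle", "ptr", NumGet(processInfo, A_PtrSize, "ptr"))
  }
  finally {
    ; Drop the SYSTEM impersonation on every exit path, so a failure after
    ; SetThreadToken does not leave the thread running as SYSTEM while the
    ; error propagates to the caller.
    if impersonating
      DllCall("Advapi32\RevertToSelf")
    for handle in [hCurrentToken, hProcess, hWinLogonToken, hSystemToken, hUIAccessToken] {
      if handle
        DllCall("CloseHandle", "ptr", handle)
    }
  }
  ; Reached only after the UIAccess copy was started: this instance is done.
  ExitApp
}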

 
