Re: ImpersonateLoggedOnUser & ShellExecute
- From: "Wolfgang Schreiber" <nojunk@xxxxxxxx>
- Date: Wed, 2 Nov 2005 12:40:36 +0100
Kellie,

thanks for your guidance and patience.
I'm pretty new to the Win32 process & token concept, so forgive my
ignorance.

So, now I've made sure that the calling account has the required privileges
(SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME):
I've set them manually in the control center, and - just to be sure - enable
them with AdjustTokenPrivileges() before calling LogonUser().

What I'm not sure about is how to set TOKEN_QUERY, TOKEN_DUPLICATE, and
TOKEN_ASSIGN_PRIMARY.
I received my token handle with LogonUser()/LogonUserEx() but did not see an
option to set the needed access rights there.
There also are the OpenProcessToken()/OpenThreadToken() functions, where I
can set these privileges - but these APIs create a new token.

Hence, I've tried generating a new token by calling

    OpenProcessToken( GetCurrentProcess(),
                      TOKEN_QUERY OR TOKEN_DUPLICATE OR TOKEN_ASSIGN_PRIMARY,
                      tokHandle2)

after ImpersonateLoggedOnUser(), but then I get error 5 (Access denied).

Confused,
Wolfgang

"Kellie Fitton" <KELLIEFITTON@xxxxxxxxx> wrote in message
news:1130789102.685736.108930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> The functions LogonUser() and LogonUserEx() are practically the
> same, however, the latter has an advantage of providing the user's
> security identifier (SID), that can be used in subsequent calls.
>
> The answer to your question depends on the relationship between the
> privileges and the access rights, access rights are having access
> to an object and typically controlled by ACL, on the other hand,
> privileges are granted to a user along with a constructed token,
> to store the user's granted privileges.
>
> According to Microsoft, you have to enable or change the granted
> privileges to use a specific function call. Also, it has to do with
> the access rights to the process's access tokens, if you do not have
> the needed access rights, you can still do whatever you want, as long
> as, you have been granted the special privileges.
>
> Also, once a privilege is granted to the user, it will have two states,
> either Enabled or Disabled. Most privileges are disabled by default,
> and that will require the application program to explicitly turn them
> on, in order to be able to use them.
>
> That said, the function CreateProcessAsUser() had failed because
> the user's token does not have the needed access rights, which are
> the TOKEN_QUERY, TOKEN_DUPLICATE, and TOKEN_ASSIGN_PRIMARY, moreover,
> the process that calls the API CreateProcessAsUser(), must have the
> SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
>
> So, another valid option is using the API CreateProcessWithLogonW(),
> this would spawn your application in the correct security context,
> and the function does exactly the same thing as LogonUserEx() and
> CreateProcessAsUser(), and does not require any special privileges,
> just make sure that the account you specify is allowed to log in
> interactively to your machine, you check that in the domain/local
> policies.
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocesswithlogonw.asp
>
> Good luck,
>
> Kellie.
>
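
Added example (not part of the original thread and not code from either poster): access rights such as TOKEN_QUERY, TOKEN_DUPLICATE and TOKEN_ASSIGN_PRIMARY are requested when a token handle is opened or duplicated, so one way to get a primary token carrying exactly those three is DuplicateTokenEx() on the LogonUser() handle; OpenProcessToken(GetCurrentProcess(), ...) opens the calling process's own token instead. It is written in Python with ctypes; the name primary_token and the advapi32/kernel32 parameters (a seam for substituting the DLL objects) are assumptions of this example.

```python
import ctypes

# Constants from winnt.h / winbase.h
TOKEN_ASSIGN_PRIMARY = 0x0001
TOKEN_DUPLICATE = 0x0002
TOKEN_QUERY = 0x0008
CPAU_RIGHTS = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY  # 0x000B
LOGON32_LOGON_INTERACTIVE = 2
LOGON32_PROVIDER_DEFAULT = 0
SECURITY_IMPERSONATION = 2  # SECURITY_IMPERSONATION_LEVEL: SecurityImpersonation
TOKEN_PRIMARY = 1           # TOKEN_TYPE: TokenPrimary


def primary_token(user, domain, password, advapi32=None, kernel32=None):
    """Log the account on and return a primary-token handle that was opened
    with only the three rights named in the thread (hypothetical helper)."""
    # Load the real DLLs lazily; callers may pass substitutes (assumption of
    # this example, used to exercise the logic without Windows).
    advapi32 = advapi32 or ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = kernel32 or ctypes.WinDLL("kernel32", use_last_error=True)

    logon = ctypes.c_void_p()
    if not advapi32.LogonUserW(user, domain, password,
                               LOGON32_LOGON_INTERACTIVE,
                               LOGON32_PROVIDER_DEFAULT,
                               ctypes.byref(logon)):
        raise ctypes.WinError(ctypes.get_last_error())

    primary = ctypes.c_void_p()
    try:
        # Access rights belong to the handle: they are requested here, in
        # dwDesiredAccess, not set afterwards on the LogonUser() handle.
        # No ImpersonateLoggedOnUser() is needed for this step.
        if not advapi32.DuplicateTokenEx(logon, CPAU_RIGHTS, None,
                                         SECURITY_IMPERSONATION,
                                         TOKEN_PRIMARY,
                                         ctypes.byref(primary)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        # The original logon handle is no longer needed either way.
        kernel32.CloseHandle(logon)
    return primary
```

The returned handle is what CreateProcessAsUser() takes as its hToken argument; the caller closes it with CloseHandle() when done.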