System.Security.Principal.WindowsImpersonation
From: Chet Borg (borgc_at_polarfab.com)
Date: 07/28/03
- Next message: Miha Pihler: "Re: Assigning Certificates"
- Previous message: Joe Kaplan \(MVP - ADSI\): "How to get KeyUsage field given .NET X509Certificate instance?"
- Next in thread: Shel Blauman [MSFT]: "Re: System.Security.Principal.WindowsImpersonation"
- Reply: Shel Blauman [MSFT]: "Re: System.Security.Principal.WindowsImpersonation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Jul 2003 14:11:51 -0700
I am writing an application in VB.NET which automatically updates applications on our network. I have everything working except for registering updated DLLs for the VB6 programs on Windows XP workstations (due to the security settings in Windows XP, non-privileged users are not allowed to register DLLs), according to our NT Admin. A colleague suggested that I use impersonation to temporarily impersonate a privileged user.

When I impersonate the user, the new username is returned; however, I do not gain the rights associated with this new user. I was originally using the Win API DuplicateToken() but switched to DuplicateTokenEx() after some research on the web.

The code I use for the function follows. Any assistance would be appreciated.
Imports System.Runtime.InteropServices

' Win32 declarations the routine depends on (omitted from the original post).
Private Declare Auto Function LogonUser Lib "advapi32.dll" ( _
    ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, _
    ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
    ByRef phToken As IntPtr) As Integer

Private Declare Function DuplicateTokenEx Lib "advapi32.dll" ( _
    ByVal hExistingToken As IntPtr, ByVal dwDesiredAccess As Integer, _
    ByRef lpTokenAttributes As SECURITY_ATTRIBUTES, _
    ByVal ImpersonationLevel As SECURITY_IMPERSONATION_LEVEL, _
    ByVal TokenType As TOKEN_TYPE, ByRef phNewToken As IntPtr) As Integer

Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Integer

Private Const LOGON32_LOGON_NETWORK As Integer = 3
Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3
Private Const MAXIMUM_ALLOWED As Integer = &H2000000

<StructLayout(LayoutKind.Sequential)> _
Private Structure SECURITY_ATTRIBUTES
    Public nLength As Integer
    Public lpSecurityDescriptor As IntPtr
    Public bInheritHandle As Integer
End Structure

Private Enum SECURITY_IMPERSONATION_LEVEL
    SecurityAnonymous = 0
    SecurityIdentification = 1
    SecurityImpersonation = 2
    SecurityDelegation = 3
End Enum

Private Enum TOKEN_TYPE
    TokenPrimary = 1
    TokenImpersonation = 2
End Enum

' USERNAME, PWD, frm, c_DLLs and c_DLL are defined elsewhere in the application.
Public Function ImpersonateUserAndRegDLLs(ByVal MyDLLs As c_DLLs) As String
    Dim sName As String
    Dim token As IntPtr = IntPtr.Zero
    Dim TokenCopy As IntPtr = IntPtr.Zero
    Dim iLogResult As Integer
    Dim iDupResult As Integer = 0
    Dim newPrincipal As System.Security.Principal.WindowsPrincipal
    Dim ImpersonatedUser As System.Security.Principal.WindowsImpersonationContext = Nothing
    Dim DLL As c_DLL
    Dim TokenAttributes As New SECURITY_ATTRIBUTES
    TokenAttributes.nLength = Marshal.SizeOf(TokenAttributes)

    Try
        ' Logs the privileged user on to the domain; on success, token receives
        ' a handle to that account's logon token.
        iLogResult = LogonUser(USERNAME, Environment.UserDomainName, PWD, _
            LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_WINNT50, token)

        ' Gets the name of the current user (before impersonation)
        sName = System.Security.Principal.WindowsIdentity.GetCurrent().Name

        ' Creates a primary-token copy of the token you are trying to impersonate.
        ' Only attempted when the logon succeeded; a zero handle would just fail.
        ' The earlier version of the routine used DuplicateToken instead:
        ' Dim retVal As Boolean = DuplicateToken(token, SecurityImpersonation, TokenCopy)
        If iLogResult <> 0 Then
            iDupResult = DuplicateTokenEx(token, MAXIMUM_ALLOWED, TokenAttributes, _
                SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, _
                TOKEN_TYPE.TokenPrimary, TokenCopy)
        End If

        ' Tests whether LogonUser and DuplicateTokenEx both worked
        If iDupResult = 0 Or iLogResult = 0 Then
            ' Handles are released once in the Finally block
            frm.lstFileHist.Items.Add("Error -- Logging on BuildXP (Win32 error " & _
                Marshal.GetLastWin32Error().ToString() & ")")
        Else
            ' Creates a new Windows identity from the duplicated token
            Dim NewId As New System.Security.Principal.WindowsIdentity(TokenCopy)

            ' Performs the impersonation (replaces the token of the calling thread only)
            ImpersonatedUser = NewId.Impersonate()

            ' Used to check that impersonation worked
            sName = System.Security.Principal.WindowsIdentity.GetCurrent().Name

            ' Creates a Windows principal based on the new identity; used to check
            ' whether the user's group memberships were impersonated as well.
            ' The regular user is not a member of "Domain Admins"; after the
            ' impersonation this should return True.
            newPrincipal = New System.Security.Principal.WindowsPrincipal(NewId)
            MessageBox.Show("The user is a member of Domain Admins: " & _
                newPrincipal.IsInRole("Domain Admins").ToString())
            MessageBox.Show("User is " & sName)
            MessageBox.Show("Token: " & _
                System.Security.Principal.WindowsIdentity.GetCurrent().Token.ToString())

            '** impersonation works, but the impersonated user doesn't get any of the
            '** rights of the user it is impersonating, so it is unable to register the DLLs.
            ' Loops through all DLLs and registers them
            For Each DLL In MyDLLs
                frm.lstFileHist.Items.Add("Attempting to Register - " & DLL.FileName)
                Dim sResult As String
                ' Next line uses the Shell function to execute a regsvr32 command
                sResult = DLL.RegisterDLL()
                If sResult = "TRUE" Then
                    frm.lstFileHist.Items.Add("Successfully Executed Regsvr32 for - " & DLL.FileName)
                Else
                    frm.lstFileHist.Items.Add(sResult)
                End If
            Next

            ' Stop impersonation
            ImpersonatedUser.Undo()
            ImpersonatedUser = Nothing

            ' Used to check that Undo worked
            sName = System.Security.Principal.WindowsIdentity.GetCurrent().Name
            MessageBox.Show("User is " & sName)
            MessageBox.Show("Token: " & _
                System.Security.Principal.WindowsIdentity.GetCurrent().Token.ToString())
        End If
    Catch ex As Exception
        MessageBox.Show(ex.ToString())
    Finally
        ' Reverts the impersonation if an exception left it in place,
        ' then releases both token handles exactly once.
        If Not ImpersonatedUser Is Nothing Then
            ImpersonatedUser.Undo()
        End If
        If Not token.Equals(IntPtr.Zero) Then
            CloseHandle(token)
        End If
        If Not TokenCopy.Equals(IntPtr.Zero) Then
            CloseHandle(TokenCopy)
        End If
    End Try
End Function