Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How to impersonate a user?

Posted on 2001-06-14
Medium Priority
Last Modified: 2012-06-22
I need to make an application, which would run in the context of a user, whose credentials (username & pass) would be hardcoded in the app. All this work should be done on Win NT.

I tried logonuser () function, but it needs "Act as a part of operating system" right for the user executing the app. The app will be launched by common users and I don't want to assign them this strong right.

Any idea is good.

Question by:untaker
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2

Expert Comment

ID: 6190850
i think i might have an idea for you, this is not exactly what you want but it might give you some ideas...

the other day i was writing some service apps and service apps all have to run in default user, this means than it is running in a different user profile to the one logged on at the time...

to create the service in the default users profile area ( which is unobtainable by the normal users ) i had to create a registry set of my details for delphi, and then run a task which opened up a dos window ( the run schedule runs tasks in default memory area ) the dos window is then useing a different user to the main user ( NT is quite strict i beleave about users etc).
this meant that i could do work in the default users area , then i had to copy the registry settings i had to this area ( as they are different) and run delphi from this area, this meant that all code was compiled into the defaut users service area.
then log back on to normal user, the service is there running and safe and users cannot do anything to it as its not under there security whatever....

this is only basicly what i did, but the idea ETC came from a delphi mag a couple of months ago.

i know that it wasnt what you wanted but maybe if you cant do what you want maybe you could use a similar method as i did. if you want i will look up the issue number ETC and forward it on..


Expert Comment

ID: 6190988
My approach to this would be to have your application in two parts.  The first is an NT Service that you can have started automatically as your pre-defined user with 'Run as part of system' right granted.  Then have a client utility that your users can use to invoke/query whatever your service is doing.  For this to work you need to get into IPC (Inter process communication).

Alternatlivly, (and this is much easier), use the RunAs command line tool(Win2000 only).  To run your app under the guise of a different user than the current logged in user.  If you dont want your users to see the "Runas Admin Password Program.exe" in a batch file, you'll need a starter application with the command line hard coded.


Author Comment

ID: 6191054

Non of your suggestions are good for me.

1. Systems are WinNT 4.0, so runas is of no use
2. I have many clients. I don't want to go to each of them and install a service at their comps. I just want to make an .exe, which i'll put into their logon scripts.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Expert Comment

ID: 6191373

The SE_TCB_NAME privilege must be assigned to the user that is login to the NT box when they run the application you are writing.
However by assigning this right to a user, it opens a huge security hole and should not be granted. If you assign the right to all users, the call to LogonUser should work.

The best approach is to create a NT service program and let it logon using the local system account. This account has SE_TCB_NAME privilege by default and can do all of the action that you require.

You could install the service program when you install the desktop application.

Also you might reconsider not to hardcode the user credentials. If they decide to change the domain policies or whatever, then you might have to recompile every 45 days to change the user password. The best approach would to encrypt this info in to the registry and provide some dialog to change the account info.

"The process that calls LogonUser must have the SE_TCB_NAME privilege. The privilege does not need to be enabled. The LogonUser function enables the privilege as necessary. The function fails if the calling process does not have the SE_TCB_NAME privilege, and GetLastError returns the error code ERROR_PRIVILEGE_NOT_HELD. For more information about privileges, see Privileges."


Author Comment

ID: 6191449

Sorry, but everything you said had already been written here. In my question I said that I know about the SE_TCB_NAME limitation, and in my comment I said that I don't want to install a service on comps. I just want a one-time-used program, that makes some changes that require administrator privileges, and it will be run from a logonscript.

There must be a way, because there exists a ResKit utility su.exe, that can start a program under different user's credentials.

Expert Comment

ID: 6191669
have you thought about taking a step back and having a maintenance program of your own that controls your privilages in your software, and have the userlogin name as your operator, then depending on what user is logged in just use those privivales, obviosly keeping the privilages program away from general eyes.
it is a simple approach but if written correctly could be as secure as you want it to be...

Author Comment

ID: 6191693

I don't understand very much what you wanted to say...
Please try it again and a little bit easier.. :-))

Accepted Solution

bnemmers earned 800 total points
ID: 6191737
Take a look at the document from Micro$oft. It out lines the only two methods to use


LogonUser or
Security Support Provider Interface (SSPI)

I never tried SSPI and I don't know if it will provide the acces you need

Also su.exe ver 2.0 required that the user have these rights
   Act as part of the operating system
   Increase Quotas
   Replace a process level token
   Restore files and directories

For Version 2.99, these privileges are no longer required when using SU. In order to support this, you must install a new service-based component used by SU. The service component is encapsulated in the Suss.exe executable file, and this is installed by using the following command at a command prompt:
suss.exe -install


Expert Comment

ID: 6191745

well if you create a maintenace program that has a list of your users in

then have a table of privilages available

Access to program 1 section A
  "     "    "    1 Section B
  "     "    "    2 Section A

then have a bit that allows you to say that
kristian has access to program 1 section A + B
and UNTAKER has access to program 1 sect' A + prog 2 sect A

then in your program check the current operator and see if (s)he has access to the section you are about to enter.
if not then dont let them...


Expert Comment

ID: 6191930
just in case untaker im off for 6 days (i cant believe it) now so im affraid i wont know if i was any help to you or not but i will now be un-obtainable so good luck, hope the Previous comment made sence, kris.

Expert Comment

ID: 6919350
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click you Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE KnowledgePro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.

To view your open questions, please click the following link(s) and keep them all current with updates.

------------>  EXPERTS:  Please leave your closing recommendations if this item remains inactive another seven (7) days.  If you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed here -> http://www.experts-exchange.com/commspt/Q.20277028.html

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
Thank you everyone.
Moderator @ Experts Exchange

Expert Comment

ID: 7084914
Zero response, finalized.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
Creating an auto free TStringList The TStringList is a basic and frequently used object in Delphi. On many occasions, you may want to create a temporary list, process some items in the list and be done with the list. In such cases, you have to…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question