Solved

Impersonation of user from winlogon logon

Posted on 2003-12-03
Last Modified: 2013-11-13
I've added an entry to the registry to receive logon events from
Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member
nToken which contains a handle to the newly logged in user. I would like
to pass this handle to other processes which are running as system
services under the SYSTEM account. When the service gets notified about
the login, I would like to impersonate the newly logged on user and
change the security context of the service to that of the user.

I get the handle from the Winlogon event OK. Can play around with it and
all seems OK. When the service tries to use this handle the API calls
get an 'ACCESS DENIED' return code. I'm assuming that I must do
something in the Winlogon code to the token before I can pass it to
other processes. DuplicateTokenEx .. maybe, set other security flags,
not sure what's next.
Question by:xlogic11

Expert Comment

by:mlmcc
This strikes very much as an attempt to hack a system.  EE cannot provide help or assistance in this area.

mlmcc

Accepted Solution

by:colmcc earned 125 total points
>This strikes very much as an attempt to hack a system.  

I doubt that is the case.  You need to be an administrator of the system to install such a service in the first place.  Don't be alarmed by the word 'impersonate'.  It's standard Microsoft terminology for what a server process does when it needs to do some work on behalf of a client process belonging to a particular user.

I have only a little knowledge in this area.  Probably less than the questioner.  However, I might be able to offer some advice if more details are given.

xlogic11: Perhaps you could try and re-assure people about what it is you are doing, so that I don't get myself into trouble if it turns out that I can help you?

Regards,
Colin

Author Comment

by:xlogic11
You are correct, 'Impersonate' is the term used when one user acts as another user. The nice thing is the impersonated user runs at the same or a lower security level as the logged on user. In my case I want the service to run at the same security level as the logged in user. Winlogon allows you to add a call-back of sorts which it will call when various system events happen: logon, logoff, shell start, screen saver start, etc.

First I must register a DLL with the call-backs in the registry, state which events I want, and reboot the system to get the new DLL hooked into the Winlogon event. When an event happens my call-back routine gets called and the system hands me a WLX_NOTIFICATION_INFO control block with info about the event. In the case of logon you get the username, domain, a handle to the user's token, and some other stuff.

I can launch off a process (in the call-back routine) using CreateProcessAsUser using the user token and a process starts as the security context of the newly signed in user. This is GOOD.

What I want to do is pass this token from my call-back to a system service that is already running and have this service run as the context of the user or 'Impersonate' the user. This way the service is lowered from LOCAL-SYSTEM to that of the user so the service acts as a user process. When the user logs off, the service will revert back to the standard system level.

My problem (other than people not understanding Winlogon and thinking I'm hacking) is I get an "access denied" from APIs in the service when I use the token. I've read that the token is good for all processes in the same machine. You can't pass it to another machine. I'm guessing that I may have to 'Duplicate' the token before I pass it to the service, but I'm not sure what parameters to pass to DuplicateTokenEx (??). Any help would be good.

Expert Comment

by:colmcc
Hi

Which APIs are failing?  I would guess you are passing the token to
ImpersonateLoggedOnUser(hToken).  Is that what is failing?

DuplicateTokenEx() might help, but I'm slightly doubtful.  Since you are able to call CreateProcessAsUser() in the call-back routine, using the token, it's already a primary token. You could try it though, specifying MAXIMUM_ALLOWED as the value of dwDesiredAccess.

The help for ImpersonateLoggedOnUser() says this -

"If hToken is a primary token, it must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is an impersonation token, it must have TOKEN_QUERY access."

So, it's just possible that your original token does not have TOKEN_QUERY, and that if you duplicate it with MAXIMUM_ALLOWED your new token may gain it.  Unfortunately, if it also does not have TOKEN_DUPLICATE, I guess DuplicateTokenEx() will fail.

Hope this is of some help,
Colin
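
The sequence suggested in the comment above (DuplicateTokenEx with MAXIMUM_ALLOWED, then ImpersonateLoggedOnUser), as an added example that is not code from this thread. `impersonation_access_ok` and `run_as_user` are hypothetical names; the example assumes `hToken` is a handle that is valid in the calling process, and the Win32 part builds only on Windows.

```c
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#else
/* winnt.h values, defined here only so the access rule compiles off Windows */
#define TOKEN_DUPLICATE 0x0002UL
#define TOKEN_QUERY     0x0008UL
typedef enum { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE;
#endif

/* The ImpersonateLoggedOnUser() rule quoted above: a primary token needs
   TOKEN_QUERY and TOKEN_DUPLICATE, an impersonation token needs TOKEN_QUERY. */
bool impersonation_access_ok(TOKEN_TYPE type, unsigned long granted)
{
    unsigned long need = TOKEN_QUERY;
    if (type == TokenPrimary)
        need |= TOKEN_DUPLICATE;
    return (granted & need) == need;
}

#ifdef _WIN32
/* Assumption: hToken is valid in THIS process. Runs work() as the token's
   user, then returns the thread to the service's own security context.
   Returns 0 on success, otherwise the GetLastError() value (5 = access
   denied, 6 = invalid handle, the two codes reported in this thread). */
DWORD run_as_user(HANDLE hToken, void (*work)(void))
{
    HANDLE hImp = NULL;
    DWORD err = 0;

    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
                          SecurityImpersonation, TokenImpersonation, &hImp))
        return GetLastError();

    if (!ImpersonateLoggedOnUser(hImp)) {
        err = GetLastError();
    } else {
        work();
        /* If this fails the thread is still running as the user:
           treat it as fatal in the caller. */
        if (!RevertToSelf())
            err = GetLastError();
    }
    CloseHandle(hImp);
    return err;
}
#endif
```
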



Author Comment

by:xlogic11
When I use the token in processes other than my dll launched by Winlogon, I get RC:6 (invalid handle) for Impersonate and RC:5 (access denied) for CreateProcessAsUser.

I tried duplicating the token on the Winlogon side using DuplicateToken to make an Impersonate token and I couldn't use it either outside of the Winlogon process. This tells me that the token has TOKEN_DUPLICATE access. I'll try DuplicateTokenEx using the MAXIMUM_ALLOWED value.

I wish I knew the rules about passing tokens around the system. When can you just use one and when do you have to duplicate it?

/Robert