Solved

Impersonation of user from winlogon logon

Posted on 2003-12-03
Last Modified: 2013-11-13
I've added an entry to the registry to receive logon events from
Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member
nToken which contains a handle to the newly logged in user. I would like
to pass this handle to other processes which are running as system
services under the SYSTEM account. When the service gets notified about
the login, I would like to impersonate the newly logged on user and
change the security context of the service to that of the user.

I get the handle from the Winlogon event OK. Can play around with it and
all seems OK. When the service tries to use this handle the API calls
get an 'ACCESS DENIED' return code. I'm assuming that I must do
something in the Winlogon code to the token before I can pass it to
other processes. DuplicateTokenEx .. maybe, set other security flags,
not sure what's next.
Question by:xlogic11
6 Comments
 
LVL 101

Expert Comment

by:mlmcc
ID: 9871763
This strikes very much as an attempt to hack a system.  EE cannot provide help or assistance in this area.

mlmcc
0
 
LVL 2

Accepted Solution

by:
colmcc earned 125 total points
ID: 9877346
>This strikes very much as an attempt to hack a system.  

I doubt that is the case.  You need to be an administrator of the system to install such a service in the first place.  Don't be alarmed by the word 'impersonate'.  It's standard Microsoft terminology for what a server process does when it needs to do some work on behalf of a client process belonging to a particular user.

I have only a little knowledge in this area.  Probably less than the questioner.  However, I might be able to offer some advice if more details are given.

xlogic11: Perhaps you could try and re-assure people about what it is you are doing, so that I don't get myself into trouble if it turns out that I can help you?

Regards,
Colin
0
 

Author Comment

by:xlogic11
ID: 9880181
You are correct, 'Impersonate' is the term used when one user acts as another user. The nice thing is the impersonated user runs at the same or a lower security level as the logged on user. In my case I want the service to run at the same security level as the logged in user. Winlogon allows you to add a call-back of sorts which it will call when various system events happen, Logon, logoff, Shell start, Screen Saver start, etc.

First I must register a DLL with the call-backs in the registry. State which events I want and reboot the system to get the new dll hooked into the winlogon event. When an event happens my call-back routine gets called and the system hands me a WLX_NOTIFICATION_INFO control block with info about the event. In the case of logon you get the username, domain, a handle to the user's token, and some other stuff.

I can launch off a process (in the call-back routine) using CreateProcessAsUser using the user token and a process starts as the security context of the newly signed in user. This is GOOD.

What I want to do is pass this token from my call-back to a system service that is already running and have this service run as the context of the user or 'Impersonate' the user. This way the service is lowered from LOCAL-SYSTEM to that of the user so the service acts as a user process. When the user logs off, the service will revert back to the standard system level.

My problem (other than people not understanding winlogon and thinking I'm hacking) is I get an "access denied" from APIs in the service when I use the token. I've read that the token is good for all processes in the same machine. You can't pass it to another machine. I'm guessing that I may have to 'Duplicate' the token before I pass it to the service, but I'm not sure what parameters to pass to DuplicateTokenEx (??). Any help would be good.
0
 
LVL 2

Expert Comment

by:colmcc
ID: 9881763
Hi

Which APIs are failing?  I would guess you are passing the token to
ImpersonateLoggedOnUser(hToken).  Is that what is failing?

DuplicateTokenEx() might help, but I'm slightly doubtful.  Since you are able to call CreateProcessAsUser() in the call-back routine, using the token, it's already a primary token. You could try it though, specifying MAXIMUM_ALLOWED as the value of dwDesiredAccess.

The help for ImpersonateLoggedOnUser() says this -

"If hToken is a primary token, it must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is an impersonation token, it must have TOKEN_QUERY access."

So, it's just possible that your original token does not have TOKEN_QUERY, and that if you duplicate it with MAXIMUM_ALLOWED your new token may gain it.  Unfortunately, if it also does not have TOKEN_DUPLICATE, I guess DuplicateTokenEx() will fail.

Hope this is of some help,
Colin


0
 

Author Comment

by:xlogic11
ID: 9886921
When I use the token in processes other than my dll launched by Winlogon, I get RC:6 (invalid handle) for Impersonate and RC:5 (access denied) for CreateProcessAsUser.

I tried duplicating the token on the Winlogon side using DuplicateToken to make an Impersonate token and I couldn't use it either outside of the Winlogon process. This tells me that the token has TOKEN_DUPLICATE access. I'll try DuplicateTokenEx using the MAXIMUM_ALLOWED value.

I wish I knew the rules about passing tokens around the system. When can you just use one and when do you have to duplicate it?

/Robert
0
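Added example, not part of the thread or written by any poster: a HANDLE value is an index into the owning process's handle table, so the number Winlogon hands the notification DLL is not valid in another process until `DuplicateHandle` creates an entry for it there. The sketch below shows that hand-off together with the access rule quoted from the `ImpersonateLoggedOnUser` help. The function names, `service_pid` and the IPC used to deliver the returned value are assumptions.

```c
/* Added example: hand a logon token from a Winlogon notification DLL to a service. */
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins (values as in winnt.h) so the access check also builds off Windows. */
typedef unsigned long DWORD;
#define TOKEN_DUPLICATE 0x0002
#define TOKEN_QUERY     0x0008
#endif

/* Rule quoted above from the ImpersonateLoggedOnUser help: a primary token needs
   TOKEN_QUERY and TOKEN_DUPLICATE, an impersonation token needs TOKEN_QUERY. */
int access_ok_for_impersonation(DWORD granted, int is_primary)
{
    DWORD need = TOKEN_QUERY | (is_primary ? TOKEN_DUPLICATE : 0);
    return (granted & need) == need;
}

#ifdef _WIN32
/* Sender side (inside Winlogon). Creates a new handle in the service's handle
   table, requesting only the rights the service needs to impersonate.
   service_pid is an assumption: the caller looks it up. Returns NULL on failure;
   otherwise a value usable ONLY inside the service, to be sent over your IPC. */
HANDLE give_token_to_service(HANDLE hUserToken, DWORD service_pid)
{
    HANDLE hRemote = NULL;
    HANDLE hService = OpenProcess(PROCESS_DUP_HANDLE, FALSE, service_pid);
    if (hService == NULL)
        return NULL;
    if (!DuplicateHandle(GetCurrentProcess(), hUserToken, hService, &hRemote,
                         TOKEN_QUERY | TOKEN_DUPLICATE, FALSE, 0))
        hRemote = NULL;
    CloseHandle(hService);
    return hRemote;
}

/* Receiver side (inside the service). Impersonation applies to the calling
   thread only; revert and close the handle whether or not the call succeeded. */
BOOL run_as_user(HANDLE hToken, void (*work)(void))
{
    BOOL ok = ImpersonateLoggedOnUser(hToken);
    if (ok) {
        work();
        ok = RevertToSelf();
    }
    CloseHandle(hToken);
    return ok;
}
#endif
```

The service should only accept handle values over a channel that the SYSTEM-side sender alone can write to, and should treat a failed `RevertToSelf` as fatal for that thread.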
