Impersonation of user from winlogon logon

Posted on 2003-12-03
Last Modified: 2013-11-13
I've added an entry to the registry to receive logon events from
Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member
nToken which contains a handle to the newly logged in user. I would like
to pass this handle to other processes which are running as system
services under the SYSTEM account. When the service gets notified about
the login, I would like to impersonate the newly logged on user and
change the security context of the service to that of the user.

I get the handle from the Winlogon event OK. Can play around with it and
all seems OK. When the service tries to use this handle the API calls
get an 'ACCESS DENIED' return code. I'm assuming that I must do
something in the Winlogon code to the token before I can pass it to
other processes. DuplicateTokenEx .. maybe, set other security flags,
not sure what's next.
Question by: xlogic11

Expert Comment

ID: 9871763
This strikes very much as an attempt to hack a system.  EE cannot provide help or assistance in this area.


Accepted Solution

colmcc earned 375 total points
ID: 9877346
>This strikes very much as an attempt to hack a system.  

I doubt that is the case.  You need to be an administrator of the system to install such a service in the first place.  Don't be alarmed by the word 'impersonate'.  It's standard Microsoft terminology for what a server process does when it needs to do some work on behalf of a client process belonging to a particular user.

I have only a little knowledge in this area.  Probably less than the questioner.  However, I might be able to offer some advice if more details are given.

xlogic11: Perhaps you could try and re-assure people about what it is you are doing, so that I don't get myself into trouble if it turns out that I can help you?


Author Comment

ID: 9880181
You are correct, 'Impersonate' is the term used when one user acts as another user. The nice thing is the impersonated user runs at the same or a lower security level as the logged on user. In my case I want the service to run at the same security level as the logged in user. Winlogon allows you to add a call-back of sorts which it will call when various system events happen: Logon, logoff, Shell start, Screen Saver start, etc.

First I must register a DLL with the call-backs in the registry, state which events I want, and reboot the system to get the new DLL hooked into the Winlogon event. When an event happens my call-back routine gets called and the system hands me a WLX_NOTIFICATION_INFO control block with info about the event. In the case of logon you get the username, domain, a handle to the user's token, and some other stuff.

I can launch off a process (in the call-back routine) using CreateProcessAsUser using the user token and a process starts as the security context of the newly signed in user. This is GOOD.

What I want to do is pass this token from my call-back to a system service that is already running and have this service run as the context of the user or 'Impersonate' the user. This way the service is lowered from LOCAL-SYSTEM to that of the user so the service acts as a user process. When the user logs off, the service will revert back to the standard system level.

My problem (other than people not understanding Winlogon and thinking I'm hacking) is I get an "access denied" from APIs in the service when I use the token. I've read that the token is good for all processes in the same machine. You can't pass it to another machine. I'm guessing that I may have to 'Duplicate' the token before I pass it to the service, but I'm not sure what parameters to pass to DuplicateTokenEx (??). Any help would be good.

Expert Comment

ID: 9881763

Which APIs are failing?  I would guess you are passing the token to
ImpersonateLoggedOnUser(hToken).  Is that what is failing?

DuplicateTokenEx() might help, but I'm slightly doubtful.  Since you are able to call CreateProcessAsUser() in the call-back routine, using the token, it's already a primary token. You could try it though, specifying MAXIMUM_ALLOWED as the value of dwDesiredAccess.

The help for ImpersonateLoggedOnUser() says this -

"If hToken is a primary token, it must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is an impersonation token, it must have TOKEN_QUERY access."

So, it's just possible that your original token does not have TOKEN_QUERY, and that if you duplicate it with MAXIMUM_ALLOWED your new token may gain it.  Unfortunately, if it also does not have TOKEN_DUPLICATE, I guess DuplicateTokenEx() will fail.

Hope this is of some help,
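
The sequence suggested in this comment, as an added example that is not code from the thread: the access-right rule quoted from the ImpersonateLoggedOnUser() help, followed by a duplicate made with MAXIMUM_ALLOWED and then impersonated. The function names are hypothetical, and the two `#define` stand-ins exist only so the mask logic also compiles off Windows.

```c
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-ins for non-Windows builds; values match winnt.h. */
#define TOKEN_DUPLICATE 0x0002u
#define TOKEN_QUERY     0x0008u
#endif

/* Rights ImpersonateLoggedOnUser() needs on the handle, per the quoted help:
   primary token -> TOKEN_QUERY | TOKEN_DUPLICATE, impersonation -> TOKEN_QUERY. */
uint32_t required_access(int is_primary)
{
    return is_primary ? (uint32_t)(TOKEN_QUERY | TOKEN_DUPLICATE)
                      : (uint32_t)TOKEN_QUERY;
}

/* Rights still missing from a handle's granted mask (0 = nothing missing). */
uint32_t missing_access(int is_primary, uint32_t granted)
{
    return required_access(is_primary) & ~granted;
}

#ifdef _WIN32
/* Hypothetical helper: duplicate hToken as an impersonation token with
   MAXIMUM_ALLOWED, then impersonate it on the calling thread.
   hToken must be a handle that is valid in the calling process.
   Returns 0 on success, otherwise the GetLastError() value
   (5 = ERROR_ACCESS_DENIED, 6 = ERROR_INVALID_HANDLE).
   The caller ends the impersonation later with RevertToSelf(). */
DWORD impersonate_with_duplicate(HANDLE hToken)
{
    HANDLE hDup = NULL;
    DWORD err = 0;

    /* Needs TOKEN_DUPLICATE on hToken; fails with access denied otherwise. */
    if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL,
                          SecurityImpersonation, TokenImpersonation, &hDup))
        return GetLastError();

    if (!ImpersonateLoggedOnUser(hDup))
        err = GetLastError();

    /* The thread holds its own reference to the token once impersonating. */
    CloseHandle(hDup);
    return err;
}
#endif
```
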


Author Comment

ID: 9886921
When I use the token in processes other than my dll launched by Winlogon, I get RC:6 (invalid handle) for Impersonate and RC:5 (access denied) for CreateProcessAsUser.

I tried duplicating the token on the Winlogon side using DuplicateToken to make an Impersonate token and I couldn't use it either outside of the Winlogon process. This tells me that the token has TOKEN_DUPLICATE access. I'll try DuplicateTokenEx using the MAXIMUM_ALLOWED value.

I wish I knew the rules about passing tokens around the system. When can you just use one and when do you have to duplicate it?

