Impersonation of user from winlogon logon
Posted on 2003-12-03
I've added a entry to the registry to recieve logon events from
Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member
nToken which contains a handle to the newly logged in user. I would like
to pass this handle to other processes which are running as system
services under the SYSTEM account. When the service gets notified about
the login, I would like to impersonate the newly logged on user and
change the security context of the service to that of the user.
I get the handle from the Winlogon event OK. Can play around with it and
all seems OK. When the service tries to use this handle the API calls
get an 'ACCESS DENIED' return code. I'm assuming that I must do
something in the Winlogon code to the token before I can pass it to
other processes. DuplicateTokenEx .. maybe, set other security flags,
not sure what's next.