Impersonation of user from winlogon logon

I've added an entry to the registry to receive logon events from
Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member
hToken which contains a handle to the newly logged in user. I would like
to pass this handle to other processes which are running as system
services under the SYSTEM account. When the service gets notified about
the login, I would like to impersonate the newly logged on user and
change the security context of the service to that of the user.

I get the handle from the Winlogon event OK. I can play around with it and
all seems OK. When the service tries to use this handle the API calls
get an 'ACCESS DENIED' return code. I'm assuming that I must do
something in the Winlogon code to the token before I can pass it to
other processes. DuplicateTokenEx, maybe, or set other security flags;
not sure what's next.

This strikes very much as an attempt to hack a system.  EE cannot provide help or assistance in this area.

>This strikes very much as an attempt to hack a system.  

I doubt that is the case.  You need to be an administrator of the system to install such a service in the first place.  Don't be alarmed by the word 'impersonate'.  It's standard Microsoft terminology for what a server process does when it needs to do some work on behalf of a client process belonging to a particular user.

I have only a little knowledge in this area.  Probably less than the questioner.  However, I might be able to offer some advice if more details are given.

xlogic11: Perhaps you could try and re-assure people about what it is you are doing, so that I don't get myself into trouble if it turns out that I can help you?


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xlogic11Author Commented:
You are correct, 'Impersonate' is the term used when one user acts as another user. The nice thing is the impersonated user runs at the same or a lower security level as the logged on user. In my case I want the service to run at the same security level as the logged in user. Winlogon allows you to add a call-back of sorts which it will call when various system events happen: Logon, logoff, Shell start, Screen Saver start, etc.

First I must register a DLL with the call-backs in the registry, state which events I want, and reboot the system to get the new DLL hooked into the Winlogon events. When an event happens my call-back routine gets called and the system hands me a WLX_NOTIFICATION_INFO control block with info about the event. In the case of logon you get the username, domain, a handle to the user's token, and some other stuff.

I can launch off a process (in the call-back routine) using CreateProcessAsUser with the user token, and a process starts in the security context of the newly signed in user. This is GOOD.

What I want to do is pass this token from my call-back to a system service that is already running and have this service run in the context of the user, or 'Impersonate' the user. This way the service is lowered from LOCAL-SYSTEM to that of the user so the service acts as a user process. When the user logs off, the service will revert back to the standard system level.

My problem (other than people not understanding Winlogon and thinking I'm hacking) is I get an "access denied" from APIs in the service when I use the token. I've read that the token is good for all processes on the same machine. You can't pass it to another machine. I'm guessing that I may have to 'Duplicate' the token before I pass it to the service, but I'm not sure what parameters to pass to DuplicateTokenEx (??). Any help would be good.

Which APIs are failing?  I would guess you are passing the token to ImpersonateLoggedOnUser(hToken).  Is that what is failing?

DuplicateTokenEx() might help, but I'm slightly doubtful.  Since you are able to call CreateProcessAsUser() in the call-back routine, using the token, it's already a primary token. You could try it though, specifying MAXIMUM_ALLOWED as the value of dwDesiredAccess.

The help for ImpersonateLoggedOnUser() says this -

"If hToken is a primary token, it must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is an impersonation token, it must have TOKEN_QUERY access."

So, it's just possible that your original token does not have TOKEN_QUERY, and that if you duplicate it with MAXIMUM_ALLOWED your new token may gain it.  Unfortunately, if it also does not have TOKEN_DUPLICATE, I guess DuplicateTokenEx() will fail.

Hope this is of some help,

xlogic11Author Commented:
When I use the token in processes other than my dll launched by Winlogon, I get RC:6 (invalid handle) for Impersonate and RC:5 (access denied) for CreateProcessAsUser.

I tried duplicating the token on the Winlogon side using DuplicateToken to make an impersonation token and I couldn't use it either outside of the Winlogon process. This tells me that the token has TOKEN_DUPLICATE access. I'll try DuplicateTokenEx using the MAXIMUM_ALLOWED value.

I wish I knew the rules about passing tokens around the system. When can you just use one, and when do you have to duplicate it?
