Impersonation of user from winlogon logon

Posted on 2003-12-03
Last Modified: 2013-11-13
I've added an entry to the registry to receive logon events from Winlogon. In the WLX_NOTIFICATION_INFO control block there is a member hToken which contains a handle to the newly logged in user. I would like to pass this handle to other processes which are running as system services under the SYSTEM account. When the service gets notified about the login, I would like to impersonate the newly logged on user and change the security context of the service to that of the user.

I get the handle from the Winlogon event OK. I can play around with it and all seems OK. When the service tries to use this handle, the API calls get an 'ACCESS DENIED' return code. I'm assuming that I must do something in the Winlogon code to the token before I can pass it to other processes. DuplicateTokenEx .. maybe, set other security flags, not sure what's next.
Question by:xlogic11

Expert Comment

ID: 9871763
This strikes very much as an attempt to hack a system.  EE cannot provide help or assistance in this area.


Accepted Solution

colmcc earned 125 total points
ID: 9877346
>This strikes very much as an attempt to hack a system.  

I doubt that is the case.  You need to be an administrator of the system to install such a service in the first place.  Don't be alarmed by the word 'impersonate'.  It's standard Microsoft terminology for what a server process does when it needs to do some work on behalf of a client process belonging to a particular user.

I have only a little knowledge in this area.  Probably less than the questioner.  However, I might be able to offer some advice if more details are given.

xlogic11: Perhaps you could try and re-assure people about what it is you are doing, so that I don't get myself into trouble if it turns out that I can help you?


Author Comment

ID: 9880181
You are correct, 'Impersonate' is the term used when one user acts as another user. The nice thing is the impersonated user runs at the same or a lower security level as the logged on user. In my case I want the service to run at the same security level as the logged in user. Winlogon allows you to add a call-back of sorts which it will call when various system events happen: Logon, logoff, Shell start, Screen Saver start, etc.

First I must register a DLL with the call-backs in the registry, state which events I want and reboot the system to get the new DLL hooked into the Winlogon event. When an event happens my call-back routine gets called and the system hands me a WLX_NOTIFICATION_INFO control block with info about the event. In the case of logon you get the username, domain, a handle to the user's token, and some other stuff.

I can launch off a process (in the call-back routine) using CreateProcessAsUser using the user token and a process starts in the security context of the newly signed in user. This is GOOD.

What I want to do is pass this token from my call-back to a system service that is already running and have this service run in the context of the user or 'Impersonate' the user. This way the service is lowered from LOCAL-SYSTEM to that of the user so the service acts as a user process. When the user logs off, the service will revert back to the standard system level.

My problem (other than people not understanding Winlogon and thinking I'm hacking) is I get an "access denied" from APIs in the service when I use the token. I've read that the token is good for all processes on the same machine. You can't pass it to another machine. I'm guessing that I may have to 'Duplicate' the token before I pass it to the service, but I'm not sure what parameters to pass to DuplicateTokenEx (??). Any help would be good.

Expert Comment

ID: 9881763
Which APIs are failing?  I would guess you are passing the token to ImpersonateLoggedOnUser(hToken).  Is that what is failing?

DuplicateTokenEx() might help, but I'm slightly doubtful.  Since you are able to call CreateProcessAsUser() in the call-back routine, using the token, it's already a primary token. You could try it though, specifying MAXIMUM_ALLOWED as the value of dwDesiredAccess.

The help for ImpersonateLoggedOnUser() says this -

"If hToken is a primary token, it must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is an impersonation token, it must have TOKEN_QUERY access."

So, it's just possible that your original token does not have TOKEN_QUERY, and that if you duplicate it with MAXIMUM_ALLOWED your new token may gain it.  Unfortunately, if it also does not have TOKEN_DUPLICATE, I guess DuplicateTokenEx() will fail.

Hope this is of some help,


Author Comment

ID: 9886921
When I use the token in processes other than my DLL launched by Winlogon, I get RC:6 (invalid handle) for Impersonate and RC:5 (access denied) for CreateProcessAsUser.

I tried duplicating the token on the Winlogon side using DuplicateToken to make an Impersonate token and I couldn't use it either outside of the Winlogon process. This tells me that the token has TOKEN_DUPLICATE access. I'll try DuplicateTokenEx using the MAXIMUM_ALLOWED value.

I wish I knew the rules about passing tokens around the system. When can you just use one, and when do you have to duplicate it?

