Impersonating in a thread

Hi All,

I am trying to create a thread in a service and
want to make the newly created thread impersonate in the context of the
calling RPC call in the service…

But the newly created thread is not impersonating :(
Is there any special care I need to take before creating the thread?

Regards,
-Vipul.

Code?

d


From: Vipul
Sent: Friday, December 25, 2009 7:16 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Impersonating in a thread

Hi All,

I am trying to create a thread in a service and
want to make the newly created thread impersonate in the context of the calling RPC call in the service…

But the newly created thread is not impersonating :(
Is there any special care I need to take before creating the thread?

Regards,
-Vipul.
— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

well, to be specific with the issue…

I have created a thread in the service which is created in the context of
the RPC caller and it is using the token of the RPC caller. I used !token to
verify that…

But:

  1. Using ImpersonateLoggedOnUser() and trying to create the process, it is
    still using the service token.
  2. Using CreateProcessAsUser() with the caller’s token, it is still using
    the service token.

In what cases will it not use the impersonating token of the thread?

regards,
-Vipul.

On Sat, Dec 26, 2009 at 8:55 AM, Doron Holan wrote:

> Code?
>
> d

> But the newly created thread is not impersonating :(

First, you should call OpenThreadToken(GetCurrentThread(), ) in the context of the RPC method called by the RPC server framework. This will give you the token to impersonate.

Then try CreateProcessAsUser or ImpersonateLoggedOnUser in another thread.

Also you can try to play with DuplicateTokenEx to convert the impersonation token to the primary token (CreateProcessAsUser wants so), and also with RPC call parameters of security level - Identify, Impersonate etc - must be Impersonate or Delegate.

If all of this fails, tell us the error codes from CreateProcessAsUser and ImpersonateLoggedOnUser.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
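
The sequence described in the reply above, as an added example that is not code from the thread or from any poster: the RPC method captures the caller's token and converts it to a primary token, then a worker thread started with `CreateThread(NULL, 0, RunAsClient, token, 0, NULL)` uses it. `CaptureClientToken` and `RunAsClient` are hypothetical names, and the command line is a constructed sample.

```c
/* Added example, not code from the thread. CaptureClientToken and RunAsClient
   are hypothetical names; the command line is a constructed sample. */
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>
#pragma comment(lib, "rpcrt4.lib")

/* Call on the RPC dispatch thread, inside the RPC method. Returns a primary
   token for the caller (NULL on failure, reason in *err); caller closes it. */
HANDLE CaptureClientToken(RPC_BINDING_HANDLE binding, DWORD *err)
{
    HANDLE imp = NULL, primary = NULL;
    RPC_STATUS rs = RpcImpersonateClient(binding);   /* NULL = current call */
    *err = ERROR_SUCCESS;
    if (rs != RPC_S_OK) { *err = (DWORD)rs; return NULL; }
    /* OpenAsSelf = TRUE: the open is access-checked as the service itself. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY,
                         TRUE, &imp))
        *err = GetLastError();
    /* CreateProcessAsUser needs a primary token with these three rights. */
    else if (!DuplicateTokenEx(imp, TOKEN_QUERY | TOKEN_DUPLICATE |
                               TOKEN_ASSIGN_PRIMARY, NULL,
                               SecurityImpersonation, TokenPrimary, &primary))
        *err = GetLastError();
    if (imp) CloseHandle(imp);
    RpcRevertToSelf();        /* never leave the RPC thread impersonating */
    return primary;
}

/* CreateThread routine; param is the handle from CaptureClientToken. A new
   thread starts with no impersonation token, so the token is handed over. */
DWORD WINAPI RunAsClient(LPVOID param)
{
    HANDLE token = (HANDLE)param;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    WCHAR cmd[] = L"C:\\Windows\\System32\\whoami.exe";
    DWORD err = ERROR_SUCCESS;
    if (CreateProcessAsUserW(token, NULL, cmd, NULL, NULL, FALSE, 0,
                             NULL, NULL, &si, &pi)) {
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    } else {
        err = GetLastError();   /* the error code the reply asks to report */
    }
    CloseHandle(token);
    return err;
}
#endif
```

The thread's exit code (readable with `GetExitCodeThread`) carries the `CreateProcessAsUser` error, so a missing privilege shows up as a concrete code rather than a silent fallback.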

Thanks Maxim for the pointers.

After delving further into the issue, the issue was the service was running
without “SE_ASSIGNPRIMARYTOKEN_NAME” privilege.

But one thing of curiosity is CreateProcessAsUser() succeeded even without
the privilege…
Ideally shouldn’t it fail when it does not have the privilege?
Or am I missing something here?

regards,
-Vipul.

On Sat, Dec 26, 2009 at 10:38 AM, Maxim S. Shatskih
wrote:

> > But the newly created thread is not impersonating :(
>
> First, you should call OpenThreadToken(GetCurrentThread(), ) in the context
> of the RPC method called by the RPC server framework. This will give you the
> token to impersonate.
>
> Then try CreateProcessAsUser or ImpersonateLoggedOnUser in another thread.
>
> Also you can try to play with DuplicateTokenEx to convert the impersonation
> token to the primary token (CreateProcessAsUser wants so), and also with RPC
> call parameters of security level - Identify, Impersonate etc - must be
> Impersonate or Delegate.
>
> If all of this will fail - tell us the error codes from CreateProcessAsUser
> and ImpersonateLoggedOnUser.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com

Vipul wrote:

> After delving further into the issue, the issue was the service was
> running without “SE_ASSIGNPRIMARYTOKEN_NAME” privilege.
>
> But one thing of curiosity is CreateProcessAsUser() succeeded even
> without the privilege…
> Ideally shouldn’t it fail when it does not have the privilege?
> Or am I missing something here?

Did you read the documentation? CreateProcessAsUser only needs the
privilege under certain circumstances, and it will go enable them if
necessary, assuming the account is allowed to acquire that privilege.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.