JP
Hello,
we have an app developed with VS.NET and C#. The user interface has a
login-screen, which performs login and impersonation of given
Windows-user. The impersonation token is created with a P/Invoke on
::LogonUser() and the actual impersonation is accomplished by .NET
framework's WindowsIdentity.Impersonate(). This part works OK.
However, when impersonation is active, and a link label control is
drawn onscreen, a SecurityException is thrown stating: "Requested
registry access is not allowed". From the call stack (shown below) we
can see that the control attempts to read some values from the
computer's registry -- and fails.
The impersonated user belongs in Users-group, plus a few custom groups
we have created for the application. If the same user logs into
Windows and starts the app without impersonation, everything works OK,
no exceptions are thrown.
If the user is added to Administrators-group, the impersonation works.
However, this is no solution.
I have read Q820637 from the MS Knowledge Base, but it did not solve
the problem.
Does anybody else have similar experiences? Any thoughts on why the
registry access fails when impersonating, but works when logged in?
Could it be that the original user context has somehow locked the rows
in the registry, so that when the impersonated user tries to access
them, a sharing violation occurs?
Thx,
-JP
---clip---
System.Security.SecurityException: Requested registry access is not allowed.
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   at Microsoft.Win32.RegistryKey.OpenSubKey(String name)
   at System.Windows.Forms.LinkLabel.GetIEColor(String name)
   at System.Windows.Forms.LinkLabel.get_IELinkColor()
   at System.Windows.Forms.LinkLabel.get_LinkColor()
   at System.Windows.Forms.LinkLabel.OnPaint(PaintEventArgs e)
   at System.Windows.Forms.Control.PaintWithErrorHandling(PaintEventArgs e, Int16 layer, Boolean disposeEventArgs)
   at System.Windows.Forms.Control.WmPaint(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.Label.WndProc(Message& m)
   at System.Windows.Forms.LinkLabel.WndProc(Message& msg)
   at System.Windows.Forms.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   at System.Windows.Forms.ComponentManager.System.Windows.Forms.UnsafeNativeMethods+IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
   at System.Windows.Forms.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   at System.Windows.Forms.Application.Run(Form mainForm)
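
A diagnostic for the failure described in the post, added here as an example and not code from the poster's application: it repeats a Registry.CurrentUser read before, during and after impersonation and reports which identity the thread holds each time. Windows caches the HKEY_CURRENT_USER handle per process, so under impersonation the read can still target the original user's hive, whose ACL need not grant the impersonated account access. Assumptions: the subkey path, the class name ImpersonationRegistryProbe, the Probe helper and the interactive logon type are illustrative and do not appear in the post.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

class ImpersonationRegistryProbe   // hypothetical name, not from the post
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Assumed HKCU subkey behind LinkLabel.GetIEColor; the post does not name it.
    const string IeSettings = @"Software\Microsoft\Internet Explorer\Settings";

    // Reports the identity the thread runs as and whether the HKCU read succeeds.
    static string Probe(string stage)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        try
        {
            RegistryKey key = Registry.CurrentUser.OpenSubKey(IeSettings);
            if (key == null) return stage + ": " + who + " -> key not present";
            key.Close();
            return stage + ": " + who + " -> read allowed";
        }
        catch (SecurityException ex) { return stage + ": " + who + " -> " + ex.Message; }
    }

    static void Main(string[] args)   // usage: probe.exe <user> <domain>
    {
        Console.Write("Password: ");
        string password = Console.ReadLine();
        Console.WriteLine(Probe("process identity"));
        IntPtr token;
        // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT
        if (!LogonUser(args[0], args[1], password, 2, 0, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
        try { Console.WriteLine(Probe("impersonating")); }
        finally { ctx.Undo(); CloseHandle(token); }   // always revert, then release the token
        Console.WriteLine(Probe("after Undo"));
    }
}
```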