Launch Application as Different User in C# Windows Application

cooltoriz

Hello there,

I am not asking how to impersonate a process within a C# Windows
application. I already know that, in C# v2.0, you can easily achieve it
using ProcessStartInfo. You can run a process or call an external program
as a different user.

The problem with that design is that the mother application is still
running as the current user. I know that less privilege is more secure.

I want to launch an application as a different user. I can do it by
creating a launching application (say launch.exe) and calling the other main
application (say main.exe) from it. So the main application will run as
a different user.

This design requires two executable files (launch.exe and main.exe). I
want to make it simple.

As I mentioned, I know how to impersonate a process. However, I don't
think that I can do it over a method or thread. Am I right?

Can I pass a (static or object) method to a process, so that I can use
the impersonation? If I understood correctly, I need to provide
"FileName" in ProcessStartInfo to start a process. It's good when you
call an external executable file as a different user. But I don't think
that you can put a (static or object) method instead.

I deeply appreciate your help.
 
Samuel R. Neff

Look in MSDN help under WindowsIdentity.Impersonate. There's a
complete example there. Using that code as a basis you can do
impersonation over any random block of code.

Although it says XP only so perhaps that can be a concern for you.
Not sure how to do it in 2000 or earlier.

HTH,

Sam
 
cooltoriz

Thank you for your answer,

I was able to find many articles related to
"WindowsIdentity.Impersonate" and I have a question about its security
boundary. Is impersonation applied only within the same process? For
example, if I am running the application under the "user1" account and
executing this code:


    ImpersonateUser iuser = new ImpersonateUser();

    if (iuser.Impersonate(Environment.MachineName, "user2", "password"))
    {
        Process notePad = new Process();
        notePad.StartInfo.FileName = "notepad.exe";

        // Display the identity of the calling thread
        MessageBox.Show(System.Security.Principal.WindowsIdentity.GetCurrent().Name);

        // Start the child process while the thread is impersonating
        notePad.Start();

        iuser.Undo();
    }

I see the message box saying "user2" as the current security context.
However, when I check the process in Task Manager, I see "user1" for
the notepad.exe process.

I know that I can change the security context of the Process using
ProcessStartInfo easily.

However, my question is: does changing the security context using
WindowsIdentity not affect creating a new process? And does the new process
inherit security from its parent? In this case, I assume that it's
"user1".

Thank you,
 
Willy Denoyette [MVP]

The impersonation context is per process per thread. When you spawn another process like you
do in the above code, the child process will inherit the parent's security context, that is,
it will run in the security account of the parent's process.

Willy.
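
The behaviour discussed in this thread, shown side by side as an added example (not code from any poster): impersonating with WindowsIdentity.Impersonate changes only the calling thread, so a process started inside that block still runs under the parent's account, while credentials set on ProcessStartInfo give the child the other account. It assumes .NET Framework on Windows and a local account named "user2" (placeholder); the class name RunAsDemo is hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

static class RunAsDemo   // hypothetical name, added example
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, IntPtr password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    static void Main()
    {
        const string user = "user2";               // placeholder local account
        SecureString pwd = new SecureString();     // never held as a managed string
        Console.Write("Password for " + user + ": ");
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter) pwd.AppendChar(k.KeyChar);
        Console.WriteLine();

        // 1) Thread-level impersonation: only the calling thread's token changes.
        IntPtr token;
        IntPtr raw = Marshal.SecureStringToGlobalAllocUnicode(pwd);
        try
        {
            // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT
            if (!LogonUser(user, Environment.MachineName, raw, 2, 0, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally { Marshal.ZeroFreeGlobalAllocUnicode(raw); }   // wipe the plaintext copy
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
        {
            Console.WriteLine("Thread runs as: " + WindowsIdentity.GetCurrent().Name);
            // The child is created from the process token, so it is still the original user.
            Process.Start("notepad.exe");
        }   // Dispose() reverts the thread to the process identity
        CloseHandle(token);

        // 2) Process-level: explicit credentials give the child its own primary token.
        ProcessStartInfo psi = new ProcessStartInfo("notepad.exe");
        psi.UseShellExecute = false;               // required when UserName is set
        psi.UserName = user;
        psi.Domain = Environment.MachineName;
        psi.Password = pwd;
        Process.Start(psi);                        // listed under user2 in Task Manager
    }
}
```

Comparing the user name column for the two notepad.exe entries in Task Manager shows the difference: the first belongs to the account that launched the program, the second to user2.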
 
Samuel R. Neff

I'm confused. In your original post I thought you said you knew how
to do impersonation for a process but wanted to know how to do
impersonation for a thread. Was that not your question?

Sam
 
cooltoriz

Sorry for the confusion; I might not have been clear about my question.

Yes, I know how to impersonate when I create a NEW process using the
ProcessStartInfo class. There are many examples over the Internet.

However, I was wondering: if I impersonate a code block using
WindowsIdentity.Impersonate() and the code block contains creating a new
process, does the new process inherit its security context from the
impersonated security context or the parent's security context?

Per Willy's reply, it seems that the new process will still inherit it from
the parent's security context even though impersonation occurred before the
code block.

I hope that this clears up my question.

Thank you,
 
