File access with other credentials returns unexpected results

Andreas Sander 21 Reputation points
2022-03-24T09:41:13.71+00:00

Hello,

I want to access files with the credentials of another user. This should be possible if the current user has the SeImpersonatePrivilege. I use this code:

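    HANDLE token = NULL;
    HANDLE impersonate_token = NULL;

    // Log the other user on and receive a token for that user
    BOOL login_success = LogonUser(user, domain, Password, LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, &token);

    // Create an impersonation token at SecurityImpersonation level
    if (login_success)
      login_success = DuplicateToken(token, SECURITY_IMPERSONATION_LEVEL::SecurityImpersonation, &impersonate_token);

    // Let the calling thread impersonate the logged-on user
    if (login_success)
      login_success = ImpersonateLoggedOnUser(impersonate_token);

    // Do some file access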

Now I get some unexpected results:

If I use this code in a standard application, the file access always fails with ERROR_BAD_IMPERSONATION_LEVEL, even if the user has the SeImpersonatePrivilege.
If I use this code in a service, the file access is always successful, even if the user does not have the SeImpersonatePrivilege.

Why is there a difference if the code is executed in an application or a service even if the same user is used?


Accepted answer
  1. RLWA32 45,701 Reputation points
    2022-03-24T11:12:46.573+00:00

    Try passing LOGON32_LOGON_INTERACTIVE to LogonUser instead of LOGON32_LOGON_NETWORK_CLEARTEXT.
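
An added diagnostic, not part of the question or the answer above: after ImpersonateLoggedOnUser returns, reading the calling thread's token shows which impersonation level the thread actually has, and file access under a token below SecurityImpersonation fails with ERROR_BAD_IMPERSONATION_LEVEL. The helper names (`level_name`, `can_access_files`, `thread_impersonation_level`) are assumptions of this example, and the Win32 calls are guarded with `_WIN32` so the helpers also build on other platforms.

```cpp
// Added example: report the impersonation level of the calling thread.
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Names for the SECURITY_IMPERSONATION_LEVEL values (0..3 in winnt.h).
std::string level_name(int level) {
    switch (level) {
        case 0:  return "SecurityAnonymous";
        case 1:  return "SecurityIdentification";
        case 2:  return "SecurityImpersonation";
        case 3:  return "SecurityDelegation";
        default: return "no thread token";
    }
}

// Opening files while impersonating needs SecurityImpersonation (2) or higher;
// an identification-level token only allows identity queries and access checks.
bool can_access_files(int level) { return level >= 2; }

// Returns the impersonation level of the current thread's token, or -1 when
// the thread is not impersonating or the token cannot be queried.
int thread_impersonation_level() {
#ifdef _WIN32
    HANDLE tok = NULL;
    // OpenAsSelf = TRUE: the access check for opening the token uses the
    // process identity, so it also works when the thread token is low-level.
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok))
        return -1;
    SECURITY_IMPERSONATION_LEVEL lvl = SecurityAnonymous;
    DWORD len = 0;
    BOOL ok = GetTokenInformation(tok, TokenImpersonationLevel,
                                  &lvl, sizeof(lvl), &len);
    CloseHandle(tok);
    return ok ? static_cast<int>(lvl) : -1;
#else
    return -1;  // no Win32 thread tokens on this platform
#endif
}
```

Call `thread_impersonation_level()` right after ImpersonateLoggedOnUser succeeds and before the file access, once in the application and once in the service, and compare the two results.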
