
When I try to perform Directory.Move() I get an error:

System.IO.IOException ... Access Denied

Steps to reproduce:

  1. Run Visual Studio 2013 from the console with `PsExec.exe -s -d -i`, which could assign system privilege to my program. (When running, `System.Security.Principal.WindowsIdentity.GetCurrent().Name` gives `NT AUTHORITY\SYSTEM`.)
  2. LogonUser with LOGON32_LOGON_INTERACTIVE and invoke ImpersonateLoggedOnUser() - no error returned
  3. Directory.Move(myfolderAtProgramData,myfolderAtProgramData+"_")
  4. VS throws a System.IO.IOException - 'Access Denied'

If I call LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, then it works. Why?

Below are references for my implementation:

  1. What is the difference: LoadUserProfile -vs- RegOpenCurrentUser
  2. Impersonation to get user HKEY_CURRENT_USER does not work?
  3. Access CurrentUser Registry Key for Impersonated User - Compatibility with .NET 3.5
  4. https://social.msdn.microsoft.com/Forums/vstudio/en-US/fd531413-1ea9-4141-bba8-c1c5e9270001/access-currentuser-registry-key-for-impersonated-user-compatibility-with-net-35?forum=csharpgeneral

Environment:

Win10 Pro 64-bit, EN, Visual Studio 2013, .NET 4.0, C#
A folder at ProgramData (allow modification only with administrator privilege)

H Marcus
  • It doesn't work because [the token you get from LogonUser doesn't have administrator access](http://stackoverflow.com/q/39403050/886887). But since the program is running as local system, and therefore already has the necessary access to move the folder in question, why are you impersonating at all? – Harry Johnston Dec 02 '16 at 05:56
  • Harry, really fast response, thanks!! I typed "System.Security.WindowsIdentity.GetCurrentName()" after impersonation, and "DESKTOP-3FGNMSD\\Admin" is returned, which is my administrator account. Why can't I move the directory?? Do you think some privileges are removed from the token that LogonUser() returns with Interactive?? (Even though I know the System account could, I want to figure it out.) – H Marcus Dec 02 '16 at 06:47
  • Yes. As described in the question and answer I linked to, LogonUser() is affected by UAC; administrator rights are removed. If you need a token with admin privilege, use `LOGON32_LOGON_BATCH` instead. – Harry Johnston Dec 02 '16 at 10:27
  • Harry, thanks. Your suggestion will be tried. – H Marcus Dec 05 '16 at 08:16
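
A diagnostic for the behaviour discussed in the comments above, added here as an example and not code from the original thread: it logs the same account on with `LOGON32_LOGON_INTERACTIVE` and with `LOGON32_LOGON_BATCH`, then reports each token's UAC elevation type and whether the Administrators group is enabled in it. The class name `LogonTokenCheck`, the `Describe` helper and the command-line layout (domain, then user) are assumptions made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class LogonTokenCheck // hypothetical name, example only
{
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_BATCH = 4;
    const int TokenElevationType = 18; // TOKEN_INFORMATION_CLASS member

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    static void Describe(string label, int logonType, string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error(), label + ": LogonUser failed");
        try
        {
            int elevation, len;
            if (!GetTokenInformation(token, TokenElevationType, out elevation, sizeof(int), out len))
                throw new Win32Exception(Marshal.GetLastWin32Error(), label + ": GetTokenInformation failed");
            using (var id = new WindowsIdentity(token)) // duplicates the handle
            {
                // False when the Administrators SID is absent or deny-only in this token.
                bool admin = new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
                // TOKEN_ELEVATION_TYPE: 1 = Default, 2 = Full, 3 = Limited (UAC-filtered)
                Console.WriteLine("{0}: {1} elevationType={2} adminEnabled={3}", label, id.Name, elevation, admin);
            }
        }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args) // args[0] = domain or machine name, args[1] = user name
    {
        Console.Write("Password: "); string password = Console.ReadLine();
        Describe("INTERACTIVE", LOGON32_LOGON_INTERACTIVE, args[0], args[1], password);
        Describe("BATCH", LOGON32_LOGON_BATCH, args[0], args[1], password);
    }
}
```

The batch logon only succeeds if the account holds the "Log on as a batch job" right; if `LogonUser` fails, the `Win32Exception` carries the Win32 error code.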

0 Answers