0

I am using https://github.com/mj1856/SimpleImpersonation to impersonate an administrator so I can make changes to Windows services from an app that's run by a user who is not an administrator. This works on Windows 7 with no issue. On Windows 10 I have to right-click on the app and click Run as administrator for it to work. Otherwise I get an error code 5 (Permission denied) when my app tries to modify the services. The impersonation appears to be working. UAC is turned off. I don't see what to try next.

codenesium
  • When you run your app on Windows 10, how does it appear on the Task Manager? – Josh Part Aug 15 '18 at 16:20
  • If you want users to be able to control particular services, why not **grant them those rights** rather than going "well, admins can do that *by default*, so I'll first force things to run as admin"? – Damien_The_Unbeliever Aug 15 '18 at 16:51

3 Answers

1

SimpleImpersonation (of which I am the author) is a managed wrapper around the Windows LogonUser API. It doesn't have any magic of its own, other than to help you consume that API in an easy way.

When you use this library, you pass a LogonType, which matches those referenced in the LogonUser docs. Each logon type has a different behavior, which is controlled by the operating system. For example, if you are using LogonType.Interactive, that is passing LOGON32_LOGON_INTERACTIVE into the LogonUser API to perform an interactive login.

Interactive login uses UAC for administrative actions. Disabling it is not recommended. Also note that LogonUser returns a restricted token during interactive sessions. You cannot work around that for an interactive login, but you can try one of the other logon types depending on what you are doing.

See also:

Matt Johnson-Pint
  • Hi Matt, I'm trying to use SimpleImpersonation to impersonate users who enter their Windows ID and password, and use that impersonation to run a PowerShell script. This is running on an ASP.NET Core Web API. Unfortunately it still resorts to using the application pool's identity instead of the impersonated identity. Is there anything I'm missing? – Durairaj Veera Sinnaiah Oct 21 '20 at 13:44
  • `Impersonation.RunAsUser(credentials, LogonType.NewCredentials, () => { Runspace runSpace = RunspaceFactory.CreateRunspace(); runSpace.Open(); using (PowerShell ps = PowerShell.Create()) { ps.Runspace = runSpace; Collection<PSObject> PSOutput = ps.Invoke(); } });` – Durairaj Veera Sinnaiah Oct 21 '20 at 13:45
  • @DurairajVeeraSinnaiah - Hi. Please do not chain questions in comments like this. Instead, either [create a new Stack Overflow question](https://stackoverflow.com/questions/ask) if you want community responses, or raise a question in [the GitHub issue tracker for SimpleImpersonation](https://github.com/mj1856/SimpleImpersonation/issues) if you are directing your question at me. Thanks. – Matt Johnson-Pint Oct 21 '20 at 17:25
  • Also, I'm not an expert in all things impersonation. I simply wrote a managed wrapper around `LogonUser`. You might need to search more based on that underlying API, rather than my wrapper. – Matt Johnson-Pint Oct 21 '20 at 17:27
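
To see which kind of token a given logon type actually produced, the following added C# example (not code from the answers or from the SimpleImpersonation project) reads `TokenElevationType` for the identity the code is currently running as. `TokenInspector` and `Report` are hypothetical names, and calling `Report` from inside the impersonation callback is an assumption about how you would use it.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper (added example): shows how UAC treated the current token.
static class TokenInspector
{
    // TOKEN_INFORMATION_CLASS.TokenElevationType from winnt.h
    private const int TokenElevationTypeClass = 18;

    // TOKEN_ELEVATION_TYPE values from winnt.h
    public enum ElevationType { Default = 1, Full = 2, Limited = 3 }

    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool GetTokenInformation(
        IntPtr tokenHandle, int tokenInformationClass,
        out int tokenInformation, int tokenInformationLength, out int returnLength);

    public static ElevationType GetElevationType(WindowsIdentity identity)
    {
        if (!GetTokenInformation(identity.Token, TokenElevationTypeClass,
                out int value, sizeof(int), out _))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return (ElevationType)value;
    }

    // WindowsIdentity.GetCurrent() returns the impersonated identity when the
    // calling thread is impersonating, otherwise the process identity.
    public static void Report(string label)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // False when Administrators is present only as a deny-only group.
            bool adminEnabled = new WindowsPrincipal(id)
                .IsInRole(WindowsBuiltInRole.Administrator);
            Console.WriteLine($"{label}: {id.Name} " +
                $"elevation={GetElevationType(id)} adminEnabled={adminEnabled}");
        }
    }

    static void Main()
    {
        Report("process");
        // Assumption: call TokenInspector.Report("impersonated") inside the
        // impersonation callback to compare logon types on the same machine.
    }
}
```

`Limited` means UAC filtered the token and the Administrators group is deny-only, which is consistent with error 5 on service changes; `Full` is an elevated token, and `Default` means no split token exists for that logon.
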
0

You have not posted any of your code, so I am going to make an educated guess here, and suggest you try LogonType.NewCredentials. This will make the LogonUser call cache the credentials so they will be used later for the impersonation.

Polyfun
0

The reason this wasn't working was I had UAC turned on. I had disabled it in Windows and rebooted, but apparently that's not enough. I had to create the registry key

```
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
```

And reboot to truly disable UAC.

As a note to other developers, I was unable to impersonate with C#, but I was also not able to impersonate with PowerShell and PsExec, which sort of led me to the solution: PSEXEC, access denied errors.

codenesium