5

I want to launch a process under another username's credentials. This is what I have now:

        /// <summary>
        /// Do actions under another username's credentials
        /// </summary>
        /// <param name="username">Username to inpersonate</param>
        /// <param name="domain">Domain/Machine</param>
        /// <param name="password">Password </param>
        public static void Action(string username,string domain, string password )
        {
            try
            {
                if (LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, ref hToken))
                {
                    if (DuplicateToken(hToken, 2, ref hTokenDuplicate))
                    {

                        WindowsIdentity windowsIdentity = new WindowsIdentity(hTokenDuplicate);

                        WindowsImpersonationContext impersonationContext = windowsIdentity.Impersonate();

                        // Check the identity but it could do any other action under given username credentials
                      try
                        {
                            ProcessStartInfo info = new ProcessStartInfo("cmd.exe");
                            info.UseShellExecute = false;
                            info.RedirectStandardInput = true;
                            info.RedirectStandardError = true;
                            info.RedirectStandardOutput = true;
                            info.UserName = "dummy"; // see the link mentioned at the top
                            // Define the string value to assign to a new secure string.
                            char[] chars = { 'p', 'a', 's', 's','1','2','3','4','/' };
                            // Instantiate the secure string.
                            SecureString testString = new SecureString();
                            // Assign the character array to the secure string.
                            foreach (char ch in chars)
                                testString.AppendChar(ch);

                            info.Password = testString;

                            Process.Start(info);

                        }
                        catch (Exception ex)
                        {
                            Console.WriteLine("Exception Occurred :{0},{1}",ex.Message, ex.StackTrace.ToString());
                        }

                        // Stop impersonating the user
                        impersonationContext.Undo();
                    }
                }
                // Free the tokens
                if (hToken != IntPtr.Zero) 
                    CloseHandle(hToken);
                if (hTokenDuplicate != IntPtr.Zero)
                    CloseHandle(hTokenDuplicate);

        }catch(Exception ex)
         {
             Console.WriteLine("Exception occurred. " + ex);
          }

It does not seem to work and I get an "Access denied". Any ideas of how to do it? If we ask for the credentials, we get the right ones, so it should execute any program under that credentials. i.e:

               if (DuplicateToken(hToken, 2, ref hTokenDuplicate))
                    {

                        WindowsIdentity windowsIdentity = new WindowsIdentity(hTokenDuplicate);                      
                        WindowsImpersonationContext impersonationContext = windowsIdentity.Impersonate();

                        // Check the identity but it could do any other action under given username credentials
                        Console.WriteLine("After impersonation: {0}", WindowsIdentity.GetCurrent().Name);

                        // Stop impersonating the user
                        impersonationContext.Undo();
                    }

And the answer is right, we get "dummy".

We could make it even simpler:

 public static void Run()
        {
            try
            {
                const string file = "cmd.exe";

                var sspw = new SecureString();

                foreach (var c in "pass1234/")
                    sspw.AppendChar(c);

                var proc = new Process();

                proc.StartInfo.UseShellExecute = false;

                proc.StartInfo.WorkingDirectory = Path.GetDirectoryName(file);

                proc.StartInfo.FileName = Path.GetFileName(file);

                proc.StartInfo.Domain = "WIN08";
                proc.StartInfo.Arguments = "";
                proc.StartInfo.UserName = "dummy";
                proc.StartInfo.Password = sspw;
                proc.StartInfo.LoadUserProfile = false;
                proc.Start();
            }catch(Exception e)
            {
                Console.WriteLine(e);
             }

However, I still get exceptions...

Manolete
  • 3,431
  • 7
  • 54
  • 92

3 Answers3

9

It might be weird for some people, my apologies, I am Linux developer... Tested:

    /// <summary>
    /// Class that deals with another username credentials
    /// </summary>
    class Credentials
    {
        /// <summary>
        /// Constructor of SecureString password, to be used by RunAs
        /// </summary>
        /// <param name="text">Plain password</param>
        /// <returns>SecureString password</returns>
        private static SecureString MakeSecureString(string text)
        {
            SecureString secure = new SecureString();
            foreach (char c in text)
            {
                secure.AppendChar(c);
            }

            return secure;
        }

        /// <summary>
        /// Run an application under another user credentials.
        /// Working directory set to C:\Windows\System32
        /// </summary>
        /// <param name="path">Full path to the executable file</param>
        /// <param name="username">Username of desired credentials</param>
        /// <param name="password">Password of desired credentials</param>
        public static void RunAs(string path, string username, string password)
        {
            try
            {
                ProcessStartInfo myProcess = new ProcessStartInfo(path);
                myProcess.UserName = username;
                myProcess.Password = MakeSecureString(password);
                myProcess.WorkingDirectory = @"C:\Windows\System32";
                myProcess.UseShellExecute = false;
                Process.Start(myProcess);
            }
            catch (Win32Exception w32E)
            {
                // The process didn't start.
                Console.WriteLine(w32E);
            }
        }

    }
Manolete
  • 3,431
  • 7
  • 54
  • 92
6

I don't think you need to login the user and duplicate the handle. All you need to do is set the username, domain, and password in the ProcessStartInfo object. That's been available since .NET 3.0 if I recall correctly.

EDIT:

Also for more information, this is what really happens when you give username/domain/password to ProcessStartInfo: http://support.microsoft.com/kb/165194. The reason for access denied is probably that you don't have access to the user's desktop or windowstation. Just calling LoginUser is not sufficient.

Kevin
  • 24,871
  • 19
  • 102
  • 158
4

May be you forgot to make read only secure string? My method works fine for me:

Process proc = new Process
        {
            StartInfo =
            {
                CreateNoWindow = true,
                UseShellExecute = false,
                RedirectStandardOutput = true,
                RedirectStandardInput = true,
                FileName = "cmd.exe",
                UserName = "user",
                Domain = "myDomain",
                Password = GetSecureString("Password"),
                Arguments = "/c ipconfig"                   
            }
        };
        proc.Start();

GetSecureString() function: 

public static SecureString GetSecureString(string str)
    {
        SecureString secureString = new SecureString();
        foreach (char ch in str)
        {
            secureString.AppendChar(ch);
        }
        secureString.MakeReadOnly();
        return secureString;
    }
thezar
  • 1,278
  • 13
  • 17