I have a requirement to run threads under different security contexts, e.g. thread #1 runs as SYSTEM and thread #2 runs as 'NT Service'. Is this scenario possible in C# 7.0? Note: my service runs under SYSTEM privilege, which is where I'll try to spin up the threads.
-
Why do you want such extreme privileges in the first place? You could always execute code by impersonating another account but using *those* specific accounts is *extremely* dangerous. Plus, it requires elevating privileges, which is something end users won't like at all – Panagiotis Kanavos Aug 27 '21 at 16:03
-
`my service runs under SYSTEM privilege` why? Whatever it does, it doesn't have to use `SYSTEM`. And if you think your case is different: [Razer ponders how to fix installer that grants admin powers if you plug in a mouse](https://www.theregister.com/2021/08/23/security_in_brief/) – Panagiotis Kanavos Aug 27 '21 at 16:03
-
Thanks @PanagiotisKanavos. Here's the background to why it's running under SYSTEM privilege. Our tool does 10 different things in a scheduled manner, but only 3 need SYSTEM privilege (Windows patch installation, restarting a service, upgrading/installing an application); the other 7 items can run under lower privilege. – jbalajkpm Aug 27 '21 at 16:11
-
In any case, to execute code by impersonating another account you need to use [WindowsIdentity.RunImpersonated](https://learn.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.runimpersonated?view=netframework-4.8) or explicitly call `Impersonate` at the start and `Undo` at the end. – Panagiotis Kanavos Aug 27 '21 at 16:11
-
'Impersonate' works with custom Windows users, but I couldn't get any hint around impersonating built-in users like 'NT Service'. My need is to change the security context of a thread on the fly from within an already running process. – jbalajkpm Aug 27 '21 at 16:22
-
Impersonate works with any access token. You'll have to find the correct token one way or another. Or find a way to *not* use high-privilege accounts. You still haven't explained why you want to do what you asked. At the very least you could use multiple services, each running under a different account. – Panagiotis Kanavos Aug 27 '21 at 16:31
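The `WindowsIdentity.RunImpersonated` pattern the comments point to, as an added example (not code from the question or the commenters): the process keeps its own identity, and only the scoped unit of work runs under a dedicated least-privileged account, which is the direction the comments recommend for the 7 tasks that don't need SYSTEM. The account name `svc-worker`, the `WORKER_PW` environment variable and the `RunAsWorker` helper are assumptions; `LogonUser` needs a password, so this suits a dedicated low-privilege account rather than the built-in virtual accounts the question asks about.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example: scope a low-privilege identity to one unit of work with
// WindowsIdentity.RunImpersonated, restoring the caller's identity afterwards.
// Assumes a dedicated local account "svc-worker" exists (placeholder name).
static class ScopedImpersonation
{
    // Standard advapi32 logon constants (LOGON32_LOGON_SERVICE = 5 would
    // require the account to hold the "Log on as a service" right).
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUserW(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Hypothetical helper: runs `work` on the calling thread under the worker
    // account's token; the token is disposed and the original identity is back
    // in place when this returns, even if `work` throws.
    public static T RunAsWorker<T>(string user, string domain, string password, Func<T> work)
    {
        if (!LogonUserW(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                        LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
            return WindowsIdentity.RunImpersonated(token, work);
    }

    static void Main()
    {
        Console.WriteLine("Process identity: " + WindowsIdentity.GetCurrent().Name);

        // Placeholder credential source: read from a protected store, never from source code.
        string password = Environment.GetEnvironmentVariable("WORKER_PW");

        // Identity observed inside the impersonation scope.
        string inside = RunAsWorker("svc-worker", ".", password,
            () => WindowsIdentity.GetCurrent().Name);

        Console.WriteLine("Inside RunImpersonated: " + inside);
        Console.WriteLine("After: " + WindowsIdentity.GetCurrent().Name); // process identity again
    }
}
```

Impersonation applies to the thread that calls `RunImpersonated`, so each scheduled task can pick its own token this way; it does not grant a thread more than the calling process already holds.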