I have a Windows service that runs under the "LocalSystem" account.

What I can do with this service:

  1. I can get the active user's token and start a new process in the user's session interactively by using CreateProcessAsUser.

  2. I can get another user's token with the LogonUser API and start a new process as that user (I know the username and password of that account). It's a background process running as my test user (not interactive).

I need to replace the logged-on user with another user whose credentials I have. I need to switch accounts programmatically.

Can I switch to a new user session (with desktop) interactively? I have that user's username and password.

Why I need to do this:

I have a shared user account that is an administrator on some test computers. I don't want to share the password of that account with the testers using the test computers. I need them to log in to their own accounts, which are not administrators; after logon I will need to replace the user with my shared user from my Windows service.

Is this technically possible? Where should I start?

candogg
  • Have you seen [this](https://stackoverflow.com/questions/125341/how-do-you-do-impersonation-in-net) related post? – Axel Kemper Aug 27 '22 at 09:38
  • Yes, I can run a process impersonated as another user. But I need to switch its active session in the operating system. – candogg Aug 27 '22 at 09:51
  • Start with the WTS API stuff, switching is probably undocumented. – Anders Aug 27 '22 at 10:03
  • It is possible to change the token of a process started by one user for a different token (e.g. one for a different user), so that the process then runs with the permissions granted by the replacement token. See e.g. my answer here: https://stackoverflow.com/a/13066468 – Iridium Aug 27 '22 at 14:52
  • Yes, I can replace the working process token. But it's not my issue. I want to change the active logon session. – candogg Aug 27 '22 at 20:10
  • Have a look at this [answer](https://stackoverflow.com/a/48277984/3868464) – Alexander Aug 30 '22 at 13:21

1 Answer

I could switch accounts with or without a password using WTSConnectSession. If someone is curious about fast-switching sessions, below is the code that runs under a Windows service (LocalSystem):

```csharp
[DllImport("wtsapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern bool WTSConnectSession(int targetSessionId, int sourceSessionId, string password, bool wait);

// targetSessionId: the session to switch to; currentActiveSessionId: the session currently displayed.
WTSConnectSession(targetSessionId, currentActiveSessionId, "", true);
```

You can enumerate sessions with:

```csharp
[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSEnumerateSessions(IntPtr hServer, int Reserved, int Version, out IntPtr ppSessionInfo, out int pCount);
```
candogg
  • If the user you want to switch to hasn't logged in yet, i.e. no WTS session exists, how do you create that/log in the user first? – tunafish24 Sep 25 '22 at 18:46
  • I create that session with a credential provider. I could not find any other way to do that. If you know one, let me know :) – candogg Sep 27 '22 at 04:49
  • One hacky method I saw in another post was to launch a process on the winlogon screen, use the FindWindow API to find the username/password windows/input fields and simulate logon. Did you look into that? – tunafish24 Sep 27 '22 at 14:26
  • Nope, I didn't see that. Can you provide a link for that solution? – candogg Sep 28 '22 at 15:13
  • @candogg one point of criticism regarding the question and the terminology that you wrongly apply in it: the "WTS" sessions (TS for Terminal Services) are _related_ to the [LSA logon sessions](https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-logon-sessions), but they're **not the same**. When you write "logon session" then the only "entity" on Windows that comes to mind are LSA logon sessions. In the question you seem to _mean_ logon sessions, but in your answer you use the terminal session meaning. This seems a bit odd. I.e. question and answer don't match as it stands. – 0xC0000022L Oct 13 '22 at 08:58
  • Maybe I asked the question wrong. First I needed to create an interactive user session on the computer with an account that I have credentials for. Then I needed to switch to it. Anyway, thanks for your reply. – candogg Oct 16 '22 at 17:35
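
Added example, not part of the original answer: a complete enumeration call built around the WTSEnumerateSessions declaration in the answer, including the WTS_SESSION_INFO layout and the WTSFreeMemory call that the declaration alone does not show. The class name `WtsSessions`, the enum name `WtsConnectState` and the `Enumerate` method are assumptions made for this example; the native signatures follow wtsapi32.h.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Hypothetical helper class for this example; the native signatures follow wtsapi32.h.
public static class WtsSessions
{
    // Same order as the native WTS_CONNECTSTATE_CLASS enumeration (WTSActive = 0 ... WTSInit = 9).
    public enum WtsConnectState { Active, Connected, ConnectQuery, Shadow, Disconnected, Idle, Listen, Reset, Down, Init }

    [StructLayout(LayoutKind.Sequential)]
    private struct WTS_SESSION_INFO
    {
        public int SessionId;
        [MarshalAs(UnmanagedType.LPWStr)] public string WinStationName;
        public WtsConnectState State;
    }

    // Bind the Unicode export explicitly so WinStationName can be read as LPWStr.
    [DllImport("wtsapi32.dll", EntryPoint = "WTSEnumerateSessionsW", SetLastError = true)]
    private static extern bool WTSEnumerateSessions(IntPtr hServer, int reserved, int version, out IntPtr ppSessionInfo, out int pCount);

    [DllImport("wtsapi32.dll")]
    private static extern void WTSFreeMemory(IntPtr pMemory);

    public static List<(int Id, string Station, WtsConnectState State)> Enumerate()
    {
        // IntPtr.Zero is WTS_CURRENT_SERVER_HANDLE; Reserved must be 0 and Version must be 1.
        if (!WTSEnumerateSessions(IntPtr.Zero, 0, 1, out IntPtr buffer, out int count))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            var sessions = new List<(int Id, string Station, WtsConnectState State)>();
            int size = Marshal.SizeOf<WTS_SESSION_INFO>();
            for (int i = 0; i < count; i++)
            {
                var info = Marshal.PtrToStructure<WTS_SESSION_INFO>(IntPtr.Add(buffer, i * size));
                sessions.Add((info.SessionId, info.WinStationName, info.State));
            }
            return sessions;
        }
        finally { WTSFreeMemory(buffer); } // the API allocates the array; the caller frees it
    }

    public static void Main()
    {
        foreach (var s in Enumerate()) Console.WriteLine($"{s.Id,4}  {s.Station,-16}  {s.State}");
    }
}
```

On a typical workstation the output includes session 0 with the station name `Services`, which hosts services rather than an interactive desktop.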