User Impersonation on Win XP SP2

Willy,
As I had mentioned in my first post, I am impersonating as ADMIN user
who has explicit debug privileges.

Main App is launched by regular user and "admin" user is being
impersonated before app tries to launch another exe.

anyway, I will try your suggestion.

Thanks for your help.
~ViPuL

"vipleo" <vn*****@gmail. com> wrote in message
news:11******** *************@o 13g2000cwo.goog legroups.com...
| Willy,
| As I had mentioned in my first post, I am impersonating as ADMIN user
| who has explicit debug privileges.
|
| Main App is launched by regular user and "admin" user is being
| impersonated before app tries to launch another exe.
|
| anyway, I will try your suggestion.
|
| Thanks for your help.
| ~ViPuL
|

Impersonating is not sufficient, you also need to "enable" the privilege,
it's not because a user has debug privileges that they are enabled.

Willy.

Willy,
How i can 'enable' this privilege?

vipleo-
I feel your pain...I spent weeks on this very issue - trying to get an
application updater going when the users didn't have permission to
install it. Our old impersonation broke when users started upgrading
to SP2, so I had to redo it.

It has been over a year, and there were so many issues they all kind of
blend together, but as I recall, impersonating then starting the
install process did not do the job because impersonation only changes
the permissions of the thread, not the process, and the process.start
gets started under the process' permissions. Again, it's a bit fuzzy
so I may be completely off there. I remember testing it by just
impersonating a different user than myself to start a process, then
that process popped a message box indicating what the current user was.

Also noteworthy was that if you had v 2.0, the Process.Start now takes
username, password, and domain parameters - obviously MS noticed this
was sorely missed.

Anyway, the silver bullet was to use WMI to install the new version -
that way the installation could happen on the current thread and the
admin user's privileges were used appropriately. It's been tried and
tested with 2000 users every two weeks, with no problems. I've seen
examples of using WMI to run the process as well, but I never got them
to work for me - I don't remember why.

If this is an option for you let me know and I'll post some code.

Good luck,
Jared

Jared,
Thanks a lot for your help & feeling my pain. <g>

In our implementation, we are not using multiple thread to do app
auto-update.

We are doing auto-update(xCopy deployment) in same thread, so I don't
understand how user context could be different.

Btwn, if you(or anybody else) can post some code sample for 'how to use
wmi to auto-update app' or 'how to launch another process using wmi',
that would be really great!

Thanks,
~ViPuL

We weren't using multi-threading either, but your code still runs on a
thread (even if it's the only one in the process), so it could still be
causing a problem. Read the "Pitfalls to watch for" section at
http://pluralsight.com/wiki/default....sImpersonation.
Note that I'm fairly certain that the suggestion to use
createprocessas user no longer works on SP2 - that's what caused me to
have to do a rewrite in the first place. This is documented on MSDN,
if you care to search for it.

OK...Here's the code that I'm 100% sure works. I've stripped out a lot
of the stuff that was implementation specific, but I think all the
pertinent parts are in here:

Impersonation class: This one does the actual installing and
uninstalling.
using System;
using System.Runtime. InteropServices ;
using System.Diagnost ics;
using System.Windows. Forms;
using System.Manageme nt;
using System.Collecti ons;
using ROOT.CIMV2.Win3 2;
namespace Extensions.Clie nt.ApplicationU pdater
{
public class Impersonate
{
[DllImport("adva pi32.dll", SetLastError=tr ue)]
private static extern bool LogonUser(Strin g lpszUsername, String
lpszDomain, String lpszPassword,
int dwLogonType, int dwLogonProvider , ref IntPtr phToken);

public static void UninstallProduc t(string productCode, string name,
string version)
{
//get error codes at
http://msdn.microsoft.com/library/de...rror_codes.asp
const int ERROR_SUCCESS_R EBOOT_REQUIRED = 3010;
const int ERROR_SUCCESS_R EBOOT_INITIATED = 1641;
const int ERROR_SUCCESS = 0;

uint retValue = 0;
try
{
ManagementScope scope = new ManagementScope ();
ROOT.CIMV2.Win3 2.Product prod = new Product(product Code, name,
version);
prod.Scope = scope;
retValue = prod.Uninstall( );
}
catch(Exception e)
{
MessageBox.Show ("Uninstall failed. Verify that " + name + " is
installed for all users on this machine. Details: " + e.Message);
}
if (retValue != ERROR_SUCCESS_R EBOOT_REQUIRED && retValue !=
ERROR_SUCCESS_R EBOOT_INITIATED && retValue != ERROR_SUCCESS)
{
MessageBox.Show ("Uninstall failed. Please contact helpdesk to get
updates. The returned error was: " + retValue);
}
}

public static void InstallProduct( string path, string options, bool
allUsers)
{
//get error codes at
http://msdn.microsoft.com/library/de...rror_codes.asp
uint retValue = 0;
const int ERROR_SUCCESS_R EBOOT_REQUIRED = 3010;
const int ERROR_SUCCESS_R EBOOT_INITIATED = 1641;
const int ERROR_SUCCESS = 0;

try
{
if (System.IO.File .Exists(path))
{
retValue = Product.Install (allUsers, options, path);
if (retValue != ERROR_SUCCESS_R EBOOT_REQUIRED && retValue !=
ERROR_SUCCESS_R EBOOT_INITIATED && retValue != ERROR_SUCCESS)
{
MessageBox.Show ("Install failed. Please contact helpdesk to get
updates. The returned error was: " + retValue);
}
}
else
MessageBox.Show ("Couldn't find file " + path + ". Please contact
helpdesk to get updates.");
}
catch(Exception e)
{
MessageBox.Show ("Install failed. Please contact helpdesk to get
updates. Details: " + e.Message);
}
}

public static IntPtr LogonUser(strin g UserName, string Password,
string Domain)
{
IntPtr token = IntPtr.Zero;
try
{
// Call LogonUser to obtain a handle to an access token.
LogonUser(UserN ame, Domain, Password, 2, 1, ref token);
return token;
}
catch
{
return IntPtr.Zero;
}
}
}
}

And here how the impersonation class was used to actually install the
product:
private void Install()
{

try
{
if (!System.IO.Fil e.Exists(this.m siPath))
{
MessageBox.Show ("Could not find the installation file " +
this.msiPath + ". Please contact the helpdesk to get updates.", "New
version of " + this.applicatio nTitle + " not found.");
return;
}
StatusWindow statusForm = null;

statusForm = new StatusWindow();
statusForm.Stat us = "Preparing to install " + this.applicatio nTitle +
"...";
statusForm.Show ();

statusForm.Stat us = "Logging On...";
statusForm.Perf ormStep();

IntPtr token = Impersonate.Log onUser(UserName , Password, Domain);

if (token != IntPtr.Zero)
{
WindowsIdentity newId = new WindowsIdentity (token);
WindowsImperson ationContext impersonatedUse r = newId.Impersona te();
//EVERTHING YOU DO FROM HERE ON OUT IS IMPERSONATED

//You probably can ignore all this productCode stuff...It's a long
story. But if your MSI is set to remove previous versions, you don't
need this.
if (this.productCo de != null && this.productCod e.Length > 0)
{
statusForm.Stat us = "Uninstalli ng old version of " +
this.applicatio nTitle + " ...";
statusForm.Perf ormStep();
Impersonate.Uni nstallProduct(t his.productCode ,
this.applicatio nTitle, this.oldVersion );
}

statusForm.Stat us = "Installing new version of " +
this.applicatio nTitle + "...";
statusForm.Perf ormStep();

//The second parameter are the options sent to msiexec.
Impersonate.Ins tallProduct(thi s.msiPath, "REBOOT=R", true);

impersonatedUse r.Undo();
//BACK TO RUNNING UNDER THE ORIGINAL USER
}
else
{
MessageBox.Show ("Impersonat e user failed. Please contact HelpDesk
to obtain the latest version.");
}

statusForm.Clos e();
}
catch(Exception e)
{
MessageBox.Show (this.applicati onTitle + " update failed: " + e);
WriteEvent(e);
}
}

I'll look around for the example of doing it with a process.

Good luck,
Jared

Here's the example that served as my bible for much of the time I spent
working on this issue:
http://www.dotnet247.com/247referenc...55/275561.aspx

Even though WMI may not be your solution, the concept may still work
for you. Instead of using the Process.Start, you need to duplicate the
action in-process (or, more accurately, in-thread.) So if you were
xcopying the files over, I believe that just using the
System.IO.File. Copy method will accomplish the same thing, while
allowing you to do it under the impersonated user's credentials.

Good luck,
Jared

"vipleo" <vn*****@gmail. com> wrote in message
news:11******** *************@f 14g2000cwb.goog legroups.com...
| Willy,
| How i can 'enable' this privilege?
|

You have to call AdjustTokenPriv ileges through PInvoke to do this from C#,
but you also need to get at the Process token because this fnction needs
this token, and you need to do this before impersonating, because once you
are impersonating you can't open the process to get at the token, see what I
mean? You can do all this using PInvoke, but it's not trivial, you better do
it in C++, or just don't do it at all and do as I said, get the module name
before you impersonate.

Willy.

As I said to vipleo, impersonation isn't the issue here, and is probably not
related to your problem. The OP's problem is that he tries to open the
'current process' while impersonating, this isn't allowed, unless the
impersonating user has Debug Privileges (he isn't the owner of the process)
and that these are explicitely enabled.
Willy.

"JaredHite1 " <ja***@sharingd s.org> wrote in message
news:11******** **************@ f14g2000cwb.goo glegroups.com.. .
| vipleo-
| I feel your pain...I spent weeks on this very issue - trying to get an
| application updater going when the users didn't have permission to
| install it. Our old impersonation broke when users started upgrading
| to SP2, so I had to redo it.
|
| It has been over a year, and there were so many issues they all kind of
| blend together, but as I recall, impersonating then starting the
| install process did not do the job because impersonation only changes
| the permissions of the thread, not the process, and the process.start
| gets started under the process' permissions. Again, it's a bit fuzzy
| so I may be completely off there. I remember testing it by just
| impersonating a different user than myself to start a process, then
| that process popped a message box indicating what the current user was.
|
| Also noteworthy was that if you had v 2.0, the Process.Start now takes
| username, password, and domain parameters - obviously MS noticed this
| was sorely missed.
|
| Anyway, the silver bullet was to use WMI to install the new version -
| that way the installation could happen on the current thread and the
| admin user's privileges were used appropriately. It's been tried and
| tested with 2000 users every two weeks, with no problems. I've seen
| examples of using WMI to run the process as well, but I never got them
| to work for me - I don't remember why.
|
| If this is an option for you let me know and I'll post some code.
|
| Good luck,
| Jared
|

"vipleo" <vn*****@gmail. com> wrote in message
news:11******** **************@ o13g2000cwo.goo glegroups.com.. .
| Jared,
| Thanks a lot for your help & feeling my pain. <g>
|
| In our implementation, we are not using multiple thread to do app
| auto-update.
|
| We are doing auto-update(xCopy deployment) in same thread, so I don't
| understand how user context could be different.
|
| Btwn, if you(or anybody else) can post some code sample for 'how to use
| wmi to auto-update app' or 'how to launch another process using wmi',
| that would be really great!
|
| Thanks,
| ~ViPuL
|

I don't think this will help you anyway, what you are after is the filename
of the current executable, right? Well, you should get this one before
impersonating and you are done.
Also, you shouldn't even use Process.GetCurr entProcess().Ma inModule.FileNa me
to get the exe name of the current process, you simply have to get the name
of the default application domain, this one is by default the same as the
..exe assembly name.

Willy.