Hi Dan,
I am sorry that I made a mistake about LogonUser.
Based on my test, we can use LogonUser and WindowsIdentity to make the
current thread impersonate another, higher-privileged account, e.g. the
administrator.
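' Logs on as a second local account, impersonates it on the current thread
' while Test() runs, then reverts to the original identity and releases the
' token handles.
'
' Review notes:
'  - The account name and password below are hard-coded sample values. Real
'    code should not embed credentials in source; obtain them at run time
'    from the operator or a protected store.
'  - Reverting the impersonation and closing both handles happens in Finally,
'    so an exception raised by Test() cannot leave the thread running under
'    the other account or leak the tokens.
<PermissionSetAttribute(SecurityAction.Demand, Name:="FullTrust")> _
Private Sub Impersonate()
    Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Const SecurityImpersonation As Integer = 2

    Dim tokenHandle As IntPtr = IntPtr.Zero
    Dim dupeTokenHandle As IntPtr = IntPtr.Zero
    Dim impersonatedUser As WindowsImpersonationContext = Nothing

    Try
        Dim domainName As String = Environment.MachineName
        Dim userName As String = "Test"

        Dim returnValue As Boolean = LogonUser(userName, domainName, _
            "Password01 !", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, _
            tokenHandle)
        ' Capture the Win32 error right after the call, before any other
        ' call gets a chance to overwrite it.
        Dim ret As Integer = Marshal.GetLastWin32Error()

        Console.WriteLine("LogonUser called.")

        If Not returnValue Then
            Console.WriteLine("LogonUser failed with error code : {0}", ret)
            Console.WriteLine(ControlChars.Cr & "Error: [{0}] {1}" & _
                ControlChars.Cr, ret, GetErrorMessage(ret))
            Return
        End If

        ' Reaching this point means LogonUser returned True.
        Console.WriteLine("Did LogonUser succeed? Yes")
        Console.WriteLine("Value of Windows NT token: " + tokenHandle.ToString())

        ' Check the identity.
        Console.WriteLine("Before impersonation: " + _
            WindowsIdentity.GetCurrent().Name)

        Dim retVal As Boolean = DuplicateToken(tokenHandle, _
            SecurityImpersonation, dupeTokenHandle)
        If Not retVal Then
            ' tokenHandle is released by the Finally block below.
            Console.WriteLine("Exception thrown in trying to duplicate token.")
            Return
        End If

        ' Wrap the duplicated token and switch the thread's identity to it.
        Dim newId As New WindowsIdentity(dupeTokenHandle)
        impersonatedUser = newId.Impersonate()

        ' Check the identity.
        System.Diagnostics.Debug.WriteLine("After impersonation: " + _
            WindowsIdentity.GetCurrent().Name)

        Test()

        ' Stop impersonating the user. Clearing the reference tells the
        ' Finally block that the revert has already been done.
        impersonatedUser.Undo()
        impersonatedUser = Nothing

        ' Check the identity.
        System.Diagnostics.Debug.WriteLine("After Undo: " + _
            WindowsIdentity.GetCurrent().Name)
    Catch ex As Exception
        Console.WriteLine("Exception occurred. " + ex.Message)
    Finally
        Try
            ' Still impersonating here only if something above threw.
            If Not impersonatedUser Is Nothing Then
                impersonatedUser.Undo()
            End If
        Finally
            ' Free the tokens.
            If Not tokenHandle.Equals(IntPtr.Zero) Then
                CloseHandle(tokenHandle)
            End If
            If Not dupeTokenHandle.Equals(IntPtr.Zero) Then
                CloseHandle(dupeTokenHandle)
            End If
        End Try
    End Try
End Sub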
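' Writes the value "Hello" = 1 under the Policies\Explorer\Test key of
' HKEY_CURRENT_USER. Throws if the key is missing or cannot be opened for
' writing; both callers catch Exception.
'
' NOTE(review): Registry.CurrentUser is presumably resolved once per process,
' so when this runs under impersonation it likely still targets the hive of
' the account that started the process, not the impersonated account's hive.
' Confirm this is the hive you intend to modify.
Private Sub Test()
    Dim subkey As RegistryKey = Registry.CurrentUser.OpenSubKey( _
        "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Test", True)

    ' OpenSubKey returns Nothing when the key does not exist; report that
    ' explicitly instead of failing with a NullReferenceException.
    If subkey Is Nothing Then
        Throw New InvalidOperationException("Registry key not found.")
    End If

    Try
        subkey.SetValue("Hello", 1)
    Finally
        ' Release the registry handle even if the write is denied.
        subkey.Close()
    End Try
End Sub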
' Click handler for Button1: tries the registry write as the current account,
' then repeats it through Impersonate().
Private Sub Button1_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) Handles Button1.Click
    ' First attempt. The author expects this call to fail because the
    ' current user account lacks permission on the key; the exception text
    ' is shown in a message box.
    Try
        Test()
    Catch writeFailure As Exception
        MsgBox(writeFailure.ToString())
    End Try

    ' Second attempt: impersonate another user to do the registry key write.
    Impersonate()
End Sub
Also, here is a detailed link about the issue that you may want to take a look at.
How to impersonate a user in .NET (VB.NET, C#)
http://msdn.microsoft.com/library/de...us/cpref/html/
frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic2.asp
Best regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! -
www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.