How to get Calling-Process Windows User Access Token
S

4

1

How can I get the Access Token for the user that created the process that called my application?

I need to use that token for impersonation; the idea is to access a file in that user's applicationData.

P.S. The application that will be impersonating the user is a service running under System.

Sequoia answered 14/9, 2011 at 15:22 Comment(2)
Hard to see how this could work, a service doesn't get called nor launched by a user application. A service doesn't have any trouble accessing appdata files, you just need to tell it where to look. - Ostend
I'm well aware of that, still you can use ExecuteCommand on Services and so I thought maybe I could use that (despite the long shot) to get the executing process. - Sequoia
B
3

Check MSDN, all this API is well documented. You probably want to do something like this:

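HANDLE thisToken, thisProcess;

// Open a handle to the current process (this process, not its caller).
thisProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
// Open the access token attached to that process.
OpenProcessToken( thisProcess, TOKEN_ALL_ACCESS, &thisToken );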

http://msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx

Though you probably want less access than that. This will get you the token for the current process.

Brook answered 15/9, 2011 at 14:35 Comment(3)
Thank you, that code is really useful, but still what I need is the user token of the process that invoked the current one. I'll see if I can dig something up with the code you gave me :) - Sequoia
Something else you could try is to use the process status api link to search for the current process. From there you can get its parent's process id and then pass that to OpenProcess(..). That will probably fail if you attempt to use PROCESS_ALL_ACCESS though; it's safer to use PROCESS_QUERY_INFORMATION instead. - Brook
Your code was extremely useful. In the end I still couldn't get the process that invoked the ExecuteCommand() on a Service, but the help was great. - Sequoia
T
1

We've been looking for a way to peek into a user's access token as well, for security reasons.

We recently had a situation where we needed to find out whether one of the employees may have had modify access to one of our files on a shared file-server. We initially tried looking at the ACL of the file, but with all the nested memberships in place, that approach quickly became impractical.

One of our devs then suggested trying to peek into the user's access token, and comparing it to the ACL on the file, as that's a fairly simple process and could yield accurate results immediately.

So we started looking for a way to peek into a user's access token. Initially we didn't find much. Came across a few sites that had devs discussing how to get a user's token, and a few that suggested using Microsoft's "whoami", but that too didn't help, as it could only be used to view one's own token.

Having almost given up, one day I just googled "Windows Access Token Viewer" and was surprised to come across a tool called Gold Finger for AD, that amongst a few other security analysis capabilities, had a capability called "Access Token Viewer".

Excited by the find, got my hands on an eval, and gave it a shot. It worked as claimed and let us see any user's access token, especially that of the employee we were interested in. I only wish it also offered the same ability in an API format, so our devs could use it for our in-house apps.

Nonetheless, it served our purpose. The technical details are over at - Windows Access Token Viewer.

Tracheid answered 3/7, 2012 at 0:8 Comment(0)
P
0

You can use WCF to communicate between the client and service. There are explanations and examples in "Delegation and Impersonation with WCF"

Plight answered 15/9, 2011 at 14:37 Comment(0)
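
The WCF approach named in the answer above, as an added example that is not part of the original answer or of any project on this page: the service takes the caller's authenticated Windows identity from the named-pipe channel instead of guessing a parent process, and opens the file while impersonating, so the file ACL is checked against the caller rather than against System. It assumes .NET Framework 4.x with a reference to System.ServiceModel; the type names, the pipe address and the temp file are hypothetical, and the host and client share one process only to keep the sample self-contained.

```csharp
// Added example; IUserFileService, UserFileService, Demo and the pipe address are hypothetical.
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IUserFileService
{
    [OperationContract]
    string ReadUserFile(string path);
}

public class UserFileService : IUserFileService
{
    // Required: WCF runs this method under the authenticated caller's token.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadUserFile(string path)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        // An Identification-level token names the caller but cannot be used to open files.
        if (caller.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
            throw new FaultException("Client must allow impersonation.");
        // The file ACL is checked against the caller, not the service account,
        // so a client cannot use the service to read what it could not read itself.
        return caller.Name + ": " + File.ReadAllText(path);
    }
}

public static class Demo
{
    public static void Main()
    {
        var address = new Uri("net.pipe://localhost/UserFileDemo");
        string file = Path.GetTempFileName();            // constructed sample input
        File.WriteAllText(file, "constructed sample content");
        using (var host = new ServiceHost(typeof(UserFileService), address))
        {
            // NetNamedPipeBinding authenticates the client with Windows credentials by default.
            host.AddServiceEndpoint(typeof(IUserFileService), new NetNamedPipeBinding(), "");
            host.Open();
            // Client side (normally the user's own process, not the service):
            var factory = new ChannelFactory<IUserFileService>(
                new NetNamedPipeBinding(), new EndpointAddress(address));
            // The default is Identification; the client has to opt in to impersonation.
            factory.Credentials.Windows.AllowedImpersonationLevel =
                TokenImpersonationLevel.Impersonation;
            Console.WriteLine(factory.CreateChannel().ReadUserFile(file));
            factory.Close();
        }
        File.Delete(file);
    }
}
```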
C
0

If your application is a service, then it's most likely being invoked via COM or DCOM.

Your server needs to do a CoGetCallContext to retrieve an IServerSecurity interface that lets it check the client's authentication and impersonate the client, if needed.

For more information, see http://www.drdobbs.com/examining-dcom-security/184416352

(Yes, I know this is an incredibly old question... but seriously, someone should have figured this out before now.)

Carrelli answered 27/9, 2018 at 13:2 Comment(0)
