Is it possible for a Windows service to impersonate a user without a password?
Is it possible for a C# Windows service running as Local System or Local Service to impersonate another user without needing a password for that user?

How would this be done?

Note: My motivation for this is to be able to run user specific WMI queries in a service. The WMI calls I'm making (to the OfflineFiles WMI API) are user sensitive, and they only work when I run my service as the user whose data I want to query. I don't want users to have to enter their usernames and passwords when installing the service, so I'd like to just run the service as Local System or something, and impersonate the user I care about.

Ludwigg answered 29/11, 2011 at 0:46 Comment(3)
I suspect you will have better luck if you explain what you want the service to do once it has impersonated a user. AFAIK, what you are asking for is not possible without stashing credentials (which means the user entering a password at some point). – Kimberli
@ChrisShain, I have updated the question as you suggested. – Ludwigg
Check out the answers to this question: #560219 – Kimberli

Assuming you only need to start impersonation whilst the relevant user is logged on, you could:

  1. Locate relevant user session using EnumProcesses (eg http://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx) [winapi]
  2. OpenProcessToken() on relevant user process [winapi]
  3. DuplicateToken() with impersonation privileges [winapi]
  4. Create a new WindowsIdentity() using the result of DuplicateToken
  5. Call .Impersonate on your new identity from step 4

Once the token has been duplicated, it doesn't matter if the user logs off - the impersonation in your service remains.

Apparently the undocumented ZwCreateToken winapi function can also achieve this, but I have never used it and it may break at any time in future.

Abaft answered 29/11, 2011 at 1:12 Comment(3)
for #1, can also use Process.GetProcesses() – Airborne
Indeed there is a kind of technique using S4U (service for user): blogs.msdn.microsoft.com/winsdk/2015/08/28/… msdn.microsoft.com/en-us/library/windows/desktop/… – Use
Which process should we use to ensure that it is a process spawned by the currently logged in user? – Peridot
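The five steps in the answer above as an added C# example; this is not code from the answer, from the asker, or from any project. It assumes the service runs as Local System, targets .NET Framework 4.6+ or .NET Core (for WindowsIdentity.RunImpersonated), and uses explorer.exe in a non-zero session as the "relevant user process" from step 1, which also addresses the last comment.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class LoggedOnUserImpersonation
{
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002;
    const int SecurityImpersonation = 2;   // enough for local WMI; no network delegation

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr hToken, int level, out IntPtr hDup);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);

    // Step 1: pick a process from an interactive session. Session 0 holds services,
    // so skip it; explorer.exe is used here because every desktop user has one (assumption).
    public static Process FindInteractiveUserProcess(string name = "explorer")
    {
        return Process.GetProcessesByName(name).FirstOrDefault(p => p.SessionId != 0);
    }

    // Steps 2-5: open the process token, duplicate it as an impersonation token,
    // wrap it in a WindowsIdentity and run 'work' (e.g. the WMI query) under it.
    public static void RunAsProcessOwner(Process process, Action work)
    {
        IntPtr primary, dup;
        if (!OpenProcessToken(process.Handle, TOKEN_QUERY | TOKEN_DUPLICATE, out primary))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            if (!DuplicateToken(primary, SecurityImpersonation, out dup))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally { CloseHandle(primary); }

        // SafeAccessTokenHandle owns the duplicate and closes it on dispose; the
        // impersonation is scoped to the delegate and reverted when it returns.
        using (var token = new SafeAccessTokenHandle(dup))
            WindowsIdentity.RunImpersonated(token, work);
    }
}
```

The WMI call has to be issued inside the `work` delegate, because impersonation is per thread and is reverted as soon as RunImpersonated returns.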

To the best of my knowledge, it can't be done for obvious security reasons. You have to have the password in order to call LogonUser, then WindowsIdentity.Impersonate.

The one exception: if you had an existing WindowsIdentity passed to the service through a remoting call, then you can impersonate that WindowsIdentity in the service, but not too many apps operate this way.

Scoundrel answered 29/11, 2011 at 1:4 Comment(1)
The security reasons are not obvious - if you are a service running on a Local System account there is really nothing you can't do. – Argentum
