Reputation: 84
.NET Impersonation not working
I am using https://github.com/mj1856/SimpleImpersonation to impersonate an administrator so I can make changes to windows services from an app that's run by a user who is not an administrator. This works on Windows 7 with no issue. On Windows 10 I have to right click on the app and click run as administrator for it to work. Otherwise I get an error code 5(Permission denied) when my app tries to modify the services. The impersonation appears to be working. UAC is turned off. I don't see what to try next.
Upvotes: 0
Views: 2612
Answers (3)
Reputation: 241450
SimpleImpersonation (of which I am the author) is a managed wrapper around the Windows LogonUser API. It doesn't have any magic of its own, other to help you consume that API in an easy way.
When you use this library, you pass a LogonType, which matches those referenced in the LogonUser docs. Each logon type has a different behavior, which is controlled by the operating system. For example, if you are using LogonType.Interactive, that is passing LOGON32_LOGON_INTERACTIVE into the LogonUser API to perform an interactive login.
Interactive login uses UAC for administrative actions. Disabling it is not recommended. Also not that LogonUser returns a restricted token during interactive sessions. You cannot work around that for an interactive login, but you can try one of the other logon types depending on what you are doing.
See also:
- How to call LogonUser() to get a non-restricted full token inside a Windows Service with UAC enabled?
- How can I get elevated permissions (UAC) via impersonation under a non-interactive login?
- How can my application work when UAC is enabled and fail when it is disabled?
- How to launch a process as a Full Administrator when UAC is enabled?
Upvotes: 1
Reputation: 84
The reason this wasn't working was I had UAC turned on. I had disabled it in windows and rebooted but apparently that's not enough. I had to create the registry key
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
And reboot to truly disable UAC.
As a note to other developers I was unable to impersonate with c# but I was also not able to impersonate with powershell and psexec which sort of led me to the solution PSEXEC, access denied errors.
Upvotes: 0
Reputation: 9639
You have not posted any of your code, so I am going to make an educated guess here, and suggest you try LogonType.NewCredentials. This will make the LogonUser call cache the credentials so they will be used later for the impersonation.
Upvotes: 0
Related Questions
- Impersonation works with local shared file, but does not work with remote one
- Set up impersonation with ASP.NET
- Windows Impersonation from C#
- Impersonation for Local Machine Succeeding when it should fail
- Why might this user impersonation code fail to grant me permission?
- Windows impersonation LogonUser error
- impersonation problem
- Impersonation Error
- c# impersonation problem
- C# Winform Impersonation fail to work