Reputation: 3829
How can I get the Access Token for the user that created the process that called my application?
I need to use that token for impersonation; the idea is to access a file in that user's ApplicationData.
P.S. The application that will be impersonating the user is a service running under System.
Upvotes: 1
Views: 5594
Reputation: 649
If your application is a service, then it's most likely being invoked via COM or DCOM.
Your server needs to do a CoGetCallContext to retrieve an IServerSecurity interface that lets it check the client's authentication and impersonate the client, if needed.
For more information, see http://www.drdobbs.com/examining-dcom-security/184416352
(Yes, I know this is an incredibly old question... but seriously, someone should have figured this out before now.)
Upvotes: 0
Reputation: 21
We've been looking for a way to peek into a user's access token as well, for security reasons.
We recently had a situation where we needed to find out whether one of the employees may have had modify access to one of our files on a shared file server. We initially tried looking at the ACL of the file, but with all the nested memberships in place, that approach quickly became impractical.
One of our devs then suggested trying to peek into the user's access token, and comparing it to the ACL on the file, as that's a fairly simple process and could yield accurate results immediately.
So we started looking for a way to peek into a user's access token. Initially we didn't find much. We came across a few sites that had devs discussing how to get a user's token, and a few that suggested using Microsoft's "whoami", but that didn't help either, as it could only be used to view one's own token.
Having almost given up, one day I just googled "Windows Access Token Viewer" and was surprised to come across a tool called Gold Finger for AD that, amongst a few other security analysis capabilities, had a capability called "Access Token Viewer".
Excited by the find, I got my hands on an eval and gave it a shot. It worked as claimed and let us see any user's access token, in particular that of the employee we were interested in. I only wish it also offered the same ability in an API format, so our devs could use it for our in-house apps.
Nonetheless, it served our purpose. The technical details are over at - Windows Access Token Viewer.
Upvotes: 1
Reputation: 10684
You can use WCF to communicate between the client and the service. There are explanations and examples in "Delegation and Impersonation with WCF".
Upvotes: 0
Reputation: 1244
Check MSDN; all of this API is well documented. You probably want to do something like this:
```c
#include <windows.h>

HANDLE thisToken = NULL, thisProcess;
thisProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
OpenProcessToken( thisProcess, TOKEN_ALL_ACCESS, &thisToken );  /* check the BOOL return before using thisToken */
```
http://msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx
Though you probably want less access than that. This will get you the token for the current process, not for the calling user's process.
Upvotes: 3
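An added example, not code from any of the answers above, of the step the question actually asks for: given the calling process's id, open that process's token with only the rights the calls need, resolve that user's local AppData from the token instead of from the SYSTEM profile, and read a file under it while impersonating, in C# with P/Invoke (the same Win32 sequence applies from C). It assumes the service runs as SYSTEM, already knows the caller's PID from a channel it trusts, and that the user's profile is loaded; the class and method names are mine.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class CallerImpersonation
{
    // Access masks from winnt.h: request only what each call needs, not *_ALL_ACCESS.
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_IMPERSONATE = 0x0004;
    static readonly Guid FOLDERID_LocalAppData = new Guid("F1B32785-6FBA-4FCF-9D55-7B8E7F157091");

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("shell32.dll")]
    static extern int SHGetKnownFolderPath([MarshalAs(UnmanagedType.LPStruct)] Guid folderId,
                                           uint flags, IntPtr token, out IntPtr path);

    // Reads <caller's LocalAppData>\relativePath as the caller. callerPid is assumed to
    // arrive over a channel the service already trusts (a bare PID proves nothing about
    // who sent it), and relativePath is a name the service chose, not caller input.
    public static string ReadFromCallerAppData(uint callerPid, string relativePath)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, callerPid);
        if (process == IntPtr.Zero) throw new Win32Exception();
        IntPtr token = IntPtr.Zero;
        try
        {
            if (!OpenProcessToken(process, TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE, out token))
                throw new Win32Exception();
            // The shell resolves the folder for the token's user (its profile must be loaded).
            Marshal.ThrowExceptionForHR(SHGetKnownFolderPath(FOLDERID_LocalAppData, 0, token, out IntPtr pathPtr));
            string fullPath = Path.Combine(Marshal.PtrToStringUni(pathPtr), relativePath);
            Marshal.FreeCoTaskMem(pathPtr);
            // WindowsIdentity duplicates the handle; RunImpersonated reverts to SYSTEM when the
            // delegate returns or throws, so the service cannot get stuck impersonating.
            using (var caller = new WindowsIdentity(token))
                return WindowsIdentity.RunImpersonated(caller.AccessToken, () => File.ReadAllText(fullPath));
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(process);
        }
    }
}
```

If the caller reaches the service over a named pipe, RPC or COM instead of by handing over a PID, the corresponding ImpersonateNamedPipeClient / RpcImpersonateClient / CoImpersonateClient call gives an authenticated identity without opening the client process at all.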