WlanGetProfile(), keyMaterial, CryptUnprotectData() and error NTE_BAD_KEY_STATE
- I am getting NTE_BAD_KEY_STATE reported when I call CryptUnprotectData() to unprotect the keyMaterial section of the XML returned by WlanGetProfile. How can I program around this, please?
If I run my program as SYSTEM using psexec -i -s <program> (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) then it works, so I guess it must be possible to do something in my code. Looking at http://msdn.microsoft.com/en-us/library/ms706738(VS.85).aspx it says:
By default, the keyMaterial element returned in the profile pointed to by the pstrProfileXml is encrypted. If your process runs in the context of the LocalSystem account on the same computer, then you can unencrypt key material by calling the CryptUnprotectData function.
but it fails to tell me how to set my context to the LocalSystem account.
All replies
- Hello,
Thanks for your post.
>but it fails to tell me how to set my context to the LocalSystem account.
The LocalSystem account is a predefined local account used by the service control manager and system. If you want to run the application with that user account, we can try to start up the application with a Windows service.
http://www.codeproject.com/KB/vista-security/VistaSessions.aspx
Thanks,
Rong-Chun Zhang
MSDN Subscriber Support in Forum
If you have any feedback on our support, please contact msdnmg@microsoft.com
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
- Thank you for your reply, but I would prefer to set my context to the LocalSystem account on-the-fly, rather than at startup. Is there a way I can do this? What privilege would I need? Failing that, can CryptUnprotectData() be called from kernel mode and will that get round needing to run as the LocalSystem account?
- Hello,
Thanks for your input.
>I would prefer to set my context to the LocalSystem account on-the-fly, rather than at startup. Is there a way I can do this?
By default, local system, local service, and network service are allowed to impersonate callers. To get to be running as any of these user accounts, you've got to have a service installed by an admin.
http://blogs.msdn.com/david_leblanc/archive/2007/03/25/impersonation-isn-t-dangerous.aspx
Thanks,
Rong-Chun Zhang
Marked as answer by Rong-Chun Zhang (MSFT, Moderator), Monday, November 23, 2009 12:04
- Thank you for your reply, but I would prefer not to need to run my program as LocalSystem, but rather to set my context to LocalSystem just when I call CryptUnprotectData().
I am wondering if it would be possible/sensible to do OpenProcessToken() for, say, the winlogon.exe process and then use that token in a call to ImpersonateLoggedOnUser(), or is there a better way to do this?
My other idea is to call CryptUnprotectData() from my kernel mode device driver. Is this possible/sensible?
- Hello,
>My other idea is to call CryptUnprotectData() from my kernel mode device driver. Is this possible/sensible?
You can post device driver related questions on the microsoft.public.development.device.drivers newsgroup for a better response.
http://www.microsoft.com/communities/newsgroups/en-us/?dg=microsoft.public.development.device.drivers
Thanks,
Rong-Chun Zhang

