Running processes as another (elevated) user

    Question

  • Hi,

    I'm trying to create a program that will allow a user to log in and then run commands using that user's credentials.  I can get it to work using the credentials of the user currently logged into the PC (i.e., just start the program and then execute commands), but I am having trouble logging in another user and then executing commands using those credentials.  The reason for logging another user on is so elevated permissions can be used so support staff can perform tasks without the need to log a user off and then log on as an admin.  Effectively I'm trying to emulate the runas function in XP.

    I've done some searching and tried out the CreateProcessAsUser and CreateProcessWithLogonW functions but I get different problems with both of them.  I've also found suggestions on using the OpenThreadToken, DuplicateTokenEx then using the CreateProcessAsUser, but that still has the same problem - the user calling the CreateProcessAsUser (the currently logged on user) needs additional permissions to create the process as the elevated user (error 1314).

    For reference I've got the LogonUser function working OK and can recognise the token of the elevated user, I just can't work out how to then execute commands as that user!

    What I'm looking for is some advice on which direction I should be taking to get this working.  Am I looking at the right functions, or is there something that I'm completely missing?  Once I'm going in the right direction I should be able to work it out from there.

    I'm using Visual Basic 2008 Express.

    Any advice would be appreciated.
    Damian
    Wednesday, November 19, 2008 1:46 AM

Answers

  • Try using the System.Diagnostics.Process.Start that takes a ProcessStartInfo.

    In the ProcessStartInfo set:

    Domain = your Active Directory domain, if applicable
    UserName = the user name to run as
    Password = the user password
    LoadUserProfile = true
    UseShellExecute = false


    Wednesday, November 19, 2008 2:37 AM
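The settings listed in the answer above, put together as an added Visual Basic example (not code from the thread). The account `CONTOSO\supportadmin` and the `cmd.exe /c ver` command are placeholders, and `ReadPassword` and `RunAsUser` are hypothetical helper names; the password goes straight into a `SecureString` and a failed start is reported by its Win32 error code.

```vb
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security

Module RunAsExample
    ' Read the password key by key without echo, so it never exists as a String.
    Function ReadPassword() As SecureString
        Dim pwd As New SecureString()
        Dim key As ConsoleKeyInfo = Console.ReadKey(True)
        While key.Key <> ConsoleKey.Enter
            pwd.AppendChar(key.KeyChar)
            key = Console.ReadKey(True)
        End While
        pwd.MakeReadOnly()
        Return pwd
    End Function

    ' Start exePath under the given account; returns its exit code, or -1 if it could not start.
    Function RunAsUser(ByVal domain As String, ByVal user As String, _
            ByVal pwd As SecureString, ByVal exePath As String, ByVal args As String) As Integer
        Dim psi As New ProcessStartInfo(exePath, args)
        psi.Domain = domain
        psi.UserName = user
        psi.Password = pwd
        psi.LoadUserProfile = True
        psi.UseShellExecute = False   ' required when UserName/Password are set
        ' Set the working directory explicitly to one the target account can read;
        ' the caller's current directory may not be accessible to it.
        psi.WorkingDirectory = Environment.GetFolderPath(Environment.SpecialFolder.System)
        Try
            Using p As Process = Process.Start(psi)
                p.WaitForExit()
                Return p.ExitCode
            End Using
        Catch ex As Win32Exception
            ' NativeErrorCode is the Win32 code (the thread mentions 1314 and 'Access denied').
            Console.Error.WriteLine("Start failed, Win32 error {0}: {1}", _
                                    ex.NativeErrorCode, ex.Message)
            Return -1
        End Try
    End Function

    Sub Main()
        Console.Write("Password for CONTOSO\supportadmin: ")   ' placeholder account
        Using pwd As SecureString = ReadPassword()
            Console.WriteLine("Exit code: {0}", _
                RunAsUser("CONTOSO", "supportadmin", pwd, "cmd.exe", "/c ver"))
        End Using
    End Sub
End Module
```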

All replies

  • That's looking better!  Thanks for the pointer.

    I've got the System.Diagnostics.Process.Start set up to run the commands now which is working great (and much simpler).  It's working great if I pass the credentials while the program is running normally (i.e., run as the user logged onto the PC), however, as soon as I use the LogonUser function (from my login form) to log the user on first (used to authenticate the user to AD and to get the credentials once) I get an 'Access denied' when I try to start the process.  Any suggestions?

    Also is it possible to use the token (or similar) of the logged in user so I don't have to keep passing around the user credentials?  Not too big a deal if it's not as I've got the password stored in a secure string, I just thought it might be cleaner.

    Thanks

    Wednesday, November 19, 2008 5:50 AM