Why is impersonation not working?

  • General discussion

  • Folks,

    My .NET application is an NT service running under LocalSystem account. From this application, I need to spawn a process running under a specific user account.

    Class ProcessStartInfo takes parameters for username and password. However, it appears you cannot create a process with specific credentials when you use "LocalSystem" account. I get an "Access Denied" message.

    As a workaround, I spawn a thread to run the process. Within this thread, I impersonate the user using LogonUser and other APIs.

    LogonUser(userName, domain, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, ref token);

    DuplicateToken(token, 2, ref tokenDuplicate);

    WindowsIdentity tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);

    WindowsImpersonationContext impersonationContext = tempWindowsIdentity.Impersonate();

    // now spawn the process



    However, I still get an "Access Denied" error although the username/password is valid. The user is a local system administrator.

    I would appreciate it if anyone has any insight on why I could be getting this error.

    Thank you in advance for your help.

    Regards,
    Peter





     

    • Changed type Zhi-Xin Ye Monday, September 15, 2008 7:30 AM change to comment since no response for more than 3 days
    Tuesday, September 9, 2008 12:21 AM

All replies

  • According to this thread: http://bytes.com/forum/thread551235.html, System.Diagnostics.Process.Start calls CreateProcessWithLogonW and looking at the documentation on MSDN (http://msdn.microsoft.com/en-us/library/ms682431.aspx):

    "Windows XP SP2 and Windows Server 2003:  You cannot call CreateProcessWithLogonW from a process that is running under the LocalSystem account, because the function uses the logon SID in the caller token, and the token for the LocalSystem account does not contain this SID. As an alternative, use the CreateProcessAsUser and LogonUser functions."


    Sorry that doesn't actually help but at least it may explain the problem!
    LJ
    Wednesday, September 10, 2008 11:20 PM
  • Peter Taps said:

    I get an "Access Denied" message.


     


    To be clear: do you get an exception in your program trying to start the process or does the process you started get this error?  If the latter, what does this process do that fails with this error?

    Hans Passant.
    Thursday, September 11, 2008 9:25 AM
    Moderator