none
Either a required impersonation level was not provided, or the provided impersonation level is invalid RRS feed

  • Question

  • I have a .NET 3.5 Client Profile app, which uses impersonation. The app is run on Win XP and 7. The regular users of the app are not Administrators of their machines. The app runs fine on the XP PCs. However, on Windows 7, when I try to call e.g. System.IO.File.Copy() while impersonating an Admin account, I get an exception with the error, Either a required impersonation level was not provided, or the provided impersonation level is invalid.

    I have tried switching Framework versions and trying different accounts to impersonate, but I still have this problem. (If the Win 7 user is in the Admin group, then the Exception does not occur.) Any suggestions here are appreciated.

    Friday, December 30, 2011 6:15 PM

Answers

  • I found a fix - this page (Solution 1) has some Local Security Policy changes which I made for the affected user, which gets me around the problem. I think I'll go with that.

    • Marked as answer by cgtyoder Thursday, January 5, 2012 1:57 PM
    Wednesday, January 4, 2012 6:44 PM

All replies

  • Impersonation requires the "Act as part of the operating system" privilege. It's possible that this privilege is not assigned to non-admins on Windows 7, so they fail to impersonate correctly.

    However the issue so unds like UAC behavior. If this is a client app being run by a limited user you can't impersonate to an elevated level (like administrator) because elevation requires a prompt to the user, and you can ony prompt the user at process startup. So people detour this with CreateProcessAsUser using an elevated token firing off a new process that will prompt for elevation.

     


    Phil Wilson
    Friday, December 30, 2011 7:12 PM
  • However the issue sounds like UAC behavior.
    UAC is actually turned off on these Windows 7 PCs, so that should not be an issue.

    • Edited by cgtyoder Friday, December 30, 2011 7:18 PM
    Friday, December 30, 2011 7:18 PM
  • Hi cgtyoder,

    Does this issue happen to all files or only some special file/folders?


    Min Zhu [MSFT]
    MSDN Community Support | Feedback to us
    Monday, January 2, 2012 9:21 AM
    Moderator
  • give permission to the directory as read write and delete. For any specific user give rights to the user. it will work.
    Monday, January 2, 2012 1:00 PM
  • Does this issue happen to all files or only some special file/folders?


    It does happen to "all files," AFAICT. What "special file/folders" do you have in mind? (I noticed someone else is having the same problems as I, at http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/7c04747b-104d-412e-9ee4-8a85b0eb7851)

    Monday, January 2, 2012 2:35 PM
  • Hi Cgtyoder,

    From your descprtion, I think the problem is because the file copy action you want to perform requires administrator privilege.

    If you impersonate an admin account from an unelevated process, the impersonation token will be restricted and will not gain you administrator privilege.

    If you want to perform some admin tasks, try to create a new elevated process first. You can check out this article for more information about how to create an elevated process.

    Best regards,


    Min Zhu [MSFT]
    MSDN Community Support | Feedback to us
    Tuesday, January 3, 2012 5:18 AM
    Moderator
  • From your description, I think the problem is because the file copy action you want to perform requires administrator privilege.

    If you impersonate an admin account from an unelevated process, the impersonation token will be restricted and will not gain you administrator privilege.

    If you want to perform some admin tasks, try to create a new elevated process first. You can check out this article for more information about how to create an elevated process

    So are you saying that this is "new functionality" in Windows 7, that I have to create a whole new process?
    Tuesday, January 3, 2012 2:26 PM
  • Hi Cgtyoder,

    A process can only be elevated at the time it is created. As far as I know there is no way to elevate an existing process so the only way to get administrator privilege is to create a new process.

    Best regards,


    Min Zhu [MSFT]
    MSDN Community Support | Feedback to us
    Wednesday, January 4, 2012 5:54 AM
    Moderator
  • A process can only be elevated at the time it is created. As far as I know there is no way to elevate an existing process so the only way to get administrator privilege is to create a new process.

    As I originally stated, this whole situation works perfectly in Windows XP. It is in W7 that Impersonation appears "broken." So are you making your comment above specifically in relation to W7, or are you making the comment generally?
    Wednesday, January 4, 2012 1:02 PM
  • I found a fix - this page (Solution 1) has some Local Security Policy changes which I made for the affected user, which gets me around the problem. I think I'll go with that.

    • Marked as answer by cgtyoder Thursday, January 5, 2012 1:57 PM
    Wednesday, January 4, 2012 6:44 PM
  • Hi cgtyoder,

    Glad to hear you find a solution.

    I am not familiar with these settings but I think this solution elevate your application at the beginning, which gives it admin privilege and solve the problem.

    Best regards,


    Min Zhu [MSFT]
    MSDN Community Support | Feedback to us
    Thursday, January 5, 2012 6:54 AM
    Moderator