views:

457

answers:

2

I have a process which is running within the security context of the local system account. From C#, how can I start (using System.Diagnostics.Process.Start) a process that will run within the security context of the currently logged-on user, not the system account?

A: 

I believe you will need to determine/evaluate which session is logged on locally - see WTSEnumerateSessions/WTSQuerySessionInformation/WTSQueryUserToken and I think you are limited to the Win32 API, I don't think theres a managed code wrapper.

Cade Roux
A: 

You will need to get the token of the currently logged on user and call CreateProcessAsUser. Remember with Fast-User-Switching (FUS) that more than one user may be logged in to the machine, so you have to choose which user you want to start your process as.

To enumerate user sessions, you can use the WTSEnumerateSessions API. Use this to find the current session identifiers. Then call WTSQueryUserToken to obtain the token for the currently logged on user. Using this token, you can use CreateProcessAsUser.

Unfortunately, you will need to use P/Invoke for all of these method calls. If you have the username and password, then you can simply use the System.Diagnostics.Process.Start() overload.

Chris Clark
Thanks Chris. I have coded it and it fails; Marshal.GetLastWin32Error() reports the error code as 3 (I believe this means insufficient privileges). Any idea what might be causing the failure (long shot question).
DEH