Trying to start a process with another access token, without success: it runs as the non-impersonated user.

using (WindowsIdentity identity = new WindowsIdentity(token))
using (identity.Impersonate())
{
    Process.Start("blabla.txt");
}

How to make this work properly?

A: 

Try this example from http://msdn.microsoft.com/en-us/library/w070t6ka.aspx

private static void ImpersonateIdentity(IntPtr logonToken)
{
    // Retrieve the Windows identity using the specified token.
    WindowsIdentity windowsIdentity = new WindowsIdentity(logonToken);

    // Create a WindowsImpersonationContext object by impersonating the
    // Windows identity.
    WindowsImpersonationContext impersonationContext =
        windowsIdentity.Impersonate();
    try
    {
        Console.WriteLine("Name of the identity after impersonation: "
            + WindowsIdentity.GetCurrent().Name + ".");

        // Start your process here.
        Process.Start("blabla.txt");

        Console.WriteLine(windowsIdentity.ImpersonationLevel);
    }
    finally
    {
        // Stop impersonating the user, even if Process.Start throws.
        impersonationContext.Undo();
    }

    // Check the identity name.
    Console.Write("Name of the identity after performing an Undo on the");
    Console.WriteLine(" impersonation: " +
        WindowsIdentity.GetCurrent().Name);
}

You can also use the CreateProcessAsUser Windows function.

http://www.pinvoke.net/default.aspx/advapi32/createprocessasuser.html

Keivan
Thanks, but this code has exactly the same result.
DxCK
Added another solution.
Keivan
`CreateProcessAsUser` can't start non-exe files like blabla.txt, so this option is not good for me.
DxCK
+1  A: 

You need to set the ProcessStartInfo.UserName and Password properties, with UseShellExecute set to false. If you only have a token, then pinvoke CreateProcessAsUser().

Hans Passant
When setting UseShellExecute to false, I can't start non-exe files like blabla.txt, so this option is not good for me.
DxCK
Well, getting the path to the .exe that is associated with the filename extension is an entirely different question. Well covered by other SO threads, no need to repeat it here. ShellExecuteEx() just doesn't support creating a process with a different (restricted) user token. That option is not good for you.
Hans Passant
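
The combination the last comment points to, as an added example that is not code from either answer: resolve the executable associated with the file's extension, then hand it to CreateProcessAsUser together with the token, since thread impersonation is not applied to the process that gets created. `TokenLauncher` and `StartDocument` are hypothetical names; the sketch assumes `primaryToken` is a primary token and that the caller holds the privileges CreateProcessAsUser requires.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

static class TokenLauncher   // hypothetical helper, not part of the .NET Framework
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("shlwapi.dll", CharSet = CharSet.Unicode)]
    static extern int AssocQueryString(int flags, int str, string pszAssoc, string pszExtra,
        StringBuilder pszOut, ref uint pcchOut);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, StringBuilder lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Assumption: primaryToken is a primary token (e.g. from LogonUser or DuplicateTokenEx).
    public static int StartDocument(IntPtr primaryToken, string documentPath)
    {
        uint len = 1024;
        var exe = new StringBuilder((int)len);
        // Resolved in the caller's registry view; the target user's per-user association may differ.
        Marshal.ThrowExceptionForHR(AssocQueryString(0, 2 /* ASSOCSTR_EXECUTABLE */,
            Path.GetExtension(documentPath), null, exe, ref len));

        // Explicit application name plus quoted arguments avoids unquoted-path ambiguity.
        var cmd = new StringBuilder("\"" + exe + "\" \"" + Path.GetFullPath(documentPath) + "\"");
        var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)) };
        PROCESS_INFORMATION pi;
        if (!CreateProcessAsUser(primaryToken, exe.ToString(), cmd, IntPtr.Zero, IntPtr.Zero,
                false, 0, IntPtr.Zero, null, ref si, out pi))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        CloseHandle(pi.hThread);   // release the handles; the child keeps running
        CloseHandle(pi.hProcess);
        return pi.dwProcessId;
    }
}
```

To confirm which account the child actually runs under, check the owner of the returned process ID in Task Manager or Process Explorer.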