
I need to impersonate the LogOn user account of a particular windows service.

I have been able to get the username using WMI (sadly the LogOn user identity doesn't seem to be exposed using any of the regular Windows service related .NET classes). But, armed with only the username (which could be either a local or domain account), how do I get the token for that Windows identity?

The LogonUser WinAPI call which can provide the token expects the password as an argument, which obviously is not available. User input is not an option.

Any insight will be appreciated.

Manas
    Do you want to impersonate the user under whose account the service is running? If so you can use CreateRemoteThread – parapura rajkumar Mar 23 '13 at 00:43
  • Let me get this straight, you want to impersonate the user that the service is running as? Or a completely different user? – Steven V Mar 23 '13 at 00:43
  • @parapurarajkumar Thanks. Will explore. It just occurred to me that perhaps I could also use OpenProcessToken. – Manas Mar 23 '13 at 00:46
  • @StevenVondruska I want to impersonate the user account that the Windows service is running under. – Manas Mar 23 '13 at 00:51

2 Answers


Ended up doing the following:

  1. Check if the service is running. If not, start the service.
  2. Get the PID from the service name using WMI.
  3. Get the process handle from the PID using the .NET Process class.
  4. Get the process token using OpenProcessHandle.
  5. Duplicate the token using DuplicateToken, to verify sufficient privilege.
  6. Create a new WindowsIdentity using the token obtained in step 4.
  7. Impersonate this new WindowsIdentity, do the operation under impersonation, then undo the impersonation, using WindowsImpersonationContext.

Hope this is useful to anyone else who needs to impersonate the user account that a service is running under.

Manas
  • The code I am afraid is proprietary. I may however be able to give pointers depending on which step you need clarification on... – Manas May 12 '14 at 21:37
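The steps listed in this answer, written out as an added C# example (not the answerer's proprietary code). It assumes .NET Framework with a reference to System.Management, and a caller that is already elevated and holds SeDebugPrivilege; step 1 (starting a stopped service) is left out and reported as an error instead.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Security.Principal;
// Added example, not the answerer's code. Assumes .NET Framework (for
// WindowsImpersonationContext) and an elevated caller holding SeDebugPrivilege;
// without that, OpenProcessToken on a service process fails with Access Denied.
static class ServiceImpersonation
{
    const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002;
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateToken(IntPtr hToken, int level, out IntPtr hDup);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Step 2: service name -> PID via WMI (ProcessId is 0 while the service is stopped).
    static int GetServicePid(string serviceName)
    {
        string escaped = serviceName.Replace("\\", "\\\\").Replace("'", "\\'");
        using (var s = new ManagementObjectSearcher("SELECT ProcessId FROM Win32_Service WHERE Name = '" + escaped + "'"))
            foreach (ManagementObject svc in s.Get()) return Convert.ToInt32(svc["ProcessId"]);
        throw new InvalidOperationException("No service named " + serviceName);
    }

    // Steps 3-7: open the service process, take its primary token, duplicate it as an
    // impersonation token, run `action` as that account, then undo the impersonation.
    public static void RunAsServiceAccount(string serviceName, Action action)
    {
        int pid = GetServicePid(serviceName);
        if (pid == 0) throw new InvalidOperationException(serviceName + " is not running");
        IntPtr hToken = IntPtr.Zero, hDup = IntPtr.Zero;
        try
        {
            using (Process proc = Process.GetProcessById(pid))
                if (!OpenProcessToken(proc.Handle, TOKEN_QUERY | TOKEN_DUPLICATE, out hToken))
                    throw new Win32Exception();                     // carries GetLastError
            // 2 == SecurityImpersonation in SECURITY_IMPERSONATION_LEVEL
            if (!DuplicateToken(hToken, 2, out hDup)) throw new Win32Exception();
            using (var identity = new WindowsIdentity(hDup))           // copies the handle
            using (WindowsImpersonationContext ctx = identity.Impersonate())
                action();                                  // ctx.Dispose() reverts even on exception
        }
        finally
        {
            if (hDup != IntPtr.Zero) CloseHandle(hDup);
            if (hToken != IntPtr.Zero) CloseHandle(hToken);
        }
    }
}
```

Call `ServiceImpersonation.RunAsServiceAccount("Spooler", () => { /* work */ })` from an elevated process; on .NET Core/.NET 5+ the impersonation step would instead use `WindowsIdentity.RunImpersonated`.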

While this is completely undocumented by Microsoft, because they want to pretend that service logon doesn't require a plaintext password at logon time, it in fact does, and services.exe calls LogonUser with the correct password.

The password is shoved somewhere deep in the registry in a place that only SYSTEM has access to and encrypted to boot, but the SYSTEM account can obtain the machine key and decrypt the password.

(defunct source) http://www.computersecurityarticles.info/security/decrypting-lsa-secrets/

(new source) https://gist.github.com/jborean93/58bba8236fac313e3d4b3970b8213cb6

Please note that because this is undocumented, you should not use it.

Joshua