C# - Running a new process as a user with blank password

Question

I have a child process I spawn from my main application that needs to be run as another local user on a Windows 7 machine. I would prefer to not set a password on that user account, but it seems that creating a new process with impersonation does not allow for blank passwords or any type of null values. Anyone know if this is possible?

below was my attempt with passing a blank char:

ProcessStartInfo info = new ProcessStartInfo(@"C:\PathToExecutable");
System.Security.SecureString psswd = new System.Security.SecureString();
psswd.AppendChar('\0');
psswd.MakeReadOnly();

info.UseShellExecute = false;
info.UserName = "NewProcessName";
info.Password = psswd;
info.Domain = "LocalMachine";

Process newProc = new Process();
newProc.StartInfo = info;

newProc.Start();

edit: The error message I recieve

Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced

score 2 · Answer 1 · answered Aug 16 '20 at 00:53

For to do this you have to disable a security policy

Go to Control Panel → Administrative Tools → Local Security Policy.
Browse the Security Settings → Local Policies → Security Options... Look for "Accounts: Limit local account use of blank password to console logon only".
Select Disabled and APPLY

there is other solution here: https://sites.google.com/site/sqlestream/windows-issue/10-cannot-access-the-shared-folder-due-to-blank-password-not-allowed

ProcessStartInfo procStartInfo = new ProcessStartInfo("File Name", "Argument(Optional)")
{
      UserName = "UserName",
      RedirectStandardError = true,
      RedirectStandardOutput = true,
      UseShellExecute = false,
      CreateNoWindow = true
};
using (Process proc = new Process())
{
       proc.StartInfo = procStartInfo;
       proc.Start();
}

and then you will be able to execute a process without declaring an user password

James King · Answer 2 · 2010-08-30T22:31:10.573

1

What are you using to impersonate? LogonUser() should allow a blank password.

I don't think calling psswd.AppendChar('\0') is the right way to specify a blank password. Try removing the SecureString from your code to see if you can at least make the impersonation work. Then add the SecureString back in to see if your problem lies there.

* Edit *

Try this:

unsafe {
    char* ary = stackalloc char[0];
    SecureString str = new SecureString(ary, 0);
}

set info.Password to your new SecureString... not sure if you'll have to do that within the unsafe context or not.

edited Aug 30 '10 at 22:31

answered Aug 30 '10 at 21:34

James King

6,233
5
42
63

If I either choose to not specify any password (omitting `StartInfo.Password`) I receive the same message. If I go into control panel and modify the User Account and add a password (used the character 'A' for testing), I can pass 'A' as a password through the SecureString and that works fine. Just didn't want to have to set a password... – kmfk Aug 30 '10 at 21:47
Have you tried calling the overloaded Start() that takes a username, pw, and domain, and passing a blank password there? I'd expect the same result, but leaving no stone unturned... – James King Aug 30 '10 at 22:02
The issue is that StartInfo.Password is a `System.Security.SecureString`, so even the overloaded `Start()` requires `System.Security.SecureString` and not just a string, which can not be blank. Im pretty close to just setting the dummy password and moving on, the account doesn't need to be protected, its sole purpose is for this impersonation, so a '123' password is fine. Im just surprised that you can have a User Account with no password, but can not send a blank password here. – kmfk Aug 30 '10 at 22:20
I gave your last edit a shot and got the same error. For the time being, Im gonna assume that you NEED to have a password specified. – kmfk Aug 30 '10 at 23:18
That stinks : ( Sorry I couldn't come up with an answer! – James King Aug 31 '10 at 14:41

score 0 · Answer 3 · edited May 23 '17 at 10:27

0

As this question points out, set LoadUserProfile to true in StartInfo. Try that out, it might help.

edited May 23 '17 at 10:27

Community

1
1

answered Aug 30 '10 at 21:35

Yeah, looked through the other post - the executable I am running is also my own - does not rely on User Profiles. Thanks though. – kmfk Aug 30 '10 at 21:46

score -1 · Accepted Answer · answered Oct 16 '12 at 18:02

-1

This is apparently a known issue that LogonUser() fails with a blank password. I set a generic password for required user accounts in my use case.

answered Oct 16 '12 at 18:02

kmfk

3,821
2
22
32

1

Most likely, this is due to the default security restriction on blank password usage: [Accounts: Limit local account use of blank passwords to console logon only](https://technet.microsoft.com/en-us/library/jj852174.aspx). If you check the error code, it should mean something like "logon denied due to security policy". – ivan_pozdeev Jan 26 '16 at 14:28

C# - Running a new process as a user with blank password

4 Answers4