I am having some problems with some long-standing classes that perform thread-level impersonation and process spawning. The problem is that I am pushing these utility classes further than anyone has tried to push them before.
The first does thread-level impersonation using OpenThreadToken and DuplicateToken along with ImpersonateLoggedOnUser.
The second attempts to create a process using CreateProcessAsUser with a token obtained using OpenThreadToken / DuplicateToken.
The problem I am facing is that I have:
Thread 1 running in IIS with the correct user
Thread 2 that is created by Thread 1 - which is impersonated
Thread 3 that is created by Thread 2 - which is impersonated
Process 1 that is spawned by Thread 3 - which I attempt to impersonate
Spawning process 1 fails with error code 5 from OpenThreadToken. If I start process 1 from Thread 1, OpenThreadToken does not give me any right. I ask for TOKEN_ALL_ACCESS from OpenThreadToken and DuplicateToken, and it won't work until I actually do it from Thread 3. Does anyone have any idea what permissions I really need here?
Here is the code for spawning a process:
(Impersonating a thread is simply a matter of handling the thread token and calling ImpersonateLoggedOnUser ...)
// Grab the impersonation token of the calling thread. This fails with
// ERROR_NO_TOKEN when the thread is not impersonating at all.
HANDLE hThreadUserToken = NULL;
if (!::OpenThreadToken(::GetCurrentThread(),
                       TOKEN_ALL_ACCESS,
                       FALSE,
                       &hThreadUserToken))
{
    m_dwCreateError = ::GetLastError();
    return false;
}

// CreateProcessAsUser needs a primary token, so duplicate the
// impersonation token into one.
HANDLE hNewProcessUserToken = NULL;
if (!::DuplicateTokenEx(hThreadUserToken,
                        TOKEN_ALL_ACCESS,
                        NULL,
                        SecurityDelegation,
                        TokenPrimary,
                        &hNewProcessUserToken))
{
    m_dwCreateError = ::GetLastError();
    ::CloseHandle(hThreadUserToken);
    return false;
}

bReturnValue = ::CreateProcessAsUserA(hNewProcessUserToken,
                                      AppName,
                                      cmdLine,
                                      NULL,            // process security attributes
                                      NULL,            // thread security attributes
                                      TRUE,            // inherit handles
                                      0,               // creation flags
                                      m_lpEnvironment,
                                      cwdStr,          // current directory
                                      &m_StartupInfo,
                                      &piProcInfo);
if (!bReturnValue)
    m_dwCreateError = ::GetLastError();

::CloseHandle(hNewProcessUserToken);
::CloseHandle(hThreadUserToken);
Anything obvious I'm doing wrong here? I really can't spawn a process from Thread 1 - it just doesn't have the information it needs, and having a link back to it from Thread 3 is neither a good solution nor a good design.