Windows Impersonation from C#

user53794 · Feb 18, 2009 · Viewed 56.7k times

How can a C# program running as LocalSystem impersonate the login identity of another user temporarily? Roughly speaking I have a Windows Service that I'd like to run as LocalSystem but at times impersonate user XYZ (when connecting to a db using windows integrated security).

Most important of all: Is there a way to do this without knowing the other user's password?

Note: if a password is mandatory is there a recommended strategy for storing a password securely (c# and/or vbscript).

Answer

wj32 · Feb 22, 2009

It's possible, although it requires you to do a lot of code. See NtCreateToken and CreateToken. You need SeCreateTokenPrivilege, although that won't be a problem since you're running under NT AUTHORITY\SYSTEM. You can then use the created token to impersonate inside a thread.
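The two pieces of the answer that can be shown in documented code are the privilege check (does this process really hold SeCreateTokenPrivilege?) and the thread-scoped impersonation of a token once you have one. The following C# is an added example written for this page, not the answerer's code: it enables SeCreateTokenPrivilege on the service's own process token via AdjustTokenPrivileges and then runs one integrated-security query under WindowsIdentity.RunImpersonated. The token passed to QueryAsToken is assumed to come from NtCreateToken, which is undocumented and not reproduced here; the connection string and the commented-out CreateTokenWithNtCreateToken call are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example (not from the original answer). Token creation itself is assumed
// to happen elsewhere (NtCreateToken); this code covers the privilege check and
// the impersonation/revert around one database call.
static class TokenImpersonation
{
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry, flattened.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;
        public LUID Luid;
        public uint Attributes;
    }

    const uint SE_PRIVILEGE_ENABLED = 0x2;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x20;
    const uint TOKEN_QUERY = 0x8;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(SafeAccessTokenHandle tokenHandle, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    // Returns true only if the process token holds the privilege and it is now enabled.
    // SYSTEM holds SeCreateTokenPrivilege but it is disabled by default, so enabling
    // it explicitly is required before NtCreateToken can succeed.
    public static bool EnablePrivilege(string privilegeName)
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out IntPtr raw))
            throw new Win32Exception();
        using (var token = new SafeAccessTokenHandle(raw))
        {
            if (!LookupPrivilegeValue(null, privilegeName, out LUID luid))
                throw new Win32Exception();
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when the privilege is not held;
            // ERROR_NOT_ALL_ASSIGNED in the last error is the real signal.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
    }

    // Runs one integrated-security query as the user the token represents.
    // Impersonation applies to the calling thread only and is reverted when the
    // delegate returns, even if it throws.
    public static string QueryAsToken(SafeAccessTokenHandle userToken, string connectionString)
    {
        return WindowsIdentity.RunImpersonated(userToken, () =>
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            {
                conn.Open();
                return (string)cmd.ExecuteScalar();   // login name SQL Server saw
            }
        });
    }

    static void Main()
    {
        bool ok = EnablePrivilege("SeCreateTokenPrivilege");
        Console.WriteLine(ok
            ? "SeCreateTokenPrivilege enabled; token creation is possible from this process"
            : "SeCreateTokenPrivilege not held; this service is not running as SYSTEM");

        // Hypothetical call site once a token exists (placeholders, not real APIs):
        // SafeAccessTokenHandle userToken = CreateTokenWithNtCreateToken("XYZ");
        // Console.WriteLine(QueryAsToken(userToken,
        //     "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=SSPI"));
    }
}
```

Two points to keep in mind when building on this. SeCreateTokenPrivilege lets its holder mint a token for any account, so it is equivalent to full control of the machine; it belongs only to the SYSTEM service itself, and the EnablePrivilege result is a useful startup check that the service really is running where it should. Second, a token manufactured without a password is not backed by cached credentials in LSA, so integrated security to a remote SQL Server will not authenticate as the user the way a LogonUser token would; expect it to work for local resources and ACL checks, and to fail or fall back to the computer identity over the network.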