Windows Impersonation from C#

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/559719/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-04 08:10:15  Source: igfitidea

Windows Impersonation from C#

Tags: c#, windows, impersonation

Asked by user53794

How can a C# program running as LocalSystem impersonate the login identity of another user temporarily? Roughly speaking I have a Windows Service that I'd like to run as LocalSystem but at times impersonate user XYZ (when connecting to a db using windows integrated security).

Most important of all: Is there a way to do this without knowing the other user's password?

Note: if a password is mandatory is there a recommended strategy for storing a password securely (c# and/or vbscript).

Accepted answer by wj32

It's possible, although it requires you to do a lot of code. See NtCreateToken and CreateToken. You need SeCreateTokenPrivilege, although that won't be a problem since you're running under NT AUTHORITY\SYSTEM. You can then use the created token to impersonate inside a thread.

Answered by Renaud Bompuis

For the password storing part, you may want to have a look at this question asked recently.

This was my answer:

You could/should use the DPAPI, the Data Protection API that provides storage encryption.
It's there just for this type of problem.

Encryption of the storage is based on either:

  • the user account, so only the logged-in user can access the data. This makes the data transferable to another PC with the exact same user credentials.
  • the machine, making the data only accessible on that particular machine setup and not transferable to another PC.

There is a dnrTV show with Karl Franklin showing exactly what's needed to implement this, and other encryption functions.
The source code from the show is also available on the page.

There are, of course, lots of other articles on that subject.

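The DPAPI round trip this answer recommends, as an added example that is not part of the original answer or of any linked show; it assumes a constructed sample password and the System.Security.Cryptography.ProtectedData class (System.Security.dll on .NET Framework, or the System.Security.Cryptography.ProtectedData package on .NET Core and later; Windows only):

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: wraps a service's database password with DPAPI so the
// clear text never has to sit in a config file or the registry.
static class DpapiSecretStore
{
    // Optional entropy is not a secret by itself, but another process running
    // under the same account cannot Unprotect the blob without it. Keep it
    // constant across releases or old blobs become unreadable. (Constructed value.)
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyService.DbCredential.v1");

    // CurrentUser binds the blob to the calling account's DPAPI keys (for a
    // LocalSystem service that is the SYSTEM profile on this machine);
    // LocalMachine lets any account on the box decrypt it, so prefer CurrentUser.
    public static byte[] Protect(string password, DataProtectionScope scope)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(password);
        try
        {
            return ProtectedData.Protect(plaintext, Entropy, scope);
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length); // drop the clear-text copy
        }
    }

    // Throws CryptographicException when called from a different account
    // (CurrentUser scope) or with different entropy.
    public static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        byte[] plaintext = ProtectedData.Unprotect(blob, Entropy, scope);
        try
        {
            return Encoding.UTF8.GetString(plaintext);
        }
        finally
        {
            Array.Clear(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        // Constructed sample; a real service would read the blob from a file or registry value.
        byte[] blob = Protect("P@ssw0rd-example", DataProtectionScope.CurrentUser);
        Console.WriteLine(Convert.ToBase64String(blob));
        string back = Unprotect(blob, DataProtectionScope.CurrentUser);
        Console.WriteLine(back == "P@ssw0rd-example" ? "round-trip ok" : "round-trip FAILED");
    }
}
```

Store only the Base64 blob; at start-up the service calls Unprotect under the same account that called Protect.
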
Answered by Franci Penov

Short answer: you can't without the user password or the user calling your service through COM.

To impersonate another user in your process, you have to call ImpersonateLoggedOnUser. ImpersonateLoggedOnUser requires a token handle. There are several ways you can obtain a token handle:
