Is it possible for a Windows service impersonate a user without a password?

Question

Is it possible for a C# Windows service running as Local System or Local Service to impersonate another user without needing a password for that user ?

How would this be done?

Note: My motivation for this is to be able to run user specific WMI queries in a service. The WMI calls I'm making (to the OfflineFiles WMI API) are user sensitive, and they only work when I run my service as the user whose data I want to query. I don't want users to have to enter their usernames and passwords when installing the service, so I'd like to just run the service as Local System or something, and impersonate the user I care about.

Answer 1

Assuming you only need start impersonation whilst the relevant user is logged on, you could:

1. Locate relevant user session using EnumProcesses (eg http://msdn.microsoft.com/en-us/library/windows/desktop/ms682623(v=vs.85).aspx ) [winapi]
2. OpenProcessToken() on relevant user process [winapi]
3. DuplicateToken() with impersonation privileges [winapi]
4. Create a new WindowsIdentity() using the result of DuplicateToken
5. Call .Impersonate on your new identity from step 4

Once the token has been duplicated, it doesn't matter if the user logs of - the impersonation in your service remains.

Apparently the API the undocumented ZwCreateToken winapi function can achieve this although also, but I have never used it and may break at anytime in future.

Answer 2

To the best of my knowledge, it can't be done for obvious security reasons. You have to have the password in order to call LogonUser, then WindowsIdentity.Impersonate.

The one exception: if you had an existing WindowsIdentity passed to the service through a remoting call, then you can impersonate that WindowsIdentity in the service, but not too apps operate this way.