From: Stefan Kuhr on 13 Oct 2008 11:27

Hello everyone,

we are experiencing strange errors on Vista SP1 boxes in scenarios that worked before on Vista RTM, XP, Server03 and W2K: Our program runs as the interactively logged-in user (either a consent admin or unprivileged) and does a LogonUser (for an interactive logon session) for a privileged account, say for user "admin". It then impersonates that user's token and tries to do a write access on resources in the registry or the file system. Now with Vista SP1 these accesses suddenly fail under *one* special condition that I will outline below, and we get ERROR_BAD_IMPERSONATION_LEVEL as the last error.

In the case of the file system we protect the files with a DACL where members of a local group named "OurTrustedUsers" are granted full access, and we make the user "admin" (that we impersonate) a member of this local group. So the administrative user "admin" should have write access even though we only get a restricted token from the interactive logon session that LogonUser gives us on Vista.

Now comes the strange thing: We experience these write access errors with ERROR_BAD_IMPERSONATION_LEVEL *only* if we grant that particular privileged user "admin" the right to log on as a *service*. If we remove the service logon right, write accesses succeed. I simply do not understand what the right to log on as a service has to do with the access check that happens if my program impersonates an *interactive* token.

Can anyone explain why that is the case or suggest a workaround? One workaround could be to introduce a second user that is a member of the local group "OurTrustedUsers" but who doesn't have the right to log on as a service. But if possible, we would rather stick with the one privileged user.

Any help appreciated,

--
Stefan Kuhr
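Added diagnostic for the scenario above (example code, not from the original post or the poster's program): it performs the same interactive LogonUser, impersonates the result, and reports the type and impersonation level of the token the thread actually holds, since ERROR_BAD_IMPERSONATION_LEVEL on a later file or registry access means the thread token is an impersonation token below SecurityImpersonation level. Assumes .NET Framework on Windows; the account name, domain and password are supplied as command-line placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Reports what kind of token LogonUser(LOGON32_LOGON_INTERACTIVE) handed us and
// what the thread sees while impersonating it. Run it once with the service
// logon right granted to the account and once without, and compare the output.
class TokenDiag
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT  = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static void Main(string[] args)
    {
        // Placeholders: the privileged account the program logs on ("admin" in the post).
        string user = args[0], domain = args[1], password = args[2];

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // The logon token itself, before impersonation. A primary token reports
            // ImpersonationLevel None; an impersonation token reports its level.
            WindowsIdentity logon = new WindowsIdentity(token);
            Console.WriteLine("Logon token: {0}, level {1}", logon.Name, logon.ImpersonationLevel);

            using (WindowsImpersonationContext ctx = logon.Impersonate())
            {
                // This is the token the kernel uses for the access check on the
                // protected file or registry key.
                WindowsIdentity current = WindowsIdentity.GetCurrent();
                Console.WriteLine("Thread token while impersonating: {0}, level {1}",
                                  current.Name, current.ImpersonationLevel);
                if (current.ImpersonationLevel < TokenImpersonationLevel.Impersonation)
                    Console.WriteLine("Level too low for access checks: expect ERROR_BAD_IMPERSONATION_LEVEL.");
            }
        }
        finally { CloseHandle(token); }
    }
}
```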