From: "Kirill M. Katsnelson" <kkm@kis.ru>
To: ntdev@atria.com
Date: Sun, 14 Dec 1997 11:57:40 +0300
Subject: Re: [ntdev] User info in process

Some time ago, Branimir Buljan wrote...
|+
| I have built a print monitor that creates a process, and now I have
| a problem.
| If I create a process from EndDocPort(), in the created process
| when I call GetUserName() it returns 'SYSTEM' for the user name, and it
| cannot access network drives (access denied).
| In the print monitor, when I call GetUserName() from the EndDocPort()
| function, I got the name of the user currently logged on (the user that
| started printing), and it CAN access network drives, as can the user that is
| logged on.
|
| The function I use looks like this: [code snipped]
|
|-

Branimir,

The EndDocPort function is called while the print server is impersonating the user. GetUserName() and all access rights are affected by impersonation, although CreateProcess is not. To create a process as the logged-on user, you do the following:

1. Get the security token of the current thread using OpenThreadToken().
   The token you get is an impersonation token.
2. Create a primary token from the impersonation token by calling DuplicateTokenEx(). You cannot pass an impersonation token to the CreateProcessAsUser API.
3. Call CreateProcessAsUser, giving it the new primary token.

Close both token handles right after CreateProcessAsUser, and enjoy! :)

If the user who started the printing is logged on on the local machine, then you are fine. If he/she is not, then your new process may not be able to access network shares on other machines, because tokens only keep the results of user authentication. To log on to another computer, the computer running the print server has to encrypt the passed challenge with the user's password, and passwords are not known for non-interactive (not owned by winlogon) user sessions.

HTH,
Kirill

+-------------------------------------+-----------------------------------+
+ Kirill M. Katsnelson,               | Welcome! My WebCounter shows      +
+ Software and Networking Consultant  | that you are Abnormal program     +
+ Nizhni Novgorod, Russia             | termination in 1997!              +
+ E-mail: kkm@kis.ru                  |  -- a real welcome banner         +
+-------------------------------------+-----------------------------------+