From 1f54ff7c9c4a992caf064dd03f4b0735db9f4e77 Mon Sep 17 00:00:00 2001
From: David Hall
Date: Wed, 5 Sep 2018 07:31:39 -0600
Subject: [PATCH] Added ImpersonateLoggedOnUser.
---
 PInvoke/Security/AdvApi32/SecurityBaseApi.cs | 70 ++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 PInvoke/Security/AdvApi32/SecurityBaseApi.cs
diff --git a/PInvoke/Security/AdvApi32/SecurityBaseApi.cs b/PInvoke/Security/AdvApi32/SecurityBaseApi.cs
new file mode 100644
index 00000000..cacd5bd7
--- /dev/null
+++ b/PInvoke/Security/AdvApi32/SecurityBaseApi.cs
@@ -0,0 +1,70 @@
+using System;
+using System.ComponentModel;
+using System.Runtime.InteropServices;
+using Vanara.InteropServices;
+
+namespace Vanara.PInvoke
+{
+ public static partial class AdvApi32
+ {
+ ///
+ ///
+ /// The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The
+ /// user is represented by a token handle.
+ ///
+ ///
+ ///
+ /// A handle to a primary or impersonation access token that represents a logged-on user. This can be a token handle returned by a
+ /// call to LogonUser, CreateRestrictedToken, DuplicateToken, DuplicateTokenEx, OpenProcessToken, or OpenThreadToken functions. If
+ /// hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a
+ /// handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.
+ ///
+ ///
+ ///
+ /// If the function succeeds, the return value is nonzero.
+ /// If the function fails, the return value is zero. To get extended error information, call GetLastError.
+ ///
+ ///
+ /// The impersonation lasts until the thread exits or until it calls RevertToSelf.
+ /// The calling thread does not need to have any particular privileges to call ImpersonateLoggedOnUser.
+ ///
+ /// If the call to ImpersonateLoggedOnUser fails, the client connection is not impersonated and the client request is made in
+ /// the security context of the process. If the process is running as a highly privileged account, such as LocalSystem, or as a
+ /// member of an administrative group, the user may be able to perform actions they would otherwise be disallowed. Therefore, it is
+ /// important to always check the return value of the call, and if it fails, raise an error; do not continue execution of the client request.
+ ///
+ ///
+ /// All impersonate functions, including ImpersonateLoggedOnUser allow the requested impersonation if one of the following is true:
+ ///
+ ///
+ ///
+ ///
+ /// The requested impersonation level of the token is less than SecurityImpersonation, such as SecurityIdentification
+ /// or SecurityAnonymous.
+ ///
+ ///
+ ///
+ /// The caller has the SeImpersonatePrivilege privilege.
+ ///
+ ///
+ ///
+ /// A process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or
+ /// LsaLogonUser function.
+ ///
+ ///
+ ///
+ /// The authenticated identity is same as the caller.
+ ///
+ ///
+ ///
+ /// Windows XP with SP1 and earlier: The SeImpersonatePrivilege privilege is not supported.
+ /// For more information about impersonation, see Client Impersonation.
+ ///
+ // https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
+ // BOOL ImpersonateLoggedOnUser( HANDLE hToken );
+ [DllImport(Lib.AdvApi32, SetLastError = true, ExactSpelling = true)]
+ [PInvokeData("securitybaseapi.h", MSDNShortId = "cf5c31ae-6749-45c2-888f-697060cc8c75")]
+ [return: MarshalAs(UnmanagedType.Bool)]
+ public static extern bool ImpersonateLoggedOnUser(SafeTokenHandle hToken);
+ }
+}
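Review bot: The extern at the end of the hunk hands the raw BOOL back to callers, so the fail-closed check the remarks themselves demand ("always check the return value ... do not continue execution") is left to every call site, and a dropped return value silently runs the request in the process's own security context. The hunk also adds `using System.ComponentModel;`, which nothing in the new code uses and which is where Win32Exception lives, so a throwing companion looks intended but missing. Since SetLastError is already set on the DllImport, a parameterless Win32Exception picks up the failure code; consider adding the helper below next to the extern so the safe form is the obvious one to reach for. A sentence in the remarks pointing callers to it, and reminding them the thread stays impersonated until RevertToSelf is called, would round it out.
```csharp
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool ImpersonateLoggedOnUser(SafeTokenHandle hToken);

/// <summary>Calls <see cref="ImpersonateLoggedOnUser"/> and throws <see cref="Win32Exception"/> on failure so the caller never continues unimpersonated.</summary>
/// <param name="hToken">A handle to a primary or impersonation access token that represents a logged-on user.</param>
/// <exception cref="Win32Exception">The impersonation request was rejected; the exception carries the Win32 error code.</exception>
public static void ImpersonateLoggedOnUserOrThrow(SafeTokenHandle hToken)
{
    if (!ImpersonateLoggedOnUser(hToken))
    {
        throw new Win32Exception();
    }
}
```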