Вопрос
From one application running with USER1 account, I want to access a file that is located under C:\Users\ADMIN
USER1 is limited and ADMIN is an administrator account.
The process has an admin token obtained from LogonUser api and tried with ImpersonateLoggedOnUser and SetThreadToken (using DuplicateToken/SecurityImpersonation) but in both cases I obtain a ERROR_BAD_IMPERSONATION_LEVEL error when I call CreateFile.
I'm almost sure I have to deal with a security issue but no idea how to process.
Решение
Well the problem is that target process needs to have SeImpersonateUser privilege, available only in SYSTEM processes by default.
When the thread is impersonated, because the process hasn't the required privilege, the api will succeed but actual level will be Delegate instead of Impersonate and CreateFile fails because of this.
https://stackoverflow.com/questions/17109305
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian