Email Password Remember me?  Lost your password?

• Download demo project - 5.70 Kb

Introduction

The term "Impersonation" in a programming context refers to a technique that executes the code under another user context than the user who originally started an application, i.e. the user context is temporarily changed once or multiple times during the execution of an application.

The reason for doing this is to perform tasks that the current user context of an application is not allowed to do. Of course you could grant the user executing an application more privileges, but usually this is a bad idea (due to security constraints) or impossible (e.g. if you don't have full administrative access to a machine to do so).

This article presents an easy-to-use class to impersonate a user. While writing this, I found out that Marc Merrit had written an article ("Windows Impersonation using C#") that uses the same Microsoft knowledge base code (from Q306158) that I have used. The code presented in my article differs in the fact that you could use it inside a using-block to safely release resources and that I use slightly more exceptions to report errors. But from a first look, both his and my article do the same job, so it's up to you to decide what to do.

(For the latest changes, please see the History section below).

Background

I wrote the Impersonator class because of a need to write a web page with ASP.NET to make a server reboot. In order to do this, I needed to impersonate the part of my code that does the actual reboot.

The constructor of the class internally calls the Windows function LogonUser through P/Invoke. Please see the MSDN documentation of the function for a full description of all three parameters (username, domain, password) to the constructor.

Please note: The user context that initiates the impersonation (i.e. not the user context to which it is switched to) needs to have the "Act as part of operating system" privilege set.

Using the code

To use the code, you simply construct the Impersonator class and pass the username, the domain and the password to the constructor. If you place an instance of the class inside a using-block, you need no further steps.

The following is a schematic example of how to use the class:

... 
using ( new Impersonator( "myUsername", "myDomainname", "myPassword" ) )
{
   ...
   
   <code that executes under the new context>
  
   ...
}
  
...

An example project demonstrating the technique is included in the download of this article (please look at the "Program.cs" for the main demonstration source file). Also the complete source code of the class is included inside the source file "Impersonator.cs".

To include the Impersonator class into your project, simply copy and add the source file "Impersonator.cs" to your project, so that it gets compiled with your project.

Conclusion

In this article, I've shown you a small class to quickly and easily impersonate a part of your code to run under another user context. Hopefully you'll find this class useful.

For questions, comments and remarks, please use the commenting section at the bottom of this article.

References

In addition to the links in the article, the following references might be of interest:

1. Google search for "Windows Impersonation"

History

• 2005-04-11: Created first version of article.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Nice work, but help turbohansen 14:10 21 Aug '09   I have used your class alot.. BUT, now I want to do reach a Computer in another domain!!! with a domain account in the second domain, and there is no trust... I can see that it tries to authenticate me on my own domain, instead of trying the other one! I'am lost.. any idea!? modified on Monday, August 24, 2009 9:48 AM Sign In·View Thread·PermaLink Re: Nice work, but help Bit-Smacker 11:00 17 Sep '09   turbohansen wrote: I can see that it tries to authenticate me on my own domain, instead of trying the other one! Have you tried including the domain prefix in the username? ex: domain\username Sign In·View Thread·PermaLink Nice one fluectho 4:56 24 Jun '09   Your artivle is straigth forward, easy to understand an easy to adapt! Thanks a lot for that pice of code! Sign In·View Thread·PermaLink 5.00/5 Great job Richard Hollis 12:43 20 Mar '09   A really nice piece of work. Thanks for sharing. I originally went down the Interop route for the MPR stuff (WNetAddConnectionXX etc) but actually impersonation was what I should have used in the first place. This really saved me a lot of time, so thanks again. Sign In·View Thread·PermaLink Re: Great job Member 1752718 12:19 8 Apr '09   Thank you for sharing this. It works perfectly. Now my thread can happily IO. Converted straight to .Net 2.0 automatically. Sign In·View Thread·PermaLink This does not seem to work if a Win XP workstation is on a WorkGroup... danvmn 5:44 2 Mar '09   Is there a way to call call the impersonator() code with same credentials in both of these situations? 1. I want to get files from the local PC (not part of Domain, only part of WorkGroup) 2. I want to get files from the server which is on a domain. Sign In·View Thread·PermaLink 1.10/5 Thanks carladinmc 5:20 26 Feb '09   NICE JOB Sign In·View Thread·PermaLink 5.00/5 Can I use this C# class in Vb project Member 3481590 6:43 2 Feb '09   I am new to this, but when I try to use the class in vb.net project, it is not finding the Impersonator class? Sign In·View Thread·PermaLink How do you use Impersonator without the using clause? danvmn 5:58 23 Jan '09   I use this great code on Windows, but can't on Mono for Mac OSX. So I would like to not use the using clause, as there will be common code inside it. How do I use it the other way? In a try finally block ? Do I call dispose myself? Thanks for the Enhanced Version - I did not notice it till a few months later. Sign In·View Thread·PermaLink Re: How do you use Impersonator without the using clause? Uwe Keim 6:02 23 Jan '09   Correct, Dan. using is a shortcut for try...finally...Dispose. • My personal 24/7 webcam - Always live • Zeta Producer Desktop CMS - Intuitive, completely easy-to-use. Try out and download here now! • Zeta Uploader - Easily send large files by e-mail. Windows and web client available. Sign In·View Thread·PermaLink Re: How do you use Impersonator without the using clause? danvmn 9:20 23 Jan '09   Do you have any ideas on how to sometimes run Impersonator code and call dispose depending on an if statement? This c# code fails with error: "The name 'mImper' does not exist in the current context". if (!IsRunningOnMono()) // if not on mono (i.e. Windows OS) call Impersonator { Impersonator mImper = new Impersonator(sUser, sDomain, sPassword); } try // run common code for Windows and Mac OS X with mono { dir = Directory.GetFiles(sPath, "*"); } finally { if (!IsRunningOnMono()) { if (mImper != null) mImper.Undo(); } } Sign In·View Thread·PermaLink Re: How do you use Impersonator without the using clause? danvmn 9:50 23 Jan '09   Again, the solution comes soon after a posting... hHis works well. Impersonator mImper = null; // must call outside if statement so is useable in try finally clause if (!IsRunningOnMono()) mImper = new Impersonator(sUser, sDomain, sPassword); try // run common .NET and mono code { dir = Directory.GetFiles(sPath, "*"); // works } finally { if (!IsRunningOnMono()) { if (mImper != null) mImper.Undo(); } } Sign In·View Thread·PermaLink Re: How do you use Impersonator without the using clause? danvmn 6:57 23 Jan '09   This seems to work: Impersonator myCred = new Impersonator( "myUsername", "myDomainname", "myPassword" ); try { string[] dir = Directory.GetFiles(sPath, "*"); } finally { myCred.Undo(); } Now just have to figure out a way to Impersonate if Windows and a different way if Mac OS X.... Sign In·View Thread·PermaLink Security Risk RobinVossen 21:51 11 Jan '09   This is quite neat. But lots of people should know that this brings a security risk. Since decompiling C# Applications isn't that hard. It's way to easy. And lost of people don't know about that. So if you want to use this, you should KNOW that you have to 'hide' the Passwd of your Admin. Cheers, Robin Sign In·View Thread·PermaLink OpenFileDialog RugbyLeague 5:54 15 Dec '08   If i have a call to OpenFileDialog within a using Impersonator block the OpenFileDialog browsing seems to have the same permissions as my own login rather than the impersonated login. Sign In·View Thread·PermaLink Well done!!! uhcl 12:20 5 Nov '08   Save my day. Sign In·View Thread·PermaLink Nice job Jugortha 8:08 16 Sep '08   Very clean and nice! Every one among us was a beginner once Sign In·View Thread·PermaLink Re: Nice job Uwe Keim 9:25 16 Sep '08   Thank you! • My personal 24/7 webcam - Always live • Zeta Producer Desktop CMS - Intuitive, completely easy-to-use CMS for Windows. • Zeta Helpdesk - Open Source ticket software for Windows and web. • Zeta Uploader - Easily send large files by e-mail. Windows and web client. Sign In·View Thread·PermaLink 2.00/5 Re: Nice job finiduck 2:32 30 Oct '08   Thanks! Works great! This has saved me from an awful debugging task! Sign In·View Thread·PermaLink Excellent RVW 7:58 11 Sep '08   You get my five, too! Sign In·View Thread·PermaLink Great Job netizenk 14:32 27 Aug '08   Just to say thanks... This little class saved me a ton of time when I needed this functionality. Dean Sign In·View Thread·PermaLink Could not find a part of the path RugbyLeague 3:35 15 Aug '08   I always get a DirectoryNotFoundException with "could not find part of the path 'y:\xxx\xxx'" Sign In·View Thread·PermaLink Re: Could not find a part of the path finiduck 2:27 30 Oct '08   Use the full UNC path eg. string path = @"\\machinename\dir\file.txt"; Sign In·View Thread·PermaLink Excellent Emad Attia 8:04 30 Jul '08   Excellent work Uwe... Thanks Emad Sign In·View Thread·PermaLink Doesn't work on Windows 2000 weitech 22:50 12 Jun '08   the app works on windows xp, but not on 2000. Does anyone know why? Sign In·View Thread·PermaLink 1.67/5

Last Visit: 1:48 24 Nov '09     Last Update: 1:48 24 Nov '09 1234 Next »