Windows Privileges - Impersonate
Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!
A program can at any time logon another user and act on his behalf.
This will logon user benoit and write a file in his name:
// get a new user from a logon
HANDLE hPrimToken = NULL;
ok = LogonUser(L"benoit", NULL, L"BenoitsPassword", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hPrimToken);
Error(L"LogonUser");
// convert the token into an impersonation (thread) token
HANDLE hImpToken = NULL;
DuplicateToken(hPrimToken, SecurityImpersonation, &hImpToken);
Error(L"DuplicateToken");
// impersonate the user
ok = SetThreadToken(NULL, hImpToken);
Error(L"SetThreadToken");
// create a file as this user
hFile = CreateFile(pathImpFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE == hFile) { ok = FALSE; }
Error(L"CreateFile");
CloseHandle(hFile);
Error(L"CloseHandle");
// undo
ok = SetThreadToken(NULL, NULL);
Error(L"SetThreadToken");(Trust me. It does.)
But what if the program should be able to impersonate a user without knowing the user’s credentials?
A process running with the Impersonate privilege can assign an impersonation token to a thread to act as another user if that other user is logged on in the same logon session.
Getting another account to log on in the same logon session can be used to exploit this privilege. I have no idea how to trick another user to log on in my process’ logon session.
All services by default have the Impersonate privilege.
PS C:\> & 'C:\Program Files\ABTokenTools\AccountRights.exe' SERVICE
SeImpersonatePrivilege
SeCreateGlobalPrivilege
2
PS C:\>Services are apparently meant to be doing this on a regular basis.
We can simulate the effect by actually logging on another account in the same logon session using the Secondary Logon service and its client runas.exe.
PS C:\> runas /user:legrand winver
Enter the password for legrand:
Attempting to start winver as user "CHAMPIGNAC\legrand" ...
PS C:\>winver is always a good program to find in the process list.
To “abuse” user legrand’s logon for our purpose we need to make sure that the process’ owner account has SeImpersonatePrivilege.
And then we can run this:
// create a file as the original user
HANDLE hFile = NULL;
hFile = CreateFile(pathFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE == hFile) { ok = FALSE; }
Error(L"CreateFile");
CloseHandle(hFile);
Error(L"CloseHandle");
// get a new user from a process
HANDLE hProcess = NULL;
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);
if (NULL == hProcess) { ok = FALSE; }
Error(L"OpenProcess");
if (NULL == hProcess) { return 1; } // if the process didn't exist, leave
pid = GetProcessId(hProcess);
wprintf(L"Opened process is indeed pid [%d].\n", pid);
HANDLE hPrimToken = NULL;
ok = OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY, &hPrimToken);
Error(L"OpenProcessToken");
// convert the token into an impersonation (thread) token
HANDLE hImpToken = NULL;
DuplicateToken(hPrimToken, SecurityImpersonation, &hImpToken);
Error(L"DuplicateToken");
// impersonate the user
ok = SetThreadToken(NULL, hImpToken);
Error(L"SetThreadToken");
// create a file as this user
hFile = CreateFile(pathImpFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (INVALID_HANDLE_VALUE == hFile) { ok = FALSE; }
Error(L"CreateFile");
CloseHandle(hFile);
Error(L"CloseHandle");
// undo
ok = SetThreadToken(NULL, NULL);
Error(L"SetThreadToken");
CloseHandle(hProcess);Running it without Impersonate privilege:
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> Get-Process winver
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
178 13 2304 16164 0.05 4468 1 winver
PS C:\> .\Impersonate.exe C:\Temp\File 4468 \Temp\ImpFile
CreateFile OK: [1] STATUS: [0], Error: [0]
CloseHandle OK: [1] STATUS: [0], Error: [0]
OpenProcess OK: [1] STATUS: [0], Error: [0]
Opened process is indeed pid [4468].
OpenProcessToken OK: [1] STATUS: [0], Error: [0]
DuplicateToken OK: [1] STATUS: [0], Error: [0]
SetThreadToken OK: [1] STATUS: [0], Error: [0]
CreateFile OK: [0] STATUS: [0], Error: [1346]
CloseHandle OK: [1] STATUS: [0], Error: [0]
SetThreadToken OK: [1] STATUS: [0], Error: [0]
PS C:\> certutil /error 1346
0x542 (WIN32: 1346 ERROR_BAD_IMPERSONATION_LEVEL) -- 1346 (1346)
Error message text: Either a required impersonation level was not provided, or the provided impersonation level is invalid.
CertUtil: -error command completed successfully.
PS C:\> cmd /c dir/q C:\Temp\
Volume in drive C has no label.
Volume Serial Number is B605-A4D0
Directory of C:\Temp
03/31/2025 06:39 PM <DIR> CHAMPIGNAC\benoit .
03/31/2025 06:38 PM 0 CHAMPIGNAC\benoit File
1 File(s) 0 bytes
1 Dir(s) 38,532,575,232 bytes free
PS C:\>We can see that Impersonate.exe can open the winver process, but it cannot create a file using its token.
(But a file C:\Temp\File owned by user benoit did appear.)
And running it with Impersonate privilege:
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> .\Impersonate.exe C:\Temp\File 4468 \Temp\ImpFile
CreateFile OK: [1] STATUS: [0], Error: [0]
CloseHandle OK: [1] STATUS: [0], Error: [0]
OpenProcess OK: [1] STATUS: [0], Error: [0]
Opened process is indeed pid [4468].
OpenProcessToken OK: [1] STATUS: [0], Error: [0]
DuplicateToken OK: [1] STATUS: [0], Error: [0]
SetThreadToken OK: [1] STATUS: [0], Error: [0]
CreateFile OK: [1] STATUS: [0], Error: [0]
CloseHandle OK: [1] STATUS: [0], Error: [0]
SetThreadToken OK: [1] STATUS: [0], Error: [0]
PS C:\> cmd /c dir/q C:\Temp\
Volume in drive C has no label.
Volume Serial Number is B605-A4D0
Directory of C:\Temp
03/31/2025 06:42 PM <DIR> CHAMPIGNAC\benoit .
03/31/2025 06:42 PM 0 CHAMPIGNAC\benoit File
03/31/2025 06:42 PM 0 CHAMPIGNAC\legrand ImpFile
2 File(s) 0 bytes
1 Dir(s) 38,531,850,240 bytes free
PS C:\>This time the impersonation succeeded and Impersonate.exe created two files, one C:\Temp\File owned by user benoit and one C:\Temp\ImpFile owned by user legrand.
What is this actually good for?
Impersonate is meant for services that are meant to act on a user’s behalf without having to know the user’s credentials. Windows can handle logins in a service’s logon session and allow a service to act on those logged-on users’ behalfs.
(In OpenVMS, the Impersonate privilege allowed the launching of detached processes as another user. This was before the introduction of multithreading. Windows NT supported multithreading from the beginning, so I assume they figured Impersonate should be applied to threads, not processes. A “detached process” is a process that is independent of its parent process.)
Note: SeImpersonatePrivilege is a system privilege and hence will be removed from a user’s token when UAC is enabled. On a UAC-enabled system this trick might therefor not work without some preparation in a user session. It will obviously still work for services which are not affected by User Account Control.