
CreateProcessWithLogonW

Wednesday, September 1, 2004
Don Kiely recently pointed to an article on CodeProject with C# code to run a process in a new security context. The code PInvokes CreateProcessWithLogonW, but doesn’t work under ASP.NET.

CreateProcessWithLogonW is one of those tricky APIs that doesn’t pick up and move well from one environment to the next. Unfortunately, there is no way with .NET 1.1 to start a new process under alternate credentials without PInvoke. A spawned process always inherits the token of the creator process, so even if a thread is impersonating when it calls Process.Start, the new process has the same identity as the creator process, not the impersonated user. The good news is that Microsoft makes it easy in .NET 2.0.

Always approach launching a process on the server with caution. Launching an interactive process, or a process under different credentials, from a service should usually be avoided. In addition to overcoming all the privilege checks, you also have to deal with window stations and desktops – not an issue in WinForms programming.

One little note about the code: the call to CreateProcessWithLogonW will fill the ProcessInformation structure with two IntPtr members representing Windows HANDLE types - these should be properly cleaned up with CloseHandle.