Process.Start and Impersonation

Did you know that Process.Start always uses the security context of the parent ASP.NET process? I just found this out the hard way: using Process.Start on “whoami.exe” always reports the ASPNET worker process account, no matter what I do. Some searching turned up this entry in Scott’s blog:

I wanted to run these processes with the identity of the client, but this poses a problem. The Process class in System.Diagnostics can start a new process, but the process always inherits the security context of the parent process. Even if the ASP.NET thread invoking the Start method is impersonating a client, the Process still starts with the ASP.NET worker process credentials.

Enter .NET 2.0, which includes the User, Domain, and Password properties on the ProcessStartInfo type. In .NET 2.0 you can start a process under a different set of credentials.

Way to rub salt in my wounds, Whidbey. This is a very unfortunate limitation of .NET 1.1, as it severely limits what I can do with Process.Start in a web app. Scott helpfully provides a bit of sample C# code that calls the Win32 APIs to simulate a stripped down version of the Whidbey behavior today.

If you aren’t calling Process.Start, you may be able to impersonate to get the behavior you want. The MSKB article, How to implement impersonation in an ASP.NET application, provides some nice, relatively painless workarounds:

If you want to impersonate a user on a thread in ASP.NET, you can use one of the following methods, based on your requirements:

Impersonate the IIS authenticated account or user
Impersonate a specific user for all the requests of an ASP.NET application
Impersonate the authenticating user in code
Impersonate a specific user in code

Note: You can use the following code to determine what user the thread is executing as:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

The last method is the most interesting to me – it lets you impersonate an arbitrary user on the fly, execute a specific set of code as that user, then revert back to the ASP.NET credentials. Bear in mind that impersonation is a very expensive operation; it’s not something you want to do often.
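The “impersonate a specific user in code” method, as an added example that is not code from the post or the MSKB article: obtain a token with LogonUser, impersonate it for one block of code, then revert. The domain, account and password are placeholders supplied by the caller.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the post or the MSKB article): impersonate a specific
// account for one block of code, then always revert to the ASP.NET identity.
// Domain, account and password are placeholders supplied by the caller.
public static class ScopedImpersonation
{
    public delegate void Work();
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as domain\user. Reverts even if 'work' throws, so a failure
    // cannot leave the worker thread stuck with the impersonated identity.
    public static void RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try
            {
                // Inside here WindowsIdentity.GetCurrent().Name reports domain\user.
                // Note the post's point: a Process.Start issued here still inherits
                // the worker process token, not this thread's impersonated one.
                work();
            }
            finally
            {
                ctx.Undo();   // back to the ASP.NET worker process identity
            }
        }
        finally
        {
            CloseHandle(token);   // the logon token is no longer needed
        }
    }
}
```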

Scott’s code assumes we want to impersonate the current user and that we don’t have the password. I want to Process.Start as an arbitrary function account using plaintext account and password information. That requires a more masochistic workaround – calling the newer Win32 API method CreateProcessWithLogonW() directly. The only good sample code I could find was for VB6: How To Start a Process as Another User from Visual Basic. However, I couldn’t get this to work in VB.NET.

Even if I could get that API call to work, I still wouldn’t have the amenities of the Process class that I need. I want to redirect the standard output and standard error output, then capture them into strings, so I can echo the result of my command line operation to the web page.

There’s a good example of command line capture behavior on CodeProject. That’s for WinForms, but the process is similar for ASP.NET. Well, except for that pesky Process.Start credentials problem... another reason to look forward to .NET 2.0, I guess.
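What the .NET 2.0 version of this looks like, as an added example that is not code from the post, Scott’s sample or the CodeProject article: the ProcessStartInfo credential properties combined with the stdout/stderr capture described above. The executable, account, domain and password are placeholders supplied by the caller.

```csharp
using System;
using System.Diagnostics;
using System.Security;
using System.Text;

// Added example (not from the post or Scott's sample): start a command line under
// a specific account with the .NET 2.0 ProcessStartInfo credential properties and
// capture stdout/stderr into strings. Account, domain and password are placeholders.
public static class CredentialedProcessRunner
{
    public static int Run(string fileName, string arguments,
        string userName, string domain, string password,
        out string standardOutput, out string standardError)
    {
        ProcessStartInfo psi = new ProcessStartInfo(fileName, arguments);
        psi.UseShellExecute = false;        // required both for credentials and for redirection
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;
        psi.CreateNoWindow = true;
        psi.UserName = userName;            // the process runs as domain\userName,
        psi.Domain = domain;                // regardless of any thread impersonation
        psi.LoadUserProfile = false;

        // Password is a SecureString in .NET 2.0; copy the plaintext in one char at a time.
        SecureString secure = new SecureString();
        foreach (char c in password) secure.AppendChar(c);
        secure.MakeReadOnly();
        psi.Password = secure;

        // Read stderr asynchronously: reading both pipes synchronously to the end can
        // deadlock if the child fills one pipe while we are blocked on the other.
        StringBuilder errorBuffer = new StringBuilder();
        using (Process process = new Process())
        {
            process.StartInfo = psi;
            process.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs e)
            {
                if (e.Data != null) errorBuffer.AppendLine(e.Data);
            };
            process.Start();
            process.BeginErrorReadLine();
            standardOutput = process.StandardOutput.ReadToEnd();
            process.WaitForExit();
            standardError = errorBuffer.ToString();
            return process.ExitCode;
        }
    }
}
```

Calling Run with "whoami.exe" and the placeholder account is the same check the post describes by hand; standardOutput then names that account rather than the worker process.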
