Export (0) Print
Expand All
Expand Minimize

ImpersonateLoggedOnUser function

The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.

Syntax


BOOL WINAPI ImpersonateLoggedOnUser(
  _In_  HANDLE hToken
);

Parameters

hToken [in]

A handle to a primary or impersonation access token that represents a logged-on user. This can be a token handle returned by a call to LogonUser, CreateRestrictedToken, DuplicateToken, DuplicateTokenEx, OpenProcessToken, or OpenThreadToken functions. If hToken is a handle to a primary token, the token must have TOKEN_QUERY and TOKEN_DUPLICATE access. If hToken is a handle to an impersonation token, the token must have TOKEN_QUERY and TOKEN_IMPERSONATE access.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Remarks

The impersonation lasts until the thread exits or until it calls RevertToSelf.

The calling thread does not need to have any particular privileges to call ImpersonateLoggedOnUser.

If the call to ImpersonateLoggedOnUser fails, the client connection is not impersonated and the client request is made in the security context of the process. If the process is running as a highly privileged account, such as LocalSystem, or as a member of an administrative group, the user may be able to perform actions they would otherwise be disallowed. Therefore, it is important to always check the return value of the call, and if it fails, raise an error; do not continue execution of the client request.

All impersonate functions, including ImpersonateLoggedOnUser allow the requested impersonation if one of the following is true:

  • The requested impersonation level of the token is less than SecurityImpersonation, such as SecurityIdentification or SecurityAnonymous.
  • The caller has the SeImpersonatePrivilege privilege.
  • A process (or another process in the caller's logon session) created the token using explicit credentials through LogonUser or LsaLogonUser function.
  • The authenticated identity is same as the caller.

Windows XP with SP1 and earlier:  The SeImpersonatePrivilege privilege is not supported.

For more information about impersonation, see Client Impersonation.

Requirements

Minimum supported client

Windows XP [desktop apps only]

Minimum supported server

Windows Server 2003 [desktop apps only]

Header

Winbase.h (include Windows.h)

Library

Advapi32.lib

DLL

Advapi32.dll

See also

Client/Server Access Control Overview
Client/Server Access Control Functions
CreateProcessAsUser
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
LogonUser
OpenProcessToken
OpenThreadToken
RevertToSelf

 

 

Community Additions

ADD
Show:
© 2014 Microsoft