This documentation is archived and is not being maintained.

Marshal.SecureStringToGlobalAllocUnicode Method

Updated: September 2010

Copies the contents of a managed SecureString object into unmanaged memory.

Namespace:  System.Runtime.InteropServices
Assembly:  mscorlib (in mscorlib.dll)

Public Shared Function SecureStringToGlobalAllocUnicode ( _
	s As SecureString _
) As IntPtr


Type: System.Security.SecureString
The managed object to copy.

Return Value

Type: System.IntPtr
The address, in unmanaged memory, where s was copied, or 0 if s is a SecureString object whose length is 0.


The s parameter is Nothing.


The current computer is not running Windows 2000 Service Pack 3 or later.


There is insufficient memory available.

The SecureStringToGlobalAllocUnicode method is useful for custom marshaling or for use when mixing managed and unmanaged code. Because this method allocates the unmanaged memory required for a string, always free the memory by calling the ZeroFreeGlobalAllocUnicode method.

Notes to Callers

This method is supported only on computers running Windows 2000 Service Pack 3 or later.

The following example demonstrates how to use the SecureStringToGlobalAllocUnicode method with the unmanaged LogonUser function to perform impersonation with the SecureString class. The example then uses the ZeroFreeGlobalAllocUnicode method to zero out and free the unmanaged string reference.

Imports System
Imports System.Diagnostics
Imports System.Runtime.InteropServices
Imports System.Security
Imports System.Security.Principal
Imports System.Text

Module ImpersonationExample

    ' PInvoke into the Win32 API to provide access to the 
    ' LogonUser and CloseHandle functions.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> Function LogonUser(ByVal username As String, ByVal domain As String, ByVal password As IntPtr, ByVal logonType As Integer, ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean

    End Function

    <DllImport("kernel32.dll", CharSet:=CharSet.Auto)> Function CloseHandle(ByVal handle As IntPtr) As Boolean

    End Function

    ' Define the required LogonUser enumerations.
    Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Const LOGON32_LOGON_INTERACTIVE As Integer = 2

    Sub Main(ByVal args() As String)
            ' Display the current user before impersonation.
            Console.WriteLine("Before impersonation: " + WindowsIdentity.GetCurrent().Name)

            ' Ask the user for a network domain.
            Console.Write("Please enter your domain:")

            Dim domain As String = Console.ReadLine()

            ' Ask the user for a user name.
            Console.Write("Please enter your user name:")

            Dim username As String = Console.ReadLine()

            ' Ask the user for a password.
            Console.Write("Please enter your password:")

            Dim passWord As SecureString = GetPassword()

            ' Impersonate the account provided by the user.
            Dim userContext As WindowsImpersonationContext = ImpersonateUser(passWord, username, domain)

            ' Display the current user after impersonation.
            Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name)
        Catch e As Exception
        End Try


    End Sub

    Function GetPassword() As SecureString
        Dim password As New SecureString()

        ' get the first character of the password
        Dim nextKey As ConsoleKeyInfo = Console.ReadKey(True)

        While nextKey.Key <> ConsoleKey.Enter
            If nextKey.Key = ConsoleKey.BackSpace Then
                If password.Length > 0 Then
                    password.RemoveAt(password.Length - 1)

                    ' erase the last * as well
                    Console.Write(" ")
                End If
            End If

            nextKey = Console.ReadKey(True)
        End While


        ' lock the password down
        Return password

    End Function

    Function ImpersonateUser(ByVal password As SecureString, ByVal userName As String, ByVal domainName As String) As WindowsImpersonationContext
        Dim tokenHandle As IntPtr = IntPtr.Zero

        Dim passwordPtr As IntPtr = IntPtr.Zero

        Dim returnValue As Boolean = False

            ' Marshal the SecureString to unmanaged memory.
            passwordPtr = Marshal.SecureStringToGlobalAllocUnicode(password)

            ' Call LogonUser, passing the unmanaged (and decrypted) copy of
            ' the SecureString password.
            returnValue = LogonUser(userName, domainName, passwordPtr, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)

            ' Zero-out and free the unmanaged string reference.

            ' Close the token handle.
        End Try

        ' Get the Last win32 Error and throw an exception.
        If Not returnValue AndAlso tokenHandle = IntPtr.Zero Then
            Dim [error] As Integer = Marshal.GetLastWin32Error()

            Throw New System.ComponentModel.Win32Exception([error])
        End If
        ' The token that is passed to the following constructor must 
        ' be a primary token in order to use it for impersonation.
        Dim newId As New WindowsIdentity(tokenHandle)

        Return newId.Impersonate()

    End Function
End Module

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

  • SecurityCriticalAttribute 

    requires full trust for the immediate caller. This member cannot be used by partially trusted or transparent code.

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.




September 2010

Clarified that 0 is returned if the length of s is 0.

Customer feedback.