How to switch the process security context to another user?

Once I got a task: perform administrator-specific operations from an application being run by an ordinary user (OK, that was a Power User group user, Windows NT/2000). Of course, I knew the admin name and password and I thought I could use one of

Usually you are not able to use the LogonUser() function in WinNT/2K (WinXP is an exception) because the user must have the very powerful privilege SE_TCB_NAME. By default it's disabled, and if it's enabled it means a big hole in the system. NEVER enable it!

In this case the Security Support Provider Interface (SSPI) can help us. I found a lot of samples of how to use SSPI for user credentials validation (authentication), but nobody told me how to switch to another user's security context. (You know, Windows NT/2K security is a huge amount of unknown matters and it takes a lot of time to understand how this stuff works...) And finally I found Tomas Restrepo's page with his library. (If the link is dead, I have a backup for you.) I modified it a bit to make it simpler to use, and now you can see how easy it is to switch into the security context of the user you want and switch back:

#include "wsspi.h"
int errorCode = wsspi::changeUser(name, password, domain);
if (!errorCode) {
    // Context changed.
    // Doing something specific for the user
    // ...
    errorCode = wsspi::restoreUser();
} else {
    // Context change failed. Error code is errorCode
    // ...
}
Sample project with the updated library is available both for VS6.0 and VS7.0. Reading MSDN's Q180548 could be useful as well.
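
In the snippet above, an early return or an exception inside the privileged section would skip restoreUser() and leave the code running in the administrator's context. The following is an added example, not code from the original page or from the wsspi library: a scope guard that always restores the context. The wsspi namespace in it is a constructed stand-in with signatures assumed from the call shown above, and the user names and password are made up.

```cpp
#include <cstdlib>
#include <stdexcept>
#include <string>

// Constructed stand-in for the wsspi library so the sample runs anywhere.
// Signatures are assumed from the call shown on the page; it only records
// whose context is "current" and accepts one made-up password.
namespace wsspi {
inline std::string& current() { static std::string user = "poweruser"; return user; }
inline int changeUser(const char* name, const char* password, const char* /*domain*/) {
    if (std::string(password) != "sample-admin-pw") return 1;  // non-zero = failure
    current() = name;
    return 0;
}
inline int restoreUser() { current() = "poweruser"; return 0; }
}  // namespace wsspi

// Holds the switched context for exactly one scope.
class ScopedUser {
public:
    ScopedUser(const char* name, const char* password, const char* domain)
        : error_(wsspi::changeUser(name, password, domain)) {}
    ~ScopedUser() {
        // Fail closed: never keep running under the borrowed identity
        // if it cannot be dropped.
        if (error_ == 0 && wsspi::restoreUser() != 0) std::abort();
    }
    ScopedUser(const ScopedUser&) = delete;
    ScopedUser& operator=(const ScopedUser&) = delete;
    int error() const { return error_; }  // 0 means the context was switched
private:
    int error_;
};

// Returns the identity in effect after the privileged section has ended.
std::string runAsAdmin(const char* password, bool workThrows) {
    try {
        ScopedUser admin("Administrator", password, ".");
        if (admin.error() != 0) return "denied:" + wsspi::current();
        if (workThrows) throw std::runtime_error("admin step failed");
        // ... administrator-only work goes here ...
    } catch (const std::exception&) {
        // Unwinding has already run ~ScopedUser, so the context is restored.
    }
    return wsspi::current();
}

int main() { return runAsAdmin("sample-admin-pw", true) == "poweruser" ? 0 : 1; }
```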