HighTechTalks DotNet Forums  

Windows Forms security - Impersonation / Service / Something else?

Dotnet Security microsoft.public.dotnet.security


#1 Justin - 06-25-2004, 12:19 PM

Hi,

I have inherited a Windows Forms app, which automates software updates. It
is reasonably close, in pattern, to the Updater Application Block from
Microsoft.

The app needs to register / un-register COM components on the client
machine, as part of the software update process. The logged-on user will not
be an administrator on the local machine. What would be the best way of
implementing some form of 'run as...' or Windows identity impersonation for
either the whole app or the COM registration functionality?

I have looked at using a service, but the existing app architecture does not
lend itself to this. Either as moving the higher security requirement
functions out to the service, or using the service to launch the app.

Any guidance gratefully appreciated.

Thanks

Justin



#2 Joe Kaplan (MVP - ADSI) - 06-25-2004, 02:38 PM

You can p/invoke the LogonUser API to create a more privileged token and
impersonate that. You'll need to figure out how to securely store or
transport the privileged credentials, but doing that should work.

However, if your clients aren't all on WinXP (or 2K3 server), then calling
LogonUser will give you trouble since Win2K requires you to be SYSTEM (or
have the "act as part of operating system" privilege, which essentially
makes you SYSTEM) to call LogonUser.

The other problem is that if you are going to use the Process class to call
out to regsvr32, that doesn't inherit impersonation tokens and will use the
process token instead. Therefore, you may need to p/invoke
CreateProcessAsUser instead. Same Win2K restrictions apply as with
LogonUser.

HTH,

Joe K.
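
An added example (not code from the thread or from either poster) of the approach described in the reply above, for .NET Framework on Windows XP or later: it logs on with LogonUser, impersonates the returned token, and prints the thread identity next to the identity of a child process started with the Process class. The class name, the prompt-based credential input and the use of whoami.exe as the child process are assumptions made for the demonstration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonationDemo // hypothetical name, for illustration only
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password, int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Account that a child process started from the current thread runs as.
    static string ChildProcessUser()
    {
        var psi = new ProcessStartInfo("whoami.exe") { UseShellExecute = false, RedirectStandardOutput = true };
        using (Process p = Process.Start(psi))
        {
            string name = p.StandardOutput.ReadToEnd().Trim();
            p.WaitForExit();
            return name;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: demo <domain> <user>"); return; }
        // Assumption: the password is typed at a prompt and not echoed. How an unattended
        // updater stores or transports it is the open problem the reply points out.
        Console.Write("Password: ");
        string pw = "";
        for (var k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
            if (k.Key != ConsoleKey.Backspace) pw += k.KeyChar; else if (pw.Length > 0) pw = pw.Substring(0, pw.Length - 1);
        Console.WriteLine();
        IntPtr token; // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT
        if (!LogonUser(args[1], args[0], pw, 2, 0, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity.Impersonate(token)) // Dispose reverts to the process identity
            {
                // In-process calls on this thread use the new token; the child does not inherit it.
                Console.WriteLine("thread: " + WindowsIdentity.GetCurrent().Name);
                Console.WriteLine("child:  " + ChildProcessUser());
            }
        }
        finally { CloseHandle(token); }
        Console.WriteLine("after:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

The "child" line is expected to show the original logged-on user rather than the impersonated account, which is why the reply turns to CreateProcessAsUser for launching regsvr32.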