Programmatically secure logon dialog

  • Question

  • Hello

    If you execute a program which needs higher rights, you get a secure login dialog for credentials. So far, so good.

    A common and simple way for software products is to move the required code to an external executable which requires higher rights. But this requires (perhaps) difficult interprocess communication.

    Is there a way to call the secure logon dialog programmatically to get a token which can be used to impersonate an internal thread?

    I found SspiPromptForCredentials, but I can't use the returned token for LogonUser or LsaLogonUser, because these APIs need privileges which a user in general doesn't have. Okay, I could install an additional service which can do this in Local System context, but this requires additional system resources, too. Not a very pretty solution.

    Of course, all these restrictions were made to increase security, and with the typical secure login screen it should be impossible to grab keystrokes etc. But I don't see any security leaks if a programmer can explicitly call the secure logon dialog like SspiPromptForCredentials to get a token which can be used to impersonate threads. Every user should question himself: did I do this action, or could it be a virus which would like to grant access to my machine?

    Do you have a solution or suggestion? Please take a minute and write me!

    Saturday, April 6, 2019 2:07 PM

All replies