Impersonating a User


Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

Message Queuing provides you with a means to impersonate another user when passing authenticated messages that were not sent by you. Typically, this happens when server applications need to pass messages they have received on to other destination queues.

To impersonate another user you must first retrieve the security information of the user you want to impersonate, cache that information in a security context structure, and then later use the information in the security context structure to send the impersonated messages.


You can revert back to the original user as soon as the impersonated information is in the security context structure.

To retrieve the security context of another user

  1. Call LogonUser to log the user whom you want to impersonate on to the local computer, specifying the name of the user account, the user's domain, and the user's password. This function returns a pointer to a handle to the access token of the logged-on user as an out parameter.

  2. Call ImpersonateLoggedOnUser using the handle to the access token obtained in the call to LogonUser.

  3. Run RegEdt32 to load the registry hive of the impersonated user manually.

  4. Call MQGetSecurityContextEx or MSMQMessage.AttachCurrentSecurityContext2 to retrieve the security context information for the internal certificate or an external certificate of the impersonated user and place it in a security context structure for later use.

Once the security information for the impersonated user is retrieved, the sending application can revert back to the original user and later use the impersonated security context information to send messages without needing to impersonate the user again.