{
	"id": "577959d2-adc4-456b-93ed-5565595758e5",
	"created_at": "2026-04-06T02:11:21.868997Z",
	"updated_at": "2026-04-10T03:20:36.438006Z",
	"deleted_at": null,
	"sha1_hash": "8d7c830d0a07c735ec7d3723997fa1c1071fdc1e",
	"title": "LogonUserA function (winbase.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74754,
	"plain_text": "LogonUserA function (winbase.h) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-06 02:05:05 UTC\r\nThe LogonUser function attempts to log a user on to the local computer. The local computer is the computer from\r\nwhich LogonUser was called. You cannot use LogonUser to log on to a remote computer. You specify the user\r\nwith a user name and domain and authenticate the user with a plaintext password. If the function succeeds, you\r\nreceive a handle to a token that represents the logged-on user. You can then use this token handle to impersonate\r\nthe specified user or, in most cases, to create a process that runs in the context of the specified user.\r\nBOOL LogonUserA(\r\n [in] LPCSTR lpszUsername,\r\n [in, optional] LPCSTR lpszDomain,\r\n [in, optional] LPCSTR lpszPassword,\r\n [in] DWORD dwLogonType,\r\n [in] DWORD dwLogonProvider,\r\n [out] PHANDLE phToken\r\n);\r\n[in] lpszUsername\r\nA pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log\r\non to. If you use the user principal name (UPN) format, User@DNSDomainName, the lpszDomain parameter\r\nmust be NULL.\r\n[in, optional] lpszDomain\r\nA pointer to a null-terminated string that specifies the name of the domain or server whose account database\r\ncontains the lpszUsername account. If this parameter is NULL, the user name must be specified in UPN format. If\r\nthis parameter is \".\", the function validates the account by using only the local account database.\r\n[in, optional] lpszPassword\r\nA pointer to a null-terminated string that specifies the plaintext password for the user account specified by\r\nlpszUsername. When you have finished using the password, clear the password from memory by calling the\r\nSecureZeroMemory function. For more information about protecting passwords, see Handling Passwords.\r\n[in] dwLogonType\r\nThe type of logon operation to perform. This parameter can be one of the following values, defined in Winbase.h.\r\nValue Meaning\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nPage 1 of 5\n\nLOGON32_LOGON_BATCH\r\nThis logon type is intended for batch servers, where\r\nprocesses may be executing on behalf of a user\r\nwithout their direct intervention. This type is also for\r\nhigher performance servers that process many\r\nplaintext authentication attempts at a time, such as\r\nmail or web servers.\r\nLOGON32_LOGON_INTERACTIVE\r\nThis logon type is intended for users who will be\r\ninteractively using the computer, such as a user being\r\nlogged on by a terminal server, remote shell, or\r\nsimilar process. This logon type has the additional\r\nexpense of caching logon information for\r\ndisconnected operations; therefore, it is inappropriate\r\nfor some client/server applications, such as a mail\r\nserver.\r\nLOGON32_LOGON_NETWORK\r\nThis logon type is intended for high performance\r\nservers to authenticate plaintext passwords. The\r\nLogonUser function does not cache credentials for\r\nthis logon type.\r\nLOGON32_LOGON_NETWORK_CLEARTEXT\r\nThis logon type preserves the name and password in\r\nthe authentication package, which allows the server\r\nto make connections to other network servers while\r\nimpersonating the client. A server can accept\r\nplaintext credentials from a client, call LogonUser,\r\nverify that the user can access the system across the\r\nnetwork, and still communicate with other servers.\r\nLOGON32_LOGON_NEW_CREDENTIALS\r\nThis logon type allows the caller to clone its current\r\ntoken and specify new credentials for outbound\r\nconnections. The new logon session has the same\r\nlocal identifier but uses different credentials for other\r\nnetwork connections.\r\nThis logon type is supported only by the\r\nLOGON32_PROVIDER_WINNT50 logon provider.\r\nNote: As of January 2023, it is not possible to use the\r\nLOGON32_LOGON_NEW_CREDENTIALS logon\r\ntype with a Group Managed Service Account\r\n(gMSA).\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nPage 2 of 5\n\nLOGON32_LOGON_SERVICE\r\nIndicates a service-type logon. The account provided\r\nmust have the service privilege enabled.\r\nLOGON32_LOGON_UNLOCK\r\nGINAs are no longer supported.\r\nWindows Server 2003 and Windows XP:  This\r\nlogon type is for GINA DLLs that log on users who\r\nwill be interactively using the computer. This logon\r\ntype can generate a unique audit record that shows\r\nwhen the workstation was unlocked.\r\n[in] dwLogonProvider\r\nSpecifies the logon provider. This parameter can be one of the following values.\r\nValue Meaning\r\nLOGON32_PROVIDER_DEFAULT\r\nUse the standard logon provider for the system. The default\r\nsecurity provider is negotiate, unless you pass NULL for the\r\ndomain name and the user name is not in UPN format. In this case,\r\nthe default provider is NTLM.\r\nLOGON32_PROVIDER_WINNT50 Use the negotiate logon provider.\r\nLOGON32_PROVIDER_WINNT40 Use the NTLM logon provider.\r\n[out] phToken\r\nA pointer to a handle variable that receives a handle to a token that represents the specified user.\r\nYou can use the returned handle in calls to the ImpersonateLoggedOnUser function.\r\nIn most cases, the returned handle is a primary token that you can use in calls to the CreateProcessAsUser\r\nfunction. However, if you specify the LOGON32_LOGON_NETWORK flag, LogonUser returns an\r\nimpersonation token that you cannot use in CreateProcessAsUser unless you call DuplicateTokenEx to convert it\r\nto a primary token.\r\nWhen you no longer need this handle, close it by calling the CloseHandle function.\r\nIf the function succeeds, the function returns nonzero.\r\nIf the function fails, it returns zero. To get extended error information, call GetLastError.\r\nThe LOGON32_LOGON_NETWORK logon type is fastest, but it has the following limitations:\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nPage 3 of 5\n\nThe function returns an impersonation token, not a primary token. You cannot use this token directly in the\r\nCreateProcessAsUser function. However, you can call the DuplicateTokenEx function to convert the token\r\nto a primary token, and then use it in CreateProcessAsUser.\r\nIf you convert the token to a primary token and use it in CreateProcessAsUser to start a process, the new\r\nprocess cannot access other network resources, such as remote servers or printers, through the redirector.\r\nAn exception is that if the network resource is not access controlled, then the new process will be able to\r\naccess it.\r\nThe SE_TCB_NAME privilege is not required for this function unless you are logging onto a Passport account.\r\nThe account specified by lpszUsername, must have the necessary account rights. For example, to log on a user\r\nwith the LOGON32_LOGON_INTERACTIVE flag, the user (or a group to which the user belongs) must have the\r\nSE_INTERACTIVE_LOGON_NAME account right. For a list of the account rights that affect the various logon\r\noperations, see Account Rights Constants.\r\nA user is considered logged on if at least one token exists. If you call CreateProcessAsUser and then close the\r\ntoken, the system considers the user as still logged on until the process (and all child processes) have ended.\r\nIf the LogonUser call is successful, the system notifies network providers that the logon occurred by calling the\r\nprovider's NPLogonNotify entry-point function.\r\nYou can generate a LocalService token by using the following code.\r\nLogonUser(L\"LocalService\", L\"NT AUTHORITY\", NULL, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, \u0026hToken)\r\nNote\r\nThe winbase.h header defines LogonUser as an alias that automatically selects the ANSI or Unicode version of\r\nthis function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime\r\nerrors. For more information, see Conventions for Function Prototypes.\r\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps only]\r\nMinimum supported server Windows Server 2003 [desktop apps only]\r\nTarget Platform Windows\r\nHeader winbase.h (include Windows.h)\r\nLibrary Advapi32.lib\r\nDLL Advapi32.dll\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nPage 4 of 5\n\nClient/Server Access Control\r\nClient/Server Access Control Functions\r\nCloseHandle\r\nCreateProcessAsUser\r\nDuplicateTokenEx\r\nImpersonateLoggedOnUser\r\nSource: https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx"
	],
	"report_names": [
		"aa378184(v=vs.85).aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775441481,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d7c830d0a07c735ec7d3723997fa1c1071fdc1e.pdf",
		"text": "https://archive.orkl.eu/8d7c830d0a07c735ec7d3723997fa1c1071fdc1e.txt",
		"img": "https://archive.orkl.eu/8d7c830d0a07c735ec7d3723997fa1c1071fdc1e.jpg"
	}
}