From: Larry (lsmith999999_at_nospam.nospam)
Date: Tue, 26 Jul 2005 09:45:03 -0700
> Please note the following lines from the CreateProcessAsUser remarks section:
> Typically, the process that calls the CreateProcessAsUser function must have the SE_ASSIGNPRIMARYTOKEN_NAME and
> SE_INCREASE_QUOTA_NAME privileges. However, if hToken is a restricted version of the caller's primary token, the
> SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required.
> You may note the line starting with "however", and in my post, step 3, I suggest calling the DuplicateTokenEx function,
> which converts the token to a primary token. That is why you don't need the SE_ASSIGNPRIMARYTOKEN_NAME privilege to
> call CreateProcessAsUser.
That's exactly what I've been doing all along but it only works under XP
Professional. "CreateProcessAsUser()" fails with error 1314 under both
Win2000 Pro and Win2003 Server ("a required privilege is not held by the
client"). It should fail under WinXP also presumably but it doesn't (why?). I
don't see how calling "DuplicateTokenEx()" will help anyway. Does that
actually create a restricted token (assuming that's what the
"CreateProcessAsUser()" docs mean when they refer to a "restricted
version")? Even calling "CreateRestrictedToken()" doesn't help (I tried but
error 1314 persists). As soon as I add the SE_ASSIGNPRIMARYTOKEN_NAME
privilege, however, it then succeeds as expected.