Newsgroups : Borland : borland.public.delphi.nativeapi.win32 : 2005 May : CreateProcessWithLogonW Problem
| Subject: | CreateProcessWithLogonW Problem |
| Posted by: | "Eric Hill" (er..@ijack.net) |
| Date: | Tue, 17 May 2005 11:12:11 |
I've been using CreateProcessWithLogonW for a while now, and until today, it was working fine. We
rolled out XP SP2 in-house this weekend and, lo and behold, SP2 changed how CreateProcessWithLogonW
works....
Per MSDN:
"Windows XP SP2 and Windows Server 2003: You cannot call CreateProcessWithLogonW from a process
that is running under the LocalSystem account, because the function uses the logon SID in the caller
token, and the token for the LocalSystem account does not contain this SID. As an alternative, use
the CreateProcessAsUser and LogonUser functions."
I've got a service that installs on all of our machines as a LocalSystem service. We use the
CreatePWLW API call to kick off software installations as the network administrator so they have
full rights to the network.
I've tried changing the routine to use CreateProcessAsUser and LogonUser, but am running into one
problem after another.
1) Just calling LogonUser (LOGON32_LOGON_INTERACTIVE) gives me a token that I duplicate with
DuplicateTokenEx (MAXIMUM_ALLOWED). When I finally call CreateProcessAsUser with the duplicated
token, I get the following error: "System Error. Code: 1314. A required privilege is not held by the
client."
2) Based on this error message, I need to adjust /my/ privileges (i.e. the "user") before calling
CreateProcessAsUser. Ummm kay. I've tried to assign myself SE_INCREASE_QUOTA_NAME,
SE_ASSIGNPRIMARYTOKEN_NAME, and SE_TCB_NAME rights, but every time I call AdjustTokenPrivileges, I
get the stock "Access Denied" nondescript error message.
3) I've also tried assigning the 3 privileges to the DUPLICATED token, with no luck.
Is this really as hard as it seems? Any examples of a WORKING LogonUser/CreateProcessAsUser call in
ANY language that you're aware of???
Eric
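
A sketch of the LogonUser/CreateProcessAsUser sequence the post asks about, added here as an example; it is not code from the original post or from Borland. The unit name and the `EnablePrivilege` and `RunAsUser` routines are hypothetical, and the code assumes the declarations in Delphi's `Windows` unit and a calling service whose token already contains both privileges.

```delphi
unit RunAsExample; // hypothetical unit name
interface
function RunAsUser(const User, Domain, Password, CmdLine: string): Cardinal;
implementation
uses Windows, SysUtils;

// Enable a privilege the process token already holds; AdjustTokenPrivileges cannot add one.
procedure EnablePrivilege(const PrivName: string);
var
  Token: THandle; NewState, Prev: TTokenPrivileges; RetLen: DWORD;
begin
  // The token handle must be opened with TOKEN_ADJUST_PRIVILEGES for the adjust call to work.
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, Token) then
    RaiseLastOSError;
  try
    NewState.PrivilegeCount := 1;
    NewState.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    if not LookupPrivilegeValue(nil, PChar(PrivName), NewState.Privileges[0].Luid) then
      RaiseLastOSError;
    if not AdjustTokenPrivileges(Token, False, NewState, SizeOf(Prev), Prev, RetLen) then
      RaiseLastOSError;
    // The call also returns True when nothing was enabled; the last error tells the cases apart.
    if GetLastError = ERROR_NOT_ALL_ASSIGNED then
      raise Exception.Create(PrivName + ' is not present in the process token');
  finally
    CloseHandle(Token);
  end;
end;

// Log the account on and start CmdLine under its token; returns the new process id.
function RunAsUser(const User, Domain, Password, CmdLine: string): Cardinal;
var
  Token: THandle; SI: TStartupInfo; PI: TProcessInformation; Cmd: string;
begin
  EnablePrivilege('SeAssignPrimaryTokenPrivilege');
  EnablePrivilege('SeIncreaseQuotaPrivilege');
  // An interactive logon yields a primary token, usable directly by CreateProcessAsUser.
  if not LogonUser(PChar(User), PChar(Domain), PChar(Password),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, Token) then RaiseLastOSError;
  try
    Cmd := CmdLine; UniqueString(Cmd); // private, writable buffer for the command line
    FillChar(SI, SizeOf(SI), 0); SI.cb := SizeOf(SI);
    if not CreateProcessAsUser(Token, nil, PChar(Cmd), nil, nil, False, 0, nil, nil, SI, PI) then
      RaiseLastOSError;
    Result := PI.dwProcessId;
    CloseHandle(PI.hThread); CloseHandle(PI.hProcess);
  finally
    CloseHandle(Token);
  end;
end;
end.
```

With `nil` passed for the environment block, the child inherits the calling service's environment, and the logged-on account's profile is not loaded. The password remains in the service's memory for as long as the string is alive, so the caller should hold it no longer than the call requires.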