A server application can call the CreateProcessAsUser function to create a new process that runs in a client's security context. When called with a client's access token, CreateProcessAsUser requires the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges, which are held by Win32 services running in the LocalSystem account.
CreateProcessAsUser also requires a primary access token. A server can get a primary access token for a client either by starting a logon session for the client, or by impersonating the client and duplicating the impersonation token.
Note that a process created by this technique may not be able to access network resources unless it has the client's credentials.
By default CreateProcessAsUser creates the client process on a noninteractive window station and desktop. To create an interactive process, the server must first set the discretionary access-control lists (DACLs) of the interactive window station and desktop to ensure that the client is allowed access to them. The preferred way to do this is to log the client on, get the security identifier (SID) of the client's logon session, and use that SID in access-allowed ACEs on both the interactive window station and desktop. The server can then call CreateProcessAsUser, specifying the interactive window station and desktop, "winsta0\default". For sample code that shows this procedure, see Starting an Interactive Client Process.