Platform SDK: Access Control

Processes in the Client's Security Context

A server application can call the CreateProcessAsUser function to create a new process that runs in a client's security context. When called with a client's access token, CreateProcessAsUser requires the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges, which are held by Win32 services running in the LocalSystem account.

CreateProcessAsUser also requires a primary access token. A server can get a primary access token for a client either by starting a logon session for the client, or by impersonating the client and duplicating the impersonation token.

To create a client process by logging on the client

  1. Use the client's credentials in a call to the LogonUser function to log the client on to the local computer. LogonUser produces a primary token for the client's logon session.
  2. If the server needs to use the client's security context to get access to the executable file for the client process, it can use the primary token in a call to the ImpersonateLoggedOnUser function.
  3. Use the primary token in a call to the CreateProcessAsUser function to create a process in the client's security context.

To create a client process by impersonating the client

Note: A process created by this technique may not be able to access network resources unless it has the client's credentials.

  1. Use an impersonation function, such as ImpersonateNamedPipeClient, to start the impersonation.
  2. Call the OpenThreadToken function to get an impersonation token that has the security context of the client.
  3. Call the DuplicateTokenEx function to convert the impersonation token into a primary token.
  4. Use the primary token in a call to the CreateProcessAsUser function to create a process in the client's security context.
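
The four steps above carried through in one function, as an added example that is not part of the SDK documentation: a named-pipe server impersonates the client, duplicates the impersonation token into a primary token, reverts, and calls CreateProcessAsUser. It assumes the server runs as LocalSystem and already holds a pipe handle the client has written to; the function name CreateProcessForPipeClient is hypothetical, and the code is Windows-only (built elsewhere it only reports failure).

```c
#ifdef _WIN32
#include <windows.h>
/* Create a process in the security context of a named-pipe client.
 * hPipe: server end of a pipe the client has already written to.
 * cmdLine: writable buffer (CreateProcessAsUserW may modify it).
 * Assumes the server runs as LocalSystem, which holds the required
 * SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges.
 * Returns TRUE on success; on failure GetLastError() names the failing step. */
BOOL CreateProcessForPipeClient(HANDLE hPipe, LPWSTR cmdLine)
{
    HANDLE hImp = NULL, hPrimary = NULL;
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    BOOL ok = FALSE;
    DWORD err;
    /* Step 1: take on the client's security context. */
    if (!ImpersonateNamedPipeClient(hPipe))
        return FALSE;
    /* Step 2: open the impersonation token now on this thread. OpenAsSelf=TRUE
     * makes the access check use the server's own token, not the client's. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY, TRUE, &hImp))
        goto done;
    /* Step 3: convert it into a primary token. The client must have allowed
     * SecurityImpersonation or higher; an identification-level token is
     * rejected here with ERROR_BAD_IMPERSONATION_LEVEL. */
    if (!DuplicateTokenEx(hImp, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY,
                          NULL, SecurityImpersonation, TokenPrimary, &hPrimary))
        goto done;
    /* Revert before creating the process so the privilege check is made
     * against the server's LocalSystem token rather than the client's. */
    RevertToSelf();
    /* Step 4: the new process runs as the client, on the default
     * noninteractive window station and desktop. */
    ok = CreateProcessAsUserW(hPrimary, NULL, cmdLine, NULL, NULL, FALSE, 0,
                              NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
done:
    err = GetLastError();          /* keep the failing call's error code */
    if (!ok) RevertToSelf();       /* harmless if already reverted */
    if (hImp) CloseHandle(hImp);
    if (hPrimary) CloseHandle(hPrimary);
    SetLastError(err);
    return ok;
}
#else
#include <stddef.h>
/* Non-Windows build: the Win32 token APIs are unavailable; report failure. */
typedef void *HANDLE; typedef int BOOL; typedef wchar_t *LPWSTR;
BOOL CreateProcessForPipeClient(HANDLE hPipe, LPWSTR cmdLine) { (void)hPipe; (void)cmdLine; return 0; }
#endif
```

Because the primary token comes from an impersonation token rather than a logon, the resulting process carries no network credentials, which is the limitation the note above describes.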

By default CreateProcessAsUser creates the client process on a noninteractive window station and desktop. To create an interactive process, the server must first set the discretionary access-control lists (DACLs) of the interactive window station and desktop to ensure that the client is allowed access to them. The preferred way to do this is to log the client on, get the security identifier (SID) of the client's logon session, and use that SID in access-allowed ACEs on both the interactive window station and desktop. The server can then call CreateProcessAsUser, specifying the interactive window station and desktop, "winsta0\default". For sample code that shows this procedure, see Starting an Interactive Client Process.