Processes in the Client Security Context
A server application can call the CreateProcessAsUser function to create a new process that runs in a client's security context. When called with a client's access token, CreateProcessAsUser requires the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges, which are held by Windows services running in the LocalSystem Account.
The CreateProcessAsUser function also requires a primary access token. A server can get a primary access token for a client either by starting a logon session for the client or by impersonating the client and duplicating the impersonation token.
The following procedures describe two ways to create a client process.
To create a client process by logging on to the client
- Log the client on to the local computer using the client's credentials in a call to LogonUser. LogonUser produces a primary token for the client's logon session.
- If the server needs to use the client's security context, get access to the executable file for the client process by using the primary token in a call to the ImpersonateLoggedOnUser function.
- Create a process in the client's security context by using the primary token in a call to CreateProcessAsUser.
A process created by using the following technique may not be able to access network resources unless it has the client's credentials.
To create a client process by impersonating the client
- Start the impersonation by using an impersonation function, such as ImpersonateNamedPipeClient.
- Call the OpenThreadToken function to get an impersonation token that has the security context of the client.
- Call the DuplicateTokenEx function to convert the impersonation token into a primary token.
- Use the primary token in a call to the CreateProcessAsUser function to create a process in the client's security context.
By default, CreateProcessAsUser creates the client process on a noninteractive window station and desktop. To create an interactive process, the server must first set the discretionary access control lists (DACLs) of the interactive window station and desktop to ensure that the client is allowed access to them. The preferred way to do this is to log the client on, get the security identifier (SID) of the client's logon session, and then use that SID in access-allowed ACEs on both the interactive window station and desktop. The server can then call CreateProcessAsUser, specifying the interactive window station and desktop winsta0\default. For an example that shows this procedure, see Starting an Interactive Client Process in C++.