From: Jeff McKay on
Would it be true that CreateProcessWithLogonW() is exactly the same as doing
LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser()?

I am trying to use CreateProcessWithLogonW() to start an application that runs under a service account for Microsoft Exchange. The process does get started but does not have the rights that it needs.

So I'm wondering if the 3 calls starting with LogonUser() is a better idea. I have not been able to test this, since CreateProcessAsUser() fails with error 1314. The MSDN documentation says if this happens, use CreateProcessWithLogonW() instead. If I want to use CreateProcessAsUser(), how would I go about assigning the privileges needed to my first process? It is just an .exe file that I am starting from the command line.

From: Remy Lebeau on

"Jeff McKay" <jeff.mckay(a)comaxis.com> wrote in message news:vuSdnSc78bwY84nWnZ2dnUVZ_sSdnZ2d(a)supernews.com...

> Would it be true that CreateProcessWithLogonW() is exactly the same as
> doing LogonUser(), ImpersonateLoggedOnUser(), CreateProcessAsUser()?

Not exactly, no. CreateProcessWithLogonW() does not have the calling thread impersonate the user account.

> I have not been able to test this, since CreateProcessAsUser() fails with
> error 1314.

That means your calling thread does not hold a privilege that CreateProcessAsUser() itself requires, typically either SE_INCREASE_QUOTA_NAME or SE_ASSIGNPRIMARYTOKEN_NAME. Look at AdjustTokenPrivileges().

--
Remy Lebeau (TeamB)

From: Jeff McKay on
Well I just tried AdjustTokenPrivileges() adding both of your suggested privileges. The call worked, but CreateProcessAsUser() still fails with error 1314. Is there a way to figure out what privileges are required? Below is my code, in case you can see something obviously wrong:

Privs.PrivilegeCount = 2;
Privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bret = LookupPrivilegeValue(NULL, SE_INCREASE_QUOTA_NAME,
                            &Privs.Privileges[0].Luid);
if (!bret) return(0);

Privs.Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
bret = LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME,
                            &Privs.Privileges[1].Luid);
if (!bret) return(0);

bret = AdjustTokenPrivileges(hToken, FALSE, &Privs, 0, NULL, NULL);
if (!bret) return(0);

// we get here, so all setup calls worked OK
bret = CreateProcessAsUser(hToken, procname, cmdline, NULL, NULL,
                           FALSE, NORMAL_PRIORITY_CLASS,
                           NULL, NULL, &si, &pi);


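A check the posted snippet does not make, shown as an added example that is not part of the thread: AdjustTokenPrivileges() returns success even when a requested privilege is not present in the token, so the outcome has to be read from GetLastError(). The helper names classify_adjust and enable_privilege are hypothetical, and the example assumes the token to adjust is the calling process's own, since the reply above says it is the caller that must hold the privilege.

```c
/* Added example (not from the thread). Builds on Windows; elsewhere only
   the result-classification logic compiles, using stand-in definitions. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
typedef int BOOL;
typedef unsigned long DWORD;
#define ERROR_NOT_ALL_ASSIGNED 1300L
#endif

typedef enum { PRIV_ENABLED, PRIV_NOT_HELD, PRIV_CALL_FAILED } PrivResult;

/* AdjustTokenPrivileges() returns nonzero even if it enabled nothing;
   GetLastError() == ERROR_NOT_ALL_ASSIGNED is the only sign of that. */
PrivResult classify_adjust(BOOL ok, DWORD lastError)
{
    if (!ok) return PRIV_CALL_FAILED;
    return lastError == ERROR_NOT_ALL_ASSIGNED ? PRIV_NOT_HELD : PRIV_ENABLED;
}

#ifdef _WIN32
/* Enable one privilege on the calling process's own token. */
PrivResult enable_privilege(LPCTSTR name)
{
    HANDLE hSelf = NULL;
    TOKEN_PRIVILEGES tp;
    PrivResult r = PRIV_CALL_FAILED;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hSelf))
        return r;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValue(NULL, name, &tp.Privileges[0].Luid)) {
        BOOL ok = AdjustTokenPrivileges(hSelf, FALSE, &tp, 0, NULL, NULL);
        r = classify_adjust(ok, GetLastError());
    }
    CloseHandle(hSelf);
    return r;
}

int main(void)
{
    static const char *text[] = { "enabled", "not held by this account", "call failed" };
    printf("SE_INCREASE_QUOTA_NAME: %s\n", text[enable_privilege(SE_INCREASE_QUOTA_NAME)]);
    printf("SE_ASSIGNPRIMARYTOKEN_NAME: %s\n", text[enable_privilege(SE_ASSIGNPRIMARYTOKEN_NAME)]);
    return 0;
}
#endif
```

A "not held" result means the account running the .exe was never granted that privilege; AdjustTokenPrivileges() only enables or disables privileges already in the token and cannot add new ones.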