On 2 Jul 2004 at 17:42, Magnus Hagander wrote:
> The priv causing the problem is ReplaceProcessLevelToken. And the
> problem is not activating it, the problem is that it's not granted at
> all by default.
> IIRC CreateProcessAsUser is the one being used by 2k/XP with the
> CreateProcessAndLogin() API (I may have misspelled that one, but it's
> something like that)
>
> //Magnus
>
I see.
Privileges and security descriptors in NT+ are a real pain to manipulate in code.
Digging deeper....
I think the call you refer to is CreateProcessWithLogonW(). This is only available with
2000/XP/2003 and not NT. With NT you must use the functions I mentioned earlier and
you need certain privs.
Apparently there is a utility in Windows NT Server 4.0 Resource Kit Supplement 3
(free distribution AFAIK) called ntrights.exe. With this you could call it from
your installer to grant the SeAssignPrimaryTokenPrivilege which corresponds to
the display name "Replace a process level token".
I don't have access to the resource kit at the moment as I am home for the
weekend. If it's not downloadable I should be able to get it on Monday. It's
probably not an ideal solution, but it looks like it should work.
Cheers,
Gary.