CreateProcessAsUser - Error 5

Question

I am trying to use CreateProcessAsUser method. But I am getting Error code - 5

This is what I do .

1. LoadUserProfile
2. DuplicateToken
3. Imperso

Answer 1

Since you are also specifying the lpDesktop parameter in the StartupInfo, per the documentation for CreateProcessAsUser:

...you must change the discretionary access control list (DACL) of both the default interactive window station and the default desktop. The DACLs for the window station and desktop must grant access to the user or the logon session represented by the hToken parameter.

My guess is that this is the cause of the Access Denied error.

However, also per the documentation for CreateProcessAsUser, the token passed must be a primary token. You are however creating the token using DuplicateToken which only creates impersonation tokens.

So you will need to create a primary token using DuplicateTokenEx, passing TokenPrimary (= 1) as the 5th parameter, and use this token in your CreateProcessAsUser call if this is to work even after setting the permissions on the Desktop and WindowStation.