Zitat von
Remko:
I don't mean adding Joe the Administrators group rather the process you started with LsaLogonUser runs with admin permissions!
I know! The newly created process has admin permission. That is not good. Debug privs is only neccessary.
Zitat:
I thought that (zw)NTCreateToken was no longer possible in Vista
Dont know
Zitat:
Please look at my sample again, the way I understand your question it's does precisely what you want! Make it a service so you don't have to give a user SeTcbPrivilege...
It does not work as I want, because I need to add the debug privilege to the users token. The only way I know is to use CreateToken. I already tested it. It works, but it is complicated and dangerous.