Understanding the Differences Between CreateProcessAsUser and CreateProcessWithTokenW in Windows

Author

Pavel Yosifovich
Pavel Yosifovich has 25+ years as Software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming”, “Windows 10 System Programming, as well as System and kernel programming courses and “Windows Internals” series.

Note: This blog post is designed to complement the accompanying video embedded at the top of the page. The video provides an in-depth, visual demonstration of the concepts and code discussed here, making it an invaluable resource for learners.

In this video, we dive into two powerful Windows API functions—CreateProcessAsUser and CreateProcessWithTokenW—that allow you to start a new process under a different user context. You’ll learn when to use each function, what privileges and services they depend on, and how to overcome common pitfalls. The video demonstration includes live coding examples, troubleshooting steps, and insights into managing tokens, sessions, and user profiles.

Windows master developer badge 1

$1,478

$1182 or $120 X 10 payments

Windows Master Developer

Takes you from a “generic” C programmer to a master Windows programmer in user mode and kernel mode.

Become Windows Master Developer

Video Sections:

  1. Introduction to Process Creation APIs
    • Overview of CreateProcess and running processes under the same user
    • Motivation for running processes as a different user
    • Introduction to CreateProcessAsUser and CreateProcessWithTokenW
  2. Key Differences Between the Functions
    • CreateProcessAsUser: Requires the AssignPrimaryToken privilege
    • CreateProcessWithTokenW: Relies on the Secondary Logon (seclogon) service
    • The trade-offs: Independence from services vs. higher privilege requirements
  3. Demonstration: Using CreateProcessAsUser
    • Setting up a sample project and calling CreateProcessAsUser
    • Handling the logon token with LogonUser
    • Enabling the AssignPrimaryToken privilege
    • Common failure scenarios and error messages (e.g., “privilege not held”)
    • Partial success and the complexities of fully supporting this method
  4. Demonstration: Using CreateProcessWithTokenW
    • Simplifying the process with CreateProcessWithLogonW (a helper that combines LogonUser and CreateProcessWithTokenW)
    • Easily starting processes under another account without needing a special privilege
    • How the seclogon service makes it all work behind the scenes
  5. Troubleshooting and Edge Cases
    • Issues when the seclogon service is disabled
    • Situations where CreateProcessAsUser is ideal (e.g., running from services)
    • Ensuring user profiles and environments load properly
    • Additional code and steps needed for fully stable process creation
  6. Best Practices and Final Thoughts
    • Choosing between CreateProcessAsUser and CreateProcessWithTokenW based on your environment and requirements
    • Understanding privileges and dependencies before deploying code
    • Summary of pros and cons for both approaches

Liked the content?

Subscribe to the free TrainSec knowledge library, and get insider access to new content, discounts and additional materials.

For more insights into Windows internals and advanced programming concepts, keep exploring TrainSec’s Knowledge Library. Stay tuned for more deep dives into topics that empower your technical growth!

blue depth

About the author

Pavel Yosifovich
Pavel Yosifovich has 25+ years as Software developer, trainer, consultant, author, and speaker. Co-author of “Windows Internals”. Author of “Windows Kernel Programming”, “Windows 10 System Programming, as well as System and kernel programming courses and “Windows Internals” series.
All courses and publications