Understanding the Differences Between CreateProcessAsUser and CreateProcessWithTokenW in Windows

Note: This blog post is designed to complement the accompanying video embedded at the top of the page. The video provides an in-depth, visual demonstration of the concepts and code discussed here, making it an invaluable resource for learners.

In this video, we dive into two powerful Windows API functions—CreateProcessAsUser and CreateProcessWithTokenW—that allow you to start a new process under a different user context. You’ll learn when to use each function, what privileges and services they depend on, and how to overcome common pitfalls. The video demonstration includes live coding examples, troubleshooting steps, and insights into managing tokens, sessions, and user profiles.

$1,478

$1182 or $120 X 10 payments

Windows Master Developer

Takes you from a “generic” C programmer to a master Windows programmer in user mode and kernel mode.

Become Windows Master Developer

Video Sections:

1. Introduction to Process Creation APIs
   • Overview of CreateProcess and running processes under the same user
   • Motivation for running processes as a different user
   • Introduction to CreateProcessAsUser and CreateProcessWithTokenW
2. Key Differences Between the Functions
   • CreateProcessAsUser: Requires the AssignPrimaryToken privilege
   • CreateProcessWithTokenW: Relies on the Secondary Logon (seclogon) service
   • The trade-offs: Independence from services vs. higher privilege requirements
3. Demonstration: Using CreateProcessAsUser
   • Setting up a sample project and calling CreateProcessAsUser
   • Handling the logon token with LogonUser
   • Enabling the AssignPrimaryToken privilege
   • Common failure scenarios and error messages (e.g., “privilege not held”)
   • Partial success and the complexities of fully supporting this method
4. Demonstration: Using CreateProcessWithTokenW
   • Simplifying the process with CreateProcessWithLogonW (a helper that combines LogonUser and CreateProcessWithTokenW)
   • Easily starting processes under another account without needing a special privilege
   • How the seclogon service makes it all work behind the scenes
5. Troubleshooting and Edge Cases
   • Issues when the seclogon service is disabled
   • Situations where CreateProcessAsUser is ideal (e.g., running from services)
   • Ensuring user profiles and environments load properly
   • Additional code and steps needed for fully stable process creation
6. Best Practices and Final Thoughts
   • Choosing between CreateProcessAsUser and CreateProcessWithTokenW based on your environment and requirements
   • Understanding privileges and dependencies before deploying code
   • Summary of pros and cons for both approaches

For more insights into Windows internals and advanced programming concepts, keep exploring TrainSec’s Knowledge Library. Stay tuned for more deep dives into topics that empower your technical growth!