I have a forever-running process running in a system session. There is a need where I impersonate a thread (let's call it t1) to the current standard user session to access certain files in the mapped drive, and also other file operations, etc.

From the impersonated thread, another thread is invoked (let's call it t2). t2 uses CreateProcess() to create a process with default values. The created process from t2 runs in the system session.

I don't want to know how to run the child process in the user session. Rather I am trying to understand why the child process runs in the system session even though the invoker thread is in user session.

Does CreateProcess() take the token of the parent process rather than the thread?

CodePudding user response：

Per the CreateProcess documentation:

Creates a new process and its primary thread. The new process runs in the security context of the calling process.

If the calling process is impersonating another user, the new process uses the token for the calling process, not the impersonation token. To run the new process in the security context of the user represented by the impersonation token, use the CreateProcessAsUser  or CreateProcessWithLogonW function.

As for your claim that t2 is running in the user session because t1 is impersonating the user when creating t2, that is false, according to Creating new threads from an impersonated thread...:

Prior to Windows XP SP2 and Windows Server 2003, the new thread would be assigned the DACL from the impersonation token of the creator if the calling thread is impersonating or from the primary token if it is not. Starting with Windows XP SP2 and Windows Server 2003 the behavior is always the same: the new thread is assigned the DACL from the primary token regardless of the impersonation state of the caller.

Which means t2 is actually running in the system session, not the user session. t2 will need to do its own impersonation of the user as needed.