If is a restricted version of the caller's primary token, the SE_ASSIGNPRIMARYTOKEN_NAME privilege is not required.
If the necessary privileges are not already enabled, CreateProcessAsUser enables them for the duration of the call.
If the file name does not contain a directory path, the system searches for the executable file in the following sequence: parameter.
This security descriptor may not allow access for the caller, in which case the process may not be opened again after it is run.
Alternatively, you can call the DuplicateTokenEx function to convert an impersonation token into a primary token.
Therefore, this parameter cannot be a pointer to read-only memory (such as a const variable or a literal string).
The user represented by the token must have read and execute access to the application specified by the parameter.
To get a primary token that represents the specified user, call the LogonUser function.
Generally, it is best to use CreateProcessWithLogonW to create a process with alternate credentials.
BOOL WINAPI CreateProcessAsUser(
  _In_opt_    HANDLE                hToken,
  _In_opt_    LPCTSTR               lpApplicationName,
  _Inout_opt_ LPTSTR                lpCommandLine,
  _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
  _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
  _In_        BOOL                  bInheritHandles,
  _In_        DWORD                 dwCreationFlags,
  _In_opt_    LPVOID                lpEnvironment,
  _In_opt_    LPCTSTR               lpCurrentDirectory,
  _In_        LPSTARTUPINFO         lpStartupInfo,
  _Out_       LPPROCESS_INFORMATION lpProcessInformation
);
A handle to the primary token that represents a user.