CreateProcessAsUser error 1314

Question

I want create a process under another user. So I use LogonUser and CreateProcessAsUser. But my problem is, that CreatePtocessAsUser always returns the errorcode 1314, which

Answer 1

The local account that is running your app must have these privileges enabled in the Local Security Policy:

• Act as part of the operating system
• Create a token object
• Log on as a batch job

Edit: Please see Patel's answer below. The correct privilege in this case should be:

• "Replace a process level token"

Answer 2

I checked the links, and it worked good. Check this

void main()
{

DWORD dwSessionId;
HANDLE hToken = NULL;

TOKEN_PRIVILEGES tp;
PROCESS_INFORMATION pi;
STARTUPINFOW si;

// Initialize structures.
ZeroMemory(&tp, sizeof(tp));
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);


LPTSTR lpszUsername = "user\0";
LPTSTR lpszDomain = ".";//"bgt\0";
LPTSTR lpszPassword = "password\0";

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY
| TOKEN_ADJUST_PRIVILEGES , &hToken)) {

MyError();
}



// Look up the LUID for the TCB Name privilege.
if (!LookupPrivilegeValue(NULL,SE_TCB_NAME, //SE_SHUTDOWN_NAME ,
//SE_TCB_NAME,
&tp.Privileges[0].Luid)) {
MyError();
}


tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes =
SE_PRIVILEGE_ENABLED;//SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, 0)) {

MyError();
}


if(LogonUser(lpszUsername,lpszDomain,lpszPassword,
LOGON32_LOGON_INTERACTIVE,LOGON32_PROVIDER_DEFAULT,&hToken) == 0)
{
MyError();
}
else
{
STARTUPINFO sInfo;
PROCESS_INFORMATION ProcessInfo;
memset(&sInfo,0,sizeof(STARTUPINFO));
sInfo.cb = sizeof(STARTUPINFO);
sInfo.dwX = CW_USEDEFAULT;
sInfo.dwY = CW_USEDEFAULT;
sInfo.dwXSize = CW_USEDEFAULT;
sInfo.dwYSize = CW_USEDEFAULT;


bool bRet = CreateProcessAsUser(hToken,
"c:\\windows\\system32\\notepad.exe",
NULL,
NULL,
NULL,
TRUE,
CREATE_NEW_CONSOLE,
NULL,
NULL,
&sInfo,
&ProcessInfo);

if(bRet == 0)
MyError();
}

Answer 3

Your code adds the SE_TCB_NAME privilege to your token.

MSDN says "Typically, the process that calls the CreateProcessAsUser function must have the SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME privileges."

Answer 4

After looking for answer for hours, I finally found it in following link from MSDN. Hope it may help someone in future.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/c905c900-cae1-4081-b0c9-00f10238e7ad/createprocessasuser-failed?forum=clr

"To resolve this problem, you'll need to elevate the rights of the account calling CreateProcessAsUser with the "Replace a process level token" right. To do so, open the Control Panel / Administrative Tools / Local Security Policy and add the user account to the "Replace a process level token" right. (You may have to logout or even reboot to have this change take effect.)"