Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything, not even spelling. Read and digest at your own peril!

A program can start a process as another user, if it holds SeAssignPrimaryTokenPrivilege.

Look at this code, which is somewhat similar to the code used in Impersonate Privilege. It acquires a token from another process in the same logon session, makes it assignable, does not convert it into an impersonation (thread) token and uses it to create a process as that user.

// get a new user from a process
HANDLE hProcess = NULL;
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, pid);
if (NULL == hProcess) { ok = FALSE; }
Error(L"OpenProcess");
if (NULL == hProcess) { return 1; } // if the process didn't exist, leave
pid = GetProcessId(hProcess);
wprintf(L"Opened process is indeed pid [%d].\n", pid);
HANDLE hPrimToken = NULL;
ok = OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hPrimToken);
Error(L"OpenProcessToken");
CloseHandle(hProcess);

// start process as new user
LPWSTR pathImage = L"C:\\Windows\\System32\\whoami.exe";
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
EnablePrivilege(L"SeAssignPrimaryTokenPrivilege");
ok = CreateProcessAsUser(hPrimToken, pathImage, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
Error(L"CreateProcessAsUser");

// finish up
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);

Running this targeting user legrand’s winver process (started using runas.exe for it to share the logon session) without the Assign Primary Token privilege does not result in much:

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\> Get-Process winver

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    178      13     2308      16044       0.06   1248   1 winver


PS C:\> .\AssignPrimaryToken.exe 1248
OpenProcess     OK: [1] STATUS: [0], Error: [0]
Opened process is indeed pid [1248].
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
LookupPrivilegeValue    OK: [1] STATUS: [0], Error: [0]
AdjustTokenPrivileges   OK: [1] STATUS: [0], Error: [0]
CreateProcessAsUser     OK: [0] STATUS: [0], Error: [1314]
PS C:\> certutil /error 1314
0x522 (WIN32: 1314 ERROR_PRIVILEGE_NOT_HELD) -- 1314 (1314)
Error message text: A required privilege is not held by the client.
CertUtil: -error command completed successfully.
PS C:\>

Note that “a required privilege is not held by the client”. The client is user benoit’s process. User benoit does not hold Assign Primary Token privilege. (And as well he shouldn’t.)

After granting user benoit the SeAssignPrimaryTokenPrivilege, it looks differently and whoami.exe is started (in the same console too):

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\>  .\AssignPrimaryToken.exe 1248
OpenProcess     OK: [1] STATUS: [0], Error: [0]
Opened process is indeed pid [1248].
OpenProcessToken        OK: [1] STATUS: [0], Error: [0]
LookupPrivilegeValue    OK: [1] STATUS: [0], Error: [0]
AdjustTokenPrivileges   OK: [1] STATUS: [0], Error: [0]
CreateProcessAsUser     OK: [1] STATUS: [0], Error: [0]
champignac\legrand
PS C:\>

whoami.exe is being executed as user legrand.

(Note that it usually not a good idea to start a detached console-based program without creating a new console. It is possible but leads ultimately to weird results as both programs use the same terminal at the same time. For whoami.exe it works as all it does is write some output.)

SeAssignPrimaryToken is by default held by the SYSTEM account as well as LocalService and NetworkService.

PS C:\Program Files\ABTokenTools> .\AccountRights.exe LocalService
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
SeSystemtimePrivilege
SeTimeZonePrivilege
8
PS C:\Program Files\ABTokenTools> .\AccountRights.exe NetworkService
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
SeServiceLogonRight
7
PS C:\Program Files\ABTokenTools>

What is it good for?

The ability to start processes as another user without knowing the user’s credentials (i.e. leaving the logon to Windows) is probably useful for task schedulers.

Note: SeAssignPrimaryTokenPrivilege is a system privilege and hence will likely be removed from a user’s token when UAC is enabled.

Next: Files and Directories