OpenProcessToken fails after ImpersonateLoggedOnUser

I have a service that is impersonating a user. The service is running as Local System. The user is a local administrator and domain administrator. After impersonation, it's necessary for me to adjust the token privileges of the process. I hoped to do it using OpenProcessToken and then AdjustTokenPrivileges on the returned token handle.

After calling LogonUser and ImpersonateLoggedOnUser the followin开发者_如何学JAVAg call is failing with access denied.

HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
      Log("Error=%d", GetLastError());
}

I'm logging on the user using LOGON32_LOGON_INTERACTIVE and LOGON32_PROVIDER_DEFAULT.

Adjusting the same privilege on the user token succeeds.

This is a two-part answer, depending on what you are trying to do:

1) If you want to adjust the privileges for the impersonation token, you need to use the OpenThreadToken function, not OpenProcessToken. Impersonation affects the thread, not the process as a whole. Try this:

OpenThreadToken(GetCurrentThread(), TOKEN_READ | TOKEN_ADJUST_PRIVILEGES, TRUE, &hToken)

2) If you really did want to adjust the privileges for the process token, you should probably do this at a point when you are not impersonating the client. You can turn impersonation on and off as necessary.