
system 用户创建的进程创建当前用户(如Administrator)的进程。

//获取当前进程的灵牌
HANDLE hTokenDup = NULL;
HANDLE hThisProcess = GetCurrentProcess();

DWORD dwSessionId = 0;
dwSessionId = ::WTSGetActiveConsoleSessionId();
if(dwSessionId == 0xFFFFFFFF)
{
DWORD f_dwErr = GetLastError();
CString str;
str.Format( _T("%s, %d, GefSvr::CreateUsrProcess WTSGetActiveConsoleSessionId Error, Error is 0x%08x"), __FILE__, __LINE__, f_dwErr );
AfxMessageBox(str);
return FALSE;
}
if(!WTSQueryUserToken(dwSessionId,&hTokenDup))
{
DWORD f_dwErr = GetLastError();
CString str;
str.Format( _T("%s, %d, GefSvr::CreateUsrProcess WTSQueryUserToken Error, Error is 0x%08x"), __FILE__, __LINE__, f_dwErr );
AfxMessageBox(str);
return FALSE;
}
STARTUPINFO si = {'\0'};
PROCESS_INFORMATION pi = {'\0'};
si.cb = sizeof(si);
si.lpDesktop = _T("WinSta0\\Default");

DWORD dwCreationFlag = NORMAL_PRIORITY_CLASS/* | CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT*/;
//LPVOID pEnv = NULL;
//CreateEnvironmentBlock( &pEnv, hTokenDup, FALSE );

//TCHAR szCmd[MAX_PATH * 2] = {'\0'};
//_tcscpy_s( szCmd, _countof(szCmd), lpCmd );

//SvrDebug( _T("%s, %d, GefSvr::CreateProcessAsUser %s"),
//	__FILE__, __LINE__, szCmd );

TCHAR szCurDir[MAX_PATH*2] = {0};
GetModuleFileName(NULL,szCurDir,_countof(szCurDir));
PathRemoveFileSpec(szCurDir);

SetCurrentDirectory(lpWorkDir);
if (!CreateProcessAsUser( hTokenDup,_T("iexplore.exe"),lpCmd,NULL, NULL, FALSE,
dwCreationFlag, NULL,lpWorkDir, &si, &pi ))
{
DWORD f_dwErr = GetLastError();
CString str;
str.Format( _T("%s, %d, GefSvr::CreateProcessAsUser %s Faile, Err is 0x%08x"),
__FILE__, __LINE__, lpCmd, f_dwErr );
AfxMessageBox(str);
CloseHandle( hTokenDup );
SetLastError( f_dwErr );
}

CloseHandle( pi.hThread );
CloseHandle( pi.hProcess );
CloseHandle( hTokenDup );
SetCurrentDirectory(szCurDir);