If you are writing a Windows service, using LOGON32_LOGON_SERVICE instead of LOGON32_LOGON_INTERACTIVE or LOGON32_LOGON_NEW_CREDENTIALS will result in a privileged token, as long as the user you want to impersonate has 'log on as a service' permissions.
This doesn't provide a general solution (it won't work if you're writing a user-facing application), but is sufficient to solve the specific problem I had.
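The following script is an added example, not code from the answer above: it calls LogonUser for the same account once with LOGON32_LOGON_INTERACTIVE and once with LOGON32_LOGON_SERVICE, then shows what each resulting token contains (whether Administrators is honoured and which privileges are present), so you can see the difference the answer describes. The helper class name LogonProbe and the function Test-LogonToken are names chosen for this demo; the account you supply is assumed to be a local administrator that has been granted the "Log on as a service" right.

```powershell
# Added example, not part of the original answer. Assumes Windows PowerShell on a
# machine where you control a local admin account that holds the "Log on as a
# service" right (secpol.msc > Local Policies > User Rights Assignment).
# LogonProbe is a helper class written for this demo, not a Windows API.
$typeDef = @'
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

public static class LogonProbe
{
    public const int LOGON32_LOGON_INTERACTIVE     = 2;
    public const int LOGON32_LOGON_SERVICE         = 5;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    public const int LOGON32_PROVIDER_DEFAULT      = 0;
    const int  TokenPrivileges     = 3;    // TOKEN_INFORMATION_CLASS value
    const uint SE_PRIVILEGE_ENABLED = 0x2;

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info,
        int infoLen, out int returnLen);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeName(string systemName, ref LUID luid,
        StringBuilder name, ref int nameLen);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // Returns "SeXxxPrivilege (enabled|disabled)" for every privilege in the token.
    // A UAC-filtered token carries only a handful; a full admin token carries many more.
    public static string[] GetPrivileges(IntPtr token)
    {
        int len;
        GetTokenInformation(token, TokenPrivileges, IntPtr.Zero, 0, out len); // size query
        IntPtr buf = Marshal.AllocHGlobal(len);
        try
        {
            if (!GetTokenInformation(token, TokenPrivileges, buf, len, out len))
                throw new Win32Exception();
            // TOKEN_PRIVILEGES: DWORD PrivilegeCount, then LUID_AND_ATTRIBUTES[] (12 bytes each).
            int count = Marshal.ReadInt32(buf);
            var names = new List<string>();
            for (int i = 0; i < count; i++)
            {
                IntPtr entry = IntPtr.Add(buf, 4 + i * 12);
                LUID luid = (LUID)Marshal.PtrToStructure(entry, typeof(LUID));
                uint attrs = (uint)Marshal.ReadInt32(entry, 8);
                var sb = new StringBuilder(256);
                int cch = sb.Capacity;
                if (!LookupPrivilegeName(null, ref luid, sb, ref cch))
                    throw new Win32Exception();
                names.Add(sb.ToString() + ((attrs & SE_PRIVILEGE_ENABLED) != 0 ? " (enabled)" : " (disabled)"));
            }
            return names.ToArray();
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $typeDef

function Test-LogonToken {
    param([string]$User, [string]$Domain, [string]$Password, [int]$LogonType)
    $token = [IntPtr]::Zero
    $ok = [LogonProbe]::LogonUser($User, $Domain, $Password, $LogonType,
                                  [LogonProbe]::LOGON32_PROVIDER_DEFAULT, [ref]$token)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # Error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED) means the account lacks the right for this logon type,
        # e.g. a LOGON32_LOGON_SERVICE attempt for an account without "Log on as a service".
        throw "LogonUser(type=$LogonType) failed: $(New-Object ComponentModel.Win32Exception($err))"
    }
    try {
        $id = New-Object Security.Principal.WindowsIdentity($token)
        $principal = New-Object Security.Principal.WindowsPrincipal($id)
        [pscustomobject]@{
            LogonType  = $LogonType
            User       = $id.Name
            # False on a UAC-filtered interactive token: Administrators is present only as a deny-only SID.
            IsAdmin    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            Privileges = [LogonProbe]::GetPrivileges($token)
        }
    } finally {
        [void][LogonProbe]::CloseHandle($token)
    }
}

# Compare the token each logon type yields for the same account.
$cred   = Get-Credential -Message 'Local admin account that also holds "Log on as a service"'
$nc     = $cred.GetNetworkCredential()
$domain = if ($nc.Domain) { $nc.Domain } else { '.' }
foreach ($type in [LogonProbe]::LOGON32_LOGON_INTERACTIVE, [LogonProbe]::LOGON32_LOGON_SERVICE) {
    Test-LogonToken -User $nc.UserName -Domain $domain -Password $nc.Password -LogonType $type | Format-List
}
```

With UAC enabled, the interactive logon of an administrator account typically reports IsAdmin false and a short privilege list, because LogonUser hands back the filtered token; the service logon of the same account reports IsAdmin true with the full set. LOGON32_LOGON_NEW_CREDENTIALS is left out of the loop deliberately: it only clones the caller's own token with new outbound network credentials, so it says nothing about the target account's local privileges. Note that Add-Type cannot redefine LogonProbe in a session where it already exists, so rerun the script in a fresh PowerShell process.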