To my understanding, during logon if the user is part of Administrators group, lsass creates a medium IL filtered token with stripped out privileges and attaches it to the first user process. which then propagates to any subsequent process that user creates.
Now when this user does a "run as Administrator" on something, Explorer makes a call to AppInfo service which then takes user's consent (UAC). If user supplies "yes", Appinfo creates the new process with "High IL Elevated Token" while spoofing it's parent.
I was curious as to how Appinfo obtains this "High IL Elevated Token". Is there a WinAPI for this ?
I know some there are APIs like - CreateProcessWithLogonW or LogonUser that takes username and password and creates a process or returns a token but that seems not to be the case here.
I believe it must be using CreateProcessAsUser (which takes a token as input) but I'm not sure how it is retrieving the token from lsass.
TokenLinkedToken
is the documented way.