Get user token without using LogonUser
How can I get a token of a user that isn’t logged in? If the user is logged in, that’s easy; you use WTSQueryUserToken. But if the user isn’t logged in, it seems that the only way is to use the LogonUser API. But I analyzed both UAC (svchost.exe -knetsvcs -p -s Appinfo) and PsExec, and they don’t use the LogonUser API at all but still get a token from the given user. How is that possible? I thought maybe UAC is using an undocumented API since it’s Microsoft itself, but what about PsExec?
Run elevated process from SYSTEM process
I have a service running as SYSTEM that has to run some applications on users’ sessions. I can run non-elevated processes but I can’t run elevated processes.