You can get an unfiltered token from LogonUser() by using the LOGON32_LOGON_BATCH option instead of the LOGON32_LOGON_INTERACTIVE option.
There is some sample code in this answer which shows the use of LOGON32_LOGON_BATCH and the LogonUser() function to obtain an administrative token.
Addendum:
If you have SeTcbPrivilege, you have another option: you can use LOGON32_LOGON_INTERACTIVE when calling LogonUser() and then use the TokenLinkedToken option in GetTokenInformation() to obtain a handle to the elevated token that is linked to the filtered token.
SeTcbPrivilege is also known as “Act as part of the operating system” and is usually only available when you are running in local system context.
If you do not have SeTcbPrivilege, you can still call GetTokenInformation() to fetch a copy of the linked token, but in this case you get an impersonation token at SecurityIdentification level so it is of no use if you are wanting to create a new process. (Credit to RbMm for pointing this out.)
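Both paths described in the answer, as an added PowerShell/P-Invoke example that is not part of the original answer: it tries the batch logon first, falls back to the interactive logon plus TokenLinkedToken, and then reports the token's elevation, type and impersonation level so you can see whether the handle is actually usable for process creation. The account name, the domain `.` and the `Get-TokenInt`/`Get-UnfilteredToken` helper names are assumptions; the account is assumed to be a local administrator holding the "Log on as a batch job" right.

```powershell
# Added example, not code from the original answer. Assumes a local administrator
# account with the "Log on as a batch job" right; the linked-token fallback only
# yields a primary token if the calling process holds SeTcbPrivilege.
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class Native {
  public const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_BATCH = 4, LOGON32_PROVIDER_DEFAULT = 0;
  public const int TokenType = 8, TokenImpersonationLevel = 9, TokenLinkedToken = 19, TokenElevation = 20;
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  public static extern bool LogonUser(string u, string d, string p, int type, int prov, out IntPtr tok);
  [DllImport("advapi32.dll", EntryPoint = "GetTokenInformation", SetLastError = true)]
  public static extern bool GetTokenInt(IntPtr t, int cls, out int info, int len, out int ret);
  [DllImport("advapi32.dll", EntryPoint = "GetTokenInformation", SetLastError = true)]
  public static extern bool GetTokenPtr(IntPtr t, int cls, out IntPtr info, int len, out int ret);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
}
'@

function Get-TokenInt([IntPtr]$Token, [int]$Class) {
  $v = 0; $n = 0   # 4-byte DWORD/enum classes only (TokenElevation, TokenType, TokenImpersonationLevel)
  if (-not [Native]::GetTokenInt($Token, $Class, [ref]$v, 4, [ref]$n)) { return $null }
  return $v
}

function Get-UnfilteredToken([string]$User, [string]$Domain, [string]$Password) {
  $tok = [IntPtr]::Zero
  # Option 1: a batch logon is not UAC-filtered, so the returned primary token is the full token.
  if ([Native]::LogonUser($User, $Domain, $Password, [Native]::LOGON32_LOGON_BATCH,
                          [Native]::LOGON32_PROVIDER_DEFAULT, [ref]$tok)) { return $tok }
  # Option 2: interactive logon returns the filtered token; ask for the linked (elevated) one.
  if (-not [Native]::LogonUser($User, $Domain, $Password, [Native]::LOGON32_LOGON_INTERACTIVE,
                               [Native]::LOGON32_PROVIDER_DEFAULT, [ref]$tok)) {
    throw "LogonUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
  }
  $linked = [IntPtr]::Zero; $n = 0
  $ok = [Native]::GetTokenPtr($tok, [Native]::TokenLinkedToken, [ref]$linked, [IntPtr]::Size, [ref]$n)
  [Native]::CloseHandle($tok) | Out-Null
  if (-not $ok) { throw "TokenLinkedToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
  return $linked
}

# Report what the handle is good for. Without SeTcbPrivilege the fallback path returns
# Type=2 (impersonation) at ImpersonationLevel=1 (SecurityIdentification), which cannot
# be used to create a process; the batch path returns Type=1 (primary) with Elevated=1.
$t = Get-UnfilteredToken -User 'svc_example' -Domain '.' -Password (Read-Host 'Password')
$elevated = Get-TokenInt $t ([Native]::TokenElevation)          # 1 = unfiltered
$type     = Get-TokenInt $t ([Native]::TokenType)               # 1 = primary, 2 = impersonation
$level    = Get-TokenInt $t ([Native]::TokenImpersonationLevel) # $null for a primary token
"Elevated=$elevated Type=$type ImpersonationLevel=$level"
[Native]::CloseHandle($t) | Out-Null
```

Running it as a normal (non-LocalSystem) process with batch logon denied for the account is the quickest way to observe the SecurityIdentification result the answer warns about.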