I have a user token duplicated from a process launched under restricted UAC, and I want to remove the deny-only group SIDs from it. How do I do that?
If I call SetTokenInformation with the TokenGroups information class, I get an invalid parameter error.
Thank you.
Best answer
It turns out there is a supported way to do this. Basically you have to go through a double indirection. First, you use WTSQueryUserToken to get the user token for the session. Next, you use GetTokenInformation to get the associated administrative user token (look at the TokenLinkedToken information class). Now that you have the admin token, you can call CreateProcessAsUser with it. If you need an environment block, you can call CreateEnvironmentBlock to get the correct environment variables.
Here is a bit of VB code I got from a colleague (who passed this trick along):
Public Function StartAppInSessionAsAdmin(ByVal SessionID As String, ByVal WinstationName As String, ByVal AppName As String) As Integer
    Dim hToken As IntPtr
    Dim hLinkedToken As IntPtr
    Dim bRet As Boolean
    Dim pi As New PROCESS_INFORMATION
    Dim si As New STARTUPINFO
    Dim err As Integer
    Dim iret As Integer
    Dim lpEB As IntPtr
    Dim TLT As New TOKEN_LINKED_TOKEN
    Dim TLTSize As Integer
    Dim retSize As Integer

    si.lpDesktop = WinstationName '"Winsta0\default"
    si.cb = Marshal.SizeOf(si)
    'TOKEN_LINKED_TOKEN holds a single handle, so the output buffer is one IntPtr
    TLTSize = Marshal.SizeOf(TLT.LinkedToken)

    'Get the primary token of the user logged on to SessionID (the caller needs SeTcbPrivilege, i.e. runs as SYSTEM)
    bRet = WTSQueryUserToken(Integer.Parse(SessionID), hToken)
    If Not bRet Then Return 0

    'We need the linked (unfiltered) token; it only exists when the session token is a UAC-filtered administrator token
    bRet = GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenLinkedToken, hLinkedToken, TLTSize, retSize)
    If Not bRet Then Return 0

    'Use CreateEnvironmentBlock with the original token so the new program gets the USER environment
    bRet = CreateEnvironmentBlock(lpEB, hToken, False)
    If bRet Then
        'Call CreateProcessAsUser with the linked token. 1072 = &H430 =
        'CREATE_UNICODE_ENVIRONMENT (&H400) Or NORMAL_PRIORITY_CLASS (&H20) Or CREATE_NEW_CONSOLE (&H10)
        iret = CreateProcessAsUser(hLinkedToken, Nothing, AppName, 0, 0, False, 1072, lpEB, Nothing, si, pi)
        'Give the user feedback
        If iret <> 0 Then
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser succeeded", 2)
        Else
            err = Marshal.GetLastWin32Error
            GiveFeedback(SessionID, "Message from StartAppInSessionAsAdmin", "CreateProcessAsUser failed with error " & err.ToString, 5)
        End If
    End If
    Return iret
End Function
He also wrote a blog post with more information: http://blogs.msdn.com/b/itasupport/archive/2010/03/29/uac-bypass-o-meglio-il-modo-supportato-e-by-design-di-aggirare-la-uac.aspx
On "windows - how to convert a restricted user token into an unrestricted token?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/5704537/