process token privilege is store in EProcess structure:
Win2000: EProcess+$12C
WinXP SP2: EProcess+$C8
Win2003 SP2 EProcess+$D8
Vista: EProcess+$E0

WinLogo.Exe is running under system privilege, so read its EProcess+$12C
and then overwrite the DWORD to target EProcess,
now your process is running under system account

Example code: (Win2003SP2)
ReadVirtualMemory(WinLogonEProcess+$D8, @Token, 4);
WriteVirtualMemory(TargetEProcess+$D8, @Token, 4)

----------------------------------------
以系统权限执行程序:
WinLogon肯定是运行在System权限下的
Token都保存在进程的EProcess结构中
读取WinLogon的EProcess+$12C (Win2003)
写入到目标进程的EProcess+$12C,即可

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课