Elevated process needs to start threads with a different username that will be used for file creation, etc.

Paul Gorlinsky 1 Reputation point
2022-10-26T18:07:10.173+00:00

I have an application running elevated, and I would like to start "worker" threads with a different username's credentials that will allow files created (read/written/new/old) to be authenticated with that user's credentials. I know that SecurityAttributes can be passed on the CreateThread call. However, files are still being created with the process's authorities.

Please provide some basic pointers on where to look for help with this...

Thanks

Windows API - Win32

1 answer

  1. RLWA32 40,651 Reputation points
    2022-10-26T19:01:51.257+00:00

    The default security descriptor for a file system object (e.g., folder/file) is inherited from its parent folder. If the elevated process is creating the new files in a location where the other user already has the desired access permissions then the security descriptors for the newly created files will permit access to the other user. In this case the only difference between the security descriptor created by the thread in the elevated process (running as Administrator) and a thread that is impersonating the other user will be the Owner of the files. For example, an elevated process created two files in the Documents folder of User Bozo.

    254491-impersonating.png

    If you intend for the elevated process to create files in a location to which the other user ordinarily would not have access then you must construct a security descriptor that permits the desired access and pass it to CreateFile using a SECURITY_ATTRIBUTES structure. Alternatively, you can allow the system to create a default security descriptor when the file is created and then modify it afterwards to grant the desired access permissions to the other user.

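The two routes the answer describes, as an added example that is not code from the question or the answer: building a security descriptor from an SDDL string and handing it to CreateFile through SECURITY_ATTRIBUTES, and a worker thread that impersonates the other user with LogonUser/ImpersonateLoggedOnUser so that the access check and the resulting Owner use that user's token (the SECURITY_ATTRIBUTES accepted by CreateThread only protect the thread object's handle, not anything the thread creates). The SID, the account name and password, and the file path are placeholders; the SDDL builder is portable C and the Win32 calls are compiled only on Windows (link against advapi32).

```c
/* Added example, not from the original post. Shows (A) an explicit security
 * descriptor passed to CreateFile and (B) a thread impersonating another user.
 * The SID, account and path below are placeholders, not real values. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#endif

/* Build an SDDL string for a new file: a protected DACL ("P" stops the parent
 * folder's inheritable ACEs from being merged in) granting full access to the
 * target user, Administrators (BA) and SYSTEM (SY). With set_owner, the owner
 * is forced to the target user; an elevated process must have
 * SeRestorePrivilege enabled for a foreign owner or CreateFile fails with
 * ERROR_INVALID_OWNER. Returns 0 on success, -1 if out is too small. */
int build_file_sddl(const char *user_sid, int set_owner, char *out, size_t out_len)
{
    int n = set_owner
        ? snprintf(out, out_len, "O:%sD:P(A;;FA;;;%s)(A;;FA;;;BA)(A;;FA;;;SY)",
                   user_sid, user_sid)
        : snprintf(out, out_len, "D:P(A;;FA;;;%s)(A;;FA;;;BA)(A;;FA;;;SY)",
                   user_sid);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

#ifdef _WIN32
/* (A) Create the file with an explicit security descriptor, so the other user
 * gets access even in a location where the parent folder does not grant it. */
int create_file_for_user(const wchar_t *path, const char *user_sid)
{
    char sddl[256];
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h;

    if (build_file_sddl(user_sid, 0, sddl, sizeof sddl) != 0)
        return -1;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL))
        return -1;
    h = CreateFileW(path, GENERIC_WRITE, 0, &sa, CREATE_NEW,
                    FILE_ATTRIBUTE_NORMAL, NULL);
    LocalFree(sa.lpSecurityDescriptor);
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    CloseHandle(h);
    return 0;
}

/* (B) Worker thread that impersonates the other user. CreateFile is then
 * access-checked against the thread's impersonation token, and the new file's
 * Owner is that user. The thread can only reach locations the user can reach. */
typedef struct {
    const wchar_t *user, *domain, *password, *path;
    DWORD err; /* 0 on success, otherwise GetLastError() of the failing call */
} worker_args;

DWORD WINAPI impersonating_worker(LPVOID p)
{
    worker_args *a = (worker_args *)p;
    HANDLE tok, h;

    /* A token obtained with explicit credentials may be impersonated without
     * SeImpersonatePrivilege; an elevated admin has it anyway. */
    if (!LogonUserW(a->user, a->domain, a->password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &tok)) {
        a->err = GetLastError();
        return 1;
    }
    if (!ImpersonateLoggedOnUser(tok)) {
        a->err = GetLastError();
        CloseHandle(tok);
        return 1;
    }
    h = CreateFileW(a->path, GENERIC_WRITE, 0, NULL, CREATE_NEW,
                    FILE_ATTRIBUTE_NORMAL, NULL);
    a->err = (h == INVALID_HANDLE_VALUE) ? GetLastError() : 0;
    if (h != INVALID_HANDLE_VALUE)
        CloseHandle(h);
    RevertToSelf(); /* always drop the impersonation before the thread exits */
    CloseHandle(tok);
    return a->err ? 1 : 0;
}
#endif

int main(void)
{
    /* Constructed placeholder SID; obtain the real one with LookupAccountName. */
    const char *sid = "S-1-5-21-1111111111-2222222222-3333333333-1001";
    char sddl[256];
    if (build_file_sddl(sid, 0, sddl, sizeof sddl) == 0)
        printf("SDDL for CreateFile: %s\n", sddl);
#ifdef _WIN32
    {
        worker_args a = { L"bozo", L".", L"placeholder-password",
                          L"C:\\Temp\\from_worker.txt", 0 };
        HANDLE t;
        printf("explicit SD: %d\n",
               create_file_for_user(L"C:\\Temp\\from_elevated.txt", sid));
        t = CreateThread(NULL, 0, impersonating_worker, &a, 0, NULL);
        WaitForSingleObject(t, INFINITE);
        CloseHandle(t);
        printf("impersonating worker: err=%lu\n", (unsigned long)a.err);
    }
#endif
    return 0;
}
```

Route (A) is the one to use when the target location does not already grant the other user access; route (B) matches the answer's observation that, where the parent folder already grants access, the only visible difference is the Owner. After creation, SetNamedSecurityInfo on the path is the "modify it afterwards" alternative the answer mentions.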