From 738304060436812a49f36ed6737b0f2ec318e5a6 Mon Sep 17 00:00:00 2001 From: Fredrik Orderud Date: Mon, 20 Oct 2025 12:09:55 +0200 Subject: [PATCH] Document that CreateProcessAsUserW require SE_ASSIGNPRIMARYTOKEN_NAME privileges And add instructions for how PsExec can be used to obtain it though the inbuild System account. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5f71d30..ac4cf15 100644 --- a/README.md +++ b/README.md @@ -124,6 +124,8 @@ Otherwise, you can try the flag **--bypass-uac** for an attempt in bypassing the By default, the calling process (*RunasCs*) will wait until the end of the execution of the spawned process. If you need to spawn a background or async process, i.e. spawning a reverse shell, you need to set the parameter ``-t timeout`` to ``0``. In this case *RunasCs* won't wait for the end of the newly spawned process execution. +Starting processes with `--function 0` (`CreateProcessAsUserW`) require the `SE_ASSIGNPRIMARYTOKEN_NAME` privileges, which is typically only held by the inbuilt `System` account. One can use [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) and run `PsExec.exe -i -s cmd.exe` to start a command prompt under the `System` account. + ### References ----
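Review bot: the new sentence in the README hunk has a subject/verb and number mismatch: `Starting processes with --function 0 (CreateProcessAsUserW) require the SE_ASSIGNPRIMARYTOKEN_NAME privileges` names a single privilege and a singular subject, so it should read `Starting processes with --function 0 (CreateProcessAsUserW) requires the SE_ASSIGNPRIMARYTOKEN_NAME privilege`. The PsExec workaround would also benefit from stating its own prerequisite: `PsExec.exe -i -s cmd.exe` has to be launched from an already elevated (administrator) prompt before it can hand back a `System` command prompt, and `-i` is what makes that prompt interactive on the current desktop; without that sentence the paragraph reads as if any account could obtain the privilege this way.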