The following code exploits the privileges SeDebug and SeImpersonate to copy the token from a process running as SYSTEM and with all the token privileges.
In this case, this code can be compiled and used as a Windows service binary to check that it's working.
However, the main part of the code where the elevation occurs is inside the Exploitfunction.
Inside of that function you can see that the process lsass.exe is searched, then it's token is copied, and finally that token is used to spawn a new cmd.exe with all the privileges of the copied token.
Other processes running as SYSTEM with all or most of the token privileges are: services.exe, svhost.exe (on of the firsts ones), wininit.exe, csrss.exe... (remember that you won't be able to copy a token from a Protected process). Moreover, you can use the tool Process Hacker running as administrator to see the tokens of a process.
TCHAR* serviceName =TEXT("TokenDanceSrv");
SERVICE_STATUS_HANDLE serviceStatusHandle =0;
HANDLE stopServiceEvent =0;
//This function will find the pid of a process by name