The following code was copied from here. It allows to indicate a Process ID as argument and a CMD running as the user of the indicated process will be run.
Running in a High Integrity process you can indicate the PID of a process running as System (like winlogon, wininit) and execute a cmd.exe as system.
HANDLE hToken,// access token handle
LPCTSTR lpszPrivilege,// name of privilege to enable/disable
BOOL bEnablePrivilege // to enable or disable privilege
On some occasions you may try to impersonate System and it won't work showing an output like the following:
[-]ImpersonatedLoggedOnUser() Return Code:1
[-]DuplicateTokenEx() Return Code:0
[-] CreateProcessWithTokenW Return Code:0
[-] CreateProcessWithTokenW Error:1326
This means that even if you are running on a High Integrity level you don't have enough permissions.
Let's check current Administrator permissions over svchost.exe processes with processes explorer (or you can also use process hacker):
Select a process of svchost.exe
Right Click --> Properties
Inside "Security" Tab click in the bottom right the button "Permissions"
Click on "Advanced"
Select "Administrators" and click on "Edit"
Click on "Show advanced permissions"
The previous image contains all the privileges that "Administrators" have over the selected process (as you can see in case of svchost.exe they only have "Query" privileges)
See the privileges "Administrators" have over winlogon.exe:
Inside that process "Administrators" can "Read Memory" and "Read Permissions" which probably allows Administrators to impersonate the token used by this process.