4ef8d20578
Setting lpDesktop on STARTUPINFO forces the child to open that desktop; the LogonUser-derived token in SpecificUser mode usually cannot, since winsta0\default's DACL only grants the currently-logged-in user. The result was STATUS_DLL_INIT_FAILED (exit 0xC0000142) with empty stdio. Only InteractiveUser mode needs the explicit interactive desktop - that whole point of the mode is to land in the user's session. For SpecificUser, leaving lpDesktop null lets the child inherit our service desktop, which works for headless batch tasks (AD reads, file ops, etc.). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>