Awhile back I was posting on the trials and tribulations I've been going through in trying to replace the functionality of a Winlogon Notification DLL and a third party product for rights elevation. After some helpful pointers from Microsoft, I now have a minimalist version of this working. It's been painful, but instructive. The main things that were missing were the dwFlags of the STARTUPINFO structure was not set to STARF_USESHOWWINDOW (all that means is 1), and in the client piece I needed to set the "Global\" prefix specifier in front of the name of the memory mapped file I was using. In Windows XP you didn't need to do this because everything essentially ran in session 0 and hence defaulted to Global. It was only if you were doing something for terminal services that you needed to watch out for the proper use of "Global\" and "Local\" for your kernel objects (like memory mapped files).
Thanks to Eric for straightening me out on those two issues.
So far, the replacement service does a nearly adequate job of replacing the third-party rights elevation tool. I still have to incorporate a callback in the service to get notified of winlogon messages so that I can finish the functionality of the rights elevation (noticing a new user logon is important there) and add the piece that replaces the Winlogon Notification DLL. Remember, those DLL's got notified of startup, shutdown, shellstart, logon, logoff, lock, unlock, screensaverstart, screensaverstop and about 2 others. Under Windows XP, we used our custom notification dll to be able to run arbitrary code either as local system or as the end user during any of those events. (by arbitrary, I mean an administrator could make registry entries to cause code to run).
I'll post updates on how the additions to the service come as I add them.