From 017291290beddc202288e22dc808a9d817598b5a Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Tue, 11 Jun 2024 08:59:35 +0200
Subject: [PATCH] 1.14.2

---
 CHANGELOG.md                  | 9 +++++++++
 Sandboxie/common/my_version.h | 2 +-
 Sandboxie/core/drv/token.c    | 9 ++++++---
 SandboxiePlus/version.h       | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ecdc2f47..de129589 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,15 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
 
+
+
+## [1.14.2 / 5.69.2] - 2024-06-??
+
+### Fixed
+- fixed security issue with the newly introduced experimental "UseCreateToken=y" machanism
+
+
+
 ## [1.14.1 / 5.69.1] - 2024-06-06
 
 ### Added
diff --git a/Sandboxie/common/my_version.h b/Sandboxie/common/my_version.h
index 4e0ba7ee..d6b5e602 100644
--- a/Sandboxie/common/my_version.h
+++ b/Sandboxie/common/my_version.h
@@ -26,7 +26,7 @@
 
 #define VERSION_MJR		5
 #define VERSION_MIN 	69
-#define VERSION_REV 	1
+#define VERSION_REV 	2
 #define VERSION_UPD 	0
 
 #if VERSION_UPD > 0
diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c
index 558f8697..8fc04047 100644
--- a/Sandboxie/core/drv/token.c
+++ b/Sandboxie/core/drv/token.c
@@ -2259,15 +2259,18 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
                     continue;
                 }
 
-                if (KeepLogonSession && (LocalGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
-                    continue;
+				if ((LocalGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID)) {
+					if(!KeepLogonSession)
+						LocalGroups->Groups[i].Attributes = SE_GROUP_LOGON_ID | SE_GROUP_USE_FOR_DENY_ONLY;
+					continue;
+				}
 
                 if (RtlEqualSid(LocalGroups->Groups[i].Sid, LocalUser->User.Sid)) {
                     if (KeepUserGroup)
                         continue;
                 }
 
-                LocalGroups->Groups[i].Attributes = 0;
+                LocalGroups->Groups[i].Attributes = SE_GROUP_USE_FOR_DENY_ONLY;
             }
         }
 
diff --git a/SandboxiePlus/version.h b/SandboxiePlus/version.h
index 9f19dc0a..c8f0d5b8 100644
--- a/SandboxiePlus/version.h
+++ b/SandboxiePlus/version.h
@@ -2,7 +2,7 @@
 
 #define VERSION_MJR		1
 #define VERSION_MIN 	14
-#define VERSION_REV 	1
+#define VERSION_REV 	2
 #define VERSION_UPD 	0
 
 #ifndef STR