diff --git a/CHANGELOG.md b/CHANGELOG.md
index d925b4f1..5d7bf3e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 - improved SandboxieCrypto startup
+- improved Sandboxed RPCSS startup
+- Set tab orders and buddies of UI controls [#4300](https://github.com/sandboxie-plus/Sandboxie/pull/4300) (thanks gexgd0419)
 
 
 
diff --git a/Sandboxie/core/svc/ProcessServer.cpp b/Sandboxie/core/svc/ProcessServer.cpp
index e66bf0ed..dc6b8dfe 100644
--- a/Sandboxie/core/svc/ProcessServer.cpp
+++ b/Sandboxie/core/svc/ProcessServer.cpp
@@ -855,20 +855,35 @@ HANDLE ProcessServer::RunSandboxedGetToken(
 
     if (CallerInSandbox) {
 
-        if ((wcscmp(cmd, L"*RPCSS*") == 0 /* || wcscmp(cmd, L"*DCOM*") == 0 */) 
-          && ProcessServer__RunRpcssAsSystem(boxname, CompartmentMode)) {
+        if ((wcscmp(cmd, L"*RPCSS*") == 0 /* || wcscmp(cmd, L"*DCOM*") == 0 */)) {
             
-            //
-            // use our system token
-            //
+            if (ProcessServer__RunRpcssAsSystem(boxname, CompartmentMode)) {
+
+                //
+                // use our system token
+                //
+
+                ok = OpenProcessToken(
+                    GetCurrentProcess(), TOKEN_RIGHTS, &OldTokenHandle);
+
+                ShouldAdjustDacl = true;
+            }
+            else {
+
+                //
+                // use the session token
+                //
+
+                ULONG SessionId = PipeServer::GetCallerSessionId();
+
+                ok = WTSQueryUserToken(SessionId, &OldTokenHandle);
+
+                ShouldAdjustSessionId = false;
+            }
 
-            ok = OpenProcessToken(
-                        GetCurrentProcess(), TOKEN_RIGHTS, &OldTokenHandle);
             if (! ok)
                 return NULL;
 
-            ShouldAdjustDacl = true;
-
         }
         else
         // OriginalToken BEGIN
diff --git a/Sandboxie/core/svc/serviceserver2.cpp b/Sandboxie/core/svc/serviceserver2.cpp
index 2a2ca22f..a28e7b84 100644
--- a/Sandboxie/core/svc/serviceserver2.cpp
+++ b/Sandboxie/core/svc/serviceserver2.cpp
@@ -31,6 +31,7 @@
 #include "core/dll/sbiedll.h"
 #include <aclapi.h>
 #include "ProcessServer.h"
+#include <wtsapi32.h>
 
 #define MISC_H_WITHOUT_WIN32_NTDDK_H
 #include "misc.h"
@@ -353,7 +354,11 @@ ULONG ServiceServer::RunHandler2(
             // use our system token
             ok = OpenProcessToken(GetCurrentProcess(), TOKEN_RIGHTS, &hOldToken);
         }
-        // OriginalToken BEGIN
+        else {
+            // use the users default token
+            ok = WTSQueryUserToken(idSession, &hOldToken);
+        }
+        /*// OriginalToken BEGIN
         else if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
             HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (ULONG)(ULONG_PTR)idProcess);
             if (!hProcess)
@@ -369,7 +374,7 @@ ULONG ServiceServer::RunHandler2(
         else {
             // use the callers original token
             hOldToken = (HANDLE)SbieApi_QueryProcessInfo(idProcess, 'ptok');
-        }
+        }*/
     }
 
     if (ok) {