I have an upvoted @dyared answer because it helped me find the complete answer. First of all, I must mention that I do not specialize in this issue, and this is only a summary of my findings.
It seems that the MSDN example does not work with the specified SID string because it sets the integrity level too low. From Chromium Source Code , the SATA identifier S-1-16-1024 used in the example is between INTEGRITY_LEVEL_BELOW_LOW and INTEGRITY_LEVEL_UNTRUSTED :
const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level) { switch (integrity_level) { case INTEGRITY_LEVEL_SYSTEM: return L"S-1-16-16384"; case INTEGRITY_LEVEL_HIGH: return L"S-1-16-12288"; case INTEGRITY_LEVEL_MEDIUM: return L"S-1-16-8192"; case INTEGRITY_LEVEL_MEDIUM_LOW: return L"S-1-16-6144"; case INTEGRITY_LEVEL_LOW: return L"S-1-16-4096"; case INTEGRITY_LEVEL_BELOW_LOW: return L"S-1-16-2048"; case INTEGRITY_LEVEL_UNTRUSTED: return L"S-1-16-0"; case INTEGRITY_LEVEL_LAST: return NULL; }
In addition, it seems that SID S-1-16-4096 , proposed by @dyared, is also used when starting Internet Explorer in protected mode, as stated in Creating a Protected Mode Process in Windows Vista on MSDN blogs.
However, since this was enough to get an example of work, this does not mean that it is strict enough for each situation, and the choice of an appropriate level of integrity should be understood its consequences.