AssignProcessToJobObject 拒绝访问

注意红色的部分，如果按照网上的说法还是有错误，加上红色的flag可能就好了。尤其是在win7 64 位中启动32位程序。具体原因msdn已经说得很清楚了。后附一段代码。

Remarks

After you associate a process with a job object using AssignProcessToJobObject, the process is subject to the limits set for the job. To set limits for a job, use the SetInformationJobObject function.

If the job has a user-mode time limit, and the time limit has been exhausted, AssignProcessToJobObject fails and the specified process is terminated. If the time limit would be exceeded by associating the process, AssignProcessToJobObject still succeeds. However, the time limit violation will be reported. If the job has an active process limit, and the limit would be exceeded by associating this process, AssignProcessToJobObject fails, and the specified process is terminated.

Memory operations performed by a process associated with a job that has a memory limit are subject to the memory limit. Memory operations performed by the process before it was associated with the job are not examined by AssignProcessToJobObject.

If the process is already running and the job has security limitations, AssignProcessToJobObject may fail. For example, if the primary token of the process contains the local administrators group, but the job object has the security limitation JOB_OBJECT_SECURITY_NO_ADMIN, the function fails. If the job has the security limitation JOB_OBJECT_SECURITY_ONLY_TOKEN, the process must be created suspended. To create a suspended process, call the CreateProcess function with the CREATE_SUSPENDED flag.

A process can be associated only with a single job. A process inherits limits from the job it is associated with and adds its accounting information to the job. If a process is associated with a job, all processes it creates are associated with that job by default. To create a process that is not part of the same job, call the CreateProcess function with the CREATE_BREAKAWAY_FROM_JOB flag.

If the process is being monitored by the Program Compatibility Assistant (PCA), it is placed into a compatibility job. Therefore, the process must be created using CREATE_BREAKAWAY_FROM_JOB before it can be placed in another job. Alternatively, you can embed an application manifest that specifies a User Account Control (UAC) level in your application and PCA will not add the process to the compatibility job.

To compile an application that uses this function, define _WIN32_WINNT as 0x0500 or later. For more information, see Using the SDK Headers.

    PROCESS_INFORMATION     pi;   
    ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));   
    STARTUPINFO   si;   
    ZeroMemory(&si,sizeof(STARTUPINFO));   
    si.cb=sizeof(STARTUPINFO);   
    si.wShowWindow=SW_SHOW;   
    si.dwFlags=STARTF_USESHOWWINDOW;   
    BOOL   fRet=::CreateProcess(_T("C:\\windows\\explorer.exe"),   
    NULL,   
    NULL,   
    NULL,   
    FALSE,   
    NORMAL_PRIORITY_CLASS|CREATE_SUSPENDED,   
    NULL,   
    NULL,&si,&pi);   
    HANDLE hProcess=pi.hProcess;
    HANDLE hThread=pi.hThread;
    HANDLE hJob=CreateJobObject(NULL,_T("Tr0j4n"));
    BOOL bAss=AssignProcessToJobObject(hJob,hProcess);
    IsProcessInJob(hProcess,hJob,&bAss);
    ResumeThread(hThread);