> ptoken=PsReferencePrimaryToken(exist);
This is wrong, since some paths - like CREATE called from SRV - are
using impersonation, and you will end up with the LocalSystem account each
time. You must try the impersonation token, and, if none, try the primary
one.
Second, using Parameters.Create.SecurityContext is a much better idea
than using the thread’s current token.
Max
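
The selection order described in the reply above, as an added user-mode model that is not code from the post or from any driver: the types are stand-ins (only the `ClientToken`/`PrimaryToken` field names follow `SECURITY_SUBJECT_CONTEXT`), and the identities are constructed. It goes one case beyond the post by assuming a create that is finished later on a system worker thread, where the thread's token no longer belongs to the requester but the context captured with the create still does.

```c
/* User-mode model with stand-in types; not WDK definitions or driver code. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *user; } token_t;   /* stand-in for an access token */

typedef struct {                 /* mirrors the two token fields of SECURITY_SUBJECT_CONTEXT */
    const token_t *ClientToken;  /* impersonation token, NULL if none */
    const token_t *PrimaryToken; /* process token, always present */
} subject_ctx_t;

typedef struct {                 /* the thread the check happens to run on */
    const token_t *impersonation;
    const token_t *primary;
} thread_t;

enum strategy { PRIMARY_ONLY, THREAD_EFFECTIVE, CREATE_CONTEXT };
enum scenario { LOCAL_OPEN, SRV_OPEN, DEFERRED_SRV_OPEN };

/* Constructed sample identities. */
static const token_t SYSTEM_TOK = { "LocalSystem" };
static const token_t BOB = { "bob" }, ALICE = { "alice" };

/* Impersonation token first, primary token as the fallback. */
static const token_t *effective(const token_t *imp, const token_t *prim) {
    return imp ? imp : prim;
}

/* Returns the user name each strategy attributes the create request to. */
const char *resolved_user(enum scenario sc, enum strategy st) {
    /* Subject context captured when the create was issued. */
    subject_ctx_t ctx = { sc == LOCAL_OPEN ? NULL : &ALICE,
                          sc == LOCAL_OPEN ? &BOB : &SYSTEM_TOK };
    /* Thread executing the check; in the deferred case, a system worker. */
    thread_t th = { ctx.ClientToken, ctx.PrimaryToken };
    if (sc == DEFERRED_SRV_OPEN) { th.impersonation = NULL; th.primary = &SYSTEM_TOK; }

    switch (st) {
    case PRIMARY_ONLY:     return th.primary->user;
    case THREAD_EFFECTIVE: return effective(th.impersonation, th.primary)->user;
    default:               return effective(ctx.ClientToken, ctx.PrimaryToken)->user;
    }
}

int main(void) {
    static const char *names[] = { "local", "srv", "deferred srv" };
    for (int sc = LOCAL_OPEN; sc <= DEFERRED_SRV_OPEN; sc++)
        printf("%-12s primary=%s thread=%s create-ctx=%s\n", names[sc],
               resolved_user(sc, PRIMARY_ONLY), resolved_user(sc, THREAD_EFFECTIVE),
               resolved_user(sc, CREATE_CONTEXT));
    return 0;
}
```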