Giovanni Mascellani (@giomasce) commented about dlls/sapi/token.c:
+ if (FAILED(hr)) + return hr; + + if (FAILED(hr = CoCreateInstance( &clsid, outer, class_context, &IID_IUnknown, (void **)&unk ))) + return hr; + + if (SUCCEEDED(IUnknown_QueryInterface( unk, &IID_ISpObjectWithToken, (void **)&obj_token_iface ))) + { + if (FAILED(hr = ISpObjectWithToken_SetObjectToken( obj_token_iface, iface ))) + goto done; + } + + hr = IUnknown_QueryInterface( unk, riid, object ); + +done: + IUnknown_Release( unk ); Maybe there is some COM subtlety I don't know, but can't you directly query `ISpObjectWithToken` from `CoCreateInstance()`? Or is it intentional that `CreateInstance()` should still succeed when creating something that doesn't implement `ISpObjectWithToken`?
Also, it seems that in the happy path you call `QueryInstance()` twice and `Release()` only once, which would mean that you return a pointer with refcount 2. I don't think that's intended?

-- 
https://gitlab.winehq.org/wine/wine/-/merge_requests/2741#note_31982
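
Review bot: the reference taken by the successful `IUnknown_QueryInterface( unk, &IID_ISpObjectWithToken, (void **)&obj_token_iface )` is never released in the lines shown, neither on the `goto done` failure path nor after `ISpObjectWithToken_SetObjectToken()` succeeds; the `done:` label only releases `unk`. Calling `ISpObjectWithToken_Release( obj_token_iface );` immediately after the `SetObjectToken` call, before `hr` is tested, would drop it on both paths. Without that, an object that implements `ISpObjectWithToken` keeps one extra reference and is not destroyed when the caller releases the pointer returned through `object`.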