CAccessToken Class
This class is a wrapper for an access token.
Important
This class and its members cannot be used in applications that execute in the Windows Runtime.
Syntax
class CAccessToken
Members
Public Constructors
| Name | Description |
|---|---|
| CAccessToken::~CAccessToken | The destructor. |
Public Methods
| Name | Description |
|---|---|
| CAccessToken::Attach | Call this method to take ownership of the given access token handle. |
| CAccessToken::CheckTokenMembership | Call this method to determine if a specified SID is enabled in the CAccessToken object. |
| CAccessToken::CreateImpersonationToken | Call this method to create a new impersonation access token. |
| CAccessToken::CreatePrimaryToken | Call this method to create a new primary token. |
| CAccessToken::CreateProcessAsUser | Call this method to create a new process running in the security context of the user represented by the CAccessToken object. |
| CAccessToken::CreateRestrictedToken | Call this method to create a new, restricted CAccessToken object. |
| CAccessToken::Detach | Call this method to revoke ownership of the access token. |
| CAccessToken::DisablePrivilege | Call this method to disable a privilege in the CAccessToken object. |
| CAccessToken::DisablePrivileges | Call this method to disable one or more privileges in the CAccessToken object. |
| CAccessToken::EnablePrivilege | Call this method to enable a privilege in the CAccessToken object. |
| CAccessToken::EnablePrivileges | Call this method to enable one or more privileges in the CAccessToken object. |
| CAccessToken::GetDefaultDacl | Call this method to return the CAccessToken object's default DACL. |
| CAccessToken::GetEffectiveToken | Call this method to get the CAccessToken object equal to the access token in effect for the current thread. |
| CAccessToken::GetGroups | Call this method to return the CAccessToken object's token groups. |
| CAccessToken::GetHandle | Call this method to retrieve a handle to the access token. |
| CAccessToken::GetImpersonationLevel | Call this method to get the impersonation level from the access token. |
| CAccessToken::GetLogonSessionId | Call this method to get the Logon Session ID associated with the CAccessToken object. |
| CAccessToken::GetLogonSid | Call this method to get the Logon SID associated with the CAccessToken object. |
| CAccessToken::GetOwner | Call this method to get the owner associated with the CAccessToken object. |
| CAccessToken::GetPrimaryGroup | Call this method to get the primary group associated with the CAccessToken object. |
| CAccessToken::GetPrivileges | Call this method to get the privileges associated with the CAccessToken object. |
| CAccessToken::GetProcessToken | Call this method to initialize the CAccessToken with the access token from the given process. |
| CAccessToken::GetProfile | Call this method to get the handle pointing to the user profile associated with the CAccessToken object. |
| CAccessToken::GetSource | Call this method to get the source of the CAccessToken object. |
| CAccessToken::GetStatistics | Call this method to get information associated with the CAccessToken object. |
| CAccessToken::GetTerminalServicesSessionId | Call this method to get the Terminal Services Session ID associated with the CAccessToken object. |
| CAccessToken::GetThreadToken | Call this method to initialize the CAccessToken with the token from the given thread. |
| CAccessToken::GetTokenId | Call this method to get the Token ID associated with the CAccessToken object. |
| CAccessToken::GetType | Call this method to get the token type of the CAccessToken object. |
| CAccessToken::GetUser | Call this method to identify the user associated with the CAccessToken object. |
| CAccessToken::HKeyCurrentUser | Call this method to get the handle pointing to the user profile associated with the CAccessToken object. |
| CAccessToken::Impersonate | Call this method to assign an impersonation CAccessToken to a thread. |
| CAccessToken::ImpersonateLoggedOnUser | Call this method to allow the calling thread to impersonate the security context of a logged-on user. |
| CAccessToken::IsTokenRestricted | Call this method to test if the CAccessToken object contains a list of restricted SIDs. |
| CAccessToken::LoadUserProfile | Call this method to load the user profile associated with the CAccessToken object. |
| CAccessToken::LogonUser | Call this method to create a logon session for the user associated with the given credentials. |
| CAccessToken::OpenCOMClientToken | Call this method from within a COM server handling a call from a client to initialize the CAccessToken with the access token from the COM client. |
| CAccessToken::OpenNamedPipeClientToken | Call this method from within a server taking requests over a named pipe to initialize the CAccessToken with the access token from the client. |
| CAccessToken::OpenRPCClientToken | Call this method from within a server handling a call from an RPC client to initialize the CAccessToken with the access token from the client. |
| CAccessToken::OpenThreadToken | Call this method to set the impersonation level and then initialize the CAccessToken with the token from the given thread. |
| CAccessToken::PrivilegeCheck | Call this method to determine whether a specified set of privileges are enabled in the CAccessToken object. |
| CAccessToken::Revert | Call this method to stop a thread that is using an impersonation token. |
| CAccessToken::SetDefaultDacl | Call this method to set the default DACL of the CAccessToken object. |
| CAccessToken::SetOwner | Call this method to set the owner of the CAccessToken object. |
| CAccessToken::SetPrimaryGroup | Call this method to set the primary group of the CAccessToken object. |
Remarks
An access token is an object that describes the security context of a process or thread and is allocated to each user logged onto a Windows system.
For an introduction to the access control model in Windows, see Access Control in the Windows SDK.
Requirements
Header: atlsecurity.h
CAccessToken::Attach
Call this method to take ownership of the given access token handle.
void Attach(HANDLE hToken) throw();
Parameters
hToken
A handle to the access token.
Remarks
In debug builds, an assertion error will occur if the CAccessToken object already has ownership of an access token.
CAccessToken::~CAccessToken
The destructor.
virtual ~CAccessToken() throw();
Remarks
Frees all allocated resources.
CAccessToken::CheckTokenMembership
Call this method to determine if a specified SID is enabled in the CAccessToken object.
bool CheckTokenMembership(
const CSid& rSid,
bool* pbIsMember) const throw(...);
Parameters
rSid
Reference to a CSid Class object.
pbIsMember
Pointer to a variable that receives the results of the check.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The CheckTokenMembership method checks for the presence of the SID in the user and group SIDs of the access token. If the SID is present and has the SE_GROUP_ENABLED attribute, pbIsMember is set to TRUE; otherwise, it is set to FALSE.
In debug builds, an assertion error will occur if pbIsMember is not a valid pointer.
Note
The CAccessToken object must be an impersonation token and not a primary token.
CAccessToken::CreateImpersonationToken
Call this method to create an impersonation access token.
bool CreateImpersonationToken(
CAccessToken* pImp,
SECURITY_IMPERSONATION_LEVEL sil = SecurityImpersonation) const throw(...);
Parameters
pImp
Pointer to the new CAccessToken object.
sil
Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the new token.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
CreateImpersonationToken calls DuplicateToken to create a new impersonation token.
CAccessToken::CreatePrimaryToken
Call this method to create a new primary token.
bool CreatePrimaryToken(
CAccessToken* pPri,
DWORD dwDesiredAccess = MAXIMUM_ALLOWED,
const CSecurityAttributes* pTokenAttributes = NULL) const throw(...);
Parameters
pPri
Pointer to the new CAccessToken object.
dwDesiredAccess
Specifies the requested access rights for the new token. The default, MAXIMUM_ALLOWED, requests all access rights that are valid for the caller. See Access Rights and Access Masks for more on access rights.
pTokenAttributes
Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and determines whether child processes can inherit the token. If pTokenAttributes is NULL, the token gets a default security descriptor and the handle cannot be inherited.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
CreatePrimaryToken calls DuplicateTokenEx to create a new primary token.
CAccessToken::CreateProcessAsUser
Call this method to create a new process running in the security context of the user represented by the CAccessToken object.
bool CreateProcessAsUser(
LPCTSTR pApplicationName,
LPTSTR pCommandLine,
LPPROCESS_INFORMATION pProcessInformation,
LPSTARTUPINFO pStartupInfo,
DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS,
bool bLoadProfile = false,
const CSecurityAttributes* pProcessAttributes = NULL,
const CSecurityAttributes* pThreadAttributes = NULL,
bool bInherit = false,
LPCTSTR pCurrentDirectory = NULL) throw();
Parameters
pApplicationName
Pointer to a null-terminated string that specifies the module to execute. This parameter may not be NULL.
pCommandLine
Pointer to a null-terminated string that specifies the command line to execute.
pProcessInformation
Pointer to a PROCESS_INFORMATION structure that receives identification information about the new process.
pStartupInfo
Pointer to a STARTUPINFO structure that specifies how the main window for the new process should appear.
dwCreationFlags
Specifies additional flags that control the priority class and the creation of the process. See the Win32 function CreateProcessAsUser for a list of flags.
bLoadProfile
If TRUE, the user's profile is loaded with LoadUserProfile.
pProcessAttributes
Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new process and determines whether child processes can inherit the returned handle. If pProcessAttributes is NULL, the process gets a default security descriptor and the handle cannot be inherited.
pThreadAttributes
Pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new thread and determines whether child processes can inherit the returned handle. If pThreadAttributes is NULL, the thread gets a default security descriptor and the handle cannot be inherited.
bInherit
Indicates whether the new process inherits handles from the calling process. If TRUE, each inheritable open handle in the calling process is inherited by the new process. Inherited handles have the same value and access privileges as the original handles.
pCurrentDirectory
Pointer to a null-terminated string that specifies the current drive and directory for the new process. The string must be a full path that includes a drive letter. If this parameter is NULL, the new process will have the same current drive and directory as the calling process.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
CreateProcessAsUser uses the CreateProcessAsUser Win32 function to create a new process that runs in the security context of the user represented by the CAccessToken object. See the description of the CreateProcessAsUser function for a full discussion of the parameters required.
For this method to succeed, the CAccessToken object must hold AssignPrimaryToken (unless it is a restricted token) and IncreaseQuota privileges.
CAccessToken::CreateRestrictedToken
Call this method to create a new, restricted CAccessToken object.
bool CreateRestrictedToken(
CAccessToken* pRestrictedToken,
const CTokenGroups& SidsToDisable,
const CTokenGroups& SidsToRestrict,
const CTokenPrivileges& PrivilegesToDelete = CTokenPrivileges()) const throw(...);
Parameters
pRestrictedToken
The new, restricted CAccessToken object.
SidsToDisable
A CTokenGroups object that specifies the deny-only SIDs.
SidsToRestrict
A CTokenGroups object that specifies the restricting SIDs.
PrivilegesToDelete
A CTokenPrivileges object that specifies the privileges to delete in the restricted token. The default creates an empty object.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
CreateRestrictedToken uses the CreateRestrictedToken Win32 function to create a new CAccessToken object, with restrictions.
Important
When using CreateRestrictedToken, ensure the following: the existing token is valid (and not entered by the user) and SidsToDisable and PrivilegesToDelete are both valid (and not entered by the user). If the method returns FALSE, deny functionality.
CAccessToken::Detach
Call this method to revoke ownership of the access token.
HANDLE Detach() throw();
Return Value
Returns the handle to the CAccessToken which has been detached.
Remarks
This method revokes the CAccessToken's ownership of the access token.
CAccessToken::DisablePrivilege
Call this method to disable a privilege in the CAccessToken object.
bool DisablePrivilege(
LPCTSTR pszPrivilege,
CTokenPrivileges* pPreviousState = NULL) throw(...);
Parameters
pszPrivilege
Pointer to a string containing the privilege to disable in the CAccessToken object.
pPreviousState
Pointer to a CTokenPrivileges object which will contain the previous state of the privileges.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::DisablePrivileges
Call this method to disable one or more privileges in the CAccessToken object.
bool DisablePrivileges(
const CAtlArray<LPCTSTR>& rPrivileges,
CTokenPrivileges* pPreviousState = NULL) throw(...);
Parameters
rPrivileges
Pointer to an array of strings containing the privileges to disable in the CAccessToken object.
pPreviousState
Pointer to a CTokenPrivileges object which will contain the previous state of the privileges.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::EnablePrivilege
Call this method to enable a privilege in the CAccessToken object.
bool EnablePrivilege(
LPCTSTR pszPrivilege,
CTokenPrivileges* pPreviousState = NULL) throw(...);
Parameters
pszPrivilege
Pointer to a string containing the privilege to enable in the CAccessToken object.
pPreviousState
Pointer to a CTokenPrivileges object which will contain the previous state of the privileges.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::EnablePrivileges
Call this method to enable one or more privileges in the CAccessToken object.
bool EnablePrivileges(
const CAtlArray<LPCTSTR>& rPrivileges,
CTokenPrivileges* pPreviousState = NULL) throw(...);
Parameters
rPrivileges
Pointer to an array of strings containing the privileges to enable in the CAccessToken object.
pPreviousState
Pointer to a CTokenPrivileges object which will contain the previous state of the privileges.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetDefaultDacl
Call this method to return the CAccessToken object's default DACL.
bool GetDefaultDacl(CDacl* pDacl) const throw(...);
Parameters
pDacl
Pointer to the CDacl Class object which will receive the CAccessToken object's default DACL.
Return Value
Returns TRUE if the default DACL has been recovered, FALSE otherwise.
CAccessToken::GetEffectiveToken
Call this method to get the CAccessToken object equal to the access token in effect for the current thread.
bool GetEffectiveToken(DWORD dwDesiredAccess) throw();
Parameters
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetGroups
Call this method to return the CAccessToken object's token groups.
bool GetGroups(CTokenGroups* pGroups) const throw(...);
Parameters
pGroups
Pointer to the CTokenGroups Class object which will receive the group information.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetHandle
Call this method to retrieve a handle to the access token.
HANDLE GetHandle() const throw();
Return Value
Returns a handle to the CAccessToken object's access token.
CAccessToken::GetImpersonationLevel
Call this method to get the impersonation level from the access token.
bool GetImpersonationLevel(
SECURITY_IMPERSONATION_LEVEL* pImpersonationLevel) const throw(...);
Parameters
pImpersonationLevel
Pointer to a SECURITY_IMPERSONATION_LEVEL enumeration type which will receive the impersonation level information.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetLogonSessionId
Call this method to get the Logon Session ID associated with the CAccessToken object.
bool GetLogonSessionId(LUID* pluid) const throw(...);
Parameters
pluid
Pointer to a LUID which will receive the Logon Session ID.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
In debug builds, an assertion error will occur if pluid is an invalid value.
CAccessToken::GetLogonSid
Call this method to get the Logon SID associated with the CAccessToken object.
bool GetLogonSid(CSid* pSid) const throw(...);
Parameters
pSid
Pointer to a CSid Class object.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
In debug builds, an assertion error will occur if pSid is an invalid value.
CAccessToken::GetOwner
Call this method to get the owner associated with the CAccessToken object.
bool GetOwner(CSid* pSid) const throw(...);
Parameters
pSid
Pointer to a CSid Class object.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The owner is set by default on any objects created while this access token is in effect.
CAccessToken::GetPrimaryGroup
Call this method to get the primary group associated with the CAccessToken object.
bool GetPrimaryGroup(CSid* pSid) const throw(...);
Parameters
pSid
Pointer to a CSid Class object.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The group is set by default on any objects created while this access token is in effect.
CAccessToken::GetPrivileges
Call this method to get the privileges associated with the CAccessToken object.
bool GetPrivileges(CTokenPrivileges* pPrivileges) const throw(...);
Parameters
pPrivileges
Pointer to a CTokenPrivileges Class object which will receive the privileges.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetProcessToken
Call this method to initialize the CAccessToken with the access token from the given process.
bool GetProcessToken(DWORD dwDesiredAccess, HANDLE hProcess = NULL) throw();
Parameters
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
hProcess
Handle to the process whose access token is opened. If the default value of NULL is used, the current process is used.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
Calls the OpenProcessToken Win32 function.
CAccessToken::GetProfile
Call this method to get the handle pointing to the user profile associated with the CAccessToken object.
HANDLE GetProfile() const throw();
Return Value
Returns a handle pointing to the user profile, or NULL if no profile exists.
CAccessToken::GetSource
Call this method to get the source of the CAccessToken object.
bool GetSource(TOKEN_SOURCE* pSource) const throw(...);
Parameters
pSource
Pointer to a TOKEN_SOURCE structure.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetStatistics
Call this method to get information associated with the CAccessToken object.
bool GetStatistics(TOKEN_STATISTICS* pStatistics) const throw(...);
Parameters
pStatistics
Pointer to a TOKEN_STATISTICS structure.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetTerminalServicesSessionId
Call this method to get the Terminal Services Session ID associated with the CAccessToken object.
bool GetTerminalServicesSessionId(DWORD* pdwSessionId) const throw(...);
Parameters
pdwSessionId
The Terminal Services Session ID.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetThreadToken
Call this method to initialize the CAccessToken with the token from the given thread.
bool GetThreadToken(
DWORD dwDesiredAccess,
HANDLE hThread = NULL,
bool bOpenAsSelf = true) throw();
Parameters
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
hThread
Handle to the thread whose access token is opened.
bOpenAsSelf
Indicates whether the access check is to be made against the security context of the thread calling the GetThreadToken method or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetTokenId
Call this method to get the Token ID associated with the CAccessToken object.
bool GetTokenId(LUID* pluid) const throw(...);
Parameters
pluid
Pointer to a LUID which will receive the Token ID.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::GetType
Call this method to get the token type of the CAccessToken object.
bool GetType(TOKEN_TYPE* pType) const throw(...);
Parameters
pType
Address of the TOKEN_TYPE variable that, on success, receives the type of the token.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The TOKEN_TYPE enumeration type contains values that differentiate between a primary token and an impersonation token.
CAccessToken::GetUser
Call this method to identify the user associated with the CAccessToken object.
bool GetUser(CSid* pSid) const throw(...);
Parameters
pSid
Pointer to a CSid Class object.
Return Value
Returns TRUE on success, FALSE on failure.
CAccessToken::HKeyCurrentUser
Call this method to get the handle pointing to the user profile associated with the CAccessToken object.
HKEY HKeyCurrentUser() const throw();
Return Value
Returns a handle pointing to the user profile, or NULL if no profile exists.
CAccessToken::Impersonate
Call this method to assign an impersonation CAccessToken to a thread.
bool Impersonate(HANDLE hThread = NULL) const throw(...);
Parameters
hThread
Handle to the thread to assign the impersonation token to. This handle must have been opened with TOKEN_IMPERSONATE access rights. If hThread is NULL, the method causes the thread to stop using an impersonation token.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
In debug builds, an assertion error will occur if CAccessToken does not have a valid pointer to a token.
The CAutoRevertImpersonation class can be used to automatically revert impersonated access tokens.
CAccessToken::ImpersonateLoggedOnUser
Call this method to allow the calling thread to impersonate the security context of a logged-on user.
bool ImpersonateLoggedOnUser() const throw(...);
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
Important
If a call to an impersonation function fails for any reason, the client is not impersonated and the client request is made in the security context of the process from which the call was made. If the process is running as a highly privileged account, or as a member of an administrative group, the user might be able to perform actions he or she would otherwise be disallowed. Therefore, the return value for this function should always be confirmed.
CAccessToken::IsTokenRestricted
Call this method to test if the CAccessToken object contains a list of restricted SIDs.
bool IsTokenRestricted() const throw();
Return Value
Returns TRUE if the object contains a list of restricting SIDs, FALSE if there are no restricting SIDs or if the method fails.
CAccessToken::LoadUserProfile
Call this method to load the user profile associated with the CAccessToken object.
bool LoadUserProfile() throw(...);
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
In debug builds, an assertion error will occur if the CAccessToken does not contain a valid token, or if a user profile already exists.
CAccessToken::LogonUser
Call this method to create a logon session for the user associated with the given credentials.
bool LogonUser(
LPCTSTR pszUserName,
LPCTSTR pszDomain,
LPCTSTR pszPassword,
DWORD dwLogonType = LOGON32_LOGON_INTERACTIVE,
DWORD dwLogonProvider = LOGON32_PROVIDER_DEFAULT) throw();
Parameters
pszUserName
Pointer to a null-terminated string that specifies the user name. This is the name of the user account to log on to.
pszDomain
Pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the pszUserName account.
pszPassword
Pointer to a null-terminated string that specifies the clear-text password for the user account specified by pszUserName.
dwLogonType
Specifies the type of logon operation to perform. See LogonUser for more details.
dwLogonProvider
Specifies the logon provider. See LogonUser for more details.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The access token resulting from the logon will be associated with the CAccessToken. For this method to succeed, the CAccessToken object must hold SE_TCB_NAME privileges, identifying the holder as part of the trusted computer base. See LogonUser for more information regarding the privileges required.
CAccessToken::OpenCOMClientToken
Call this method from within a COM server handling a call from a client to initialize the CAccessToken with the access token from the COM client.
bool OpenCOMClientToken(
DWORD dwDesiredAccess,
bool bImpersonate = false,
bool bOpenAsSelf = true) throw(...);
Parameters
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
bImpersonate
If TRUE, the current thread will impersonate the calling COM client if this call completes successfully. If FALSE, the access token will be opened, but the thread will not have an impersonation token when this call completes.
bOpenAsSelf
Indicates whether the access check is to be made against the security context of the thread calling the GetThreadToken method or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The CAutoRevertImpersonation Class can be used to automatically revert impersonated access tokens created by setting the bImpersonate flag to TRUE.
CAccessToken::OpenNamedPipeClientToken
Call this method from within a server taking requests over a named pipe to initialize the CAccessToken with the access token from the client.
bool OpenNamedPipeClientToken(
HANDLE hPipe,
DWORD dwDesiredAccess,
bool bImpersonate = false,
bool bOpenAsSelf = true) throw(...);
Parameters
hPipe
Handle to a named pipe.
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
bImpersonate
If TRUE, the current thread will impersonate the calling pipe client if this call completes successfully. If FALSE, the access token will be opened, but the thread will not have an impersonation token when this call completes.
bOpenAsSelf
Indicates whether the access check is to be made against the security context of the thread calling the GetThreadToken method or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The CAutoRevertImpersonation Class can be used to automatically revert impersonated access tokens created by setting the bImpersonate flag to TRUE.
CAccessToken::OpenRPCClientToken
Call this method from within a server handling a call from an RPC client to initialize the CAccessToken with the access token from the client.
bool OpenRPCClientToken(
RPC_BINDING_HANDLE BindingHandle,
DWORD dwDesiredAccess,
bool bImpersonate = false,
bool bOpenAsSelf = true) throw(...);
Parameters
BindingHandle
Binding handle on the server that represents a binding to a client.
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
bImpersonate
If TRUE, the current thread will impersonate the calling RPC client if this call completes successfully. If FALSE, the access token will be opened, but the thread will not have an impersonation token when this call completes.
bOpenAsSelf
Indicates whether the access check is to be made against the security context of the thread calling the GetThreadToken method or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The CAutoRevertImpersonation Class can be used to automatically revert impersonated access tokens created by setting the bImpersonate flag to TRUE.
CAccessToken::OpenThreadToken
Call this method to set the impersonation level and then initialize the CAccessToken with the token from the given thread.
bool OpenThreadToken(
DWORD dwDesiredAccess,
bool bImpersonate = false,
bool bOpenAsSelf = true,
SECURITY_IMPERSONATION_LEVEL sil = SecurityImpersonation) throw(...);
Parameters
dwDesiredAccess
Specifies an access mask that specifies the requested types of access to the access token. These requested access types are compared with the token's DACL to determine which accesses are granted or denied.
bImpersonate
If TRUE, the thread will be left at the requested impersonation level after this method completes. If FALSE, the thread will revert to its original impersonation level.
bOpenAsSelf
Indicates whether the access check is to be made against the security context of the thread calling the GetThreadToken method or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
sil
Specifies a SECURITY_IMPERSONATION_LEVEL enumerated type that supplies the impersonation level of the token.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
OpenThreadToken is similar to CAccessToken::GetThreadToken, but sets the impersonation level before initializing the CAccessToken from the thread's access token.
The CAutoRevertImpersonation Class can be used to automatically revert impersonated access tokens created by setting the bImpersonate flag to TRUE.
CAccessToken::PrivilegeCheck
Call this method to determine whether a specified set of privileges are enabled in the CAccessToken object.
bool PrivilegeCheck(
PPRIVILEGE_SET RequiredPrivileges,
bool* pbResult) const throw();
Parameters
RequiredPrivileges
Pointer to a PRIVILEGE_SET structure.
pbResult
Pointer to a value the method sets to indicate whether any or all of the specified privilege are enabled in the CAccessToken object.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
When PrivilegeCheck returns, the Attributes member of each LUID_AND_ATTRIBUTES structure is set to SE_PRIVILEGE_USED_FOR_ACCESS if the corresponding privilege is enabled. This method calls the PrivilegeCheck Win32 function.
CAccessToken::Revert
Call this method to stop a thread from using an impersonation token.
bool Revert(HANDLE hThread = NULL) const throw();
Parameters
hThread
Handle to the thread to revert from impersonation. If hThread is NULL, the current thread is assumed.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The reversion of impersonation tokens can be performed automatically with the CAutoRevertImpersonation Class.
CAccessToken::SetDefaultDacl
Call this method to set the default DACL of the CAccessToken object.
bool SetDefaultDacl(const CDacl& rDacl) throw(...);
Parameters
rDacl
The new default CDacl Class information.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The default DACL is the DACL that is used by default when new objects are created with this access token in effect.
CAccessToken::SetOwner
Call this method to set the owner of the CAccessToken object.
bool SetOwner(const CSid& rSid) throw(...);
Parameters
rSid
The CSid Class object containing the owner information.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The owner is the default owner that is used for new objects created while this access token is in effect.
CAccessToken::SetPrimaryGroup
Call this method to set the primary group of the CAccessToken object.
bool SetPrimaryGroup(const CSid& rSid) throw(...);
Parameters
rSid
The CSid Class object containing the primary group information.
Return Value
Returns TRUE on success, FALSE on failure.
Remarks
The primary group is the default group for new objects created while this access token is in effect.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for