Restricted Tokens

A restricted token is a primary or impersonation access token that has been modified by the CreateRestrictedToken function. A process or impersonating thread running in the security context of a restricted token is restricted in its ability to access securable objects or perform privileged operations. The CreateRestrictedToken function can restrict a token in the following ways:

  • Remove privileges from the token.
  • Apply the deny-only attribute to SIDs in the token so that they cannot be used to access secured objects. For more information about the deny-only attribute, see SID Attributes in an Access Token.
  • Specify a list of restricting SIDs, which can limit access to securable objects.

The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights. For more information about access checks, see How DACLs Control Access to an Object.

You can use a restricted primary token in a call to the CreateProcessAsUser function. Typically, the process that calls CreateProcessAsUser must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege, which is usually held only by system code or by services running in the LocalSystem account. However, if the CreateProcessAsUser call specifies a restricted version of the caller's primary token, this privilege is not required. This enables ordinary applications to create restricted processes.

You can also use a restricted primary or impersonation token in the ImpersonateLoggedOnUser function.

To determine whether a token has a list of restricting SIDs, call the IsTokenRestricted function.
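The two-pass access check described above, and the IsTokenRestricted distinction, as an added model that is not part of this page and makes no Win32 calls: it walks a DACL the way the system does, once with the token's enabled SIDs and, for a restricted token, once more with the restricting SIDs, and treats deny-only SIDs as matching only deny ACEs. Access-right bits, SID labels and the DACL are constructed sample values, not real SIDs.

```python
from dataclasses import dataclass, field

# Constructed access-right bits; stand-ins for real rights such as FILE_READ_DATA.
READ, WRITE = 0x1, 0x2

@dataclass
class Ace:
    kind: str   # "allow" or "deny"; ACEs are evaluated in DACL order
    sid: str
    mask: int

@dataclass
class Token:
    enabled_sids: set                                   # usable for allow and deny ACEs
    deny_only_sids: set = field(default_factory=set)    # deny-only attribute: deny ACEs only
    restricting_sids: set = field(default_factory=set)  # empty => the token is not restricted

def is_token_restricted(token: Token) -> bool:
    """Model of IsTokenRestricted: true when the token carries restricting SIDs."""
    return bool(token.restricting_sids)

def dacl_pass(dacl, sids, deny_only, requested):
    """One DACL walk: a deny ACE that matches any usable SID for a right not yet
    granted fails the check; allow ACEs matching `sids` satisfy requested rights."""
    remaining = requested
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in (sids | deny_only) and (ace.mask & remaining):
            return False
        if ace.kind == "allow" and ace.sid in sids:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def access_check(token, dacl, requested):
    """Enabled-SID pass first; a restricted token must also pass the restricting-SID walk."""
    if not dacl_pass(dacl, token.enabled_sids, token.deny_only_sids, requested):
        return False
    if is_token_restricted(token):
        return dacl_pass(dacl, token.restricting_sids, set(), requested)
    return True

# Constructed DACL: the user may read and write; the restricting SID may only read.
DACL = [Ace("allow", "S-USER", READ | WRITE), Ace("allow", "S-RESTRICTED", READ)]
NORMAL = Token({"S-USER", "S-USERS"})
RESTRICTED = Token({"S-USER", "S-USERS"}, restricting_sids={"S-RESTRICTED"})
# Deny-only SID: S-ADMINS is kept so deny ACEs aimed at it still apply, but it grants nothing.
DENY_ONLY = Token({"S-USER"}, deny_only_sids={"S-ADMINS"})
ADMIN_ONLY_DACL = [Ace("allow", "S-ADMINS", WRITE)]

if __name__ == "__main__":
    print(access_check(NORMAL, DACL, WRITE))                # True
    print(access_check(RESTRICTED, DACL, READ))             # True: both passes succeed
    print(access_check(RESTRICTED, DACL, WRITE))            # False: restricting-SID pass fails
    print(access_check(DENY_ONLY, ADMIN_ONLY_DACL, WRITE))  # False: deny-only SID cannot grant
```

The model omits the owner and privilege shortcuts of the real check; it shows only the rule this page states, that a restricted token is granted access only when both walks succeed.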

Note

Applications that use restricted tokens should run the restricted application on a desktop other than the default desktop. This prevents a restricted application from attacking unrestricted applications on the default desktop through SendMessage or PostMessage. If necessary, switch between desktops for your application's purposes.