CheckTokenMembershipEx function (securitybaseapi.h)

The CheckTokenMembershipEx function determines whether the specified SID is enabled in the specified token.


BOOL CheckTokenMembershipEx(
  [in, optional] HANDLE TokenHandle,
  [in]           PSID   SidToCheck,
  [in]           DWORD  Flags,
  [out]          PBOOL  IsMember


[in, optional] TokenHandle

A handle to an access token. If present, this token is checked for the SID. If not present, then the current effective token is used. This must be an impersonation token.

[in] SidToCheck

A pointer to a SID structure. The function checks for the presence of this SID in the presence of the token.

[in] Flags

Flags that affect the behavior of the function. Currently the only valid flag is CTMF_INCLUDE_APPCONTAINER which allows app containers to pass the call as long as the other requirements of the token are met, such as the group specified is present and enabled.

[out] IsMember

TRUE if the SID is enabled in the token; otherwise, FALSE.

Return value

If the function succeeds, it returns TRUE.

If the function fails, it returns zero. To get extended error information, call GetLastError.


Minimum supported client Windows 8 [desktop apps | UWP apps]
Minimum supported server Windows Server 2012 [desktop apps | UWP apps]
Target Platform Windows
Header securitybaseapi.h (include Windows.h)
Library Advapi32.lib
DLL Kernel32.dll