WTSQueryUserToken function (wtsapi32.h)

Obtains the primary access token of the logged-on user specified by the session ID. To call this function successfully, the calling application must be running within the context of the LocalSystem account and have the SE_TCB_NAME privilege.

Caution: WTSQueryUserToken is intended for highly trusted services. Service providers must take care not to leak user tokens when calling this function, and must close token handles after they have finished using them.


BOOL WTSQueryUserToken(
  [in]  ULONG   SessionId,
  [out] PHANDLE phToken
);


[in] SessionId

A Remote Desktop Services session identifier. Any program running in the context of a service will have a session identifier of zero (0). You can use the WTSEnumerateSessions function to retrieve the identifiers of all sessions on a specified RD Session Host server.

To be able to query information for another user's session, you need to have the Query Information permission. For more information, see Remote Desktop Services Permissions. To modify permissions on a session, use the Remote Desktop Services Configuration administrative tool.

[out] phToken

If the function succeeds, receives a pointer to the token handle for the logged-on user. Note that you must call the CloseHandle function to close this handle.

Return value

If the function succeeds, the return value is a nonzero value, and the phToken parameter points to the primary token of the user.

If the function fails, the return value is zero. To get extended error information, call GetLastError.
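A call pattern that follows the caution and return-value rules above, as an added example (not code from the original page): the token is lent to a callback and closed on every path. `with_session_user_token`, `token_fn` and `count_use` are hypothetical names, session ID 1 is a sample value, and the `#else` branch holds constructed stand-ins so the block also builds off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>            /* link with Wtsapi32.lib */
#else
/* Constructed stand-ins so the example also builds off Windows; not the real API. */
#include <stddef.h>
typedef int BOOL; typedef unsigned long DWORD, ULONG;
typedef void *HANDLE, **PHANDLE;
#define ERROR_SUCCESS  0UL
#define ERROR_NO_TOKEN 1008UL
static int g_open_handles, g_dummy;
static DWORD g_last_error;
static BOOL WTSQueryUserToken(ULONG id, PHANDLE ph) {
    if (id == 0) { g_last_error = ERROR_NO_TOKEN; return 0; }  /* stub: no user in session 0 */
    *ph = &g_dummy; g_open_handles++; return 1;
}
static BOOL CloseHandle(HANDLE h) { (void)h; g_open_handles--; return 1; }
static DWORD GetLastError(void) { return g_last_error; }
#endif

/* Hypothetical callback type: the work done while the token is borrowed. */
typedef DWORD (*token_fn)(HANDLE hToken, void *ctx);

/* Query the token for sessionId, lend it to fn, and close it on every path.
   Returns the Win32 error from the query, otherwise whatever fn returns. */
DWORD with_session_user_token(ULONG sessionId, token_fn fn, void *ctx)
{
    HANDLE hToken = NULL;
    if (!WTSQueryUserToken(sessionId, &hToken))
        return GetLastError();   /* nothing was opened, so nothing to close */
    DWORD rc = fn(hToken, ctx);  /* fn must not keep hToken after it returns */
    CloseHandle(hToken);         /* the handle never outlives this function */
    return rc;
}

/* Sample callback: records that a token was received; ctx is an int counter. */
DWORD count_use(HANDLE hToken, void *ctx)
{
    if (hToken != NULL) ++*(int *)ctx;
    return ERROR_SUCCESS;
}

int main(void)
{
    int uses = 0;
    DWORD rc = with_session_user_token(1, count_use, &uses);  /* 1: sample session ID */
    printf("rc=%lu uses=%d\n", (unsigned long)rc, uses);
    return 0;
}
```

On Windows the call succeeds only from a LocalSystem service holding SE_TCB_NAME; run from an ordinary process, `rc` carries the error reported by GetLastError.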


For information about primary tokens, see Access Tokens. For more information about account privileges, see Remote Desktop Services Permissions and Authorization Constants.

See LocalSystem account for information about the privileges associated with that account.


| Requirement | Value |
|---|---|
| Minimum supported client | Windows Vista |
| Minimum supported server | Windows Server 2008 |
| Target Platform | Windows |
| Header | wtsapi32.h |
| Library | Wtsapi32.lib |
| DLL | Wtsapi32.dll |
| API set | ext-ms-win-session-wtsapi32-l1-1-0 (introduced in Windows 8) |
