Access Tokens
An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token. Every process executed on behalf of this user has a copy of this access token.
The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges. Access tokens contain the following information:
- The security identifier (SID) for the user's account
- SIDs for the groups of which the user is a member
- A logon SID that identifies the current logon session
- A list of the privileges held by either the user or the user's groups
- An owner SID
- The SID for the primary group
- The default DACL that the system uses when the user creates a securable object without specifying a security descriptor
- The source of the access token
- Whether the token is a primary or impersonation token
- An optional list of restricting SIDs
- Current impersonation levels
- Other statistics
Every process has a primary token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. Moreover, a thread can impersonate a client account. Impersonation allows the thread to interact with securable objects using the client's security context. A thread that is impersonating a client has both a primary token and an impersonation token.
Use the OpenProcessToken function to retrieve a handle to the primary token of a process. Use the OpenThreadToken function to retrieve a handle to the impersonation token of a thread. For more information, see Impersonation.
You can use the following functions to manipulate access tokens.
Function | Description |
---|---|
AdjustTokenGroups | Changes the group information in an access token. |
AdjustTokenPrivileges | Enables or disables the privileges in an access token. It does not grant new privileges or revoke existing ones. |
CheckTokenMembership | Determines whether a specified SID is enabled in a specified access token. |
CreateRestrictedToken | Creates a new token that is a restricted version of an existing token. The restricted token can have disabled SIDs, deleted privileges, and a list of restricted SIDs. |
DuplicateToken | Creates a new impersonation token that duplicates an existing token. |
DuplicateTokenEx | Creates a new primary token or impersonation token that duplicates an existing token. |
GetTokenInformation | Retrieves information about a token. |
IsTokenRestricted | Determines whether a token has a list of restricting SIDs. |
OpenProcessToken | Retrieves a handle to the primary access token for a process. |
OpenThreadToken | Retrieves a handle to the impersonation access token for a thread. |
SetThreadToken | Assigns or removes an impersonation token for a thread. |
SetTokenInformation | Changes a token's owner, primary group, or default DACL. |
The access token functions use the following structures to describe the parts of an access token.
Structure | Description |
---|---|
TOKEN_CONTROL | Information that identifies an access token. |
TOKEN_DEFAULT_DACL | The default DACL that the system uses in the security descriptors of new objects created by a thread. |
TOKEN_GROUPS | Specifies the SIDs and attributes of the group SIDs in an access token. |
TOKEN_OWNER | The default owner SID for the security descriptors of new objects. |
TOKEN_PRIMARY_GROUP | The default primary group SID for the security descriptors of new objects. |
TOKEN_PRIVILEGES | The privileges associated with an access token. Also determines whether the privileges are enabled. |
TOKEN_SOURCE | The source of an access token. |
TOKEN_STATISTICS | Statistics associated with an access token. |
TOKEN_USER | The SID of the user associated with an access token. |
The access token functions use the following enumeration types.
Enumeration type | Specifies |
---|---|
TOKEN_INFORMATION_CLASS | Identifies the type of information being set or retrieved from an access token. |
TOKEN_TYPE | Identifies an access token as a primary or impersonation token. |
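As an added example (not part of this page or of the Win32 documentation), the following Python uses ctypes to call OpenProcessToken and GetTokenInformation with the TokenPrivileges member of TOKEN_INFORMATION_CLASS, then decodes the returned TOKEN_PRIVILEGES structure to show which of the privileges a token holds are actually enabled, the distinction that least-privilege audits care about. The decoder runs anywhere on a constructed buffer; the live query assumes a Windows host with advapi32 and kernel32 reachable through ctypes.windll.

```python
import ctypes, struct, sys

SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1  # LUID_AND_ATTRIBUTES.Attributes bits (winnt.h)
SE_PRIVILEGE_ENABLED = 0x2
TOKEN_QUERY = 0x0008                   # access right needed for GetTokenInformation
TokenPrivileges = 3                    # TOKEN_INFORMATION_CLASS value for TOKEN_PRIVILEGES


def decode_token_privileges(buf):
    """Parse a raw TOKEN_PRIVILEGES buffer: DWORD PrivilegeCount, then PrivilegeCount
    12-byte LUID_AND_ATTRIBUTES entries {LUID{LowPart, HighPart}, Attributes}.
    Returns [(luid, attributes, enabled)]; a privilege listed without
    SE_PRIVILEGE_ENABLED is held by the token but not active."""
    (count,) = struct.unpack_from("<I", buf, 0)
    entries = []
    for i in range(count):
        low, high, attrs = struct.unpack_from("<III", buf, 4 + 12 * i)
        entries.append(((high << 32) | low, attrs, bool(attrs & SE_PRIVILEGE_ENABLED)))
    return entries


def current_process_privileges():
    """Windows only: open this process's primary token, fetch TOKEN_PRIVILEGES and
    resolve each LUID to its name, e.g. ('SeChangeNotifyPrivilege', True)."""
    if sys.platform != "win32":
        raise OSError("Win32 token APIs are unavailable on this platform")
    advapi32, kernel32 = ctypes.windll.advapi32, ctypes.windll.kernel32
    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError()
    needed = ctypes.c_uint32(0)
    advapi32.GetTokenInformation(token, TokenPrivileges, None, 0, ctypes.byref(needed))  # size probe
    raw = ctypes.create_string_buffer(needed.value)
    if not advapi32.GetTokenInformation(token, TokenPrivileges, raw, needed.value, ctypes.byref(needed)):
        raise ctypes.WinError()
    kernel32.CloseHandle(token)
    names = []
    for luid, _attrs, enabled in decode_token_privileges(raw.raw):
        luid_c, name, size = ctypes.c_uint64(luid), ctypes.create_unicode_buffer(256), ctypes.c_uint32(256)
        if not advapi32.LookupPrivilegeNameW(None, ctypes.byref(luid_c), name, ctypes.byref(size)):
            raise ctypes.WinError()
        names.append((name.value, enabled))
    return names


# Constructed sample buffer (not captured from a real system): LUID 19 held but inactive,
# LUID 23 enabled by default and enabled.
SAMPLE_TOKEN_PRIVILEGES = (b"\x02\x00\x00\x00" + b"\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                           + b"\x17\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00")

if __name__ == "__main__":
    print(current_process_privileges() if sys.platform == "win32" else decode_token_privileges(SAMPLE_TOKEN_PRIVILEGES))
```

Privileges that are present but disabled still count as a capability the process could turn on with AdjustTokenPrivileges, so an audit should report both columns rather than only the enabled ones.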