Access Tokens
An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.
After a user authenticates, the system generates an access token for that user. Every process executed on behalf of this user gets a copy of this access token.
An access token contains:
The security identifier (SID) for the user's account
SIDs for the groups of which the user is a member
A logon SID that identifies the current logon session
A list of the privileges held by either the user or the user's groups
An owner SID
The SID for the primary group
The default DACL that the system uses when the user creates a securable object without specifying a security descriptor
The source of the access token
Whether the token is a primary or impersonation token
An optional list of restricting SIDs
Current impersonation levels
Other statistics
The token is checked when the user interacts with securable objects.

There are 2 types of access token:
Primary Token
Assigned to processes. Obtained at login.
Impersonation Token
Assigned to threads. Obtained from processes for temporary (current session) impersonation.
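The fields listed above can be read back from the token of the current PowerShell session. This is an added example, not part of the original page; the function name Get-CurrentTokenSummary is hypothetical, and the code relies on the .NET WindowsIdentity class and the built-in whoami.exe.

```powershell
# Added example: summarize the access token behind the current PowerShell session.
# Get-CurrentTokenSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-CurrentTokenSummary {
    # GetCurrent() returns the thread's impersonation token if one is set,
    # otherwise the primary token of the process.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    try {
        # .NET reports ImpersonationLevel 'None' when the token is a primary token.
        $none = [System.Security.Principal.TokenImpersonationLevel]::None
        $type = if ($id.ImpersonationLevel -eq $none) { 'Primary' } else { 'Impersonation' }

        # whoami.exe runs as a child process, so it reports the process's primary token.
        # /nh drops the (localized) header row; column names are supplied here instead.
        $privs = whoami.exe /priv /fo csv /nh |
            ConvertFrom-Csv -Header Name, Description, State
        $groups = whoami.exe /groups /fo csv /nh |
            ConvertFrom-Csv -Header Name, Type, SID, Attributes

        [pscustomobject]@{
            User               = $id.Name
            UserSid            = $id.User.Value      # SID of the user's account
            OwnerSid           = $id.Owner.Value     # owner SID stored in the token
            LogonSid           = (whoami.exe /logonid)
            TokenType          = $type
            ImpersonationLevel = $id.ImpersonationLevel
            GroupSids          = @($groups.SID)
            # Each privilege with its current state, e.g. "SeShutdownPrivilege [Disabled]"
            Privileges         = @($privs | ForEach-Object { "$($_.Name) [$($_.State)]" })
        }
    }
    finally {
        # WindowsIdentity wraps a token handle; release it when done.
        $id.Dispose()
    }
}

Get-CurrentTokenSummary | Format-List
```

Running it from a standard and from an elevated prompt and comparing the Privileges and GroupSids fields shows how the same user account can carry different tokens.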