Access Tokens for Impersonation

Access tokens are Windows NT objects that describe the security context of a process or thread. They provide information that includes the identity of a user account and a subset of the privileges available to the user account. Every process has a primary access token that describes the security context of the user account associated with the process. By default, the system uses the primary token when a thread of the process interacts with a securable object. However, when a thread impersonates a client, the impersonating thread has both a primary access token and an impersonation token. The impersonation token represents the client's security context, and this access token is the one that is used for access checks during impersonation. When impersonation is over, the thread reverts to using only the primary access token.

You can use the OpenProcessToken function to get a handle to the primary token of a process. Use the OpenThreadToken function to get a handle to the impersonation token of a thread. For more information on getting and setting access tokens, see Access Tokens and The Client's Security Context.
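The lookup order described above, as an added example that is not part of the original page: a C# console program that tries OpenThreadToken first and falls back to OpenProcessToken when the thread has no impersonation token, then reports which security context is in effect. The class name EffectiveToken and the method Open are this example's own; the Win32 functions are called through P/Invoke.

```csharp
// Added example: report which access token the current thread's access checks use.
// EffectiveToken and Open are names chosen for this example.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class EffectiveToken
{
    const uint TOKEN_QUERY = 0x0008;
    const int ERROR_NO_TOKEN = 1008;   // the thread is not impersonating

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenThreadToken(IntPtr thread, uint access, bool openAsSelf, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentThread();
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    // Returns a query-only handle to the impersonation token if the thread has
    // one, otherwise to the process's primary token. The caller closes it.
    static IntPtr Open(out bool impersonating)
    {
        IntPtr token;
        // openAsSelf = true: the check for opening the token is made against the
        // process's security context, not the impersonated client's.
        if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, true, out token))
        { impersonating = true; return token; }
        int err = Marshal.GetLastWin32Error();
        if (err != ERROR_NO_TOKEN) throw new Win32Exception(err); // a real failure
        impersonating = false;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        return token;
    }

    static void Main()
    {
        bool impersonating;
        IntPtr token = Open(out impersonating);
        try
        {
            using (var id = new WindowsIdentity(token))   // works on its own duplicate
                Console.WriteLine("{0} token: {1} (level: {2})",
                    impersonating ? "impersonation" : "primary", id.Name, id.ImpersonationLevel);
        }
        finally { CloseHandle(token); }   // always release the handle we opened
    }
}
```

Treating ERROR_NO_TOKEN as the only acceptable OpenThreadToken failure keeps a service from silently using its own primary token when the thread token exists but could not be opened.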