Restricted Tokens

[This is preliminary documentation and subject to change.]

A restricted token is a primary or impersonation access token that has been modified by the CreateRestrictedToken function. A process or impersonating thread running in the security context of a restricted token is restricted in its ability to access securable objects or perform privileged operations. CreateRestrictedToken can restrict a token in the following ways:

• Remove privileges from the token.
• Apply the deny-only attribute to SIDs in the token so they cannot be used to access secured objects. For more information about the deny-only attribute, see SID Attributes in an Access Token.
• Specify a list of restricting SIDs, which can limit access to securable objects.

The system uses the list of restricting SIDs when it checks the token's access to a securable object. When a restricted process or thread tries to access a securable object, the system performs two access checks: one using the token's enabled SIDs, and another using the list of restricting SIDs. Access is granted only if both access checks allow the requested access rights. For more information about access checks, see Checking a Thread's Access to an Object.

You can use a restricted primary token in a call to the CreateProcessAsUser function. Typically, the process that calls CreateProcessAsUser must have the SE_ASSIGNPRIMARYTOKEN_NAME privilege, which is usually held only by system code or by services running in the LocalSystem account. However, if the CreateProcessAsUser call specifies a restricted version of the caller's primary token, this privilege is not required. This enables ordinary applications to create restricted processes.

You can also use a restricted primary or impersonation token in the ImpersonateLoggedOnUser function.