When a user logs on, the system verifies the user's password by comparing it with information stored in a security database. If the password is authenticated, the system produces an access token and attaches it to the user's process. This access token identifies the user in all subsequent interactions with securable objects and contains the following information about a process:
·The user's SID
·Group SIDs
·Privileges
·An owner SID
·The SID for the primary group
·The default discretionary access-control list (ACL)
·The source of the access token
·Whether the token is a primary or impersonation token
·Current impersonation levels
·Other statistics
Every process has a primary token that determines the security context in which the process interacts with securable objects. By default, a thread runs in the security context of its process. However, a thread can use impersonation to run in a different security context. In this case, the thread has an impersonation token that determines the security context for most of the thread's actions. For more information, see Impersonation.
For more information about privileges, see Privileges. For more information about security identifiers (SIDs), see Security Identifiers (SIDs). For more information about discretionary ACLs, see Access-control Lists (ACLs). For more information about the components of an access token, see the following token structures and enumerated types.
Structure or enumeration type | Specifies |
TOKEN_CONTROL | Information useful in identifying an access token. |
TOKEN_DEFAULT_DACL | The default discretionary ACL for an access token. |
TOKEN_GROUPS | Specifies the SIDs of the access token's groups and whether any privileges are enabled. |
TOKEN_INFORMATION_CLASS | Information being set in or retrieved from an access token. |
TOKEN_OWNER | The SID of an access token's owner. |
TOKEN_PRIMARY_GROUP | The SID of the access token's primary group. |
TOKEN_PRIVILEGES | The privileges associated with an access token and whether the privileges are enabled. |
TOKEN_SOURCE | The source of an access token. |
TOKEN_STATISTICS | Statistics associated with an access token. |
TOKEN_TYPE | Whether an access token is being used as an impersonation token. |
TOKEN_USER | The SID of an access token's user. |
You can use the following functions to manipulate access tokens.
Following are the functions an application can use to manipulate access tokens.
Function | Description |
AdjustTokenGroups | Changes the group information in an access token. |
AdjustTokenPrivileges | Changes the privileges in an access token. |
DuplicateToken | Creates a new impersonation token that duplicates an existing token. |
DuplicateTokenEx | Creates a new primary token or impersonation token that duplicates an existing token. |
GetTokenInformation | Retrieves information about a token. |
OpenProcessToken | Retrieves the handle of the access token for a process. |
OpenThreadToken | Retrieves the handle of the access token for a thread. |
SetThreadToken | Assigns or removes an impersonation token for a thread. |
SetTokenInformation | Changes a token's owner, primary group, or default discretionary ACL. |