Windows: Access token

When a user logs on, Windows creates an access token for this user. It is used to store a user's identity and privileges.
Such an access token stores the following information
An access token is a kernel object.

Primary and impersonation access tokens

There are two types of access tokens:

Primary access tokens

The primary access token is the access token that is created when a user logs on. It is created by the Local Security Authority (LSA).
When the (logged-on) session starts a process or a thread, the primary access token is copied and the copy is attached to that process or thread.

Impersonation access tokens

Impersonation access tokens are typically used in client-server environments where a thread needs to run in a different security context than that of the process that started the thread.

Creating access tokens

Using the WinAPI, a new access token can be created with DuplicateTokenEx.
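
The following example is added here and is not part of the original notes. It opens the current process's primary token, duplicates it with DuplicateTokenEx into an impersonation token at SecurityIdentification level, and reports the type and impersonation level of both. The TokenDemo.Native wrapper class and the Get-TokenSummary helper are names made up for this example; the numeric constants are the values of the corresponding winnt.h enums and access rights.

```powershell
# Added example: P/Invoke declarations for documented advapi32/kernel32 functions.
Add-Type -Namespace TokenDemo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool DuplicateTokenEx(IntPtr existing, uint access, IntPtr attrs,
    int impersonationLevel, int tokenType, out IntPtr newToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass,
    out int info, int length, out int returned);
'@

$TOKEN_DUPLICATE = 0x0002; $TOKEN_QUERY = 0x0008      # token access rights (winnt.h)
$TokenTypeName = @{ 1 = 'TokenPrimary'; 2 = 'TokenImpersonation' }
$LevelName = @{ 0 = 'SecurityAnonymous'; 1 = 'SecurityIdentification'
                2 = 'SecurityImpersonation'; 3 = 'SecurityDelegation' }

function Get-TokenSummary([IntPtr]$Token, [string]$Label) {   # hypothetical helper
    $type = 0; $level = 0; $len = 0
    # TOKEN_INFORMATION_CLASS 8 = TokenType
    if (-not [TokenDemo.Native]::GetTokenInformation($Token, 8, [ref]$type, 4, [ref]$len)) {
        throw "GetTokenInformation(TokenType) failed for $Label"
    }
    $levelText = 'n/a (primary token)'
    # Class 9 = TokenImpersonationLevel; only meaningful for impersonation tokens.
    if ($type -eq 2 -and [TokenDemo.Native]::GetTokenInformation($Token, 9, [ref]$level, 4, [ref]$len)) {
        $levelText = $LevelName[$level]
    }
    [pscustomobject]@{ Token = $Label; TokenType = $TokenTypeName[$type]; ImpersonationLevel = $levelText }
}

$primary = [IntPtr]::Zero; $copy = [IntPtr]::Zero
try {
    $proc = [TokenDemo.Native]::GetCurrentProcess()
    if (-not [TokenDemo.Native]::OpenProcessToken($proc, ($TOKEN_DUPLICATE -bor $TOKEN_QUERY), [ref]$primary)) {
        throw 'OpenProcessToken failed'
    }
    Get-TokenSummary $primary 'process token'
    # Level 1 = SecurityIdentification, type 2 = TokenImpersonation; the copy gets TOKEN_QUERY only.
    if (-not [TokenDemo.Native]::DuplicateTokenEx($primary, $TOKEN_QUERY, [IntPtr]::Zero, 1, 2, [ref]$copy)) {
        throw 'DuplicateTokenEx failed'
    }
    Get-TokenSummary $copy 'duplicate'
}
finally {
    foreach ($h in $primary, $copy) { if ($h -ne [IntPtr]::Zero) { [void][TokenDemo.Native]::CloseHandle($h) } }
}
```

The first row should report TokenPrimary and the second TokenImpersonation with SecurityIdentification, which shows that the token type and impersonation level are fixed when the token is created.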

TODO

It appears that the definition of an access token is stored in the struct TOKEN_ACCESS_INFORMATION, found in winnt.h:
typedef struct _TOKEN_ACCESS_INFORMATION {
    PSID_AND_ATTRIBUTES_HASH SidHash;
    PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;
    PTOKEN_PRIVILEGES Privileges;
    LUID AuthenticationId;
    TOKEN_TYPE TokenType;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    TOKEN_MANDATORY_POLICY MandatoryPolicy;
    DWORD Flags;
    DWORD AppContainerNumber;
    PSID PackageSid;
    PSID_AND_ATTRIBUTES_HASH CapabilitiesHash;
    PSID TrustLevelSid;
    PSECURITY_ATTRIBUTES_OPAQUE SecurityAttributes;
} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;

See also

Privileges
The Sysinternals tool LogonSessions.

Links

PSAccessToken is a PowerShell module that can query, edit, and create Windows access tokens.
