Search notes:

Windows: Access token

When a user logs on, Windows creates an access token for this user. It is used to store a user's identity and privileges.
Such an access token stores the following information
An access token is a kernel object

Primary and impersonation access tokens

There are two types of access tokens:

Primary access tokens

The primary access token is the access token that is created when a user logs on. It is created by the Local Security Authority (LSA).
When the (logged-on) session starts a process or a thread, the primary access token is copied and the copy is attached to that process or thread.

Impersonation access tokens

Impersonation access tokens are typically used in client-server environments where a thread needs to run in a different security context than that of the process that started the thread.
See also process impersonation

Creating access tokens

Using the WinAPI, a new access token can be created with DuplicateTokenEx.

TODO

It appears that the definition of an access token is stored in the struct TOKEN_ACCESS_INFORMATION, found in winnt.h: 
typedef struct _TOKEN_ACCESS_INFORMATION {
    PSID_AND_ATTRIBUTES_HASH SidHash;
    PSID_AND_ATTRIBUTES_HASH RestrictedSidHash;
    PTOKEN_PRIVILEGES Privileges;
    LUID AuthenticationId;
    TOKEN_TYPE TokenType;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    TOKEN_MANDATORY_POLICY MandatoryPolicy;
    DWORD Flags;
    DWORD AppContainerNumber;
    PSID PackageSid;
    PSID_AND_ATTRIBUTES_HASH CapabilitiesHash;
    PSID TrustLevelSid;
    PSECURITY_ATTRIBUTES_OPAQUE SecurityAttributes;
} TOKEN_ACCESS_INFORMATION, *PTOKEN_ACCESS_INFORMATION;

See also

Privileges
The Sysinternals tools LogonSessions.

Links

PSAccessToken is a PowerShell module that can query, edit, and create Windows Access Tokens

Index