NtCompareTokens - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers

#ifndef _NTSEAPI_H

/**
 * The NtCompareTokens routine compares two access tokens to determine whether they are equivalent.
 *
 * \param FirstTokenHandle Handle to the first access token to compare. The handle must have TOKEN_QUERY access.
 * \param SecondTokenHandle Handle to the second access token to compare. The handle must have TOKEN_QUERY access.
 * \param Equal Pointer to a BOOLEAN variable that receives TRUE if the tokens are equivalent, or FALSE otherwise.
 * \return NTSTATUS Successful or errant status.
 * \sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcomparetokens
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCompareTokens(
    _In_ HANDLE FirstTokenHandle,
    _In_ HANDLE SecondTokenHandle,
    _Out_ PBOOLEAN Equal
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCompareTokens(
    _In_ HANDLE FirstTokenHandle,
    _In_ HANDLE SecondTokenHandle,
    _Out_ PBOOLEAN Equal
    );

#endif

// ntseapi.h

NTSTATUS NTAPI NtCompareTokens(
  _In_  HANDLE   FirstTokenHandle,
  _In_  HANDLE   SecondTokenHandle,
  _Out_ PBOOLEAN Equal
);

NtDoc

Determines whether two tokens are identical for the purpose of access checks. This function is documented in the Windows SDK.

Parameters

Implementation details

The function compares the user, groups, restricting SIDs, privileges, trust level, mandatory policy, AppContainer SID, capabilities, claims, and security attributes.

Note that this function does not support token pseudo-handles such as NtCurrentProcessToken. To compare the current process or thread token, you need to open it first and pass the resulting handle.

See also

Win32 development documentation (ntcomparetokens)

NtCompareTokens function

The NtCompareTokens function compares two access tokens and determines whether they are equivalent with respect to a call to the AccessCheck function.

Parameters

FirstTokenHandle [in]

A handle to the first access token to compare. The token must be open for TOKEN_QUERY access.

SecondTokenHandle [in]

A handle to the second access token to compare. The token must be open for TOKEN_QUERY access.

Equal [out]

A pointer to a variable that receives a value that indicates whether the tokens represented by the FirstTokenHandle and SecondTokenHandle parameters are equivalent.

Return value

If the function succeeds, the function returns STATUS_SUCCESS.

If the function fails, it returns an NTSTATUS error code.

Remarks

Two access control tokens are considered to be equivalent if all of the following conditions are true:

This function has no associated import library or header file; you must call it using the LoadLibrary and GetProcAddress functions.
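The two constraints described above (no pseudo-handle support, and no import library, so the export has to be resolved from Ntdll.dll at run time) can be exercised from PowerShell. This is an added example, not code from NtDoc, phnt or Microsoft; the `Example.Native` wrapper and the function names `Open-CurrentProcessToken` and `Compare-Token` are hypothetical, and the `-4` value for NtCurrentProcessToken is taken from its phnt definition.

```powershell
# P/Invoke bindings; the runtime resolves each export from the named DLL on first call.
# "Example.Native" is a hypothetical wrapper name chosen for this example.
Add-Type -Namespace Example -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtCompareTokens(IntPtr FirstTokenHandle, IntPtr SecondTokenHandle, out byte Equal);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
'@

$TOKEN_QUERY = 0x0008   # access right both handles must carry

function Open-CurrentProcessToken {
    $token = [IntPtr]::Zero
    $process = [Example.Native]::GetCurrentProcess()
    if (-not [Example.Native]::OpenProcessToken($process, $TOKEN_QUERY, [ref]$token)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcessToken failed with Win32 error $err"
    }
    return $token
}

function Compare-Token([IntPtr]$First, [IntPtr]$Second, [string]$Case) {
    $equal = [byte]0          # BOOLEAN is a single byte
    $status = [Example.Native]::NtCompareTokens($First, $Second, [ref]$equal)
    $ok = $status -ge 0       # NT_SUCCESS: non-negative NTSTATUS
    [pscustomobject]@{
        Case      = $Case
        Status    = '0x{0:X8}' -f $status
        Succeeded = $ok
        Equal     = if ($ok) { $equal -ne 0 } else { $null }   # only valid on success
    }
}

$first  = Open-CurrentProcessToken
$second = Open-CurrentProcessToken
try {
    Compare-Token $first $second 'two opened handles'
    # NtCurrentProcessToken is ((HANDLE)(LONG_PTR)-4) in the phnt headers.
    Compare-Token ([IntPtr](-4)) $first 'pseudo-handle vs opened handle'
} finally {
    [void][Example.Native]::CloseHandle($first)
    [void][Example.Native]::CloseHandle($second)
}
```

Read `Equal` only when the returned NTSTATUS indicates success; on failure the output variable carries no meaning.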

Requirements

Requirement               Value
Minimum supported client  Windows XP [desktop apps only]
Minimum supported server  Windows Server 2003 [desktop apps only]
Header                    Ntseapi.h
DLL                       Ntdll.dll