NtCreateLowBoxToken - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H
#if (PHNT_VERSION >= PHNT_WINDOWS_8)

/**
 * The NtCreateLowBoxToken routine creates a new lowbox access token based on an existing token.
 *
 * @param TokenHandle Pointer to a variable that receives the handle to the newly created lowbox token.
 * @param ExistingTokenHandle Handle to an existing token to base the new token on.
 * @param DesiredAccess Specifies the requested access rights for the new token.
 * @param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
 * @param PackageSid Pointer to a SID structure specifying the package SID for the lowbox token.
 * @param CapabilityCount Number of capabilities in the Capabilities array.
 * @param Capabilities Optional pointer to an array of SID_AND_ATTRIBUTES structures specifying capabilities.
 * @param HandleCount Number of handles in the Handles array.
 * @param Handles Optional pointer to an array of handles to be associated with the token.
 * @return NTSTATUS code indicating success or failure.
 * @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatelowboxtoken
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE *Handles
    );

#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE *Handles
    );

#endif

View code on GitHub

Creates an AppContainer/LowBox token based on an existing token. This function is documented in Windows SDK.

Parameters

Notable return values

Remarks

The function always returns a primary token.

Note that this function does not support token pseudo-handles such as NtCurrentProcessToken. If you want to filter the current process/thread token, you need to open it first.

AppContainer tokens perform an additional access check against the corresponding AppContainer/Package SID, ALL APPLICATION PACKAGES SID (S-1-15-2-1), and the list of provided capabilities. It is also possible to convert such tokens into Less Privileged AppContainer (LPAC) via a dedicated security attribute. See TOKEN_INFORMATION_CLASS value TokenIsLessPrivilegedAppContainer for more details on LPAC.

Required OS version

This function was introduced in Windows 8.

See also