#ifndef _NTSEAPI_H
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtCreateLowBoxToken routine creates a new lowbox access token based on an existing token.
*
* @param TokenHandle Pointer to a variable that receives the handle to the newly created lowbox token.
* @param ExistingTokenHandle Handle to an existing token to base the new token on.
* @param DesiredAccess Specifies the requested access rights for the new token.
* @param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
* @param PackageSid Pointer to a SID structure specifying the package SID for the lowbox token.
* @param CapabilityCount Number of capabilities in the Capabilities array.
* @param Capabilities Optional pointer to an array of SID_AND_ATTRIBUTES structures specifying capabilities.
* @param HandleCount Number of handles in the Handles array.
* @param Handles Optional pointer to an array of handles to be associated with the token.
* @return NTSTATUS code indicating success or failure.
* @sa https://learn.microsoft.com/en-us/windows/win32/secauthz/ntcreatelowboxtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateLowBoxToken(
_Out_ PHANDLE TokenHandle,
_In_ HANDLE ExistingTokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ PSID PackageSid,
_In_ ULONG CapabilityCount,
_In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
_In_ ULONG HandleCount,
_In_reads_opt_(HandleCount) HANDLE *Handles
);
#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateLowBoxToken(
_Out_ PHANDLE TokenHandle,
_In_ HANDLE ExistingTokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ PSID PackageSid,
_In_ ULONG CapabilityCount,
_In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
_In_ ULONG HandleCount,
_In_reads_opt_(HandleCount) HANDLE *Handles
);
NTSTATUS NTAPI NtCreateLowBoxToken(
    _Out_ PHANDLE TokenHandle,
    _In_ HANDLE ExistingTokenHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ PSID PackageSid,
    _In_ ULONG CapabilityCount,
    _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES Capabilities,
    _In_ ULONG HandleCount,
    _In_reads_opt_(HandleCount) HANDLE* Handles
);
Creates an AppContainer/LowBox token based on an existing token. This function is documented in the Windows SDK.

Parameters:
- TokenHandle - a pointer to a variable that receives a handle to the new token.
- ExistingTokenHandle - a handle to an existing token to use as a template. The handle must grant TOKEN_DUPLICATE access.
- DesiredAccess - the access mask to provide on the returned handle. This value is usually TOKEN_ALL_ACCESS.
- ObjectAttributes - an optional pointer to an OBJECT_ATTRIBUTES structure that specifies attributes of the handle/object.
- PackageSid - the AppContainer package SID to associate with the token. The SID must satisfy the RtlIsPackageSid check.
- CapabilityCount - the number of capabilities passed in the Capabilities parameter.
- Capabilities - an optional pointer to a collection of capability SIDs to add to the token. Each SID must satisfy the RtlIsCapabilitySid check.
- HandleCount - the number of handles passed in the Handles parameter.
- Handles - an optional pointer to a collection of handles to reference in the token to extend their lifetime. Currently, the only supported kernel types are Directory, SymbolicLink, and File.

Return values:
- STATUS_BAD_IMPERSONATION_LEVEL - the provided token is an impersonation token of either anonymous or identification level.
- STATUS_INVALID_PACKAGE_SID_LENGTH - the package SID does not have the correct length.

Remarks:
The function always returns a primary token.

Note that this function does not support token pseudo-handles such as NtCurrentProcessToken. If you want to filter the current process/thread token, you need to open it first.

AppContainer tokens perform an additional access check against the corresponding AppContainer/Package SID, the ALL APPLICATION PACKAGES SID (S-1-15-2-1), and the list of provided capabilities. It is also possible to convert such tokens into Less Privileged AppContainer (LPAC) via a dedicated security attribute. See the TOKEN_INFORMATION_CLASS value TokenIsLessPrivilegedAppContainer for more details on LPAC.

This function was introduced in Windows 8.
The NtCreateLowBoxToken function creates a LowBox (AppContainer) token object based on an existing access token and returns the handle opened for access to that token.
TokenHandle [out]
Returns the handle of the newly created LowBox token.
ExistingTokenHandle [in]
The handle of the existing created token. The token must be open for TOKEN_QUERY access.
DesiredAccess [in]
An ACCESS_MASK indicating which access types the handle is to provide to the new object.
ObjectAttributes [in, Optional]
Points to the standard OBJECT_ATTRIBUTES data structure.
PackageSid [in]
The _Package_ that this token will belong to. This must point to a valid SID which must be a member of the LowBox Package SID group.
CapabilityCount [in]
The number of capabilities to include on the token.
Capabilities [in, Optional]
The SID_AND_ATTRIBUTES structure containing the capability SIDs to include on the token.
HandleCount [in]
The number of handles to be included on the token.
Handles [in, Optional]
Handles to the named object directories for the AppContainer.
If the function succeeds, the function returns STATUS_SUCCESS.
If the function fails, it returns an NTSTATUS error code. See NTSTATUS values for a list of error codes and their values.
This API can only be called by a process running at medium or higher integrity level (IL).
This function has no associated import library or header file; you must call it using the LoadLibrary and GetProcAddress functions.
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 8 [desktop apps only] |
| Minimum supported server | Windows Server 2012 [desktop apps only] |
| DLL | Ntdll.dll |
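The two descriptions above together state the practical constraints on calling this routine: the package SID must pass RtlIsPackageSid and be of the correct length (otherwise STATUS_INVALID_PACKAGE_SID_LENGTH), each capability SID must pass RtlIsCapabilitySid, pseudo-handles such as NtCurrentProcessToken are rejected, and the routine has no import library, so it is resolved from ntdll at run time. The example below is added here and is not code from phnt, Process Hacker or Microsoft. It has two parts: a portable pre-flight check that parses textual SIDs and tests the structural properties of package SIDs (S-1-15-2-<seven RIDs>, eight sub-authorities in total) and capability SIDs (S-1-15-3-...), which is my reading of what the Rtl checks enforce and is an assumption, not a reimplementation of them; and, compiled only under _WIN32, a helper `create_lowbox_token` (a name chosen here) that opens a real process token handle and calls NtCreateLowBoxToken through GetProcAddress. The constant names prefixed `LB_` mirror the corresponding winnt.h definitions; the sample SIDs in `main` are constructed values, not real package identities.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same in-memory layout as a Windows SID (Revision, SubAuthorityCount,
 * IdentifierAuthority[6], SubAuthority[]), so on Windows a pointer to it can
 * be passed where a PSID is expected. 15 is SID_MAX_SUB_AUTHORITIES. */
typedef struct {
    uint8_t  Revision;
    uint8_t  SubAuthorityCount;
    uint8_t  IdentifierAuthority[6];
    uint32_t SubAuthority[15];
} LOWBOX_SID;

/* Mirrors of winnt.h values for the S-1-15-2-... / S-1-15-3-... SID layouts
 * (SECURITY_APP_PACKAGE_AUTHORITY, SECURITY_APP_PACKAGE_BASE_RID, ...). */
#define LB_APP_PACKAGE_AUTHORITY      15u
#define LB_APP_PACKAGE_BASE_RID        2u
#define LB_APP_PACKAGE_RID_COUNT       8u
#define LB_CAPABILITY_BASE_RID         3u
#define LB_BUILTIN_CAPABILITY_RID_COUNT 2u

/* Parse "S-1-<authority>-<rid>[-<rid>...]" into a LOWBOX_SID. Returns false on
 * malformed text; authorities above 32 bits are not needed here and rejected. */
bool parse_sid(const char *text, LOWBOX_SID *out)
{
    unsigned rev, auth;
    int consumed = 0;
    memset(out, 0, sizeof *out);
    if (sscanf(text, "S-%u-%u%n", &rev, &auth, &consumed) != 2 || rev != 1)
        return false;
    out->Revision = (uint8_t)rev;
    out->IdentifierAuthority[2] = (uint8_t)(auth >> 24);
    out->IdentifierAuthority[3] = (uint8_t)(auth >> 16);
    out->IdentifierAuthority[4] = (uint8_t)(auth >> 8);
    out->IdentifierAuthority[5] = (uint8_t)auth;
    text += consumed;
    while (*text == '-') {
        char *end;
        unsigned long rid;
        if (out->SubAuthorityCount == 15 || !isdigit((unsigned char)text[1]))
            return false;
        rid = strtoul(text + 1, &end, 10);
        if (rid > 0xFFFFFFFFul)
            return false;
        out->SubAuthority[out->SubAuthorityCount++] = (uint32_t)rid;
        text = end;
    }
    return *text == '\0' && out->SubAuthorityCount > 0;
}

static bool has_app_package_authority(const LOWBOX_SID *sid)
{
    static const uint8_t auth[6] = {0, 0, 0, 0, 0, LB_APP_PACKAGE_AUTHORITY};
    return sid->Revision == 1 && memcmp(sid->IdentifierAuthority, auth, 6) == 0;
}

/* Pre-flight for the PackageSid argument: S-1-15-2-<7 RIDs>. A shorter SID such
 * as ALL APPLICATION PACKAGES (S-1-15-2-1) is a group, not a package. */
bool looks_like_package_sid(const LOWBOX_SID *sid)
{
    return has_app_package_authority(sid)
        && sid->SubAuthorityCount == LB_APP_PACKAGE_RID_COUNT
        && sid->SubAuthority[0] == LB_APP_PACKAGE_BASE_RID;
}

/* Pre-flight for each Capabilities entry: S-1-15-3-... with at least two RIDs. */
bool looks_like_capability_sid(const LOWBOX_SID *sid)
{
    return has_app_package_authority(sid)
        && sid->SubAuthorityCount >= LB_BUILTIN_CAPABILITY_RID_COUNT
        && sid->SubAuthority[0] == LB_CAPABILITY_BASE_RID;
}

/* Convenience wrappers over textual SIDs; unparsable text is never valid. */
bool sid_text_is_package(const char *text)
{
    LOWBOX_SID s;
    return parse_sid(text, &s) && looks_like_package_sid(&s);
}

bool sid_text_is_capability(const char *text)
{
    LOWBOX_SID s;
    return parse_sid(text, &s) && looks_like_capability_sid(&s);
}

int sid_text_sub_authority_count(const char *text)
{
    LOWBOX_SID s;
    return parse_sid(text, &s) ? (int)s.SubAuthorityCount : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h> /* NTSTATUS, OBJECT_ATTRIBUTES */

typedef NTSTATUS (NTAPI *PFN_NtCreateLowBoxToken)(
    PHANDLE TokenHandle, HANDLE ExistingTokenHandle, ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, PSID PackageSid, ULONG CapabilityCount,
    PSID_AND_ATTRIBUTES Capabilities, ULONG HandleCount, HANDLE *Handles);

/* Creates a LowBox token from the current process token. There is no import
 * library for the routine, so it is resolved from ntdll at run time. */
NTSTATUS create_lowbox_token(PSID package_sid, PSID_AND_ATTRIBUTES caps,
                             ULONG cap_count, PHANDLE out_token)
{
    PFN_NtCreateLowBoxToken fn = (PFN_NtCreateLowBoxToken)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtCreateLowBoxToken");
    if (!fn)
        return (NTSTATUS)0xC000007AL; /* STATUS_PROCEDURE_NOT_FOUND */
    /* Pseudo-handles are rejected: open a real handle. TOKEN_DUPLICATE | TOKEN_QUERY
     * satisfies both access requirements quoted in the documentation above. */
    HANDLE existing;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &existing))
        return (NTSTATUS)0xC0000001L; /* STATUS_UNSUCCESSFUL */
    NTSTATUS status = fn(out_token, existing, TOKEN_ALL_ACCESS, NULL,
                         package_sid, cap_count, caps, 0, NULL);
    CloseHandle(existing);
    return status;
}
#endif

int main(void)
{
    /* Constructed sample SIDs, not real package or capability identities. */
    const char *pkg = "S-1-15-2-1-2-3-4-5-6-7";
    printf("%s package-shaped: %d\n", pkg, sid_text_is_package(pkg));
    printf("S-1-15-3-1 capability-shaped: %d\n", sid_text_is_capability("S-1-15-3-1"));
    printf("S-1-15-2-1 package-shaped: %d (group SID, wrong length)\n",
           sid_text_is_package("S-1-15-2-1"));
    return 0;
}
```

On Windows, a `LOWBOX_SID` filled by `parse_sid` can be passed as the `package_sid` argument of `create_lowbox_token` by casting its address to `PSID`, and the `caps` array is built from `SID_AND_ATTRIBUTES` entries whose `Attributes` is `SE_GROUP_ENABLED`; running the pre-flight first turns the kernel's STATUS_INVALID_PACKAGE_SID_LENGTH into an early, explicit failure in your own code.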