NtCreateToken - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTSEAPI_H
//
// Tokens
//
/**
* The NtCreateToken routine creates a new access token.
*
* @param TokenHandle Pointer to a variable that receives the handle to the newly created token.
* @param DesiredAccess Specifies the requested access rights for the new token.
* @param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes.
* @param Type Specifies the type of token to be created (primary or impersonation).
* @param AuthenticationId Pointer to a locally unique identifier (LUID) for the token.
* @param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token.
* @param User Pointer to a TOKEN_USER structure specifying the user account for the token.
* @param Groups Pointer to a TOKEN_GROUPS structure specifying the group accounts for the token.
* @param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privileges for the token.
* @param Owner Optional pointer to a TOKEN_OWNER structure specifying the owner SID for the token.
* @param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the primary group SID for the token.
* @param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for the token.
* @param Source Pointer to a TOKEN_SOURCE structure specifying the source of the token.
* @return NTSTATUS code indicating success or failure.
* @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatetoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateToken(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateToken(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
View code on GitHubCreates a new token from scratch. Calling this function requires SeCreateTokenPrivilege.
TokenHandle - a pointer to a variable that receives a handle to the new token.DesiredAccess - the access mask to provide on the returned handle. This value is usually TOKEN_ALL_ACCESS.ObjectAttributes - an optional pointer to an OBJECT_ATTRIBUTES structure that specifies attributes of the handle/object. The SecurityQualityOfService->ImpersonationLevel field is especially meaningful for this function because it controls the impersonation level of the new token.Type - the type of the new token, either primary or impersonation.AuthenticationId - the LUID of the logon session to associate with the token.ExpirationTime - the expiration time in the 100-nanosecond format to associate with the token.User - a pointer to the user SID for the token.Groups - a pointer to a collection of group SIDs to add into the token.Privileges - a pointer to a collection of privilege LUIDs to add into the token.Owner - an optional pointer to the default owner SID for newly created objects. The owner must be the user or a group with SE_GROUP_OWNER attribute.PrimaryGroup - a pointer to the default primary group SID for newly created objects. The primary group must be the user or a group from the Groups parameter.DefaultDacl - an optional pointer to the default discretionary ACL (DACL) for newly created objects.Source - a pointer to a buffer that identifies the creator of the token. You can use NtAllocateLocallyUniqueId to reserve a unique ID for this parameter.STATUS_NO_SUCH_LOGON_SESSION - the provided logon session LUID does not exist.STATUS_INVALID_OWNER - the provided owner is not the user or a group with a SE_GROUP_OWNER flag.STATUS_INVALID_PRIMARY_GROUP - the provided primary group is not the user and is not in the list of groups.STATUS_INVALID_LABEL - the SID marked as SE_GROUP_INTEGRITY_ENABLED exceeds the range of integrity levels.You might want to enable the no-write-up policy on the new token after creation since the function does not do it.
To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.