#ifndef _NTSEAPI_H
#if (PHNT_VERSION >= PHNT_WINDOWS_8)
/**
* The NtCreateTokenEx routine creates a new access token from scratch, with extended
* attributes (user and device claims, device groups and a mandatory policy) that the
* older NtCreateToken interface cannot express.
*
* Calling this routine requires SeCreateTokenPrivilege. The caller-supplied SIDs are
* cross-checked against each other: the owner must be the user or a group carrying
* SE_GROUP_OWNER, the primary group must be the user or a member of Groups, and a SID
* marked SE_GROUP_INTEGRITY_ENABLED must lie within the range of integrity levels.
*
* @param TokenHandle Pointer to a variable that receives the handle to the newly created token.
* @param DesiredAccess Specifies the requested access rights on the returned handle; this is usually TOKEN_ALL_ACCESS.
* @param ObjectAttributes Optional pointer to an OBJECT_ATTRIBUTES structure specifying object attributes. Its SecurityQualityOfService->ImpersonationLevel field controls the impersonation level of the new token.
* @param Type Specifies the type of token to be created (primary or impersonation).
* @param AuthenticationId Pointer to the locally unique identifier (LUID) of the logon session to associate with the token.
* @param ExpirationTime Pointer to a LARGE_INTEGER specifying the expiration time of the token, in the 100-nanosecond format.
* @param User Pointer to a TOKEN_USER structure specifying the user SID for the token.
* @param Groups Pointer to a TOKEN_GROUPS structure specifying the group SIDs to add into the token.
* @param Privileges Pointer to a TOKEN_PRIVILEGES structure specifying the privilege LUIDs to add into the token.
* @param UserAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying user claims.
* @param DeviceAttributes Optional pointer to a TOKEN_SECURITY_ATTRIBUTES_INFORMATION structure specifying device claims.
* @param DeviceGroups Optional pointer to a TOKEN_GROUPS structure specifying device groups.
* @param MandatoryPolicy Optional pointer to a TOKEN_MANDATORY_POLICY structure specifying the mandatory policy.
* @param Owner Optional pointer to a TOKEN_OWNER structure specifying the default owner SID for newly created objects. Must be the user or a group with the SE_GROUP_OWNER attribute.
* @param PrimaryGroup Pointer to a TOKEN_PRIMARY_GROUP structure specifying the default primary group SID for newly created objects. Must be the user or a group from the Groups parameter.
* @param DefaultDacl Optional pointer to a TOKEN_DEFAULT_DACL structure specifying the default DACL for newly created objects.
* @param Source Pointer to a TOKEN_SOURCE structure identifying the creator of the token. NtAllocateLocallyUniqueId can be used to reserve a unique ID for it.
* @return NTSTATUS code indicating success or failure. Documented failures include
*         STATUS_NO_SUCH_LOGON_SESSION (the logon session LUID does not exist),
*         STATUS_INVALID_OWNER, STATUS_INVALID_PRIMARY_GROUP and STATUS_INVALID_LABEL.
* @remarks Close the returned handle with NtClose when it is no longer required.
*          Introduced in Windows 8 (guarded by PHNT_WINDOWS_8).
* @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntcreatetokenex
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateTokenEx(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
_In_opt_ PTOKEN_GROUPS DeviceGroups,
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
#ifndef _NTZWAPI_H
/**
* The ZwCreateTokenEx routine is the Zw-prefixed counterpart of NtCreateTokenEx and
* takes an identical parameter list. See NtCreateTokenEx for the meaning of each
* parameter, the SeCreateTokenPrivilege requirement, the owner / primary-group /
* integrity-label validation and the NTSTATUS values returned on failure.
*
* NOTE(review): Zw entry points are normally the kernel-mode form of the same system
* service; confirm the intended calling context before using this declaration.
*
* @return NTSTATUS code indicating success or failure.
* @remarks Close the returned handle with NtClose when it is no longer required.
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwCreateTokenEx(
_Out_ PHANDLE TokenHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ TOKEN_TYPE Type,
_In_ PLUID AuthenticationId,
_In_ PLARGE_INTEGER ExpirationTime,
_In_ PTOKEN_USER User,
_In_ PTOKEN_GROUPS Groups,
_In_ PTOKEN_PRIVILEGES Privileges,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes,
_In_opt_ PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes,
_In_opt_ PTOKEN_GROUPS DeviceGroups,
_In_opt_ PTOKEN_MANDATORY_POLICY MandatoryPolicy,
_In_opt_ PTOKEN_OWNER Owner,
_In_ PTOKEN_PRIMARY_GROUP PrimaryGroup,
_In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl,
_In_ PTOKEN_SOURCE Source
);
Creates a new token from scratch. Calling this function requires SeCreateTokenPrivilege.
TokenHandle - a pointer to a variable that receives a handle to the new token.
DesiredAccess - the access mask to provide on the returned handle. This value is usually TOKEN_ALL_ACCESS.
ObjectAttributes - an optional pointer to an OBJECT_ATTRIBUTES structure that specifies attributes of the handle/object. The SecurityQualityOfService->ImpersonationLevel field is especially meaningful for this function because it controls the impersonation level of the new token.
Type - the type of the new token, either primary or impersonation.
AuthenticationId - the LUID of the logon session to associate with the token.
ExpirationTime - the expiration time in the 100-nanosecond format to associate with the token.
User - a pointer to the user SID for the token.
Groups - a pointer to a collection of group SIDs to add into the token.
Privileges - a pointer to a collection of privilege LUIDs to add into the token.
UserAttributes - an optional pointer to a collection of user attributes to associate with the token.
DeviceAttributes - an optional pointer to a collection of device attributes to associate with the token.
DeviceGroups - an optional pointer to a collection of device groups to associate with the token.
MandatoryPolicy - an optional pointer to a mandatory policy to set on the token.
Owner - an optional pointer to the default owner SID for newly created objects. The owner must be the user or a group with the SE_GROUP_OWNER attribute.
PrimaryGroup - a pointer to the default primary group SID for newly created objects. The primary group must be the user or a group from the Groups parameter.
DefaultDacl - an optional pointer to the default discretionary ACL (DACL) for newly created objects.
Source - a pointer to a buffer that identifies the creator of the token. You can use NtAllocateLocallyUniqueId to reserve a unique ID for this parameter.

Return values:
STATUS_NO_SUCH_LOGON_SESSION - the provided logon session LUID does not exist.
STATUS_INVALID_OWNER - the provided owner is not the user or a group with the SE_GROUP_OWNER flag.
STATUS_INVALID_PRIMARY_GROUP - the provided primary group is not the user and is not in the list of groups.
STATUS_INVALID_LABEL - the SID marked as SE_GROUP_INTEGRITY_ENABLED exceeds the range of integrity levels.

To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.
This function was introduced in Windows 8.