#ifndef _NTPSAPI_H
//
// Threads
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * Impersonates a client thread.
 *
 * \param ServerThreadHandle A handle to the server thread.
 * \param ClientThreadHandle A handle to the client thread.
 * \param SecurityQos A pointer to a SECURITY_QUALITY_OF_SERVICE structure that specifies the impersonation level and context tracking mode.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtImpersonateThread(
    _In_ HANDLE ServerThreadHandle,
    _In_ HANDLE ClientThreadHandle,
    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
    );

#endif
#endif
View code on GitHub

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwImpersonateThread(
    _In_ HANDLE ServerThreadHandle,
    _In_ HANDLE ClientThreadHandle,
    _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos
    );

#endif
View code on GitHub

NtDoc

Copies an effective token of one thread onto another.

Parameters

ServerThreadHandle - a handle to the server thread on which the system will impersonate a copy of the effective token of the client thread. The handle must grant THREAD_IMPERSONATE access. It can also be the NtCurrentThread pseudo-handle.
ClientThreadHandle - a handle to the client thread that provides the token. If this thread doesn't have a token, the system uses the primary token of the process containing this thread. The handle must grant THREAD_DIRECT_IMPERSONATION access. It can also be the NtCurrentThread pseudo-handle.
SecurityQos - a pointer to a structure that specifies the impersonation level to use.

Notable return values

STATUS_BAD_IMPERSONATION_LEVEL - the requested impersonation level is higher than the impersonation level of the client thread's token.

Remarks

Note that if the server process does not have SeImpersonatePrivilege enabled, the system might silently downgrade the token to the identification level of impersonation.

To reset impersonation, use NtSetInformationThread with ThreadImpersonationToken info class and a NULL token handle.

NTinternals.net (undocumented.ntinternals.net)

Function NtImpersonateThread assigns one thread's token to another. If source thread don't have associated Token Object, function use process'es token to impersonate destination thread.

ThreadHandle

HANDLE to source Thread Object.

ThreadToImpersonate

HANDLE to destination Thread Object opened with THREAD_IMPERSONATE access.

SecurityQualityOfService

Pointer to SECURITY_QUALITY_OF_SERVICE structure filled by user.

Documented by

Tomasz Nowak
ReactOS

NtImpersonateThread - NtDoc