#ifndef _NTSEAPI_H

/**
 * The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token.
 *
 * @param ProcessHandle Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access.
 * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
 * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenprocesstoken
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenProcessToken(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _Out_ PHANDLE TokenHandle
    );

#endif // _NTSEAPI_H
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwOpenProcessToken(
    _In_ HANDLE ProcessHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _Out_ PHANDLE TokenHandle
    );

#endif // _NTZWAPI_H
// ntifs.h
__kernel_entry NTSYSCALLAPI NTSTATUS NtOpenProcessToken(
[in] HANDLE ProcessHandle,
[in] ACCESS_MASK DesiredAccess,
[out] PHANDLE TokenHandle
);
Opens a handle to a primary token of a process. This function is documented in Windows Driver Kit.
ProcessHandle - a handle to the process or the NtCurrentProcess pseudo-handle. The handle must grant PROCESS_QUERY_LIMITED_INFORMATION access.
DesiredAccess - the requested access mask.
TokenHandle - a pointer to a variable that receives a handle to the token.

Access mask | Use |
---|---|
TOKEN_ASSIGN_PRIMARY | Allows creating processes with this token and assigning the token as primary via NtSetInformationProcess with ProcessAccessToken. |
TOKEN_DUPLICATE | Allows duplicating the token via NtDuplicateToken. |
TOKEN_IMPERSONATE | Allows impersonating the token via NtSetInformationThread with ThreadImpersonationToken. |
TOKEN_QUERY | Allows querying most information classes via NtQueryInformationToken. |
TOKEN_QUERY_SOURCE | Allows querying TokenSource via NtQueryInformationToken. |
TOKEN_ADJUST_PRIVILEGES | Allows adjusting token privileges via NtAdjustPrivilegesToken. |
TOKEN_ADJUST_GROUPS | Allows adjusting token groups via NtAdjustGroupsToken. |
TOKEN_ADJUST_DEFAULT | Allows setting most information classes via NtSetInformationToken. |
TOKEN_ADJUST_SESSIONID | Allows setting TokenSessionId via NtSetInformationToken. |
TOKEN_ALL_ACCESS_P | All of the above except for the TOKEN_ADJUST_SESSIONID right, plus standard rights. |
TOKEN_ALL_ACCESS | All of the above plus standard rights. |
To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.
Instead of opening the current process token for query, consider using the NtCurrentProcessToken pseudo-handle on Windows 8 and above.
To specify handle attributes, use NtOpenProcessTokenEx.
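The access-mask table above, turned into a small decoder for reviewing a DesiredAccess value against what the caller actually needs. This is an added example, not code from phnt or the WDK; the helper names decode_token_access and excess_token_access are hypothetical, and the bit values are those defined in winnt.h.

```c
/* Added example: decode a token DesiredAccess mask into the rights in the table above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STD_RIGHTS_REQUIRED 0x000F0000u /* standard rights part of TOKEN_ALL_ACCESS */

/* Token-specific rights; values as defined in winnt.h. */
static const struct { uint32_t bit; const char *name; } k_rights[] = {
    {0x0001u, "TOKEN_ASSIGN_PRIMARY"}, {0x0002u, "TOKEN_DUPLICATE"},
    {0x0004u, "TOKEN_IMPERSONATE"},    {0x0008u, "TOKEN_QUERY"},
    {0x0010u, "TOKEN_QUERY_SOURCE"},   {0x0020u, "TOKEN_ADJUST_PRIVILEGES"},
    {0x0040u, "TOKEN_ADJUST_GROUPS"},  {0x0080u, "TOKEN_ADJUST_DEFAULT"},
    {0x0100u, "TOKEN_ADJUST_SESSIONID"},
};

/* Hypothetical helper: writes the '|'-joined token-specific rights set in
 * `mask` to `out` (cap > 0) and returns the remaining bits, i.e. standard,
 * generic or unknown bits that the table does not name. */
uint32_t decode_token_access(uint32_t mask, char *out, size_t cap)
{
    uint32_t rest = mask;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof k_rights / sizeof k_rights[0]; i++) {
        if (!(mask & k_rights[i].bit))
            continue;
        rest &= ~k_rights[i].bit;
        size_t used = strlen(out);
        snprintf(out + used, cap - used, "%s%s", used ? "|" : "", k_rights[i].name);
    }
    return rest;
}

/* Hypothetical helper: rights requested beyond what the operation needs. */
uint32_t excess_token_access(uint32_t requested, uint32_t needed)
{
    return requested & ~needed;
}

int main(void)
{
    char names[256];
    uint32_t all_p = STD_RIGHTS_REQUIRED | 0x00FFu; /* TOKEN_ALL_ACCESS_P */
    uint32_t all = all_p | 0x0100u;                 /* TOKEN_ALL_ACCESS */
    /* A caller that only queries the token needs TOKEN_QUERY (0x0008). */
    uint32_t rest = decode_token_access(excess_token_access(all, 0x0008u), names, sizeof names);
    printf("unneeded: %s plus standard rights 0x%08X\n", names, (unsigned)rest);
    return 0;
}
```

The same subtraction shows that TOKEN_ALL_ACCESS and TOKEN_ALL_ACCESS_P differ only in TOKEN_ADJUST_SESSIONID.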
The NtOpenProcessToken routine opens the access token associated with a process, and returns a handle that can be used to access that token.
ProcessHandle [in] - Handle to the process whose access token is to be opened. The handle must have PROCESS_QUERY_INFORMATION access. Use the NtCurrentProcess macro, defined in Ntddk.h, to specify the current process.
DesiredAccess [in] - ACCESS_MASK structure specifying the requested types of access to the access token. These requested access types are compared with the token's discretionary access-control list (DACL) to determine which accesses are granted or denied.
TokenHandle [out] - Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
NtOpenProcessToken returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:
Return code | Description |
---|---|
STATUS_ACCESS_DENIED | ProcessHandle did not have PROCESS_QUERY_INFORMATION access. |
STATUS_INSUFFICIENT_RESOURCES | A new token handle could not be allocated. |
STATUS_INVALID_HANDLE | ProcessHandle was not a valid handle. |
STATUS_OBJECT_TYPE_MISMATCH | ProcessHandle was not a process handle. |
STATUS_PRIVILEGE_NOT_HELD | The caller does not have the privilege (SeSecurityPrivilege) necessary to create a token handle with the access specified in the DesiredAccess parameter. |
STATUS_QUOTA_EXCEEDED | The process's memory quota is not sufficient to allocate the token handle. |
STATUS_UNSUCCESSFUL | The token handle could not be created. |
To specify attributes for the access token handle, use NtOpenProcessTokenEx instead.
The handle can be accessed by the process in whose context the driver is running.
Any handle obtained by calling NtOpenProcessToken must eventually be released by calling NtClose.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
This function is documented in Windows Driver Kit.
ProcessHandle - HANDLE to Process Object.
DesiredAccess - Access mask for opened Token Object.
TokenHandle - Result of call - HANDLE to Token Object associated with process specified by ProcessHandle parameter.
See also PROCESS_INFORMATION_CLASS with ProcessAccessToken information class.
NtCreateToken
NtOpenThreadToken
NtQueryInformationProcess
NtSetInformationProcess
PROCESS_INFORMATION_CLASS