NtOpenThreadToken - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTSEAPI_H
/**
* The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
*
* @param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access.
* @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
* @param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
* @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
* @return NTSTATUS Successful or errant status.
* @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtoken
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadToken(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_Out_ PHANDLE TokenHandle
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwOpenThreadToken(
_In_ HANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ BOOLEAN OpenAsSelf,
_Out_ PHANDLE TokenHandle
);
View code on GitHub// ntifs.h
__kernel_entry NTSYSCALLAPI NTSTATUS NtOpenThreadToken(
[in] HANDLE ThreadHandle,
[in] ACCESS_MASK DesiredAccess,
[in] BOOLEAN OpenAsSelf,
[out] PHANDLE TokenHandle
);
View the official Windows Driver Kit DDI referenceOpens a handle to an impersonation token of a thread. This function is documented in Windows Driver Kit.
ThreadHandle - a handle to the thread or the NtCurrentThread pseudo-handle. The handle must grant THREAD_QUERY_LIMITED_INFORMATION access.DesiredAccess - the requested access mask.OpenAsSelf - a boolean determining whether the system should perform the access check on the target token using the effective security context of the calling thread (FALSE) or ignore impersonation and use the security context of the calling process (TRUE).TokenHandle - a pointer to a variable that receives a handle to the token.| Access mask | Use |
|---|---|
TOKEN_ASSIGN_PRIMARY |
Allows creating processes with this token and assigning the token as primary via NtSetInformationProcess with ProcessAccessToken. |
TOKEN_DUPLICATE |
Allows duplicating the token via NtDuplicateToken. |
TOKEN_IMPERSONATE |
Allows impersonating the token via NtSetInformationThread with ThreadImpersonationToken. |
TOKEN_QUERY |
Allows querying most information classes via NtQueryInformationToken. |
TOKEN_QUERY_SOURCE |
Allows querying TokenSource via NtQueryInformationToken. |
TOKEN_ADJUST_PRIVILEGES |
Allows adjusting token privileges via NtAdjustPrivilegesToken |
TOKEN_ADJUST_GROUPS |
Allows adjusting token privileges via NtAdjustGroupsToken |
TOKEN_ADJUST_DEFAULT |
Allows setting most information classes via NtSetInformationToken. |
TOKEN_ADJUST_SESSIONID |
Allows setting TokenSessionId via NtSetInformationToken. |
TOKEN_ALL_ACCESS_P |
All of the above except for the TOKEN_ADJUST_SESSIONID right, plus standard rights. |
TOKEN_ALL_ACCESS |
All of the above plus standard rights. |
STATUS_NO_TOKEN - the thread is not impersonating at the moment.STATUS_CANT_OPEN_ANONYMOUS - the caller attempted to open a token that has anonymous level of impersonation.To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.
Instead of opening the current thread token for query, consider using the NtCurrentThreadToken pseudo-handle on Windows 8 and above.
To specify handle attributes, use NtOpenThreadTokenEx.
To set a thread token, use NtSetInformationThread with ThreadImpersonationToken. See THREADINFOCLASS for more details.
The NtOpenThreadToken routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
ThreadHandle [in]Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. Use the NtCurrentThread macro to specify the current thread.
DesiredAccess [in]ACCESS_MASK structure specifying the requested types of access to the access token. These requested access types are compared with the token's discretionary access-control list (DACL) to determine which access rights are granted or denied.
OpenAsSelf [in]Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.
TokenHandle [out]Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
NtOpenThreadToken returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:
| Return code | Description |
|---|---|
| STATUS_ACCESS_DENIED | |
| ThreadHandle did not have THREAD_QUERY_INFORMATION access. | |
| STATUS_CANT_OPEN_ANONYMOUS | The client requested the SecurityAnonymous impersonation level. However, an anonymous token cannot be opened. For more information, see SECURITY_IMPERSONATION_LEVEL. |
| STATUS_INVALID_HANDLE | ThreadHandle was not a valid handle. |
| STATUS_NO_TOKEN | An attempt has been made to open a token associated with a thread that is not currently impersonating a client. |
| STATUS_OBJECT_TYPE_MISMATCH | ThreadHandle was not a thread handle. |
NtOpenThreadToken opens the access token associated with a thread and returns a handle for that token.
The OpenAsSelf parameter allows a server process to open the access token for a client process when the client process has specified the SecurityIdentification impersonation level for the SECURITY_IMPERSONATION_LEVEL enumerated type. Without this parameter, the calling process is not able to open the client's access token using the client's security context because it is impossible to open executive-level objects using the SecurityIdentification impersonation level.
Any handle obtained by calling NtOpenThreadToken must eventually be released by calling NtClose.
For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.
For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
This function is documented in Windows Driver Kit.
HANDLE to thread object.
Access mask for opened Token Object.
???
Result of call - HANDLE to Token Object associated with ThreadHandle thread.
Usually Win32 threads don't have associated Tokens. If you want to associate Token for Thread Object, use
NtSetInformationThread with ThreadImpersonationToken information class.
NtCreateTokenNtOpenProcessTokenNtOpenThreadNtSetInformationThreadTHREAD_INFORMATION_CLASS