NtOpenThreadTokenEx - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

/**
 * The NtOpenThreadTokenEx routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
 *
 * @param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access.
 * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
 * @param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
 * @param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported.
 * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
 * @return NTSTATUS Successful or errant status.
 * @sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtokenex
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

#endif

View code on GitHub
// ntifs.h

__kernel_entry NTSYSCALLAPI NTSTATUS NtOpenThreadTokenEx(
  [in]  HANDLE      ThreadHandle,
  [in]  ACCESS_MASK DesiredAccess,
  [in]  BOOLEAN     OpenAsSelf,
  [in]  ULONG       HandleAttributes,
  [out] PHANDLE     TokenHandle
);
View the official Windows Driver Kit DDI reference
// ntifs.h

NTSYSAPI NTSTATUS ZwOpenThreadTokenEx(
  [in]  HANDLE      ThreadHandle,
  [in]  ACCESS_MASK DesiredAccess,
  [in]  BOOLEAN     OpenAsSelf,
  [in]  ULONG       HandleAttributes,
  [out] PHANDLE     TokenHandle
);
View the official Windows Driver Kit DDI reference

NtDoc

Opens a handle to an impersonation token of a thread. This function is documented in Windows Driver Kit here and here.

Parameters

Access masks

Access mask Use
TOKEN_ASSIGN_PRIMARY Allows creating processes with this token and assigning the token as primary via NtSetInformationProcess with ProcessAccessToken.
TOKEN_DUPLICATE Allows duplicating the token via NtDuplicateToken.
TOKEN_IMPERSONATE Allows impersonating the token via NtSetInformationThread with ThreadImpersonationToken.
TOKEN_QUERY Allows querying most information classes via NtQueryInformationToken.
TOKEN_QUERY_SOURCE Allows querying TokenSource via NtQueryInformationToken.
TOKEN_ADJUST_PRIVILEGES Allows adjusting token privileges via NtAdjustPrivilegesToken
TOKEN_ADJUST_GROUPS Allows adjusting token privileges via NtAdjustGroupsToken
TOKEN_ADJUST_DEFAULT Allows setting most information classes via NtSetInformationToken.
TOKEN_ADJUST_SESSIONID Allows setting TokenSessionId via NtSetInformationToken.
TOKEN_ALL_ACCESS_P All of the above except for the TOKEN_ADJUST_SESSIONID right, plus standard rights.
TOKEN_ALL_ACCESS All of the above plus standard rights.

Notable return values

Remarks

To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.

Instead of opening the current thread token for query, consider using the NtCurrentThreadToken pseudo-handle on Windows 8 and above.

If you don't want to specify custom handle attributes, you can use NtOpenThreadToken.

To set a thread token, use NtSetInformationThread with ThreadImpersonationToken. See THREADINFOCLASS for more details.

Related Win32 API

See also

Windows Driver Kit DDI reference (nf-ntifs-ntopenthreadtokenex)

NtOpenThreadTokenEx function

Description

The NtOpenThreadTokenEx routine opens the access token associated with a thread.

Parameters

ThreadHandle [in]

Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. Use the NtCurrentThread macro to specify the current thread.

DesiredAccess [in]

ACCESS_MASK structure specifying the requested types of access to the access token. These requested access types are compared with the token's discretionary access-control list (DACL) to determine which access rights are granted or denied.

OpenAsSelf [in]

Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadTokenEx or against the security context of the process for the calling thread.

If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.

HandleAttributes [in]

Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. If the caller is not running in the system process context, it must specify OBJ_KERNEL_HANDLE for this parameter.

TokenHandle [out]

Pointer to a caller-allocated variable that receives a handle to the newly opened access token.

Return value

NtOpenThreadTokenEx returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:

Return code Description
STATUS_ACCESS_DENIED
ThreadHandle did not have THREAD_QUERY_INFORMATION access.
STATUS_CANT_OPEN_ANONYMOUS The client requested the SecurityAnonymous impersonation level. However, an anonymous token cannot be opened. For more information, see SECURITY_IMPERSONATION_LEVEL.
STATUS_INVALID_HANDLE ThreadHandle was not a valid handle.
STATUS_INVALID_PARAMETER The specified HandleAttributes did not include OBJ_KERNEL_HANDLE.
STATUS_NO_TOKEN An attempt has been made to open a token associated with a thread that is not currently impersonating a client.
STATUS_OBJECT_TYPE_MISMATCH ThreadHandle was not a thread handle.

Remarks

NtOpenThreadTokenEx opens the access token associated with a thread and returns a handle for that token.

The OpenAsSelf parameter allows a server process to open the access token for a client process when the client process has specified the SecurityIdentification impersonation level for the SECURITY_IMPERSONATION_LEVEL enumerated type. Without this parameter, the calling process is not able to open the client's access token using the client's security context because it is impossible to open executive-level objects using the SecurityIdentification impersonation level.

Any handle obtained by calling NtOpenThreadTokenEx must eventually be released by calling NtClose.

Driver routines that run in a process context other than that of the system process must set the OBJ_KERNEL_HANDLE attribute for the HandleAttributes parameter of NtOpenThreadTokenEx. This restricts the use of the handle returned by NtOpenThreadTokenEx to processes running in kernel mode. Otherwise, the handle can be accessed by the process in whose context the driver is running.

For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.

For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

ACCESS_MASK

ACL

PsDereferencePrimaryToken

SECURITY_IMPERSONATION_LEVEL

ZwClose

ZwOpenProcessTokenEx


Windows Driver Kit DDI reference (nf-ntifs-zwopenthreadtokenex)

ZwOpenThreadTokenEx function

Description

The ZwOpenThreadTokenEx routine opens the access token associated with a thread.

Parameters

ThreadHandle [in]

Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access. Use the NtCurrentThread macro to specify the current thread.

DesiredAccess [in]

ACCESS_MASK structure specifying the requested types of access to the access token. These requested access types are compared with the token's discretionary access-control list (DACL) to determine which access rights are granted or denied.

OpenAsSelf [in]

Boolean value specifying whether the access check is to be made against the security context of the thread calling ZwOpenThreadTokenEx or against the security context of the process for the calling thread.

If this parameter is FALSE, the access check is performed using the security context for the calling thread. If the thread is impersonating a client, this security context can be that of a client process. If this parameter is TRUE, the access check is made using the security context of the process for the calling thread.

HandleAttributes [in]

Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported. If the caller is not running in the system process context, it must specify OBJ_KERNEL_HANDLE for this parameter.

TokenHandle [out]

Pointer to a caller-allocated variable that receives a handle to the newly opened access token.

Return value

ZwOpenThreadTokenEx returns STATUS_SUCCESS or an appropriate error status. Possible error status codes include the following:

Return code Description
STATUS_ACCESS_DENIED ThreadHandle did not have THREAD_QUERY_INFORMATION access.
STATUS_CANT_OPEN_ANONYMOUS The client requested the SecurityAnonymous impersonation level. However, an anonymous token cannot be opened. For more information, see SECURITY_IMPERSONATION_LEVEL.
STATUS_INVALID_HANDLE ThreadHandle was not a valid handle.
STATUS_INVALID_PARAMETER The specified HandleAttributes did not include OBJ_KERNEL_HANDLE.
STATUS_NO_TOKEN An attempt has been made to open a token associated with a thread that is not currently impersonating a client.
STATUS_OBJECT_TYPE_MISMATCH ThreadHandle was not a thread handle.

Remarks

ZwOpenThreadTokenEx opens the access token associated with a thread and returns a handle for that token.

The OpenAsSelf parameter allows a server process to open the access token for a client process when the client process has specified the SecurityIdentification impersonation level for the SECURITY_IMPERSONATION_LEVEL enumerated type. Without this parameter, the calling process is not be able to open the client's access token using the client's security context because it is impossible to open executive-level objects using the SecurityIdentification impersonation level.

Any handle obtained by calling ZwOpenThreadTokenEx must eventually be released by calling ZwClose.

Driver routines that run in a process context other than that of the system process must set the OBJ_KERNEL_HANDLE attribute for the HandleAttributes parameter of ZwOpenThreadTokenEx. This restricts the use of the handle returned by ZwOpenThreadTokenEx to processes running in kernel mode. Otherwise, the handle can be accessed by the process in whose context the driver is running.

For more information about security and access control, see Windows security model for driver developers and the documentation on these topics in the Windows SDK.

[!NOTE] If the call to the ZwOpenThreadTokenEx function occurs in user mode, you should use the name "NtOpenThreadTokenEx" instead of "ZwOpenThreadTokenEx".

For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

<ACCESS_MASK

ACL

PsDereferencePrimaryToken

SECURITY_IMPERSONATION_LEVEL

Using Nt and Zw Versions of the Native System Services Routines

ZwClose

ZwOpenProcessTokenEx