NtOpenThreadTokenEx - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTSEAPI_H

/**
 * The NtOpenThreadTokenEx routine opens the access token associated with a thread, and returns a handle that can be used to access that token.
 *
 * @param ThreadHandle Handle to the thread whose access token is to be opened. The handle must have THREAD_QUERY_INFORMATION access.
 * @param DesiredAccess ACCESS_MASK structure specifying the requested types of access to the access token.
 * @param OpenAsSelf Boolean value specifying whether the access check is to be made against the security context of the thread calling NtOpenThreadToken or against the security context of the process for the calling thread.
 * @param HandleAttributes Attributes for the created handle. Only OBJ_KERNEL_HANDLE is currently supported.
 * @param TokenHandle Pointer to a caller-allocated variable that receives a handle to the newly opened access token.
 * @return NTSTATUS Successful or errant status.
 * @remarks https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenthreadtokenex
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwOpenThreadTokenEx(
    _In_ HANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN OpenAsSelf,
    _In_ ULONG HandleAttributes,
    _Out_ PHANDLE TokenHandle
    );

#endif


Opens a handle to an impersonation token of a thread. This function is documented in the Windows Driver Kit.

Parameters

Access masks

| Access mask | Use |
| --- | --- |
| TOKEN_ASSIGN_PRIMARY | Allows creating processes with this token and assigning the token as primary via NtSetInformationProcess with ProcessAccessToken. |
| TOKEN_DUPLICATE | Allows duplicating the token via NtDuplicateToken. |
| TOKEN_IMPERSONATE | Allows impersonating the token via NtSetInformationThread with ThreadImpersonationToken. |
| TOKEN_QUERY | Allows querying most information classes via NtQueryInformationToken. |
| TOKEN_QUERY_SOURCE | Allows querying TokenSource via NtQueryInformationToken. |
| TOKEN_ADJUST_PRIVILEGES | Allows adjusting token privileges via NtAdjustPrivilegesToken. |
| TOKEN_ADJUST_GROUPS | Allows adjusting token groups via NtAdjustGroupsToken. |
| TOKEN_ADJUST_DEFAULT | Allows setting most information classes via NtSetInformationToken. |
| TOKEN_ADJUST_SESSIONID | Allows setting TokenSessionId via NtSetInformationToken. |
| TOKEN_ALL_ACCESS_P | All of the above except for the TOKEN_ADJUST_SESSIONID right, plus standard rights. |
| TOKEN_ALL_ACCESS | All of the above plus standard rights. |

Notable return values

Remarks

To avoid retaining unused resources, call NtClose to close the returned handle when it is no longer required.

Instead of opening the current thread token for query, consider using the NtCurrentThreadToken pseudo-handle on Windows 8 and above.

If you don't want to specify custom handle attributes, you can use NtOpenThreadToken.

To set a thread token, use NtSetInformationThread with ThreadImpersonationToken. See THREADINFOCLASS for more details.
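
The usage the remarks describe, applied to a thread other than the current one, as an added example (not code from phnt or NtDoc): open the thread's token with only TOKEN_QUERY, fall back to the process token when the thread is not impersonating, and release the handle with NtClose. `OpenEffectiveToken`, `ThreadIsImpersonating`, `EX_STATUS_NO_TOKEN` and the `sim_*` stand-ins in the non-Windows branch are names made up for this example; `NtOpenProcessTokenEx` and the STATUS_NO_TOKEN value 0xC000007C are not shown on this page.

```c
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>  /* NTSTATUS, NtClose; link against ntdll.lib */
NTSYSAPI NTSTATUS NTAPI NtOpenThreadTokenEx(HANDLE, ACCESS_MASK, BOOLEAN, ULONG, PHANDLE);
NTSYSAPI NTSTATUS NTAPI NtOpenProcessTokenEx(HANDLE, ACCESS_MASK, ULONG, PHANDLE);
#else  /* constructed stand-ins (not the real APIs) so the logic runs off Windows */
#include <stdint.h>
typedef void *HANDLE, **PHANDLE;
typedef int32_t NTSTATUS;
typedef uint32_t ULONG, ACCESS_MASK;
typedef unsigned char BOOLEAN;
typedef intptr_t LONG_PTR;
#define TRUE 1
#define TOKEN_QUERY 0x0008
static int sim_impersonating, sim_open_handles;  /* constructed test state */
static NTSTATUS NtOpenThreadTokenEx(HANDLE t, ACCESS_MASK a, BOOLEAN s, ULONG f, PHANDLE out) {
    (void)t; (void)a; (void)s; (void)f;
    if (!sim_impersonating) return (NTSTATUS)0xC000007C;
    *out = (HANDLE)(LONG_PTR)0x10; sim_open_handles++; return 0;
}
static NTSTATUS NtOpenProcessTokenEx(HANDLE p, ACCESS_MASK a, ULONG f, PHANDLE out) {
    (void)p; (void)a; (void)f; *out = (HANDLE)(LONG_PTR)0x20; sim_open_handles++; return 0;
}
static NTSTATUS NtClose(HANDLE h) { (void)h; sim_open_handles--; return 0; }
#endif

#define EX_STATUS_NO_TOKEN ((NTSTATUS)0xC000007C)  /* STATUS_NO_TOKEN: thread has no token */
/* Opens, query-only, the token Thread effectively runs under: its impersonation
   token if it has one, otherwise the primary token of Process. */
NTSTATUS OpenEffectiveToken(HANDLE Thread, HANDLE Process, PHANDLE Token, BOOLEAN *Impersonating)
{
    NTSTATUS st;
    *Token = 0;
    /* OpenAsSelf = TRUE: access is checked against the caller's process context. */
    st = NtOpenThreadTokenEx(Thread, TOKEN_QUERY, TRUE, 0, Token);
    *Impersonating = (BOOLEAN)(st >= 0);
    if (st == EX_STATUS_NO_TOKEN)
        st = NtOpenProcessTokenEx(Process, TOKEN_QUERY, 0, Token);
    return st;
}

/* Returns 1 if Thread is impersonating, 0 if not, -1 on error. Closes the handle. */
int ThreadIsImpersonating(HANDLE Thread, HANDLE Process)
{
    HANDLE token; BOOLEAN imp;
    if (OpenEffectiveToken(Thread, Process, &token, &imp) < 0) return -1;
    NtClose(token);
    return imp ? 1 : 0;
}
```

Requesting only TOKEN_QUERY keeps the returned handle from carrying the duplicate, impersonate or assign-primary rights listed in the access mask table.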

Related Win32 API

See also