#ifndef _NTRTL_H
#if (PHNT_VERSION >= PHNT_THRESHOLD)
// rev
NTSYSAPI
NTSTATUS
NTAPI
RtlCheckSandboxedToken(
_In_opt_ HANDLE TokenHandle,
_Out_ PBOOLEAN IsSandboxed
);
Determines if a token is considered sandboxed (i.e., has an integrity level below medium).
TokenHandle - a handle to the token or one of the supported pseudo-handles (see below). The handle must grant TOKEN_QUERY access.
IsSandboxed - a pointer to a variable that receives a boolean indicating whether the token is sandboxed.

This function supports the following pseudo-handle values:

NtCurrentProcessToken - performs the query on the primary token of the calling process.
NtCurrentThreadToken - performs the query on the impersonation token of the calling thread. The function fails if the thread is not impersonating.
NtCurrentThreadEffectiveToken - performs the query on the impersonation token of the calling thread, if present. Otherwise, the function uses the primary token of the calling process.

On modern versions of Windows, this function calls NtQueryInformationToken with the TokenIsSandboxed info class. Previously, it used to create a security descriptor with a medium mandatory label and perform an access check against it via NtAccessCheck.
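The following is an added example, not code from the page or from phnt/ntdll: a portable model of the contract described above (pseudo-handle dispatch, the TOKEN_QUERY requirement, and "sandboxed means integrity below medium"), so the edge cases can be exercised without Windows. The NTSTATUS codes, TOKEN_QUERY, the pseudo-handle values (-4, -5, -6) and the mandatory-label RIDs are the real SDK values; the CallerModel, HandleEntry and Probe helpers, the handle table and the medium-integrity process that optionally impersonates a low-integrity token are constructed for the model. The page does not document what a NULL TokenHandle means, so the model treats it as an invalid handle; that is an assumption, not documented behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t  NTSTATUS;
typedef uint8_t  BOOLEAN;
typedef intptr_t HANDLE_T;   /* stand-in for HANDLE so the model builds without windows.h */

/* Real SDK values (ntstatus.h / winnt.h / ntpsapi.h) */
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)
#define STATUS_NO_TOKEN       ((NTSTATUS)0xC000007C)
#define TOKEN_QUERY           0x0008u
#define NT_CURRENT_PROCESS_TOKEN          ((HANDLE_T)-4)
#define NT_CURRENT_THREAD_TOKEN           ((HANDLE_T)-5)
#define NT_CURRENT_THREAD_EFFECTIVE_TOKEN ((HANDLE_T)-6)
#define SECURITY_MANDATORY_LOW_RID    0x1000u
#define SECURITY_MANDATORY_MEDIUM_RID 0x2000u
#define SECURITY_MANDATORY_HIGH_RID   0x3000u

/* Constructed model types: the only token attribute this check needs is the integrity RID */
typedef struct { uint32_t IntegrityRid; } TokenModel;
typedef struct { HANDLE_T Value; const TokenModel *Token; uint32_t GrantedAccess; } HandleEntry;
typedef struct {
    TokenModel         Primary;        /* primary token of the calling process */
    const TokenModel  *Impersonation;  /* NULL when the thread is not impersonating */
    const HandleEntry *Handles;        /* constructed per-process handle table */
    size_t             HandleCount;
} CallerModel;

/* Pseudo-handle dispatch as the page describes; real handles must carry TOKEN_QUERY.
 * Assumption of the model: a NULL TokenHandle is treated as an invalid handle. */
static NTSTATUS ResolveToken(const CallerModel *c, HANDLE_T h, const TokenModel **out)
{
    if (h == NT_CURRENT_PROCESS_TOKEN) { *out = &c->Primary; return STATUS_SUCCESS; }
    if (h == NT_CURRENT_THREAD_TOKEN) {
        if (c->Impersonation == NULL) return STATUS_NO_TOKEN;   /* thread is not impersonating */
        *out = c->Impersonation;
        return STATUS_SUCCESS;
    }
    if (h == NT_CURRENT_THREAD_EFFECTIVE_TOKEN) {
        *out = c->Impersonation ? c->Impersonation : &c->Primary;   /* fall back to primary */
        return STATUS_SUCCESS;
    }
    for (size_t i = 0; i < c->HandleCount; i++) {
        if (c->Handles[i].Value != h) continue;
        if ((c->Handles[i].GrantedAccess & TOKEN_QUERY) == 0) return STATUS_ACCESS_DENIED;
        *out = c->Handles[i].Token;
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_HANDLE;
}

/* Model of RtlCheckSandboxedToken: sandboxed means integrity strictly below medium, so a
 * Medium (0x2000) token is not sandboxed while Low (0x1000) and Untrusted (0x0000) are. */
NTSTATUS ModelCheckSandboxedToken(const CallerModel *c, HANDLE_T TokenHandle, BOOLEAN *IsSandboxed)
{
    const TokenModel *t = NULL;
    NTSTATUS st = ResolveToken(c, TokenHandle, &t);
    if (st != STATUS_SUCCESS) return st;
    *IsSandboxed = (t->IntegrityRid < SECURITY_MANDATORY_MEDIUM_RID) ? 1 : 0;
    return STATUS_SUCCESS;
}

/* Constructed scenario: a medium-integrity process whose thread optionally impersonates a
 * low-integrity token; handle 0x40 was opened with TOKEN_QUERY, handle 0x44 without it. */
static const TokenModel  g_low = { SECURITY_MANDATORY_LOW_RID };
static const HandleEntry g_handles[] = {
    { (HANDLE_T)0x40, &g_low, TOKEN_QUERY },
    { (HANDLE_T)0x44, &g_low, 0 },
};
#define G_HANDLE_COUNT (sizeof(g_handles) / sizeof(g_handles[0]))

/* Returns the NTSTATUS of the modelled call for the scenario */
NTSTATUS ProbeStatus(int impersonatingLow, HANDLE_T h)
{
    CallerModel c = { { SECURITY_MANDATORY_MEDIUM_RID }, impersonatingLow ? &g_low : NULL,
                      g_handles, G_HANDLE_COUNT };
    BOOLEAN sandboxed = 0;
    return ModelCheckSandboxedToken(&c, h, &sandboxed);
}

/* Returns 1 (sandboxed), 0 (not sandboxed) or -1 when the modelled call fails */
int Probe(int impersonatingLow, HANDLE_T h)
{
    CallerModel c = { { SECURITY_MANDATORY_MEDIUM_RID }, impersonatingLow ? &g_low : NULL,
                      g_handles, G_HANDLE_COUNT };
    BOOLEAN sandboxed = 0;
    return ModelCheckSandboxedToken(&c, h, &sandboxed) == STATUS_SUCCESS ? (int)sandboxed : -1;
}

int main(void)
{
    printf("process token, no impersonation : %d\n", Probe(0, NT_CURRENT_PROCESS_TOKEN));          /* 0 */
    printf("thread token, no impersonation  : %d\n", Probe(0, NT_CURRENT_THREAD_TOKEN));           /* -1 (STATUS_NO_TOKEN) */
    printf("effective token, impersonating  : %d\n", Probe(1, NT_CURRENT_THREAD_EFFECTIVE_TOKEN)); /* 1 */
    printf("handle without TOKEN_QUERY      : 0x%08X\n", (unsigned)ProbeStatus(0, (HANDLE_T)0x44)); /* 0xC0000022 */
    return 0;
}
```

The model deliberately returns STATUS_NO_TOKEN for NtCurrentThreadToken on a non-impersonating thread and silently falls back to the primary token for NtCurrentThreadEffectiveToken, which is the distinction callers most often get wrong when deciding which pseudo-handle to pass. On Windows, the real function is exported by ntdll.dll but not declared in the public SDK headers, so a caller either uses the phnt declaration shown above or resolves it at run time from ntdll; the pseudo-handle macros in phnt's ntpsapi.h expand to the same -4/-5/-6 values used here.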
This function was introduced in Windows 10 TH1 (1507).