TOKEN_INFORMATION_CLASS - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTSEAPI_H
//
// Authz
//
// begin_rev
#if (PHNT_MODE == PHNT_MODE_KERNEL)
typedef enum _TOKEN_INFORMATION_CLASS
{
TokenUser = 1, // q: TOKEN_USER, SE_TOKEN_USER
TokenGroups, // q: TOKEN_GROUPS
TokenPrivileges, // q: TOKEN_PRIVILEGES
TokenOwner, // qs: TOKEN_OWNER
TokenPrimaryGroup, // qs: TOKEN_PRIMARY_GROUP
TokenDefaultDacl, // qs: TOKEN_DEFAULT_DACL
TokenSource, // q: TOKEN_SOURCE
TokenType, // q: TOKEN_TYPE
TokenImpersonationLevel, // q: SECURITY_IMPERSONATION_LEVEL
TokenStatistics, // q: TOKEN_STATISTICS // 10
TokenRestrictedSids, // q: TOKEN_GROUPS
TokenSessionId, // q; s: ULONG (requires SeTcbPrivilege)
TokenGroupsAndPrivileges, // q: TOKEN_GROUPS_AND_PRIVILEGES
TokenSessionReference, // s: ULONG (requires SeTcbPrivilege)
TokenSandBoxInert, // q: ULONG
TokenAuditPolicy, // q; s: TOKEN_AUDIT_POLICY (requires SeSecurityPrivilege/SeTcbPrivilege)
TokenOrigin, // q; s: TOKEN_ORIGIN (requires SeTcbPrivilege)
TokenElevationType, // q: TOKEN_ELEVATION_TYPE
TokenLinkedToken, // q; s: TOKEN_LINKED_TOKEN (requires SeCreateTokenPrivilege)
TokenElevation, // q: TOKEN_ELEVATION // 20
TokenHasRestrictions, // q: ULONG
TokenAccessInformation, // q: TOKEN_ACCESS_INFORMATION
TokenVirtualizationAllowed, // q; s: ULONG (requires SeCreateTokenPrivilege)
TokenVirtualizationEnabled, // q; s: ULONG
TokenIntegrityLevel, // q; s: TOKEN_MANDATORY_LABEL
TokenUIAccess, // q; s: ULONG (requires SeTcbPrivilege)
TokenMandatoryPolicy, // q; s: TOKEN_MANDATORY_POLICY (requires SeTcbPrivilege)
TokenLogonSid, // q: TOKEN_GROUPS
TokenIsAppContainer, // q: ULONG // since WIN8
TokenCapabilities, // q: TOKEN_GROUPS // 30
TokenAppContainerSid, // q: TOKEN_APPCONTAINER_INFORMATION
TokenAppContainerNumber, // q: ULONG
TokenUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenRestrictedUserClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenRestrictedDeviceClaimAttributes, // q: CLAIM_SECURITY_ATTRIBUTES_INFORMATION
TokenDeviceGroups, // q: TOKEN_GROUPS
TokenRestrictedDeviceGroups, // q: TOKEN_GROUPS
TokenSecurityAttributes, // qs: TOKEN_SECURITY_ATTRIBUTES_[AND_OPERATION_]INFORMATION (requires SeTcbPrivilege)
TokenIsRestricted, // q: ULONG // 40
TokenProcessTrustLevel, // q: TOKEN_PROCESS_TRUST_LEVEL // since WINBLUE
TokenPrivateNameSpace, // q; s: ULONG (requires SeTcbPrivilege) // since THRESHOLD
TokenSingletonAttributes, // q: TOKEN_SECURITY_ATTRIBUTES_INFORMATION // since REDSTONE
TokenBnoIsolation, // q: TOKEN_BNO_ISOLATION_INFORMATION // since REDSTONE2
TokenChildProcessFlags, // s: ULONG (requires SeTcbPrivilege) // since REDSTONE3
TokenIsLessPrivilegedAppContainer, // q: ULONG // since REDSTONE5
TokenIsSandboxed, // q: ULONG // since 19H1
TokenIsAppSilo, // q: ULONG // since WIN11 22H2 // previously TokenOriginatingProcessTrustLevel // q: TOKEN_PROCESS_TRUST_LEVEL
TokenLoggingInformation, // q: TOKEN_LOGGING_INFORMATION // since 24H2
TokenLearningMode, // q: // since 25H2
MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
View code on GitHub#ifndef _NTSEAPI_H
//
// Authz
//
// begin_rev
#if (PHNT_MODE == PHNT_MODE_KERNEL)
// ...
#else
#define TOKEN_INFORMATION_CLASS ULONG
View code on GitHub// ntifs.h
typedef enum _TOKEN_INFORMATION_CLASS {
TokenUser,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId,
TokenGroupsAndPrivileges,
TokenSessionReference,
TokenSandBoxInert,
TokenAuditPolicy,
TokenOrigin,
TokenElevationType,
TokenLinkedToken,
TokenElevation,
TokenHasRestrictions,
TokenAccessInformation,
TokenVirtualizationAllowed,
TokenVirtualizationEnabled,
TokenIntegrityLevel,
TokenUIAccess,
TokenMandatoryPolicy,
TokenLogonSid,
TokenIsAppContainer,
TokenCapabilities,
TokenAppContainerSid,
TokenAppContainerNumber,
TokenUserClaimAttributes,
TokenDeviceClaimAttributes,
TokenRestrictedUserClaimAttributes,
TokenRestrictedDeviceClaimAttributes,
TokenDeviceGroups,
TokenRestrictedDeviceGroups,
TokenSecurityAttributes,
TokenIsRestricted,
TokenProcessTrustLevel,
TokenPrivateNameSpace,
TokenSingletonAttributes,
TokenBnoIsolation,
TokenChildProcessFlags,
TokenIsLessPrivilegedAppContainer,
TokenIsSandboxed,
TokenIsAppSilo,
TokenLoggingInformation,
TokenLearningMode,
MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;
View the official Windows Driver Kit DDI referenceThis enumeration defines types of information that can be queried or set for tokens. The enumeration is partially documented in Windows Driver Kit and in Windows SDK.
Retrieves the user SID associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_USER or SE_TOKEN_USER |
N/A |
| Required access | TOKEN_QUERY |
N/A |
The user SID is considered enabled for granting access checks when its attributes don't include the SE_GROUP_USE_FOR_DENY_ONLY flag. Note that this behavior differs from token groups which explicitly require SE_GROUP_ENABLED flag to be set. In other words, an enabled user has attributes set to zero; a filtered/disabled user (see NtFilterToken) has attributes set to SE_GROUP_USE_FOR_DENY_ONLY.
Retrieves the list of SIDs (group membership) associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
A group SID is considered enabled for granting access checks when its attributes include SE_GROUP_ENABLED. A group SID is considered enabled for denying access checks when its attributes include either SE_GROUP_ENABLED or SE_GROUP_USE_FOR_DENY_ONLY.
Retrieves the list of privileges present in the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_PRIVILEGES |
N/A |
| Required access | TOKEN_QUERY |
N/A |
A privilege is considered enabled for access checks when its attributes include SE_PRIVILEGE_ENABLED.
Retrieves or sets the default owner SID for newly created objects.
| Query | Set | |
|---|---|---|
| Type | TOKEN_OWNER |
TOKEN_OWNER |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
When changing the value, the provided SID must be either the user of the token or one of the groups that have the SE_GROUP_OWNER flag. Otherwise, the request fails with STATUS_INVALID_OWNER.
Retrieves or sets the default primary group SID for newly created objects.
| Query | Set | |
|---|---|---|
| Type | TOKEN_PRIMARY_GROUP |
TOKEN_PRIMARY_GROUP |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
When changing the value, the provided SID must be either the user or one of the groups of the token. Otherwise, the request fails with STATUS_INVALID_PRIMARY_GROUP.
Retrieves or sets the default discretionary ACL (DACL) for newly created objects.
| Query | Set | |
|---|---|---|
| Type | TOKEN_DEFAULT_DACL |
TOKEN_DEFAULT_DACL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
Retrieves the string and LUID that identify the source of the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_SOURCE |
N/A |
| Required access | TOKEN_QUERY_SOURCE |
N/A |
Determines whether the token is a primary token or an impersonation token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_TYPE |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves the level of impersonation for impersonation-type tokens.
| Query | Set | |
|---|---|---|
| Type | SECURITY_IMPERSONATION_LEVEL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves various statistics information for the token such its type, the number of groups and privileges, and the associated logon session LUID.
| Query | Set | |
|---|---|---|
| Type | TOKEN_STATISTICS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves the list of restricting groups for the secondary access check added via NtFilterToken.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves or sets the session ID of the token.
| Query | Set | |
|---|---|---|
| Type | ULONG |
ULONG |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID |
| Required privilege | None | SeTcbPrivilege |
Attempting to change the session ID of a token that is assigned as a primary process token results in STATUS_TOKEN_ALREADY_IN_USE.
Retrieves the list of SIDs, restricting SIDs, and privileges present in the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS_AND_PRIVILEGES |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Allows releasing token's reference to the associated logon session.
| Query | Set | |
|---|---|---|
| Type | N/A | ULONG (0) or BOOL (FALSE) |
| Required access | N/A | N/A |
| Required privilege | None | SeTcbPrivilege |
Retrieves whether the token allows bypassing Software Restriction Policies and AppLocker rules. This info class checks for the TOKEN_SANDBOX_INERT token flag.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves and sets the per-user audit policy overrides for the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_AUDIT_POLICY |
TOKEN_AUDIT_POLICY |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | SeSecurityPrivilege |
SeTcbPrivilege |
Audit policy overrides can only be set once per token. Subsequent attempts to modify this information result in STATUS_INVALID_PARAMETER.
Retrieves and adjusts the LUID of the originating logon session for the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_ORIGIN |
TOKEN_ORIGIN |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | SeTcbPrivilege |
Determines the elevation type of the logon session associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_ELEVATION_TYPE |
N/A |
| Required access | TOKEN_QUERY |
N/A |
This information is not per se a property of the token but rather its logon session.
Opens a copy of a token from the linked logon session or links logon sessions of the two tokens.
| Query | Set | |
|---|---|---|
| Type | TOKEN_LINKED_TOKEN |
TOKEN_LINKED_TOKEN |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT | TOKEN_QUERY (on both handles) |
| Required privilege | None | SeCreateTokenPrivilege |
Querying this information class returns a primary token when the caller has SeTcbPrivilege enabled and an identification-level token otherwise.
Settings linked token requires both tokens to be primary and belong to logon sessions that are not already linked. The token passed in the first parameter to NtSetInformationToken provides the logon session to be marked as elevated while the token passed via the buffer becomes the limited logon session.
Determines whether the token is elevated by checking if it contains any sensitive groups (see RtlIsElevatedRid) or privileges.
| Query | Set | |
|---|---|---|
| Type | TOKEN_ELEVATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Determines whether the token has been filtered via NtFilterToken. This info class checks token flags for TOKEN_IS_RESTRICTED | TOKEN_IS_FILTERED.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves various access-related information such as the SID hashes, privileges, and token flags.
| Query | Set | |
|---|---|---|
| Type | TOKEN_ACCESS_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Retrieves or sets whether the token allows enabling UAC filesystem and registry virtualization. This info class accesses the TOKEN_VIRTUALIZE_ALLOWED token flag.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
ULONG or BOOL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | SeCreateTokenPrivilege |
Retrieves or sets whether UAC filesystem and registry virtualization is enabled for the token. This info class accesses the TOKEN_VIRTUALIZE_ENABLED token flag.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
ULONG or BOOL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
Retrieves or changes the integrity level of the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_MANDATORY_LABEL |
TOKEN_MANDATORY_LABEL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | None to lower; SeTcbPrivilege to raise |
Attempting to raise integrity level of a token that is assigned as a primary process token results in STATUS_TOKEN_ALREADY_IN_USE.
Lowering integrity automatically disables incompatible privileges and prevents them from being enabled.
Retrieves or sets whether the token allows bypassing User Interface Privilege Isolation (UIPI). This info class accesses the TOKEN_UIACCESS token flag.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
ULONG or BOOL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | None to disable; SeTcbPrivilege to enable |
Retrieves or sets mandatory policy for the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_MANDATORY_POLICY |
TOKEN_MANDATORY_POLICY |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | SeTcbPrivilege |
Attempting to change mandatory policy of a token that is assigned as a primary process token results in STATUS_TOKEN_ALREADY_IN_USE.
Finds (the first) logon SID (a group with SE_GROUP_LOGON_ID flag) in the list of token groups.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
Determines whether the token is an AppContainer/LowBox token.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
AppContainer tokens perform an additional access check against the corresponding AppContainer SID, ALL APPLICATION PACKAGES SID (S-1-15-2-1), and the list of provided capabilities.
Retrieves the list of capability SIDs associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the AppContainer/Package SID associated with a LowBox token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_APPCONTAINER_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
AppContainer tokens perform an additional access check against the AppContainer SID, ALL APPLICATION PACKAGES SID (S-1-15-2-1), and the list of provided capabilities.
Retrieves the token AppContainer/LowBox number.
| Query | Set | |
|---|---|---|
| Type | ULONG |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of user claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | CLAIM_SECURITY_ATTRIBUTES_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of device claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | CLAIM_SECURITY_ATTRIBUTES_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of restricted user claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | CLAIM_SECURITY_ATTRIBUTES_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of restricted device claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | CLAIM_SECURITY_ATTRIBUTES_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of device group SIDs device claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the list of restricted device group SIDs device claim attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_GROUPS |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves or modifies the list of security attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_SECURITY_ATTRIBUTES_INFORMATION |
TOKEN_SECURITY_ATTRIBUTES_AND_OPERATION_INFORMATION |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | SeTcbPrivilege |
| Minimal version | Windows 8 | Windows 8 |
Determines if the token is restricted (i.e., requires a secondary access check against the list of restricting SIDs). This info class checks token flags for TOKEN_IS_RESTRICTED | TOKEN_WRITE_RESTRICTED.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8 | N/A |
Retrieves the process trust level (protection/PPL) SID associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_PROCESS_TRUST_LEVEL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 8.1 | N/A |
This info class accesses the TOKEN_PRIVATE_NAMESPACE token flag.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
ULONG or BOOL |
| Required access | TOKEN_QUERY |
TOKEN_ADJUST_DEFAULT |
| Required privilege | None | SeTcbPrivilege |
| Minimal version | Windows 10 TH1 (1507) | Windows 10 TH1 (1507) |
Retrieves the list of singleton attributes associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_SECURITY_ATTRIBUTES_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 10 RS1 (1607) | N/A |
Retrieves the Base Named Object Isolation rules for the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_BNO_ISOLATION_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 10 RS2 (1703) | N/A |
Removes the child process creation restriction from the token.
| Query | Set | |
|---|---|---|
| Type | N/A | ULONG (0) or BOOL (FALSE) |
| Required access | N/A | TOKEN_ADJUST_DEFAULT |
| Minimal version | N/A | Windows 10 RS3 (1709) |
| Required privilege | N/A | SeTcbPrivilege |
To check the existing child process creation restrictions, query token flags and test them for TOKEN_NO_CHILD_PROCESS, TOKEN_NO_CHILD_PROCESS_UNLESS_SECURE, and TOKEN_AUDIT_NO_CHILD_PROCESS.
NtQueryInformationProcess with PROCESSINFOCLASS value of ProcessChildProcessInformation (73)PS_ATTRIBUTE_CHILD_PROCESS_POLICYDetermines if the token is a Less Privileged AppContainer (LPAC) token.
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 10 RS5 (1809) | N/A |
The LPAC flag replaces a regular AppContainer access check against ALL APPLICATION PACKAGES (S-1-15-2-1) with a check against ALL RESTRICTED APPLICATION PACKAGES (S-1-15-2-2).
Alternatively, you can query the WIN://NOALLAPPPKG attribute via the NtQuerySecurityAttributesToken function or the TokenSecurityAttributes info class and test for a non-zero value.
Determines if the token is considered sandboxed (i.e., has integrity level below medium).
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 10 19H1 (1903) | N/A |
Determines if the token has the AppSilo capability (S-1-15-3-65536).
| Query | Set | |
|---|---|---|
| Type | ULONG or BOOL |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 11 22H2 | N/A |
This info class value was previously known as TokenOriginatingProcessTrustLevel.
Returns logging information associated with the token.
| Query | Set | |
|---|---|---|
| Type | TOKEN_LOGGING_INFORMATION |
N/A |
| Required access | TOKEN_QUERY |
N/A |
| Minimal version | Windows 11 24H2 | N/A |
The TOKEN_INFORMATION_CLASS enumeration type contains values that specify the type of information being assigned to or retrieved from an access token.
SeQueryInformationToken and ZwQueryInformationToken use TOKEN_INFORMATION_CLASS values to indicate the type of token information to retrieve.
TokenUserThe buffer receives a TOKEN_USER structure containing the token's user account.
TokenGroupsThe buffer receives a TOKEN_GROUPS structure containing the group accounts associated with the token.
TokenPrivilegesThe buffer receives a TOKEN_PRIVILEGES structure containing the token's privileges.
TokenOwnerThe buffer receives a TOKEN_OWNER structure containing the default owner SID for newly created objects.
TokenPrimaryGroupThe buffer receives a TOKEN_PRIMARY_GROUP structure containing the default primary group SID for newly created objects.
TokenDefaultDaclThe buffer receives a TOKEN_DEFAULT_DACL structure containing the default discretionary ACL (DACL) for newly created objects.
TokenSourceThe buffer receives a TOKEN_SOURCE structure containing the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.
TokenTypeThe buffer receives a TOKEN_TYPE value indicating whether the token is a primary or impersonation token.
TokenImpersonationLevelThe buffer receives a SECURITY_IMPERSONATION_LEVEL value indicating the impersonation level of the token. If the access token is not an impersonation token, the call to SeQueryInformationToken or ZwQueryInformationToken fails.
TokenStatisticsThe buffer receives a TOKEN_STATISTICS structure containing various token statistics.
TokenRestrictedSidsThe buffer receives a TOKEN_GROUPS structure containing the list of restricting SIDs in a restricted token. This value is valid starting with Windows Vista.
TokenSessionIdThe buffer receives a DWORD value that indicates the Terminal Services session identifier associated with the token. If the token is associated with the Terminal Server console session, the session identifier is zero. A nonzero session identifier indicates a Terminal Services client session. In a non-Terminal Services environment, the session identifier is zero. This value is valid starting with Windows Vista.
TokenGroupsAndPrivilegesThe buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token. This value is valid starting with Windows Vista.
TokenSessionReferenceReserved for system use.
TokenSandBoxInertThe buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag. This value is valid starting with Windows Vista.
TokenAuditPolicyReserved for system use.
TokenOriginThe buffer receives a TOKEN_ORIGIN value.
If the token resulted from a logon that used explicit credentials, such as passing a name, domain, and password to the user-mode LogonUser function, then the TOKEN_ORIGIN structure will contain the ID of the logon session that created it.
If the token resulted from network authentication, such as a call to user-mode AcceptSecurityContext function or a call to user-mode LogonUser function with dwLogonType set to LOGON32_LOGON_NETWORK or LOGON32_LOGON_NETWORK_CLEARTEXT, then this value will be zero.
This value is valid starting with Windows Server 2003.
TokenElevationTypeTokenLinkedTokenThe buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token. This value is valid starting with Windows Vista.
TokenElevationThe buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated. This value is valid starting with Windows Vista.
TokenHasRestrictionsThe buffer receives a DWORD value that is nonzero if the token has ever been filtered. This value is valid starting with Windows Vista.
TokenAccessInformationThe buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token. This value is valid starting with Windows Vista.
TokenVirtualizationAllowedThe buffer receives a DWORD value that is nonzero if virtualization is allowed for the token. This value is valid starting with Windows Vista.
TokenVirtualizationEnabledThe buffer receives a DWORD value that is nonzero if virtualization is enabled for the token. This value is valid starting with Windows Vista.
TokenIntegrityLevelThe buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level. This value is valid starting with Windows Vista. For SeQueryInformationToken the output is the actual integrity level (DWORD).
TokenUIAccessThe buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set. This value is valid starting with Windows Vista.
TokenMandatoryPolicyThe buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy. This value is valid starting with Windows Vista.
TokenLogonSidThe buffer receives a TOKEN_GROUPS structure that specifies the token's logon SID. This value is valid starting with Windows Vista.
TokenIsAppContainerThe buffer receives a DWORD value that is nonzero if the token has the application container flag set. This value is valid starting with Windows 8.
TokenCapabilitiesThe buffer receives a TOKEN_GROUPS structure and an array of SID_AND_ATTRIBUTES structures for each token capability. This value is valid starting with Windows 8.
TokenAppContainerSidThe buffer receives a TOKEN_APPCONTAINER_INFORMATION structure that contains the AppContainerSid associated with the token. If the token is not associated with an app container, the TokenAppContainer member of the TOKEN_APPCONTAINER_INFORMATION structure points to NULL. This value is valid starting with Windows 8.
TokenAppContainerNumberThe buffer receives a DWORD value that is the application container number. This value is valid starting with Windows 8.
TokenUserClaimAttributesThe buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the user's claim attributes. This value is valid starting with Windows 8.
TokenDeviceClaimAttributesThe buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that specifies the device's claim attributes. This value is valid starting with Windows 8.
TokenRestrictedUserClaimAttributesReserved for system use.
TokenRestrictedDeviceClaimAttributesReserved for system use.
TokenDeviceGroupsThe buffer receives a TOKEN_GROUPS structure and an array of SID_AND_ATTRIBUTES structures for each device group. This value is valid starting with Windows 8.
TokenRestrictedDeviceGroupsReserved for system use.
TokenSecurityAttributesReserved for system use.
TokenIsRestrictedReserved for system use.
TokenProcessTrustLevelReserved for system use.
TokenPrivateNameSpaceReserved for system use.
TokenSingletonAttributesReserved for system use.
TokenBnoIsolationReserved for system use.
TokenChildProcessFlagsReserved for system use.
TokenIsLessPrivilegedAppContainerReturns a DWORD value that is nonzero if the token is for a less privileged app container.
TokenIsSandboxedReturns a DWORD value that is nonzero if the token is for a sandboxed process or app.
TokenIsAppSiloReturns a DWORD value that is nonzero if the token is associated with an app silo.
TokenLoggingInformationThe buffer receives a TOKEN_LOGGING_INFORMATION structure with logging information associated with the token.
MaxTokenInfoClassThe maximum value for this enumeration.