ImpersonateAnonymousToken function (securitybaseapi.h)

The ImpersonateAnonymousToken function enables the specified thread to impersonate the system's anonymous logon token. To ensure that a token matches the operating system's concept of anonymous access, this function should be called before attempting network access to generate an anonymous token on the remote server.

Syntax

BOOL ImpersonateAnonymousToken(
  [in] HANDLE ThreadHandle
);

Parameters

[in] ThreadHandle

A handle to the thread to impersonate the system's anonymous logon token. The thread handle must have the THREAD_IMPERSONATE access right in order for the thread to impersonate the system's anonymous logon token.

To grant such access, the thread must be opened by calling OpenThread with the desired access right to THREAD_IMPERSONATE.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

An error of ACCESS_DENIED might indicate that the token is for a restricted process. Use OpenProcessToken and IsTokenRestricted to check if the process is restricted. ACCESS_DENIED is also returned if the thread handle lacks right access to THREAD_IMPERSONATE.

Remarks

Anonymous tokens do not include the "Everyone" Group SID unless the system default has been overridden by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous registry value to DWORD=1.

To cancel the impersonation, call RevertToSelf.

Requirements

Requirement	Value
Minimum supported client	Windows XP [desktop apps only]
Minimum supported server	Windows Server 2003 [desktop apps only]
Target Platform	Windows
Header	securitybaseapi.h (include Windows.h)
Library	Advapi32.lib
DLL	Advapi32.dll

See also

• Access Control Overview
• Basic Access Control Functions
• Thread Security and Access Rights
• RevertToSelf