OpenThreadToken function

Applies to: desktop apps only

The OpenThreadToken function opens the access token associated with a thread.

Syntax

BOOL WINAPI OpenThreadToken(
  __in   HANDLE ThreadHandle,
  __in   DWORD DesiredAccess,
  __in   BOOL OpenAsSelf,
  __out  PHANDLE TokenHandle
);

Parameters

ThreadHandle [in]

A handle to the thread whose access token is opened.

DesiredAccess [in]

Specifies an access mask that specifies the requested types of access to the access token. These requested access types are reconciled against the token's discretionary access control list (DACL) to determine which accesses are granted or denied.

For a list of access rights for access tokens, see Access Rights for Access-Token Objects.

OpenAsSelf [in]

TRUE if the access check is to be made against the process-level security context.

FALSE if the access check is to be made against the current security context of the thread calling the OpenThreadToken function.

The OpenAsSelf parameter allows the caller of this function to open the access token of a specified thread when the caller is impersonating a token at SecurityIdentification level. Without this parameter, the calling thread cannot open the access token on the specified thread because it is impossible to open executive-level objects by using the SecurityIdentification impersonation level.

TokenHandle [out]

A pointer to a variable that receives the handle to the newly opened access token.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError. If the token has the anonymous impersonation level, the token will not be opened and OpenThreadToken sets ERROR_CANT_OPEN_ANONYMOUS as the error.

Remarks

Tokens with the anonymous impersonation level cannot be opened.

Close the access token handle returned through the TokenHandle parameter by calling CloseHandle.

Requirements

Minimum supported client	Windows XP
Minimum supported server	Windows Server 2003
Header	Winbase.h (include Windows.h)
Library	Advapi32.lib
DLL	Advapi32.dll

See also

Access Control Overview

Basic Access Control Functions

AccessCheck

AdjustTokenGroups

AdjustTokenPrivileges

CloseHandle

GetTokenInformation

OpenProcessToken

SECURITY_IMPERSONATION_LEVEL

SetThreadToken

SetTokenInformation

 

 

Send comments about this topic to Microsoft

Build date: 3/7/2012

TokenHandle may be set to NULL on failure in some OSs

Following on from this reported issue: http://social.msdn.microsoft.com/Forums/en-US/vcmfcatl/thread/76647a56-d7e6-491c-90d7-7ca1367b653f

For a 32 bit application running under Windows 7 x64 (other OS's may also have the issue), OpenThreadToken may set the TokenHandle value to NULL (rather than leaving it unaffected, or setting it to INVALID_HANDLE_VALUE). So, if like the ATL code mentioned you're assuming the value of TokenHandle is INVALID_HANDLE_VALUE on a failure case, beware!

OpenThreadToken may fail with ERROR_NO_TOKEN

If the thread specified in ThreadHandle does not have an assigned token, OpenThreadToken my fail and set ERROR_NO_TOKEN as the error. In this case use OpenProcessToken to get the process token.
When the thread is not currently impersonating, the thread will not have any token assigned.

Terms & Defs

Access Token - An access token contains the security information for a logon session. The system creates an access token when a user logs on, and every process executed on behalf of the user has a copy of the token. The token identifies the user, the user's groups, and the user's privileges. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. There are two kinds of access token, primary and impersonation.