Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Microsoft Developer Network
Click to Rate and Give Feedback
MSDN
MSDN Library
Security
Authorization
 GetTokenInformation Function

  Switch on low bandwidth view
GetTokenInformation Function

The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.

To determine if a user is a member of a specific group, use the CheckTokenMembership function.

Syntax

C++
BOOL WINAPI GetTokenInformation(
  __in       HANDLE TokenHandle,
  __in       TOKEN_INFORMATION_CLASS TokenInformationClass,
  __out_opt  LPVOID TokenInformation,
  __in       DWORD TokenInformationLength,
  __out      PDWORD ReturnLength
);

Parameters

TokenHandle [in]

A handle to an access token from which information is retrieved. If TokenInformationClass specifies TokenSource, the handle must have TOKEN_QUERY_SOURCE access. For all other TokenInformationClass values, the handle must have TOKEN_QUERY access.

TokenInformationClass [in]

Specifies a value from the TOKEN_INFORMATION_CLASS enumerated type to identify the type of information the function retrieves.

TokenInformation [out, optional]

A pointer to a buffer the function fills with the requested information. The structure put into this buffer depends upon the type of information specified by the TokenInformationClass parameter, as shown in the following table.

ValueMeaning
NULL

The function returns FALSE and stores the size required for the buffer in ReturnLength. A call to the GetLastError function returns ERROR_INSUFFICIENT_BUFFER. The caller can then allocate a buffer with the required size and pass the address of the buffer as TokenInformation in another call to this function.

TokenDefaultDacl

The buffer receives a TOKEN_DEFAULT_DACL structure containing the default DACL for newly created objects.

TokenGroups

The buffer receives a TOKEN_GROUPS structure containing the group accounts associated with the token.

TokenGroupsAndPrivileges

The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure containing the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token.

TokenImpersonationLevel

The buffer receives a SECURITY_IMPERSONATION_LEVEL value indicating the impersonation level of the token. If the access token is not an impersonation token, the function fails.

TokenOrigin

The buffer receives a TOKEN_ORIGIN value that contains information about the logon session ID.

TokenOwner

The buffer receives a TOKEN_OWNER structure containing the default owner SID for newly created objects.

TokenPrimaryGroup

The buffer receives a TOKEN_PRIMARY_GROUP structure containing the default primary group SID for newly created objects.

TokenPrivileges

The buffer receives a TOKEN_PRIVILEGES structure containing the token's privileges.

TokenRestrictedSids

The buffer receives a TOKEN_GROUPS structure containing the list of restricting SIDs in a restricted token.

TokenSandBoxInert

The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.

TokenSessionId

The buffer receives a DWORD value that contains the Terminal Services session identifier associated with the token.

TokenSource

The buffer receives a TOKEN_SOURCE structure containing the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.

TokenStatistics

The buffer receives a TOKEN_STATISTICS structure containing various token statistics.

TokenType

The buffer receives a TOKEN_TYPE value indicating whether the token is a primary or impersonation token.

TokenUser

The buffer receives a TOKEN_USER structure containing the token's user account.

 

TokenInformationLength [in]

Specifies the size, in bytes, of the buffer pointed to by the TokenInformation parameter. If TokenInformation is NULL, this parameter must be zero.

ReturnLength [out]

A pointer to a variable that receives the number of bytes needed for the buffer pointed to by the TokenInformation parameter. If this value is larger than the value specified in the TokenInformationLength parameter, the function fails and stores no data in the buffer.

If the value of the TokenInformationClass parameter is TokenDefaultDacl and the token has no default DACL, the function sets the variable pointed to by ReturnLength to sizeof(TOKEN_DEFAULT_DACL) and sets the DefaultDacl member of the TOKEN_DEFAULT_DACL structure to NULL.

Return Value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

Examples

For an example that uses this function, see Getting the Logon SID or Searching for a SID in an Access Token.

Requirements

Minimum supported clientWindows 2000 Professional
Minimum supported serverWindows 2000 Server
HeaderWinbase.h (include Windows.h)
LibraryAdvapi32.lib
DLLAdvapi32.dll

See Also

Access Control Overview
Basic Access Control Functions
AdjustTokenGroups
AdjustTokenPrivileges
CheckTokenMembership
OpenProcessToken
OpenThreadToken
SECURITY_IMPERSONATION_LEVEL
SetTokenInformation
TOKEN_DEFAULT_DACL
TOKEN_GROUPS
TOKEN_GROUPS_AND_PRIVILEGES
TOKEN_INFORMATION_CLASS
TOKEN_OWNER
TOKEN_PRIMARY_GROUP
TOKEN_PRIVILEGES
TOKEN_SOURCE
TOKEN_STATISTICS
TOKEN_TYPE
TOKEN_USER

Send comments about this topic to Microsoft

Build date: 6/26/2009

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
GetTokenInformation may fail if TokenSessionId was specified on a Windows XP System      Dezipaitor   |   Edit   |   Show History

On Windows XP (SP2!, SP1?) only
GetTokenInformation returns an error (24) if the user wants to get the required size of class TokenSessionId (=sizeof DWORD). It sets ReturnLength to zero (0). TokenSessionId can only be retrieved by directly calling GetTokenInformation with TokenInformationLength = sizeof DWORD.
Maybe other class type can have the same effect. (Please report also here)


On Vista it works fine.

Please direct questions to the microsoft.public.platformsdk.security newsgroup      eslesar-MSFT   |   Edit   |   Show History

The Community Content section of an MSDN library topic provides an area where developers can collaborate on additional information related to that topic. Use this section to contribute code examples, tips and tricks, and links to other relevant content.

You can use the MSDN Forums (http://forums.microsoft.com/msdn/) or the Microsoft public security newsgroups (http://www.microsoft.com/technet/community/newsgroups/security/) to ask questions or participate in discussions about the APIs.

To submit feedback on the documentation, use the feedback link on this page (see the "Send comments about this topic to Microsoft" link).

If you receive useful information from the forums that you want to share with other developers, you can post the information here in the community content.

Thank you.

Tags What's this?: Add a tag
Flag as ContentBug
© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker