CheckTokenCapability function

The CheckTokenCapability function checks the capabilities of a given token.


BOOL WINAPI CheckTokenCapability(
  _In_opt_ HANDLE TokenHandle,
  _In_     PSID   CapabilitySidToCheck,
  _Out_    PBOOL  HasCapability
);


TokenHandle [in, optional]

A handle to an access token. The handle must have TOKEN_QUERY access to the token. The token must be an impersonation token.

If TokenHandle is NULL, CheckTokenCapability uses the impersonation token of the calling thread. If the thread is not impersonating, the function duplicates the thread's primary token to create an impersonation token.

CapabilitySidToCheck [in]

A pointer to a capability SID structure. The CheckTokenCapability function checks whether the access token has this capability.

HasCapability [out]

Receives the result of the check. If the access token has the capability, it receives TRUE; otherwise, it receives FALSE.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.
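
A minimal caller, added here as an example and not part of the original reference: PowerShell compiling a small C# P/Invoke wrapper that keeps the two results separate (whether the call succeeded, and whether the token has the capability). The `TokenCap` class, its `Has` method, the DLL names, and the sample SID `S-1-15-3-1` (the well-known internetClient capability) are assumptions not taken from this page.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenCap   // hypothetical wrapper name
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CheckTokenCapability(
        IntPtr TokenHandle, IntPtr CapabilitySidToCheck, out bool HasCapability);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool ConvertStringSidToSid(string StringSid, out IntPtr Sid);

    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // The API's return value only says whether the check ran; the answer is
    // in HasCapability. A failed call throws instead of being read as "no".
    public static bool Has(string capabilitySid, IntPtr token)
    {
        IntPtr sid;
        if (!ConvertStringSidToSid(capabilitySid, out sid))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            bool has;
            if (!CheckTokenCapability(token, sid, out has))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return has;
        }
        finally
        {
            LocalFree(sid);   // ConvertStringSidToSid allocates with LocalAlloc
        }
    }
}
'@

# [IntPtr]::Zero is the NULL TokenHandle case: the calling thread's
# impersonation token, or a duplicate of the primary token, is checked.
[TokenCap]::Has('S-1-15-3-1', [IntPtr]::Zero)
```

Treating a zero return from the API as "capability absent" would hide failures such as a token handle opened without TOKEN_QUERY access, which is why the wrapper raises an exception in that case.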


Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]