TOKEN_INFORMATION_CLASS enumeration (winnt.h)

The TOKEN_INFORMATION_CLASS enumeration contains values that specify the type of information being assigned to or retrieved from an access token.

The GetTokenInformation function uses these values to indicate the type of token information to retrieve.

The SetTokenInformation function uses these values to set the token information.

Syntax

typedef enum _TOKEN_INFORMATION_CLASS {
  TokenUser = 1,
  TokenGroups,
  TokenPrivileges,
  TokenOwner,
  TokenPrimaryGroup,
  TokenDefaultDacl,
  TokenSource,
  TokenType,
  TokenImpersonationLevel,
  TokenStatistics,
  TokenRestrictedSids,
  TokenSessionId,
  TokenGroupsAndPrivileges,
  TokenSessionReference,
  TokenSandBoxInert,
  TokenAuditPolicy,
  TokenOrigin,
  TokenElevationType,
  TokenLinkedToken,
  TokenElevation,
  TokenHasRestrictions,
  TokenAccessInformation,
  TokenVirtualizationAllowed,
  TokenVirtualizationEnabled,
  TokenIntegrityLevel,
  TokenUIAccess,
  TokenMandatoryPolicy,
  TokenLogonSid,
  TokenIsAppContainer,
  TokenCapabilities,
  TokenAppContainerSid,
  TokenAppContainerNumber,
  TokenUserClaimAttributes,
  TokenDeviceClaimAttributes,
  TokenRestrictedUserClaimAttributes,
  TokenRestrictedDeviceClaimAttributes,
  TokenDeviceGroups,
  TokenRestrictedDeviceGroups,
  TokenSecurityAttributes,
  TokenIsRestricted,
  TokenProcessTrustLevel,
  TokenPrivateNameSpace,
  TokenSingletonAttributes,
  TokenBnoIsolation,
  TokenChildProcessFlags,
  TokenIsLessPrivilegedAppContainer,
  TokenIsSandboxed,
  TokenIsAppSilo,
  TokenLoggingInformation,
  MaxTokenInfoClass
} TOKEN_INFORMATION_CLASS, *PTOKEN_INFORMATION_CLASS;

Constants

TokenUser
Value: 1
The buffer receives a TOKEN_USER structure that contains the user account of the token.
TokenGroups
The buffer receives a TOKEN_GROUPS structure that contains the group accounts associated with the token.
TokenPrivileges
The buffer receives a TOKEN_PRIVILEGES structure that contains the privileges of the token.
TokenOwner
The buffer receives a TOKEN_OWNER structure that contains the default owner security identifier (SID) for newly created objects.
TokenPrimaryGroup
The buffer receives a TOKEN_PRIMARY_GROUP structure that contains the default primary group SID for newly created objects.
TokenDefaultDacl
The buffer receives a TOKEN_DEFAULT_DACL structure that contains the default DACL for newly created objects.
TokenSource
The buffer receives a TOKEN_SOURCE structure that contains the source of the token. TOKEN_QUERY_SOURCE access is needed to retrieve this information.
TokenType
The buffer receives a TOKEN_TYPE value that indicates whether the token is a primary or impersonation token.
TokenImpersonationLevel
The buffer receives a SECURITY_IMPERSONATION_LEVEL value that indicates the impersonation level of the token. If the access token is not an impersonation token, the function fails.
TokenStatistics
The buffer receives a TOKEN_STATISTICS structure that contains various token statistics.
TokenRestrictedSids
The buffer receives a TOKEN_GROUPS structure that contains the list of restricting SIDs in a restricted token.
TokenSessionId
The buffer receives a DWORD value that indicates the Terminal Services session identifier that is associated with the token.

If the token is associated with the terminal server client session, the session identifier is nonzero.

Windows Server 2003 and Windows XP:  If the token is associated with the terminal server console session, the session identifier is zero.

In a non-Terminal Services environment, the session identifier is zero.

If TokenSessionId is set with SetTokenInformation, the application must have the Act As Part Of the Operating System privilege, and the application must be enabled to set the session ID in a token.
TokenGroupsAndPrivileges
The buffer receives a TOKEN_GROUPS_AND_PRIVILEGES structure that contains the user SID, the group accounts, the restricted SIDs, and the authentication ID associated with the token.
TokenSessionReference
Reserved.
TokenSandBoxInert
The buffer receives a DWORD value that is nonzero if the token includes the SANDBOX_INERT flag.
TokenAuditPolicy
Reserved.
TokenOrigin
The buffer receives a TOKEN_ORIGIN value.

If the token resulted from a logon that used explicit credentials, such as passing a name, domain, and password to the LogonUser function, then the TOKEN_ORIGIN structure will contain the ID of the logon session that created it.

If the token resulted from network authentication, such as a call to AcceptSecurityContext or a call to LogonUser with dwLogonType set to LOGON32_LOGON_NETWORK or LOGON32_LOGON_NETWORK_CLEARTEXT, then this value will be zero.
TokenElevationType
The buffer receives a TOKEN_ELEVATION_TYPE value that specifies the elevation level of the token.
TokenLinkedToken
The buffer receives a TOKEN_LINKED_TOKEN structure that contains a handle to another token that is linked to this token.
TokenElevation
The buffer receives a TOKEN_ELEVATION structure that specifies whether the token is elevated.
TokenHasRestrictions
The buffer receives a DWORD value that is nonzero if the token has ever been filtered.
TokenAccessInformation
The buffer receives a TOKEN_ACCESS_INFORMATION structure that specifies security information contained in the token.
TokenVirtualizationAllowed
The buffer receives a DWORD value that is nonzero if virtualization is allowed for the token.
TokenVirtualizationEnabled
The buffer receives a DWORD value that is nonzero if virtualization is enabled for the token.
TokenIntegrityLevel
The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
TokenUIAccess
The buffer receives a DWORD value that is nonzero if the token has the UIAccess flag set.
TokenMandatoryPolicy
The buffer receives a TOKEN_MANDATORY_POLICY structure that specifies the token's mandatory integrity policy.
TokenLogonSid
The buffer receives a TOKEN_GROUPS structure that specifies the token's logon SID.
TokenIsAppContainer
The buffer receives a DWORD value that is nonzero if the token is an app container token. Any caller that checks TokenIsAppContainer and gets 0 back should also verify that the caller token is not an identity-level impersonation token. If the current token is not an app container but is an identity-level token, you should return AccessDenied.
TokenCapabilities
The buffer receives a TOKEN_GROUPS structure that contains the capabilities associated with the token.
TokenAppContainerSid
The buffer receives a TOKEN_APPCONTAINER_INFORMATION structure that contains the AppContainerSid associated with the token. If the token is not associated with an app container, the TokenAppContainer member of the TOKEN_APPCONTAINER_INFORMATION structure points to NULL.
TokenAppContainerNumber
The buffer receives a DWORD value that includes the app container number for the token. For tokens that are not app container tokens, this value is zero.
TokenUserClaimAttributes
The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the user claims associated with the token.
TokenDeviceClaimAttributes
The buffer receives a CLAIM_SECURITY_ATTRIBUTES_INFORMATION structure that contains the device claims associated with the token.
TokenRestrictedUserClaimAttributes
This value is reserved.
TokenRestrictedDeviceClaimAttributes
This value is reserved.
TokenDeviceGroups
The buffer receives a TOKEN_GROUPS structure that contains the device groups that are associated with the token.
TokenRestrictedDeviceGroups
The buffer receives a TOKEN_GROUPS structure that contains the restricted device groups that are associated with the token.
TokenSecurityAttributes
This value is reserved.
TokenIsRestricted
This value is reserved.
TokenProcessTrustLevel
TokenPrivateNameSpace
TokenSingletonAttributes
TokenBnoIsolation
TokenChildProcessFlags
TokenIsLessPrivilegedAppContainer
Refers to a Least Privileged AppContainer (LPAC). An LPAC is effectively an AppContainer that's disregarded by the ALL_APPLICATION_PACKAGES SID. For info about what an AppContainer is, see AppContainer for legacy apps.

Many resources across Windows are ACL'd with ALL_APPLICATION_PACKAGES, as described in DoNotAddAllApplicationPackagesToRestrictions. In scenarios where you want a process running with no rights to any resources except what you explicitly grant (for example, a web browser sandboxing a child worker process), an AppContainer has too much access to the system because of ALL_APPLICATION_PACKAGES. That's where an LPAC comes in. You can create an LPAC only imperatively via APIs, not declaratively via appxmanifest.xml.
MaxTokenInfoClass
The maximum value for this enumeration.
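
The TokenIsAppContainer guidance above, written out as an added example (not code from this reference page). The names classify_caller, classify_token and caller_class are hypothetical, and the non-Windows branch only mirrors the winnt.h enum values so the decision logic also builds off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build only: mirror of the winnt.h enum values (assumption for
   portability; on Windows the real definitions from winnt.h are used). */
typedef enum { TokenPrimary = 1, TokenImpersonation } TOKEN_TYPE;
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
#endif

/* Hypothetical result type for this example. */
typedef enum { CALLER_APPCONTAINER, CALLER_NOT_APPCONTAINER,
               CALLER_ACCESS_DENIED } caller_class;

/* Pure decision: a zero TokenIsAppContainer result is trusted only when the
   token is not an identity-level impersonation token. */
caller_class classify_caller(unsigned long is_app_container, TOKEN_TYPE type,
                             SECURITY_IMPERSONATION_LEVEL level)
{
    if (is_app_container != 0)
        return CALLER_APPCONTAINER;
    if (type == TokenImpersonation && level == SecurityIdentification)
        return CALLER_ACCESS_DENIED;   /* cannot vouch for "not an app container" */
    return CALLER_NOT_APPCONTAINER;
}

#ifdef _WIN32
/* Queries the three information classes on a token opened with TOKEN_QUERY and
   applies classify_caller. Any failed query is treated as a denial. */
caller_class classify_token(HANDLE token)
{
    DWORD is_ac = 0, len = 0;
    TOKEN_TYPE type = TokenPrimary;
    SECURITY_IMPERSONATION_LEVEL level = SecurityImpersonation;

    if (!GetTokenInformation(token, TokenIsAppContainer, &is_ac, sizeof is_ac, &len) ||
        !GetTokenInformation(token, TokenType, &type, sizeof type, &len))
        return CALLER_ACCESS_DENIED;
    /* TokenImpersonationLevel fails on a primary token, so query it only for
       impersonation tokens. */
    if (type == TokenImpersonation &&
        !GetTokenInformation(token, TokenImpersonationLevel, &level, sizeof level, &len))
        return CALLER_ACCESS_DENIED;
    return classify_caller(is_ac, type, level);
}
#endif
```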

Requirements

Requirement | Value
Minimum supported client | Windows XP [desktop apps only]
Minimum supported server | Windows Server 2003 [desktop apps only]
Header | winnt.h (include Windows.h)

See also

Access Control

Authorization Enumerations

GetTokenInformation

SECURITY_IMPERSONATION_LEVEL

SetTokenInformation

TOKEN_CONTROL

TOKEN_DEFAULT_DACL

TOKEN_DEVICE_CLAIMS

TOKEN_GROUPS

TOKEN_GROUPS_AND_PRIVILEGES

TOKEN_ORIGIN

TOKEN_OWNER

TOKEN_PRIMARY_GROUP

TOKEN_PRIVILEGES

TOKEN_SOURCE

TOKEN_STATISTICS

TOKEN_TYPE

TOKEN_USER

TOKEN_USER_CLAIMS