Tokens
A token is the kernel object that carries an identity into every system call. Every thread always has one. This page is the map for what a token contains, where it comes from, and how it moves through a process's lifetime.
Concept: Tokens are classified along several orthogonal axes — primary vs impersonation, impersonation level, restricted or not, elevation pair. This page covers each axis and walks through the token's fields grouped by purpose.
Concept: A token's life starts when authd or peinit mints it and ends when its last reference is released. Between those two points it moves through fork, exec, impersonation, and adjustment. This page walks through every transition.
Concept: A restricted token is a token that carries a second identity list (the restricting list) alongside its primary one. AccessCheck runs once against each list and grants only the rights that both passes grant, so the restricting list can only narrow what the token reaches, never widen it. A write-restricted token applies the second pass only to write rights; read and other non-write rights are decided by the primary list alone. This page covers both — the model, the creation path, and the typical patterns.
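The two-pass check described above, as an added example that is not part of the original page or the system it documents: a small Python model in which access_check evaluates an ACL once against the primary identity list and once against the restricting list, returning the intersection for a restricted token and intersecting only the write right for a write-restricted one. The right bits, the ACE layout, the identity names and the sample ACL are constructed for the illustration and are not the kernel's real structures.

```python
from __future__ import annotations
from dataclasses import dataclass

# Right bits for the toy object model (constructed for this example).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALL_RIGHTS = READ | WRITE | EXECUTE
WRITE_RIGHTS = WRITE  # assumption: WRITE is the only "write" right in this model


@dataclass(frozen=True)
class Ace:
    allow: bool      # True = access-allowed entry, False = access-denied entry
    principal: str   # identity this entry applies to
    rights: int      # bitmask of rights the entry grants or denies


@dataclass(frozen=True)
class Token:
    identities: frozenset[str]          # primary identity list: user plus groups
    restricting: frozenset[str] | None  # secondary list; None = not restricted
    write_only: bool = False            # True = write-restricted token


def check_once(identities: frozenset[str], acl: list[Ace], wanted: int) -> int:
    """One access-check pass: walk the ACL in order, first match per right wins.

    Returns the subset of `wanted` that this identity list is granted
    (maximum-allowed style) rather than a yes/no on a fixed request.
    """
    granted = 0
    denied = 0
    for ace in acl:
        if ace.principal not in identities:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied   # a deny seen earlier sticks
        else:
            denied |= ace.rights
    return granted & wanted


def access_check(token: Token, acl: list[Ace], wanted: int = ALL_RIGHTS) -> int:
    """Two-pass check for restricted tokens; single pass for unrestricted ones."""
    primary = check_once(token.identities, acl, wanted)
    if token.restricting is None:
        return primary
    secondary = check_once(token.restricting, acl, wanted)
    if token.write_only:
        # Write-restricted: non-write rights come from the primary pass alone;
        # write rights must be granted by both passes.
        return (primary & ~WRITE_RIGHTS) | (primary & secondary & WRITE_RIGHTS)
    # Fully restricted: every right must be granted by both passes.
    return primary & secondary


# Constructed sample ACL for one object: alice owns it, Users may read it,
# Guests are explicitly denied writes and executes.
DOC_ACL = [
    Ace(allow=False, principal="Guests", rights=WRITE | EXECUTE),
    Ace(allow=True, principal="alice", rights=ALL_RIGHTS),
    Ace(allow=True, principal="Users", rights=READ),
]

ALICE = frozenset({"alice", "Users"})

UNRESTRICTED = Token(ALICE, None)
RESTRICTED_TO_USERS = Token(ALICE, frozenset({"Users"}))
WRITE_RESTRICTED_TO_USERS = Token(ALICE, frozenset({"Users"}), write_only=True)
# Restricting list names an identity that appears in no ACE on this object.
RESTRICTED_TO_SANDBOX = Token(ALICE, frozenset({"Sandbox"}))


def demo() -> dict[str, int]:
    """Run the four sample tokens against DOC_ACL; returns name -> granted bits."""
    return {
        "unrestricted": access_check(UNRESTRICTED, DOC_ACL),
        "restricted to Users": access_check(RESTRICTED_TO_USERS, DOC_ACL),
        "write-restricted to Users": access_check(WRITE_RESTRICTED_TO_USERS, DOC_ACL),
        "restricted to Sandbox": access_check(RESTRICTED_TO_SANDBOX, DOC_ACL),
    }


if __name__ == "__main__":
    for name, rights in demo().items():
        print(f"{name:28s} -> {rights:03b}")
```

The last case is the one to notice: a restricting identity that no ACE on the object names reaches nothing there, whereas the write-restricted variant still reads and executes because only the write pass is intersected. That is why the usual pattern is to add an explicit allow for the restricting identity on exactly the resources the sandboxed code is meant to touch.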
Concept: Some principals carry two tokens at once — a non-elevated Limited token and an elevated Full token — linked at the logon session so the system can switch between them on request. This page covers the model, the syscalls, and the privilege rules.
Reference: token is the command-line tool for inspecting and manipulating tokens directly — reading a token's contents, adjusting it, duplicating and restricting it, and driving impersonation.