Windows Internals
intermediate

Privileges (Se*)

Special capabilities in a token beyond normal DACL rights.

Related labs

Hands-on exercises for this area — in the browser or on a Windows machine.

ACL & SDDL Lab

Paste SDDL or pick samples, then see owner, DACL, SACL, and ACE meaning in plain language.

Open lab
View all labs

Guided paths in this branch

Follow a short sequence step by step. Each path links to the first topic; use Read next on each page to continue.

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Privileges

learn.microsoft.com

Microsoft Learn

AdjustTokenPrivileges function

learn.microsoft.com

Why it matters

Some operations bypass or augment DACLs because the token holds SeDebugPrivilege, SeBackupPrivilege, and similar rights.

Mental model

DACLs gate access to objects; privileges gate sensitive global operations. Both live in the access token.

How it works

  1. 1Privileges are represented in the token and may be enabled or disabled per thread.
  2. 2Sensitive APIs check for specific Se* privileges before proceeding.
  3. 3UAC and group policy influence which privileges are granted at logon.

Key terms

SeDebugPrivilege
Allows debugging and opening handles to processes you might not otherwise access.
Privilege enablement
A privilege must often be enabled on the thread before use.

Attaching a debugger to another user's process

Debug privileges can allow handle access that the target process DACL alone would deny.

Common misconception

Administrators do not automatically have every privilege enabled. Many must be explicitly enabled per thread.

You should read next

Ranked from your current topic, related links, branch depth, and any active guided path.

expert

Access checks & Security Reference Monitor

How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.

Related topic

intermediate

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Related topic

beginner

Processes & threads

How Windows represents work, isolates applications, and schedules execution.

Related topic

Related topics

Access tokens

SIDs, privileges, impersonation, and the identity payload every process carries.

Access checks & Security Reference Monitor

How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.

Processes & threads

How Windows represents work, isolates applications, and schedules execution.

Previous

UAC, integrity levels, and secure desktop

Why elevation prompts exist, what filtered tokens are, and how MIC constrains writes.

Next

AppContainers & capabilities

Modern app isolation using AppContainer SIDs and capability grants.