Guided path: Authentication path
Step 6 of 6
Access tokens
SIDs, privileges, impersonation, and the identity payload every process carries.
Related labs
Hands-on exercises for this area — in the browser or on a Windows machine.
ACL & SDDL Lab
Paste SDDL or pick samples, then see owner, DACL, SACL, and ACE meaning in plain language.
Access check simulator
Step through a simplified DACL vs token decision — same rules as the real algorithm, fewer edge cases.
Official Microsoft docs
Closest official references related to this topic on Microsoft Learn.
Why it matters
Tokens are the security identity of a running process or thread. If you understand tokens, many access and logging behaviors become much easier to explain.
Mental model
A token is the OS's answer to 'who is asking, and what are they allowed to do?'
Go one level deeper
Extra detail for readers who want more precision before opening a child topic.
- Primary vs impersonation tokens change which identity a thread uses for access checks: a thread that is impersonating is checked with the impersonation token, otherwise with its process's primary token.
- Restricted SIDs in a token can further limit granted access even when the DACL allows it: the access check runs twice, once against the token's normal SIDs and once against only the restricting SIDs, and both passes must grant the requested rights.
How it works
1. Processes are created with a primary token describing identity (user and group SIDs), privileges, and integrity level.
2. A thread can impersonate a client's token (for example an RPC or named-pipe server acting for its caller), but only up to the impersonation level the client permitted.
3. Access checks compare the caller's effective token (impersonation token if set, otherwise the primary token) against the object's security descriptor.
Key terms
- Primary token
- The token attached to a process as its main identity.
- Impersonation
- A thread temporarily acting under another security context.
A service accessing a network resource
The service may impersonate a client token to perform work on that user's behalf rather than under its own identity. Reaching a remote resource as the client requires the Delegation impersonation level; plain Impersonation only lets the service act as the client on the local system.
Common misconception
A token is not just a username. It contains the user SID, group SIDs, privileges, integrity level, logon session, restricted SIDs if any, and more.
Guided exercise
Use this topic to move from theory into practice.
1. In Access check simulator, map token presets to SIDs (BU, AU, BA, SY).
2. Relate each preset to what you see in Process Explorer or whoami /groups on Windows.
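The token-versus-DACL decision described under How it works, and the restricted-SID and impersonation points from Go one level deeper, as an added example that is not code from this site or its labs. It is a simplified model in the spirit of the Access check simulator: ACE ordering, owner rights, restricted SIDs and thread impersonation are kept; generic-right mapping, SACL auditing and privilege overrides (such as SeBackupPrivilege) are left out. The SID values and SDDL aliases are the documented well-known ones; the file descriptor and the account SID for "alice" are constructed for the demo.

```python
"""Toy model of the Windows access check: effective token vs. DACL.

Added example, not the site's own code. SID strings and SDDL aliases
are the real well-known values; everything else is a simplification.
"""
from dataclasses import dataclass, field
from typing import Optional

# Well-known SIDs by SDDL alias (the simulator's token presets).
SID = {
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "AU": "S-1-5-11",      # NT AUTHORITY\Authenticated Users
    "WD": "S-1-1-0",       # Everyone
    "RC": "S-1-5-12",      # NT AUTHORITY\RESTRICTED
}

# Access mask bits (a subset; real masks also carry generic rights).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000


@dataclass
class Token:
    user: str
    groups: set
    restricted: set = field(default_factory=set)  # non-empty => restricted token

    def sids(self) -> set:
        return {self.user} | self.groups


@dataclass
class Ace:
    allow: bool  # False = access-denied ACE
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list]  # None models a NULL DACL (object unprotected)


@dataclass
class Thread:
    primary: Token                          # the process token
    impersonation: Optional[Token] = None   # set while impersonating a client

    def effective_token(self) -> Token:
        return self.impersonation or self.primary


def _dacl_pass(sids: set, sd: SecurityDescriptor, desired: int) -> bool:
    """One walk over the DACL for one SID list; True if all of `desired` is granted."""
    remaining = desired
    if sd.owner in sids:                   # owner implicitly gets these two rights
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break                          # everything requested already granted
        if ace.sid not in sids:
            continue                       # ACE does not apply to this token
        if ace.allow:
            remaining &= ~ace.mask         # accumulate granted bits
        elif ace.mask & remaining:
            return False                   # deny ACE on a still-wanted right wins
    return remaining == 0


def access_check(thread: Thread, sd: SecurityDescriptor, desired: int) -> bool:
    """Simplified access check: effective token vs. descriptor for `desired` rights."""
    token = thread.effective_token()
    if sd.dacl is None:
        return True                        # NULL DACL: everyone gets everything
    if not _dacl_pass(token.sids(), sd, desired):
        return False
    # A restricted token must also pass using only its restricting SIDs.
    if token.restricted and not _dacl_pass(token.restricted, sd, desired):
        return False
    return True


# Constructed sample: a file owned by Administrators, ACEs in canonical order.
FILE_SD = SecurityDescriptor(
    owner=SID["BA"],
    dacl=[
        Ace(False, SID["BU"], WRITE),                  # (D;;W;;;BU)
        Ace(True, SID["BA"], READ | WRITE | EXECUTE),  # (A;;RWX;;;BA)
        Ace(True, SID["AU"], READ),                    # (A;;R;;;AU)
    ],
)
SYSTEM = Token(SID["SY"], {SID["BA"], SID["AU"], SID["WD"]})
ALICE = Token("S-1-5-21-1000-2000-3000-1001", {SID["BU"], SID["AU"], SID["WD"]})  # constructed SID
ALICE_SANDBOXED = Token(ALICE.user, ALICE.groups, restricted={SID["RC"]})


def demo() -> dict:
    service = Thread(primary=SYSTEM)
    results = {
        "system_write": access_check(service, FILE_SD, WRITE),
        "alice_read": access_check(Thread(ALICE), FILE_SD, READ),
        "alice_write": access_check(Thread(ALICE), FILE_SD, WRITE),
        # DACL allows AU to read, but the restricted pass finds no matching ACE.
        "sandboxed_read": access_check(Thread(ALICE_SANDBOXED), FILE_SD, READ),
    }
    service.impersonation = ALICE          # service now acts as its client
    results["service_as_alice_write"] = access_check(service, FILE_SD, WRITE)
    service.impersonation = None           # revert to the primary token
    results["service_write_again"] = access_check(service, FILE_SD, WRITE)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
```

Run it and compare each line with the simulator: the sandboxed read is denied although the DACL grants Authenticated Users read, and the same service thread is denied write while impersonating alice but allowed once it drops back to its SYSTEM primary token.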
You should read next
Ranked from your current topic, related links, branch depth, and any active guided path.
intermediate
LSASS, SAM, and local security policy
The protected security process and data stores behind local accounts and policy decisions.
Related topic
expert
Access checks & Security Reference Monitor
How Windows actually decides allow/deny using tokens, descriptors, and SRM routines.
Natural next depth in this branch
beginner
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Related topic
Related topics
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Providers & channels
Who emits events and where those records are routed inside Windows logging.
LSASS, SAM, and local security policy
The protected security process and data stores behind local accounts and policy decisions.