
Security

Access tokens, privileges, integrity, and how Windows decides who can do what.

In 30 seconds

Every access decision combines who you are (token), what the object allows (DACL), and optional policy (integrity, AppContainer, privileges).

You understand this if…

  • You can read a simple SDDL string (O, G, D, S prefixes).
  • You know when UAC filters an admin token vs elevates it.

Why it matters

Windows security internals show up everywhere: process creation, file access, services, UAC prompts, and many event log records.

Mental model

Security decisions in Windows are attached to identities and objects. Tokens describe who you are; descriptors describe what an object allows.

Schematic

Security access check: every access attempt is the point where token context meets object policy in kernel mode. Access token (SIDs, groups, privileges) → SRM (SeAccessCheck) → security descriptor (DACL / SACL) → Allow / Deny (+ optional audit via SACL).

Access token

The caller identity: user SIDs, groups, privileges, and integrity level. Every process and impersonating thread carries this context.

Windows building blocks

Names and paths you can look for in Task Manager, Explorer, or documentation.

  • Process: lsass.exe

    Local Security Authority host process

  • File: lsasrv.dll

    LSA server interfaces

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • Authorization combines token identity, object DACL/SACL, privileges, and integrity policy.
  • Audit records land in the Security event log when SACL auditing is configured.

How it works

  1. A token carries SIDs, privileges, and integrity context.
  2. Objects carry security descriptors describing allowed access.
  3. The kernel checks the relationship between token and object before granting access.

Key terms

SID
Security Identifier representing a user, group, or principal.
Privilege
A special capability inside a token that enables sensitive operations.
Integrity level
A mechanism used by Windows to restrict interactions across trust boundaries.

Why admin membership is not the whole story

A user can belong to Administrators yet still run with a filtered token until elevation happens.

Common misconception

Security is not only file permissions. Tokens, privileges, integrity, and object checks all matter together.

Guided exercise

Use this topic to move from theory into practice.

  1. Open the ACL & SDDL Lab and load a sample security descriptor.
  2. Read the parsed Owner, DACL, and ACE table; note Allow vs Deny trustees.
  3. Open the Access check simulator with the same mental model: token SIDs vs DACL order.
  4. On Windows, run icacls on a test file and compare the output to the SDDL samples.
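The lab steps above (parse an SDDL string, then walk the token's SIDs against the DACL in order) as an added worked example in Python; this is not the site's lab code or Windows' own implementation. It assumes a constructed subset of the well-known SID and rights aliases and a simplified token (enabled SIDs plus the deny-only SIDs UAC filtering leaves behind), and it leaves out owner-implied rights, privileges and the integrity check.

```python
import re

SID_ALIAS = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18", "AN": "S-1-5-7"}
RIGHT_CODES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116}  # constructed subsets of both tables

def parse_rights(text):
    """Rights field as concatenated two-letter codes ('FRFW'); hex masks are not handled here."""
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_CODES[text[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split on the O:/G:/D:/S: prefixes; ACEs stay in DACL order as (type, mask, sid)."""
    desc = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = part[0], part[2:]
        if key in "OG":
            desc["owner" if key == "O" else "group"] = SID_ALIAS.get(body, body)
        else:  # body = optional ACL flags such as PAI, then one (...) group per ACE
            aces = []
            for ace in re.findall(r"\(([^)]*)\)", body):
                ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")
                aces.append((ace_type, parse_rights(rights), SID_ALIAS.get(sid, sid)))
            desc["dacl" if key == "D" else "sacl"] = aces
    return desc

def access_check(token, dacl, desired):
    """Walk the DACL in order as the SRM does: a deny ACE for any token SID (enabled or deny-only)
    covering a still-ungranted bit fails; allows for enabled SIDs accumulate until all bits are granted."""
    granted = 0
    for ace_type, mask, sid in dacl:
        if ace_type == "D" and sid in token["enabled"] | token["deny_only"]:
            if mask & desired & ~granted:
                return False
        elif ace_type == "A" and sid in token["enabled"]:
            granted |= mask & desired
            if granted == desired:
                return True
    return False  # nothing matched; an empty DACL therefore denies everyone
# Constructed sample and tokens; in the UAC-filtered token, Administrators can match only deny ACEs.
SAMPLE_SDDL = "O:BAG:SYD:PAI(D;;FA;;;AN)(A;;FA;;;BA)(A;;FR;;;BU)"
ELEVATED_ADMIN = {"enabled": {"S-1-5-32-544", "S-1-5-32-545"}, "deny_only": set()}
FILTERED_ADMIN = {"enabled": {"S-1-5-32-545"}, "deny_only": {"S-1-5-32-544"}}

def demo():
    dacl = parse_sddl(SAMPLE_SDDL)["dacl"]
    return {"elevated_write": access_check(ELEVATED_ADMIN, dacl, RIGHT_CODES["FW"]),
            "filtered_write": access_check(FILTERED_ADMIN, dacl, RIGHT_CODES["FW"]),
            "filtered_read": access_check(FILTERED_ADMIN, dacl, RIGHT_CODES["FR"])}
```

Compare demo() with what the Access check simulator reports for the same descriptor: the filtered token can read but not write because the Administrators allow ACE no longer matches, which is exactly what "admin membership is not the whole story" means.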
