{
	"id": "abb9cea8-c5c1-435d-8f8c-39a50e4e92a2",
	"created_at": "2026-04-06T00:18:31.919944Z",
	"updated_at": "2026-04-10T13:13:08.144037Z",
	"deleted_at": null,
	"sha1_hash": "6339408249345f0cad9e591734813569d3f89408",
	"title": "Replace a process level token - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46068,
	"plain_text": "Replace a process level token - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 14:27:29 UTC\r\nApplies to\r\nWindows 11\r\nWindows 10\r\nDescribes the best practices, location, values, policy management, and security considerations for the Replace a\r\nprocess level token security policy setting.\r\nReference\r\nThis policy setting determines which parent processes can replace the access token that is associated with a child\r\nprocess.\r\nSpecifically, the Replace a process level token setting determines which user accounts can call the\r\nCreateProcessAsUser() application programming interface (API) so that one service can start another. An example\r\nof a process that uses this user right is Task Scheduler, where the user right is extended to any processes that can\r\nbe managed by Task Scheduler.\r\nAn access token is an object that describes the security context of a process or thread. The information in a token\r\nincludes the identity and privileges of the user account that is associated with the process or thread. 
With this user\r\nright, every child process that runs on behalf of this user account would have its access token replaced with the\r\nprocess level token.\r\nConstant: SeAssignPrimaryTokenPrivilege\r\nPossible values\r\nUser-defined list of accounts\r\nDefaults\r\nNot defined\r\nBest practices\r\nFor member servers, ensure that only the Local Service and Network Service accounts have the Replace a\r\nprocess level token user right.\r\nhttps://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token\r\nPage 1 of 3\n\nLocation\r\nComputer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment\r\nDefault values\r\nBy default this setting is Network Service and Local Service on domain controllers and on stand-alone servers.\r\nThe following table lists the actual and effective default policy values for the most recent supported versions of\r\nWindows. Default values are also listed on the policy’s property page.\r\nServer type or GPO Default value\r\nDefault Domain Policy Not defined\r\nDefault Domain Controller Policy\r\nNetwork Service\r\nLocal Service\r\nStand-Alone Server Default Settings\r\nNetwork Service\r\nLocal Service\r\nDomain Controller Effective Default Settings\r\nNetwork Service\r\nLocal Service\r\nMember Server Effective Default Settings\r\nNetwork Service\r\nLocal Service\r\nClient Computer Effective Default Settings\r\nNetwork Service\r\nLocal Service\r\nPolicy management\r\nThis section describes features, tools, and guidance to help you manage this policy.\r\nA restart of the device is not required for this policy setting to be effective.\r\nAny change to the user rights assignment for an account becomes effective the next time the owner of the account\r\nlogs on.\r\nGroup Policy\r\nSettings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on\r\nthe local computer at the next Group Policy update:\r\n1. 
Local policy settings\r\n2. Site policy settings\r\n3. Domain policy settings\r\n4. OU policy settings\r\nWhen a local setting is greyed out, it indicates that a GPO currently controls that setting.\r\nSecurity considerations\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nVulnerability\r\nUsers with the Replace a process level token user right can start processes as another user if they know the user’s\r\ncredentials.\r\nCountermeasure\r\nFor member servers, ensure that only the Local Service and Network Service accounts have the Replace a\r\nprocess level token user right.\r\nPotential impact\r\nOn most computers, restricting the Replace a process level token user right to the Local Service and the Network\r\nService built-in accounts is the default configuration, and there is no negative impact. However, if you have\r\ninstalled optional components such as ASP.NET or IIS, you may need to assign the Replace a process level token\r\nuser right to additional accounts. For example, IIS requires that the Service, Network Service, and\r\nIWAM_\u003cComputerName\u003e accounts be explicitly granted this user right.\r\nUser Rights Assignment\r\nSource: https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
	],
	"report_names": [
		"replace-a-process-level-token"
	],
	"threat_actors": [],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6339408249345f0cad9e591734813569d3f89408.pdf",
		"text": "https://archive.orkl.eu/6339408249345f0cad9e591734813569d3f89408.txt",
		"img": "https://archive.orkl.eu/6339408249345f0cad9e591734813569d3f89408.jpg"
	}
}