{
	"id": "026bfa75-79f4-4c7f-8d72-345c32c00df9",
	"created_at": "2026-04-06T00:14:25.128402Z",
	"updated_at": "2026-04-10T03:22:02.391308Z",
	"deleted_at": null,
	"sha1_hash": "e125ac0e684bf2cc37041ac859a1da8b01908282",
	"title": "DuplicateTokenEx function (securitybaseapi.h) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68288,
	"plain_text": "DuplicateTokenEx function (securitybaseapi.h) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-05 19:58:08 UTC\r\nThe DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can\r\ncreate either a primary token or an impersonation token.\r\nSyntax\r\nBOOL DuplicateTokenEx(\r\n [in] HANDLE hExistingToken,\r\n [in] DWORD dwDesiredAccess,\r\n [in, optional] LPSECURITY_ATTRIBUTES lpTokenAttributes,\r\n [in] SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,\r\n [in] TOKEN_TYPE TokenType,\r\n [out] PHANDLE phNewToken\r\n);\r\nParameters\r\n[in] hExistingToken\r\nA handle to an access token opened with TOKEN_DUPLICATE access.\r\n[in] dwDesiredAccess\r\nSpecifies the requested access rights for the new token. The DuplicateTokenEx function compares the requested\r\naccess rights with the existing token's discretionary access control list (DACL) to determine which rights are\r\ngranted or denied. To request the same access rights as the existing token, specify zero. To request all access rights\r\nthat are valid for the caller, specify MAXIMUM_ALLOWED.\r\nFor a list of access rights for access tokens, see Access Rights for Access-Token Objects.\r\n[in, optional] lpTokenAttributes\r\nA pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor for the new token and\r\ndetermines whether child processes can inherit the token. If lpTokenAttributes is NULL, the token gets a default\r\nsecurity descriptor and the handle cannot be inherited. If the security descriptor contains a system access control\r\nlist (SACL), the token gets ACCESS_SYSTEM_SECURITY access right, even if it was not requested in\r\ndwDesiredAccess.\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\r\nPage 1 of 3\n\nTo set the owner in the security descriptor for the new token, the caller's process token must have the\r\nSE_RESTORE_NAME privilege set.\r\n[in] ImpersonationLevel\r\nSpecifies a value from the SECURITY_IMPERSONATION_LEVEL enumeration that indicates the\r\nimpersonation level of the new token.\r\n[in] TokenType\r\nSpecifies one of the following values from the TOKEN_TYPE enumeration.\r\nValue Meaning\r\nTokenPrimary\r\nThe new token is a primary token that you can use in the CreateProcessAsUser\r\nfunction.\r\nTokenImpersonation The new token is an impersonation token.\r\n[out] phNewToken\r\nA pointer to a HANDLE variable that receives the new token.\r\nWhen you have finished using the new token, call the CloseHandle function to close the token handle.\r\nReturn value\r\nIf the function succeeds, the function returns a nonzero value.\r\nIf the function fails, it returns zero. To get extended error information, call GetLastError.\r\nThe DuplicateTokenEx function allows you to create a primary token that you can use in the\r\nCreateProcessAsUser function. This allows a server application that is impersonating a client to create a process\r\nthat has the security context of the client. Note that the DuplicateToken function can create only impersonation\r\ntokens, which are not valid for CreateProcessAsUser.\r\nThe following is a typical scenario for using DuplicateTokenEx to create a primary token. A server application\r\ncreates a thread that calls one of the impersonation functions, such as ImpersonateNamedPipeClient, to\r\nimpersonate a client. The impersonating thread then calls the OpenThreadToken function to get its own token,\r\nwhich is an impersonation token that has the security context of the client. The thread specifies this impersonation\r\ntoken in a call to DuplicateTokenEx, specifying the TokenPrimary flag. The DuplicateTokenEx function creates\r\na primary token that has the security context of the client.\r\nRequirements\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\r\nPage 2 of 3\n\nRequirement Value\r\nMinimum supported client Windows XP [desktop apps | UWP apps]\r\nMinimum supported server Windows Server 2003 [desktop apps | UWP apps]\r\nTarget Platform Windows\r\nHeader securitybaseapi.h (include Windows.h)\r\nLibrary Advapi32.lib\r\nDLL Advapi32.dll\r\nSee also\r\nAccess Control\r\nBasic Access Control Functions\r\nCloseHandle\r\nCreateProcessAsUser\r\nDdeImpersonateClient\r\nDuplicateToken\r\nImpersonateNamedPipeClient\r\nOpenThreadToken\r\nRevertToSelf\r\nRpcImpersonateClient\r\nSECURITY_ATTRIBUTES\r\nSECURITY_IMPERSONATION_LEVEL\r\nSource: https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\r\nhttps://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx"
	],
	"report_names": [
		"aa446617(v=vs.85).aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e125ac0e684bf2cc37041ac859a1da8b01908282.pdf",
		"text": "https://archive.orkl.eu/e125ac0e684bf2cc37041ac859a1da8b01908282.txt",
		"img": "https://archive.orkl.eu/e125ac0e684bf2cc37041ac859a1da8b01908282.jpg"
	}
}