Access Tokens and Threads

Robert Shearman rob at
Wed Nov 3 16:02:42 CST 2004

Elad Lahav wrote:

>I've been looking into the annoying "Set ThreadImpersonationToken handle" 
>messages. In order to fix this issue, I need to know a few things:
>1. Does Wine maintain access tokens at all? It seems that most of the relevant 
>functions (e.g., NtQueryInformationThread and NtSetInformationThread) simply 
>ignore it.
No, Wine currently ignores thread tokens. It should store them as an 
attribute of the thread in wineserver. Some tests need to be performed 
to figure out whether the access checks for the token are carried out in 
NtSetInformationThread or whether they are carried out on a 
syscall-by-syscall basis.

>2. It looks like the thread's token is a part of the so-called "security 
>descriptor" member of the thread's SECURITY_ATTRIBUTES structure. 
Not really. The SECURITY_ATTRIBUTES lpSecurityDescriptor member contains 
the owner and the access control lists that specify who has access to 
that handle (as with most other objects through the OBJECT_ATTRIBUTES 

>Does anyone 
>know what structure this descriptor points to?

If I understand you correctly I think it is SECURITY_DESCRIPTOR. It is 
documented here:


More information about the wine-devel mailing list