Access Token

In Microsoft Windows operating systems, an access token contains the security information for a login session and identifies the user, the user’s groups, and the user’s privileges.
An access token is an object encapsulating the security descriptor of a process. Attached to a process, a security descriptor identifies the owner of the object (in this case, the process) and the ACLs that specify the access rights allowed or denied to the owner of the object. While a token is used to represent only the security information, it is technically free-form and can enclose any data. Windows uses the access token when the process or thread tries to interact with objects whose security descriptors enforce access control (securable objects).
The access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database. The token specifies the rights the user has in the security descriptor it encloses. The token is attached to every process created by the user session (processes whose owner is the user). Whenever such a process accesses a resource that has access control enabled, Windows checks the security descriptor in the access token to determine whether the user owning the process is eligible to access the data and, if so, which operations (read, write/modify, etc.) the user is allowed to perform. If the operation is allowed in the context of the user, Windows lets the process continue with it; otherwise access is denied.
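The check described above can be sketched as a simplified model of how the SIDs in a token are compared, in order, against the allow and deny entries of a securable object's ACL. This is an added example, not Windows code and not part of the original page. Assumptions: the user and `CONTRACTORS` SIDs are constructed, and privileges, owner rights and inherited ACEs are left out.

```python
from dataclasses import dataclass

FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x00010000  # winnt.h access-mask bits

@dataclass(frozen=True)
class Token:
    user: str             # user SID
    groups: frozenset     # SIDs of the groups the user belongs to

@dataclass(frozen=True)
class Ace:
    allow: bool           # True = access-allowed ACE, False = access-denied ACE
    sid: str              # trustee the ACE applies to
    mask: int             # access rights the ACE allows or denies

def access_check(token, dacl, desired):
    """Return True only if every right in `desired` is granted to the token."""
    if dacl is None:                  # NULL DACL: no access control on the object
        return True
    sids = {token.user} | token.groups
    remaining = desired               # rights still waiting for an allow ACE
    for ace in dacl:                  # ACEs are evaluated in stored order
        if ace.sid not in sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False              # denied a right that was not granted yet
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True           # all requested rights granted, stop here
    return False                      # DACL exhausted (or empty): implicit deny

# Constructed sample data: well-known group SIDs, made-up user and custom-group SIDs.
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"
CONTRACTORS = "S-1-5-21-1111-2222-3333-2001"
ALICE = Token("S-1-5-21-1111-2222-3333-1001", frozenset({USERS}))
BOB = Token("S-1-5-21-1111-2222-3333-1002", frozenset({USERS, CONTRACTORS}))
DACL = [                              # canonical order: deny ACEs before allow ACEs
    Ace(False, CONTRACTORS, FILE_WRITE_DATA),
    Ace(True, USERS, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace(True, ADMINS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
]

if __name__ == "__main__":
    for name, tok in (("alice", ALICE), ("bob", BOB)):
        for label, right in (("read", FILE_READ_DATA), ("write", FILE_WRITE_DATA), ("delete", DELETE)):
            print(name, label, "granted" if access_check(tok, DACL, right) else "denied")
```

Because evaluation stops at the first decisive entry, the same ACEs stored with the allow entry ahead of the deny entry would grant `BOB` write access, which is why an ACL with deny entries out of order is worth flagging in a permissions review.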