What's "Replace a process level token" for anyway?

Let me start by saying I know next to zero about Windows. My understanding is that processes in Windows get their privileges from a process-level token, which normally would identify the user who started the process, but may differ as is common for system tasks, correct? This is somewhat akin to Linux processes having real and effective user and group IDs (it may not be appropriate to make analogies to Linux, but it's all I know). Also, as far as I know, a user can run a process as another user using runas.exe (similar to sudo in Linux). And of course they'll be prompted for the credentials of the user they want to run the process as, and as long as they know the credentials no special permissions are needed, correct?

Now, there is a user right called "Replace a process level token", which according to the docs:

Users with the Replace a process level token user right can start processes as another user if they know the user’s credentials.

Emphasis above is mine. So my question is: if someone knows the credentials for a given user, they can always run a process as them (either using runas.exe or just by logging in as them). What's the purpose of the "Replace a process level token" user right, and what's the security impact of it?
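Since the question concerns which accounts hold the "Replace a process level token" user right, the following PowerShell script is an added example (not part of the original question or any answer) that audits the local machine for it. The right's constant name is SeAssignPrimaryTokenPrivilege; by default only LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hold it, so any other holder is worth reviewing. The script exports the local security policy with secedit and parses the [Privilege Rights] section; the temporary file path is an assumption of this example.

```powershell
# Added example (not from the original question): list the accounts that hold the
# "Replace a process level token" user right (constant name SeAssignPrimaryTokenPrivilege)
# on the local machine, by exporting the local security policy with secedit and
# parsing the [Privilege Rights] section. Run from an elevated PowerShell prompt.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes the privilege line as, for example:
#   SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
# where each entry is a SID prefixed with '*' (or occasionally a plain account name).
$line = Get-Content $cfg | Where-Object { $_ -match '^SeAssignPrimaryTokenPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeAssignPrimaryTokenPrivilege is not assigned to any account on this machine.'
    return
}

$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # Translate the SID to an account name; keep the raw SID if translation fails
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID)'
        }
        [PSCustomObject]@{ Sid = $sid.Value; Account = $name }
    } else {
        # Entry was stored as an account name rather than a SID
        [PSCustomObject]@{ Sid = $null; Account = $entry }
    }
}
```

On a default installation the output lists only the two built-in service accounts. Additional holders are typically service accounts that need to launch processes under other identities; each one should be traceable to a documented requirement, because the right allows a process to attach a token it already holds to a new process rather than relying on an interactive runas.exe prompt.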
