User Account Control and Split Tokens.


QUICK QUESTION - I am a member of the local administrators group on a Windows Vista Machine. How can I check whether a process launched under my context is running under UAC or running elevated?


  1. Launch the debugger elevated (attaching to another process needs SeDebugPrivilege, which only the elevated token holds).
  2. Attach to the process and set up symbols.
  3. Dump the process token with !token -n and check whether the group SID S-1-5-32-544 (BUILTIN\Administrators) carries the DenyOnly attribute.
  4. If it does, the process is running with the UAC filtered (non-elevated) token: a deny-only SID can only match deny ACEs in an ACL, so it grants nothing. Otherwise the process is running elevated.

0:001> !token -n
Thread is not impersonating. Using process token...
TS Session ID: 0x2
User: S-1-5-21-397955417-626881126-188441444-3417686 (User: DOMAIN\mithuns)
 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-21-2509036279-1584907351-1836241972-1001 (Alias: MITHUNS7\Debugger Users)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - DenyOnly
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled




QUICK QUESTION – When people talk about UAC, I often hear the term “split token”. What exactly is it?

QUICK ANSWER - When a member of the Administrators group logs on with UAC enabled, the system creates two linked tokens for the logon session: the full (elevated) token, and a filtered token in which the Administrators SID is marked deny-only and most privileges are removed outright. Processes normally run with the filtered token; only elevated processes get the full one. Because the removed privileges are absent from the filtered token rather than merely disabled, AdjustTokenPrivileges() cannot enable them. Compare the two privilege lists below -


Token for elevated process

 00 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 01 0x000000008 SeSecurityPrivilege               Attributes -
 02 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 03 0x00000000a SeLoadDriverPrivilege             Attributes -
 04 0x00000000b SeSystemProfilePrivilege          Attributes -
 05 0x00000000c SeSystemtimePrivilege             Attributes -
 06 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 07 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 08 0x00000000f SeCreatePagefilePrivilege         Attributes -
 09 0x000000011 SeBackupPrivilege                 Attributes -
 10 0x000000012 SeRestorePrivilege                Attributes -
 11 0x000000013 SeShutdownPrivilege               Attributes -
 12 0x000000014 SeDebugPrivilege                  Attributes -
 13 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 14 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 15 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 16 0x000000019 SeUndockPrivilege                 Attributes -
 17 0x00000001c SeManageVolumePrivilege           Attributes -
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 19 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 20 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 21 0x000000022 SeTimeZonePrivilege               Attributes -
 22 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -

"SPLIT" token for process under UAC

 00 0x000000013 SeShutdownPrivilege               Attributes -
 01 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 02 0x000000019 SeUndockPrivilege                 Attributes -
 03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 04 0x000000022 SeTimeZonePrivilege               Attributes -

Every privilege that appears in the first list but not in the second has been removed from the filtered token. Note that SeDebugPrivilege is among them, which is why the debugger itself must be launched elevated.
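Both checks on this page (the deny-only Administrators SID from the first answer and the privilege comparison from this one) can be applied to saved debugger output. The following Python is an added example, not code from the original post or from any Microsoft tool: it parses the group and privilege listings printed by `!token -n` into dictionaries, applies the page's DenyOnly rule, and lists the privileges the filtered token has lost. The filtered-token group dump is constructed from the output shown above; the elevated-token dump is an assumption of what the same logon's full token looks like (the Administrators entry carrying `Mandatory Default Enabled Owner`), and both privilege lists are abridged from the page's tables.

```python
import re
from typing import Dict, List, Set

# Constructed samples modelled on the "!token -n" output shown on this page.
# The elevated group list is an assumption (Administrators with its normal
# attributes instead of DenyOnly); the privilege lists are abridged.
FILTERED_TOKEN_GROUPS = r"""
 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - DenyOnly
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
"""
ELEVATED_TOKEN_GROUPS = r"""
 00 S-1-5-21-397955417-626881126-188441444-513 (Group: DOMAIN\Domain Users)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
"""
ELEVATED_TOKEN_PRIVS = """
 09 0x000000011 SeBackupPrivilege                 Attributes -
 10 0x000000012 SeRestorePrivilege                Attributes -
 11 0x000000013 SeShutdownPrivilege               Attributes -
 12 0x000000014 SeDebugPrivilege                  Attributes -
 14 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 16 0x000000019 SeUndockPrivilege                 Attributes -
 18 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 20 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 21 0x000000022 SeTimeZonePrivilege               Attributes -
"""
FILTERED_TOKEN_PRIVS = """
 00 0x000000013 SeShutdownPrivilege               Attributes -
 01 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 02 0x000000019 SeUndockPrivilege                 Attributes -
 03 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 04 0x000000022 SeTimeZonePrivilege               Attributes -
"""

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators

# "NN S-1-... (Type: Name)" followed by an "Attributes - ..." line
GROUP_RE = re.compile(r"^\s*\d+\s+(S-1-[\d-]+)\s+\(([^)]*)\)\s*$")
ATTR_RE = re.compile(r"^\s*Attributes\s*-\s*(.*?)\s*$")
# "NN 0xLUID SeXxxPrivilege   Attributes - [flags]"
PRIV_RE = re.compile(r"^\s*\d+\s+0x[0-9a-fA-F]+\s+(Se\w+)\s+Attributes\s*-\s*(.*?)\s*$")


def parse_groups(dump: str) -> Dict[str, Set[str]]:
    """Map each group SID in a !token group dump to its attribute flags."""
    groups: Dict[str, Set[str]] = {}
    sid = None
    for line in dump.splitlines():
        m = GROUP_RE.match(line)
        if m:
            sid = m.group(1)
            groups[sid] = set()
            continue
        m = ATTR_RE.match(line)
        if m and sid is not None:
            groups[sid] = set(m.group(1).split())
            sid = None
    return groups


def parse_privileges(dump: str) -> Dict[str, Set[str]]:
    """Map each privilege name in a !token privilege dump to its attribute flags."""
    return {m.group(1): set(m.group(2).split())
            for m in (PRIV_RE.match(l) for l in dump.splitlines()) if m}


def classify_token(groups: Dict[str, Set[str]]) -> str:
    """The page's rule: Administrators marked DenyOnly means a UAC filtered token."""
    attrs = groups.get(ADMINISTRATORS_SID)
    if attrs is None:
        return "not an administrator"   # SID not in the token at all
    if "DenyOnly" in attrs:
        return "filtered"               # SID can only match deny ACEs
    return "elevated"


def missing_privileges(full: Dict[str, Set[str]], filtered: Dict[str, Set[str]]) -> List[str]:
    """Privileges held by the full token but stripped from the filtered one."""
    return sorted(set(full) - set(filtered))


def can_be_enabled(privs: Dict[str, Set[str]], name: str) -> bool:
    """AdjustTokenPrivileges can only turn on a privilege the token still holds."""
    return name in privs


if __name__ == "__main__":
    print("filtered dump:", classify_token(parse_groups(FILTERED_TOKEN_GROUPS)))
    print("elevated dump:", classify_token(parse_groups(ELEVATED_TOKEN_GROUPS)))
    full, filt = parse_privileges(ELEVATED_TOKEN_PRIVS), parse_privileges(FILTERED_TOKEN_PRIVS)
    print("stripped by UAC:", ", ".join(missing_privileges(full, filt)))
    print("SeDebugPrivilege enable-able in filtered token:", can_be_enabled(filt, "SeDebugPrivilege"))
```

Paste the group and privilege sections of a real `!token -n` dump into the two string constants to classify a token from your own session; the regular expressions only rely on the column layout shown on this page.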

Comments (1)

  1. Thottams says:

    Great posts Mithun. I enjoyed reading them and they are very informative as well.

