You can find samples from Google, like
SeCreateTokenPrivilege.cpp
But I get STATUS_PRIVILEGE_NOT_HELD as Admin on Windows 10
(cannot enable SE_CREATE_TOKEN_NAME privilege)
NtCreateToken example for creating elevated token without user password
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 32%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bala Smart
51
Reputation points
Hi,
I need elevated token for user, So i can achieve this by using NtCreateToken undocumented API. I'm not able to find any examples to call NtCreateToken.
If anybody knowing usage of [NtCreateToken][1], help me!!!!!!
Developer technologies | C++
{count} votes
-
RLWA32 50,576 Reputation points2021-06-15T16:05:26.607+00:00 Have you considered doing what Task Scheduler does when it doesn't save a password for a scheduled task?
-
Bala Smart 51 Reputation points
2021-06-15T17:21:49.507+00:00 To create scheduler task with Run with highest privilege, We need users password.
My aim is to create elevated token without using users password
-
RLWA32 50,576 Reputation points
2021-06-15T17:26:16.847+00:00 The scheduler can create a process for a user without having the user's password.
Anyway, I'm not suggesting that you use the task scheduler. Only that you can do the same thing that it does to logon a user without a password. -
Bala Smart 51 Reputation points
2021-06-17T11:00:34.987+00:00 To create scheduler task
Run with highest privilege
we need user's password -
RLWA32 50,576 Reputation points
2021-06-17T11:04:29.467+00:00 I suggest you re-read the comment to which you are responding. I didn't suggest that you create a scheduled task.
Sign in to comment
3 answers
Sort by: Most helpful
-
Castorix31 91,066 Reputation points2021-06-15T14:04:54.96+00:00 -
Bala Smart 51 Reputation points
2021-06-15T15:51:45.203+00:00 I am also getting 1314 (A required privilege is not held by the client), Event i'm starting process as System account.
-
Bala Smart 51 Reputation points
2021-06-20T06:17:30.083+00:00 You have to enable SeCreateTokenPrivilege in your token in order to call NtCreateToken API @Castorix31
Sign in to comment -
-
RLWA32 50,576 Reputation points
2021-06-17T22:29:36.047+00:00 Well, it can be done. Here's a standard user - Bozo with an elevated Administrator command prompt running.
-
Bala Smart 51 Reputation points
2021-06-20T06:14:59.84+00:00 I am able to create token by using NtCreateToken, But when i run process by using CreateProcessAsUser API
Getting Access denied error
Following this project
-
Bala Smart 51 Reputation points
2021-06-27T17:16:35.673+00:00 Hi @RLWA32
Do you have source code of NtCreateToken API?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 0%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
杨 承浩睿 0 Reputation points2025-08-24T13:14:52.8766667+00:00 #include <Windows.h>#include <winternl.h>
#include <sddl.h>
#include <iostream>
#include <vector>
#pragma comment(lib, "advapi32.lib")
// 来自 ntdll.dll 的 NtCreateToken 声明
extern "C" NTSTATUS NTAPI NtCreateToken(
PHANDLE TokenHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, TOKEN_TYPE TokenType, PLUID AuthenticationId, PLARGE_INTEGER ExpirationTime, PTOKEN_USER TokenUser, PTOKEN_GROUPS TokenGroups, PTOKEN_PRIVILEGES TokenPrivileges, PTOKEN_OWNER Owner, PTOKEN_PRIMARY_GROUP PrimaryGroup, PTOKEN_DEFAULT_DACL DefaultDacl, PTOKEN_SOURCE TokenSource ```); // 启用指定特权 BOOL EnablePrivilege(LPCWSTR privName) {HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return FALSE;if (!LookupPrivilegeValue(NULL, privName, &luid)) {
CloseHandle(hToken); return FALSE;}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hToken);
return (GetLastError() == ERROR_SUCCESS);
int wmain() {// 1️⃣ 启用创建令牌的特权
if (!EnablePrivilege(L"SeCreateTokenPrivilege")) {
std::wcout << L"[-] 无法启用 SeCreateTokenPrivilege\n"; return 1;}
// 2️⃣ 基本对象属性
OBJECT_ATTRIBUTES objAttr = {};
objAttr.Length = sizeof(objAttr);
// 3️⃣ 身份标识符(可自定义)
LUID authId = { 999, 0 };
// 4️⃣ 令牌过期时间(-1 = 永不过期)
LARGE_INTEGER expTime;
expTime.QuadPart = -1;
// 5️⃣ 主用户 SID(SYSTEM)
PSID pUserSid = NULL;
ConvertStringSidToSid(L"S-1-5-18", &pUserSid); // Local System
TOKEN_USER tokenUser = {};
tokenUser.User.Sid = pUserSid;
tokenUser.User.Attributes = 0;
// 6️⃣ 用户组(这里示例只加 Administrators)
std::vector<SID_AND_ATTRIBUTES> groups(1);
ConvertStringSidToSid(L"S-1-5-32-544", &groups[0].Sid); // Administrators
groups[0].Attributes = SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
TOKEN_GROUPS tokenGroups = { (DWORD)groups.size(), groups.data() };
// 7️⃣ 特权(开启 Debug 权限)
LUID luid;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
TOKEN_PRIVILEGES tokenPrivs = {};
tokenPrivs.PrivilegeCount = 1;
tokenPrivs.Privileges[0].Luid = luid;
tokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// 8️⃣ Token Owner
TOKEN_OWNER tokenOwner = { pUserSid };
// 9️⃣ Primary Group
TOKEN_PRIMARY_GROUP primaryGroup = { pUserSid };
// 🔟 Default DACL(默认访问控制表)
TOKEN_DEFAULT_DACL defaultDacl = {};
defaultDacl.DefaultDacl = NULL; // 无默认 DACL
// 1️⃣1️⃣ Token 来源信息
TOKEN_SOURCE tokenSource = { "CppTok" };
AllocateLocallyUniqueId(&tokenSource.SourceIdentifier);
// 1️⃣2️⃣ 创建令牌
HANDLE hToken = NULL;
NTSTATUS status = NtCreateToken(
&hToken, TOKEN_ALL_ACCESS, &objAttr, TokenPrimary, &authId, &expTime, &tokenUser, &tokenGroups, &tokenPrivs, &tokenOwner, &primaryGroup, &defaultDacl, &tokenSource);
if (status == STATUS_SUCCESS) {
std::wcout << L"[+] 成功创建令牌\n"; // 1️⃣3️⃣ 使用令牌启动 cmd.exe STARTUPINFO si = { sizeof(si) }; PROCESS_INFORMATION pi; if (CreateProcessAsUser(hToken, NULL, (LPWSTR)L"C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { std::wcout << L"[+] 已使用新令牌启动进程\n"; CloseHandle(pi.hProcess); CloseHandle(pi.hThread); } else { std::wcout << L"[-] CreateProcessAsUser 失败,错误码:" << GetLastError() << L"\n"; } CloseHandle(hToken);} else {
std::wcout << L"[-] NtCreateToken 失败,状态码:0x" << std::hex << status << L"\n";}
LocalFree(pUserSid);
return 0;