September 2004
408 pages
A token is a kernel object that caches part of a user's security profile, including the user SID, group SIDs, and privileges (Item 21). Item 15 discussed the basics of how this cache is normally used, but there's a bit more to it: A token also holds a reference to a logon session (Item 17) and a set of default security settings that the kernel uses.
Tokens are propagated automatically as new processes are created. A new process naturally inherits a copy of the parent's process token. Even if the thread that creates the process is impersonating, the new process gets a copy of the parent's process token, not the thread token, which surprises most people who are new to impersonation (Item 31). If you want to start ...
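The inheritance rule above can be checked directly by comparing the thread identity, the process identity, and the identity a child process reports. This C# program is an added example, not code from the book; the class and method names are hypothetical, and it assumes `whoami.exe` is on the PATH and that the marked spot is where your own impersonation code would run.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

static class TokenInheritanceCheck   // hypothetical helper, not a framework type
{
    static string processUser;

    // Call at startup, before any impersonation, to record the process token's user.
    public static void CaptureProcessUser()
    {
        if (ImpersonatedUser() != null)
            throw new InvalidOperationException("Capture before impersonating.");
        processUser = WindowsIdentity.GetCurrent().Name;
    }

    // GetCurrent(true) returns null unless the thread carries its own token.
    public static string ImpersonatedUser()
    {
        using (WindowsIdentity t = WindowsIdentity.GetCurrent(true))
            return t == null ? null : t.Name;
    }

    // Starts whoami without the shell or alternate credentials and returns what it prints.
    public static string ChildUser()
    {
        var psi = new ProcessStartInfo("whoami.exe")   // assumed to be on the PATH
        { UseShellExecute = false, RedirectStandardOutput = true, CreateNoWindow = true };
        using (Process p = Process.Start(psi))
        {
            string name = p.StandardOutput.ReadToEnd().Trim();
            p.WaitForExit();
            return name;
        }
    }

    static void Main()
    {
        CaptureProcessUser();
        // Assumption: your impersonation code runs here. Without it, thread is null.
        string thread = ImpersonatedUser();
        string child = ChildUser();
        Console.WriteLine("process token user: " + processUser);
        Console.WriteLine("thread token user : " + (thread ?? "(not impersonating)"));
        Console.WriteLine("child reports     : " + child);
        if (thread != null && !string.Equals(thread, child, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("Child did not inherit the impersonated identity.");
    }
}
```

When run from code that is impersonating, the child line matches the process token user rather than the thread token user.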