ntoskrnl.exeT1106

NtCompareTokens

Decides whether two tokens grant the same access — same user, same groups, same restricted SIDs, same privileges.

Prototype

NTSTATUS NtCompareTokens(
  HANDLE   FirstTokenHandle,
  HANDLE   SecondTokenHandle,
  PBOOLEAN Equal
);

Arguments

Name	Type	Dir	Description
FirstTokenHandle	HANDLE	in	Handle to the first token. Requires TOKEN_QUERY.
SecondTokenHandle	HANDLE	in	Handle to the second token. Requires TOKEN_QUERY.
Equal	PBOOLEAN	out	TRUE if the tokens grant identical access for the comparison set, FALSE otherwise.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x96	win10-1507
Win10 1607	0x97	win10-1607
Win10 1703	0x99	win10-1703
Win10 1709	0x9A	win10-1709
Win10 1803	0x9B	win10-1803
Win10 1809	0x9B	win10-1809
Win10 1903	0x9B	win10-1903
Win10 1909	0x9B	win10-1909
Win10 2004	0x9D	win10-2004
Win10 20H2	0x9D	win10-20h2
Win10 21H1	0x9D	win10-21h1
Win10 21H2	0x9D	win10-21h2
Win10 22H2	0x9D	win10-22h2
Win11 21H2	0x9F	win11-21h2
Win11 22H2	0x9F	win11-22h2
Win11 23H2	0x9F	win11-23h2
Win11 24H2	0xA1	win11-24h2
Server 2016	0x97	winserver-2016
Server 2019	0x9B	winserver-2019
Server 2022	0x9F	winserver-2022
Server 2025	0xA1	winserver-2025

Kernel module

ntoskrnl.exe → NtCompareTokens

Related APIs

CompareObjectHandlesAccessCheckByTypeAndAuditAlarmNtQueryInformationTokenNtDuplicateTokenNtAccessCheck

Syscall stub

4C 8B D1            mov r10, rcx
B8 A1 00 00 00      mov eax, 0xA1
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Compares the *effective* access decision of two tokens, not raw token identity. The kernel routine SepCompareTokens walks both tokens' User SID, Groups, RestrictedSids and Privileges arrays and returns Equal=TRUE only when each set matches element-for-element. The MandatoryPolicy, integrity level and impersonation level are not part of the comparison — two tokens at different integrity levels can therefore compare equal. Microsoft documents the API mainly for security software that needs to know whether two impersonation tokens are interchangeable (e.g. should a cached resource handle still be valid). It is one of the lower-traffic token syscalls — a typical workstation issues only a handful per minute, mostly from svchost.exe and lsass.exe.

Common malware usage

Rare in offensive use; almost always seen in defensive software. Browsers (Edge, Chrome) call it via `CompareObjectHandles` to verify that a sandboxed renderer's token still matches the one the broker minted, defending against token-swap attacks during IPC. AppContainer hosts use it to validate child-token continuity. The handful of malicious uses are reconnaissance: an implant duplicates several tokens it has captured and compares them to detect duplicates or to deduplicate impersonation candidates before attempting `SetThreadToken`. There is essentially no canonical offensive recipe.

Detection opportunities

Largely a *non-detection* — the legitimate callers (lsass.exe, MsMpEng.exe, RuntimeBroker.exe, msedge.exe) dominate. A non-system process calling `NtCompareTokens` on two tokens it just acquired via `NtOpenProcessToken` against unrelated processes is a weak credential-recon signal, best paired with `NtDuplicateToken` and `NtImpersonateAnonymousToken` telemetry. There is no dedicated ETW Threat-Intelligence event; rely on EDR hooks of `ntdll!NtCompareTokens` filtered by `actor_image NOT IN (browser/AV/runtime brokers)`.

Direct syscall examples

cSandbox token-swap defense (browser pattern)

// Pattern used by AppContainer hosts: a broker reopens the renderer's token
// and confirms it still matches the one it issued, defending against an attacker
// who swapped the renderer's primary token via cross-process injection.
typedef NTSTATUS(NTAPI* fnNtCompareTokens)(HANDLE, HANDLE, PBOOLEAN);

BOOL TokenStillMine(HANDLE issued, HANDLE currentRendererToken) {
    HMODULE n = GetModuleHandleA("ntdll.dll");
    fnNtCompareTokens p = (fnNtCompareTokens)GetProcAddress(n, "NtCompareTokens");
    BOOLEAN eq = FALSE;
    return p(issued, currentRendererToken, &eq) == 0 && eq;
}

asmx64 direct stub (Win11 24H2 SSN)

; SSN 0xA1 on win11-24h2 / winserver-2025.
NtCompareTokens PROC
    mov  r10, rcx
    mov  eax, 0A1h
    syscall
    ret
NtCompareTokens ENDP

rustImplant-side dedup of stolen tokens

// Implant collected N tokens via NtOpenProcessToken. Before bothering to
// SetThreadToken into each, drop duplicates that grant the same access.
use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};

type NtCompareTokens = unsafe extern "system" fn(a: isize, b: isize, eq: *mut u8) -> i32;

pub unsafe fn dedup_tokens(mut tokens: Vec<isize>) -> Vec<isize> {
    let n = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let addr = GetProcAddress(n, b"NtCompareTokens\0".as_ptr()).unwrap();
    let f: NtCompareTokens = std::mem::transmute(addr);
    let mut out: Vec<isize> = Vec::new();
    for t in tokens.drain(..) {
        let mut is_dup = false;
        for &kept in &out {
            let mut eq: u8 = 0;
            if f(t, kept, &mut eq) == 0 && eq != 0 { is_dup = true; break; }
        }
        if !is_dup { out.push(t); }
    }
    out
}

MITRE ATT&CK mappings

T1106 Native API mitre ↗

Last verified: 2026-05-20