ntoskrnl.exeT1134T1106

NtCreateLowBoxToken

Derives a LowBox (AppContainer) token from an existing token — sets the package SID and capability list that gate broker IPC access.

Prototype

NTSTATUS NtCreateLowBoxToken(
  PHANDLE              TokenHandle,
  HANDLE               ExistingTokenHandle,
  ACCESS_MASK          DesiredAccess,
  POBJECT_ATTRIBUTES   ObjectAttributes,
  PSID                 PackageSid,
  ULONG                CapabilityCount,
  PSID_AND_ATTRIBUTES  Capabilities,
  ULONG                HandleCount,
  PHANDLE              Handles
);

Arguments

Name	Type	Dir	Description
TokenHandle	PHANDLE	out	Receives the handle to the new LowBox token.
ExistingTokenHandle	HANDLE	in	Source token. Requires TOKEN_DUPLICATE. The LowBox is derived from this token's user/groups.
DesiredAccess	ACCESS_MASK	in	Access mask requested on the new token. TOKEN_ALL_ACCESS is typical when the caller will assign it next.
ObjectAttributes	POBJECT_ATTRIBUTES	in	Object attributes. SecurityQualityOfService controls impersonation level if used in that mode.
PackageSid	PSID	in	AppContainer package SID — encodes the unique identity of the sandboxed app, used to scope object names under \Sessions\...\AppContainerNamedObjects.
CapabilityCount	ULONG	in	Number of entries in Capabilities. May be 0.
Capabilities	PSID_AND_ATTRIBUTES	in	Array of capability SIDs (internetClient, picturesLibrary, etc.) that the LowBox is granted.
HandleCount	ULONG	in	Number of handles in Handles. Usually 0.
Handles	PHANDLE	in	Optional array of object handles to attach to the LowBox so it can access them despite normal AC restrictions.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xA5	win10-1507
Win10 1607	0xA7	win10-1607
Win10 1703	0xAA	win10-1703
Win10 1709	0xAB	win10-1709
Win10 1803	0xAC	win10-1803
Win10 1809	0xAC	win10-1809
Win10 1903	0xAD	win10-1903
Win10 1909	0xAD	win10-1909
Win10 2004	0xB1	win10-2004
Win10 20H2	0xB1	win10-20h2
Win10 21H1	0xB1	win10-21h1
Win10 21H2	0xB2	win10-21h2
Win10 22H2	0xB2	win10-22h2
Win11 21H2	0xB5	win11-21h2
Win11 22H2	0xB6	win11-22h2
Win11 23H2	0xB6	win11-23h2
Win11 24H2	0xB8	win11-24h2
Server 2016	0xA7	winserver-2016
Server 2019	0xAC	winserver-2019
Server 2022	0xB4	winserver-2022
Server 2025	0xB8	winserver-2025

Kernel module

ntoskrnl.exe → NtCreateLowBoxToken

Related APIs

CreateAppContainerTokenCreateProcessAsUserNtAssignProcessTokenNtCreateUserProcessDeriveCapabilitySidsFromNameDeriveAppContainerSidFromAppContainerName

Syscall stub

4C 8B D1            mov r10, rcx
B8 B8 00 00 00      mov eax, 0xB8
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Underpins the AppContainer sandbox introduced in Windows 8 and used by every Windows Runtime app, Edge content processes, Chrome's renderer sandbox (when AppContainer mode is enabled), the WSA Android runtime, and the modern WebView2 host. The kernel routine SepCreateLowBoxToken takes the source token, copies User/Groups/Privileges, then layers on the LowBox attributes: the package SID (stored in the token's `LowBoxNumberEntry` / `Package` field) and the capability array (stored as a special group with the SE_GROUP_INTEGRITY-adjacent attributes). Once the resulting token is assigned to a process via NtAssignProcessToken or used with NtCreateUserProcess, the kernel inserts AppContainer-style access checks: object name resolution is rerouted to the per-AC `\Sessions\<n>\AppContainerNamedObjects\<PackageSid>` namespace; network access is gated by `internetClient`/`privateNetworkClientServer` capabilities; broker IPC channels (the RPC interfaces gated to AppContainers) become reachable.

Common malware usage

Mostly legitimate; truly malicious use is rare but real. Pattern: a process that would otherwise be barred from a broker RPC interface (e.g. some WinRT broker endpoints check the caller's PackageSid and accept the call only from AppContainer principals) calls NtCreateLowBoxToken with the *expected* PackageSid of a legitimate AC app, assigns the resulting token to a helper child, and pivots through the broker as if it were that app. This is the gist of several published sandbox-escape PoCs from Project Zero, Google's bughunters and a few CTF writeups (notably escapes from Edge's content process and from the WSA RuntimeBroker). It is also occasionally used by red-team tooling to *enter* an AppContainer voluntarily — useful when the operator wants their tradecraft to look like a normal Edge child to a defensive tool that whitelists AC processes.

Browser sandbox-escape PoCs (Project Zero class)

Detection opportunities

Microsoft-Windows-Threat-Intelligence does not emit a dedicated event for NtCreateLowBoxToken; detection has to rely on the side-effects. The high-fidelity pivot is *creation of an AppContainer token by a non-AppContainer-aware process*: anything not in a small allowlist (svchost.exe hosting AppContainer infrastructure, MicrosoftEdgeUpdate.exe, RuntimeBroker.exe, BackgroundTaskHost.exe, smsvchost.exe) calling this syscall is anomalous. Sysmon Event 25 (process tampering) sometimes fires on the subsequent NtAssignProcessToken when the new token mismatches the process's manifest declarations. ETW provider Microsoft-Windows-Win32k-Power can show the namespace remapping when the LowBox child starts touching `\Sessions\...\AppContainerNamedObjects\<unexpected-package>`. PackageSid forgery (mismatch between PackageSid and the executable's signed identity) is the strongest behavioral indicator.

Direct syscall examples

cVoluntarily enter a LowBox (red-team blend pattern)

// Build a LowBox token tagged with an arbitrary PackageSid, then assign it
// to a helper process so it executes as if it were that AppContainer app.
typedef NTSTATUS(NTAPI* fnNtCreateLowBoxToken)(
    PHANDLE, HANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PSID, ULONG, PSID_AND_ATTRIBUTES, ULONG, PHANDLE);

HANDLE BuildLowBox(HANDLE hSourceToken, PSID packageSid) {
    HMODULE n = GetModuleHandleA("ntdll.dll");
    fnNtCreateLowBoxToken p = (fnNtCreateLowBoxToken)
        GetProcAddress(n, "NtCreateLowBoxToken");
    OBJECT_ATTRIBUTES oa = { sizeof(oa) };
    HANDLE hLowBox = NULL;
    NTSTATUS s = p(&hLowBox, hSourceToken, TOKEN_ALL_ACCESS, &oa,
                   packageSid, 0, NULL, 0, NULL);
    return (s == 0) ? hLowBox : NULL;
}

asmx64 direct stub (Win11 24H2 SSN)

; SSN 0xB8 on win11-24h2 / winserver-2025. 9 args — most spill to the stack.
NtCreateLowBoxToken PROC
    mov  r10, rcx
    mov  eax, 0B8h
    syscall
    ret
NtCreateLowBoxToken ENDP

rustAdd internetClient capability to a LowBox

// Capability SIDs are derived from cap names via DeriveCapabilitySidsFromName.
// Here we hard-code S-1-15-3-1 (internetClient) for brevity.
use windows_sys::Win32::Security::PSID;
use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};

#[repr(C)]
struct SidAndAttributes { sid: PSID, attributes: u32 }

type NtCreateLowBoxToken = unsafe extern "system" fn(
    out: *mut isize, src: isize, access: u32, oa: *mut u8,
    package: PSID, cap_count: u32, caps: *mut SidAndAttributes,
    handle_count: u32, handles: *mut isize,
) -> i32;

pub unsafe fn lowbox_with_internet(
    src: isize, package: PSID, internet_client: PSID,
) -> Option<isize> {
    let n = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let addr = GetProcAddress(n, b"NtCreateLowBoxToken\0".as_ptr())?;
    let f: NtCreateLowBoxToken = std::mem::transmute(addr);
    let mut cap = SidAndAttributes { sid: internet_client, attributes: 0x04 /* SE_GROUP_ENABLED */ };
    let mut oa = [0u8; 48];
    let mut out: isize = 0;
    if f(&mut out, src, 0xF01FF, oa.as_mut_ptr(), package, 1, &mut cap, 0, core::ptr::null_mut()) == 0 {
        Some(out)
    } else { None }
}

MITRE ATT&CK mappings

Last verified: 2026-05-20