Updated 20/10/2021

Some time ago already I had written a few utilities to manipulate Windows account security settings. I use them at work all the time because they are more flexible and easier to understand than the built-in GUI tools (and much much easier to use than the built-in CLI tools).

I have now updated the tools to use (mostly) WCHAR and standard I/O, so output is now redirectable. Everything is (should be) statically linked and does not require the Visual C runtime library installed. TokenTest requires the .NET Framework version 4. Some of the tools now display some help.

Source: https://github.com/ajbrehm/ABTokenTools

Download binaries (in ZIP archives) of the newest versions here:


They are, so far:


AccountRights someuser SeShutdownPrivilege

Gives a user account the shutdown privilege (which allows that user to stop or reboot the computer).

AccountRights someuser SeShutdownPrivilege REMOVE

Removes that same privilege from the user.

This works for all privileges and rights.


CopyAsBackup drive_letter:\directory\sourcefile drive_letter:\directory\targetfile

Copies a file sourcefile to file targetfile using backup privileges to ignore ACLs.


DecryptLsaSecrets 1000 SomeService

Assuming 1000 is the PID of the Local Security Authority (lsass.exe), gets the password stored to start a service SomeService stored in HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets. For some reason this fails if the service name contains an underscore (_) which most of them do.


EnablePrivilege SeTakeOwnershipPrivilege

Enables the user’s privilege given (if the user has it) and starts cmd with the privilege enabled.


GetProcessOwner 1000

Often gets the privileges and owner of the process with id 1000.


LookupAccountName someuser

Gets the SID (security identifier) for a user name.


This does the same as LookupAccountName but vice versa, gets the user name for a SID.


Logs a user on without a password and does nothing. To be honest, I have forgotten what this was good for other than a proof of concept…


SessionForPId 1000

Returns the session for the PID 1000. Proof of concept…


TokenTest user

TokenTest user@domain

Displays the privileges a user would have if he logged on now. This is useful for testing effective privileges based on groups. It is a good counterpart to AccountRights above which shows the rights and privileges a security principal (user or group) has by itself.

Use them at your own discretion. I use them all the time and find them indispensible.

Use them at your own discretion. I use them all the time and find them indispensible.

 © Andrew Brehm 2016