list

token::list lists all tokens on the system.

It has the following command line arguments:

/id: The token to list by its ID
/user: The user token to list
/system: List only system tokens
/admin: List a token of builtin local administrators
/domainadmin: List tokens with Domain Admin privileges
/enterpriseadmin: List tokens with Enterprise Admin privileges
/localservice: List local service accounts tokens
/networkservice: List network service accounts tokens

General Usage

A low-privileged user can list only own tokens:

mimikatz # token::list
Token Id  : 0
User name :
SID name  :

3844    {0;0008d895} 2 L 588473         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)        Primary
964     {0;0008d895} 2 L 651175         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)        Primary
760     {0;0008d895} 2 L 659720         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)        Primary
1456    {0;0008d895} 2 L 664286         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)        Primary
5200    {0;0008d895} 2 L 676578         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)        Primary
6164    {0;0008d895} 2 L 5603039        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,01p)        Impersonation (Impersonation)

Every line shows one token:

6164    {0;0008d895} 2 L 5603039        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,01p)        Impersonation (Impersonation)

Displayed information (source: kuhl_m_token.c):

6164: Process ID
- To which process the token belongs.
- Every process has one primary token and can have multiple impersonation tokens.
- This ID can be seen in Taskmanager, or Get-Process
{0;0008d895}: Logon Session ID (64 bit)
- higher 32 bit and lower 32 bit
2: Session ID
L: Token Elevation Type
- D: Default
- F: Full
- L: Limited
5603039: Token ID
SERVER01\tmassie: Username
- Domain Accounts: domain\username
- Local Accounts: hostname\username or NT AUTHORITY\USERNAME
S-1-5-21-755659916-1915924768-2761631771-1001: SID
(15g,01p): Groups and privileges
- g: Number of groups
- p: Number of privileges
Impersonation: Token Type
- Unknown
- Primary
- Impersonation
(Impersonation): Impersonation Level (Only for impersonation tokens)
- Anonymous: Server cannot impersonate the client
- Identification: Server can identify client but not impersonate
- Impersonation: Server can impersonate client’s security context on local system
- Delegation: Server can impersonate client’s security context on remote systems using cached credentials

As a local admin but without the SeDebugPrivilege privilege, you can see the tokens of other user's as well but not of system users like SYSTEM or NETWORK SERVICE:

mimikatz # token::list
Token Id  : 0
User name :
SID name  :

3844    {0;0008d895} 2 L 588473         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
4376    {0;0008d895} 2 L 601368         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
964     {0;0008d895} 2 L 651175         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
760     {0;0008d895} 2 L 659720         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
3768    {0;0008d7f5} 2 F 661766         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
1456    {0;0008d895} 2 L 664286         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
5200    {0;0008d895} 2 L 676578         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
7156    {0;000f0ac5} 3 F 1075487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
5508    {0;0008d7f5} 2 F 5127728        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
7224    {0;0008d7f5} 2 F 5870190        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
6164    {0;0008d895} 2 L 5603039        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,01p)       Impersonation (Impersonation)

With the SeDebugPrivilege privilege enabled, you can see all tokens on the system:

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::list
Token Id  : 0
User name :
SID name  :

[...]
1916    {0;000003e7} 2 D 556559         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
3844    {0;0008d895} 2 L 588473         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
3428    {0;000003e7} 0 D 593863         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,05p)       Primary
4376    {0;0008d895} 2 L 601368         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
964     {0;0008d895} 2 L 651175         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
3992    {0;000003e7} 0 D 655073         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,11p)       Primary
760     {0;0008d895} 2 L 659720         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
3768    {0;0008d7f5} 2 F 661766         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
1456    {0;0008d895} 2 L 664286         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
5200    {0;0008d895} 2 L 676578         SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,02p)       Primary
5268    {0;000003e7} 3 D 973825         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
7156    {0;000f0ac5} 3 F 1075487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
4428    {0;000003e7} 0 D 2267524        NT AUTHORITY\SYSTEM     S-1-5-18        (04g,28p)       Primary
5508    {0;0008d7f5} 2 F 5127728        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
7224    {0;0008d7f5} 2 F 5870190        SERVER01\tmassie    S-1-5-21-755659916-1915924768-2761631771-1001   (15g,24p)       Primary
676     {0;000003e7} 0 D 28607          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,31p)       Impersonation (Impersonation)
676     {0;000003e4} 0 D 555174         NT AUTHORITY\NETWORK SERVICE    S-1-5-20        (11g,06p)       Impersonation (Impersonation)
676     {0;003e1c50} 0 D 4070487        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (12g,24p)       Impersonation (Impersonation)
676     {0;0000756e} 0 D 30076          Font Driver Host\UMFD-0 S-1-5-96-0-0    (09g,02p)       Impersonation (Impersonation)
676     {0;000003e7} 0 D 46009          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Impersonation)
[...]
2096    {0;000003e5} 0 D 75329          NT AUTHORITY\LOCAL SERVICE      S-1-5-19        (16g,03p)       Primary
2812    {0;000003e6} 0 D 109047         NT AUTHORITY\ANONYMOUS LOGON    S-1-5-7 (01g,00p)       Impersonation (Impersonation)
2956    {0;000003e7} 0 D 326793         NT AUTHORITY\SYSTEM     S-1-5-18        (12g,07p)       Impersonation (Impersonation)
1916    {0;000003e7} 2 D 559210         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,10p)       Primary
5268    {0;000003e7} 3 D 976221         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,10p)       Primary

id

List token with specific token id:

mimikatz # token::list /id:27044241
Token Id  : 27044241
User name :
SID name  :

9196    {0;019c935c} 2 F 27044241       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Primary

user

List token of specific user:

mimikatz # token::list /user:ffast
Token Id  : 0
User name : ffast
SID name  :

5332    {0;000563b2} 2 F 457263         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
4432    {0;000563b2} 2 F 2839551        winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Primary
668     {0;00050574} 0 D 329079         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (12g,24p)       Impersonation (Impersonation)
668     {0;000563e4} 2 L 353269         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
800     {0;000563e4} 2 L 456098         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 380750         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 387116         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,01p)       Impersonation (Identification)
920     {0;000563e4} 2 L 436160         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 443911         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563e4} 2 L 432114         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,02p)       Impersonation (Impersonation)
920     {0;000563b2} 2 F 460527         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,24p)       Impersonation (Impersonation)
1816    {0;000563e4} 2 L 424793         winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (15g,01p)       Impersonation (Impersonation)

system

List tokens of local SYSTEM account:

mimikatz # token::list /system
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

660     {0;000003e7} 1 D 22777          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
676     {0;000003e7} 0 D 23261          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,31p)       Primary
[...]
2236    {0;000003e7} 0 D 118305         NT AUTHORITY\SYSTEM     S-1-5-18        (12g,04p)       Impersonation (Identification)
3272    {0;000003e7} 0 D 31384213       NT AUTHORITY\SYSTEM     S-1-5-18        (12g,07p)       Impersonation (Impersonation)
5568    {0;000003e7} 2 D 594642         NT AUTHORITY\SYSTEM     S-1-5-18        (04g,10p)       Primary

admin

List tokens of local admins:

mimikatz # token::list /admin
Token Id  : 0
User name :
SID name  : BUILTIN\Administrators

660     {0;000003e7} 1 D 22777          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
676     {0;000003e7} 0 D 23261          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,31p)       Primary
1356    {0;000003e7} 0 D 69077          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,07p)       Primary
1392    {0;000003e7} 0 D 69588          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,07p)       Primary
1428    {0;000003e7} 0 D 69888          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,04p)       Primary
[...]

domainadmin

List tokens of domain admins:

mimikatz # token::list /domainadmin
Token Id  : 0
User name :
SID name  : winattacklab\Domain Admins

6260    {0;019c935c} 2 F 30080881       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Primary
676     {0;019c935c} 2 F 27038624       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Impersonation (Impersonation)
9196    {0;019c935c} 2 F 27044241       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Primary

enterpriseadmin

List tokens of enterprise admins:

mimikatz # token::list /enterpriseadmin
Token Id  : 0
User name :
SID name  : winattacklab\Domain Admins

6260    {0;019c935c} 2 F 30080881       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Primary
676     {0;019c935c} 2 F 27038624       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Impersonation (Impersonation)
9196    {0;019c935c} 2 F 27044241       winattacklab\ffast     S-1-5-21-1345929560-157546789-2569868433-1123   (14g,24p)       Primary

localservice

List tokens of local service accounts:

mimikatz # token::list /localservice
Token Id  : 0
User name :
SID name  : NT AUTHORITY\LOCAL SERVICE

676     {0;000003e5} 0 D 540433         NT AUTHORITY\LOCAL SERVICE      S-1-5-19        (17g,02p)       Impersonation (Impersonation)
676     {0;000003e5} 0 D 61742          NT AUTHORITY\LOCAL SERVICE      S-1-5-19        (17g,11p)       Impersonation (Impersonation)
[...]
3816    {0;000003e5} 0 D 20547077       NT AUTHORITY\LOCAL SERVICE      S-1-5-19        (17g,03p)       Primary

networkservice

List tokens of network service accounts:

mimikatz # token::list /networkservice
Token Id  : 0
User name :
SID name  : NT AUTHORITY\NETWORK SERVICE

952     {0;000003e4} 0 D 61753          NT AUTHORITY\NETWORK SERVICE    S-1-5-20        (11g,03p)       Primary
8       {0;000003e4} 0 D 66030          NT AUTHORITY\NETWORK SERVICE    S-1-5-20        (11g,06p)       Primary
[...]
688     {0;000003e4} 0 D 51362          NT AUTHORITY\NETWORK SERVICE    S-1-5-20        (11g,08p)       Impersonation (Impersonation)
688     {0;000003e4} 0 D 90007          NT AUTHORITY\NETWORK SERVICE    S-1-5-20        (11g,04p)       Impersonation (Impersonation)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

list.md

list.md

list

General Usage

id

user

system

admin

domainadmin

enterpriseadmin

localservice

networkservice

Files

list.md

Latest commit

History

list.md

File metadata and controls

list

General Usage

id

user

system

admin

domainadmin

enterpriseadmin

localservice

networkservice