Examples/Get-AccessToken.ps1

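function Get-AccessToken
{
    <#
    .SYNOPSIS
    Lists the primary access token of each process and any impersonation token held by its threads.

    .DESCRIPTION
    For every process supplied (or every running process when -Process is omitted) one object is
    emitted for the primary token, followed by one object per thread that has its own token.
    Thread rows repeat the owning process's primary-token values in the Primary* columns, so a
    thread running under a different user, integrity level or session than its process is
    visible on a single row.

    Get-System is called first and RevertToSelf last. Both are defined outside this function;
    judging by the error message below, Get-System impersonates NT AUTHORITY\SYSTEM so that
    tokens of other users' processes can be queried.

    .PARAMETER Process
    Processes to inspect. Defaults to the output of Get-Process. PIDs 0 and 4 and the current
    PowerShell process ($PID) are always skipped.

    .OUTPUTS
    PSCustomObject. ThreadId is $null and ImpersonationLevel is 'None' on primary-token rows.
    The Primary* columns are $null on thread rows when the primary token could not be read.

    .NOTES
    Failures on individual processes or threads are reported with Write-Verbose only, so run
    with -Verbose to see what was skipped.

    If SYSTEM impersonation fails, a non-terminating error is written and enumeration continues
    with whatever access the caller already has, so the result may be incomplete.

    RevertToSelf runs in the end block, which PowerShell does not execute when the pipeline is
    stopped early (for example by Select-Object -First). In that case call RevertToSelf manually.
    #>
    param
    (
        [Parameter()]
        [System.Diagnostics.Process[]]
        $Process
    )

    begin
    {
        try
        {
            Get-System
        }
        catch
        {
            Write-Error "Unable to Impersonate NT AUTHORITY\SYSTEM token"
        }

        if(-not ($PSBoundParameters.ContainsKey('Process')))
        {
            $Process = Get-Process
        }
    }

    process
    {
        foreach($proc in $Process)
        {
            if($proc.Id -ne 0 -and $proc.Id -ne 4 -and $proc.Id -ne $PID)
            {
                # Reset per-process state so a failure here can never fall through to a handle
                # or token value left over from the previous process.
                $hProcess = $null
                $hToken = $null
                $primaryInfo = @{
                    TokenId          = $null
                    ModifiedId       = $null
                    AuthenticationId = $null
                    UserSid          = $null
                    UserName         = $null
                    IntegrityLevel   = $null
                    Type             = $null
                    SessionId        = $null
                }

                try
                {
                    try
                    {
                        $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
                    }
                    catch
                    {
                        if($_.Exception.Message -ne "OpenProcess Error: The parameter is incorrect")
                        {
                            Write-Verbose "Process Handle: $($proc.Id)"
                            Write-Verbose $_.Exception.Message
                        }
                    }

                    if($null -ne $hProcess)
                    {
                        try
                        {
                            $hToken = OpenProcessToken -ProcessHandle $hProcess -DesiredAccess TOKEN_QUERY
                        }
                        catch
                        {
                            Write-Verbose "Process Token Handle: $($proc.Id)"
                            Write-Verbose $_.Exception.Message
                        }
                    }

                    if($null -ne $hToken)
                    {
                        try
                        {
                            $PrimaryTokenStatistics = GetTokenInformation -TokenInformationClass TokenStatistics -TokenHandle $hToken
                            $PrimaryTokenUser = GetTokenInformation -TokenInformationClass TokenUser -TokenHandle $hToken
                            $PrimaryTokenOwner = GetTokenInformation -TokenInformationClass TokenOwner -TokenHandle $hToken
                            $PrimaryTokenIntegrityLevel = GetTokenInformation -TokenInformationClass TokenIntegrityLevel -TokenHandle $hToken
                            $PrimaryTokenType = GetTokenInformation -TokenInformationClass TokenType -TokenHandle $hToken
                            $PrimaryTokenSessionId = GetTokenInformation -TokenInformationClass TokenSessionId -TokenHandle $hToken
                            $PrimaryTokenOrigin = GetTokenInformation -TokenInformationClass TokenOrigin -TokenHandle $hToken
                            $PrimaryTokenPrivileges = GetTokenInformation -TokenInformationClass TokenPrivileges -TokenHandle $hToken
                            $PrimaryTokenElevation = GetTokenInformation -TokenInformationClass TokenElevation -TokenHandle $hToken
                            $PrimaryTokenElevationType = GetTokenInformation -TokenInformationClass TokenElevationType -TokenHandle $hToken

                            # Assigned in one step, only after every query succeeded, so thread
                            # rows see either a complete primary-token summary or all $null.
                            $primaryInfo = @{
                                TokenId          = $PrimaryTokenStatistics.TokenId
                                ModifiedId       = $PrimaryTokenStatistics.ModifiedId
                                AuthenticationId = $PrimaryTokenStatistics.AuthenticationId
                                UserSid          = $PrimaryTokenUser.Sid.ToString()
                                UserName         = $PrimaryTokenUser.Name.Value
                                IntegrityLevel   = $PrimaryTokenIntegrityLevel.ToString()
                                Type             = $PrimaryTokenType.ToString()
                                SessionId        = $PrimaryTokenSessionId
                            }

                            # NOTE(review): "*ENABLED*" also matches an attribute string that only
                            # contains ENABLED_BY_DEFAULT, so EnabledPrivileges can overlap with
                            # DefaultEnabledPrivileges. Kept as in the original; confirm intent.
                            $obj = [PSCustomObject]@{
                                ProcessName = $proc.Name
                                ProcessId = $proc.Id
                                ThreadId = $null
                                TokenId = [UInt32]$PrimaryTokenStatistics.TokenId
                                ModifiedId = [UInt32]$PrimaryTokenStatistics.ModifiedId
                                AuthenticationId = [UInt32]$PrimaryTokenStatistics.AuthenticationId
                                UserSid = $primaryInfo.UserSid
                                UserName = $primaryInfo.UserName
                                OwnerSid = $PrimaryTokenOwner.Sid.ToString()
                                OwnerName = $PrimaryTokenOwner.Name.Value
                                IntegrityLevel = $primaryInfo.IntegrityLevel
                                Type = $primaryInfo.Type
                                ImpersonationLevel = 'None'
                                SessionId = [UInt32]$PrimaryTokenSessionId
                                Origin = [UInt32]$PrimaryTokenOrigin
                                EnabledPrivileges = ($PrimaryTokenPrivileges | Where-Object {$_.Attributes -like "*ENABLED*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                DefaultEnabledPrivileges = ($PrimaryTokenPrivileges | Where-Object {$_.Attributes -like "*ENABLED_BY_DEFAULT*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                DisabledPrivileges = ($PrimaryTokenPrivileges | Where-Object {$_.Attributes -like "*DISABLED*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                IsElevated = $PrimaryTokenElevation.ToString()
                                ElevationType = $PrimaryTokenElevationType.ToString()
                                PrimaryTokenId = $primaryInfo.TokenId
                                PrimaryModifiedId = $primaryInfo.ModifiedId
                                PrimaryAuthenticationId = $primaryInfo.AuthenticationId
                                PrimaryUserSid = $primaryInfo.UserSid
                                PrimaryUserName = $primaryInfo.UserName
                                PrimaryIntegrityLevel = $primaryInfo.IntegrityLevel
                                PrimaryType = $primaryInfo.Type
                                PrimarySessionId = $primaryInfo.SessionId
                            }

                            Write-Output $obj
                        }
                        catch
                        {
                            Write-Verbose "Process Token Query: $($proc.Id)"
                            Write-Verbose $_.Exception.Message
                        }
                    }
                }
                finally
                {
                    # Close on every path, including query failures and a stopped pipeline;
                    # previously the handles were released only after a fully successful query.
                    foreach($handle in @($hToken, $hProcess))
                    {
                        if($null -ne $handle)
                        {
                            try
                            {
                                CloseHandle -Handle $handle
                            }
                            catch
                            {
                                Write-Verbose "Close Handle: $($proc.Id)"
                                Write-Verbose $_.Exception.Message
                            }
                        }
                    }
                }

                foreach($thread in $proc.Threads)
                {
                    # Reset per-thread state: a failed OpenThread must not let the token of a
                    # previously inspected thread be reported under this thread's ID.
                    $hThread = $null
                    $hThreadToken = $null

                    try
                    {
                        try
                        {
                            $hThread = OpenThread -ThreadId $thread.Id -DesiredAccess THREAD_QUERY_LIMITED_INFORMATION
                        }
                        catch
                        {
                            Write-Verbose "Thread Handle: [Proc] $($proc.Id) [THREAD] $($thread.Id)"
                            Write-Verbose $_.Exception.Message
                        }

                        if($null -ne $hThread)
                        {
                            try
                            {
                                $hThreadToken = OpenThreadToken -ThreadHandle $hThread -DesiredAccess TOKEN_QUERY

                                $TokenStatistics = GetTokenInformation -TokenInformationClass TokenStatistics -TokenHandle $hThreadToken
                                $TokenUser = GetTokenInformation -TokenInformationClass TokenUser -TokenHandle $hThreadToken
                                $TokenOwner = GetTokenInformation -TokenInformationClass TokenOwner -TokenHandle $hThreadToken
                                $TokenIntegrityLevel = GetTokenInformation -TokenInformationClass TokenIntegrityLevel -TokenHandle $hThreadToken
                                $TokenType = GetTokenInformation -TokenInformationClass TokenType -TokenHandle $hThreadToken
                                $TokenImpersonationLevel = GetTokenInformation -TokenInformationClass TokenImpersonationLevel -TokenHandle $hThreadToken
                                $TokenSessionId = GetTokenInformation -TokenInformationClass TokenSessionId -TokenHandle $hThreadToken
                                $TokenOrigin = GetTokenInformation -TokenInformationClass TokenOrigin -TokenHandle $hThreadToken
                                $TokenPrivileges = GetTokenInformation -TokenInformationClass TokenPrivileges -TokenHandle $hThreadToken
                                $TokenElevation = GetTokenInformation -TokenInformationClass TokenElevation -TokenHandle $hThreadToken
                                $TokenElevationType = GetTokenInformation -TokenInformationClass TokenElevationType -TokenHandle $hThreadToken

                                # The privilege columns are built from the thread token's own
                                # privileges; the original read $PrimaryTokenPrivileges here, which
                                # reported the process's privileges on every thread row.
                                $obj = [PSCustomObject]@{
                                    ProcessName = $proc.Name
                                    ProcessId = $proc.Id
                                    ThreadId = $thread.Id
                                    TokenId = [UInt32]$TokenStatistics.TokenId
                                    ModifiedId = [UInt32]$TokenStatistics.ModifiedId
                                    AuthenticationId = [UInt32]$TokenStatistics.AuthenticationId
                                    UserSid = $TokenUser.Sid.ToString()
                                    UserName = $TokenUser.Name.Value
                                    OwnerSid = $TokenOwner.Sid.ToString()
                                    OwnerName = $TokenOwner.Name.Value
                                    IntegrityLevel = $TokenIntegrityLevel.ToString()
                                    Type = $TokenType.ToString()
                                    ImpersonationLevel = $TokenImpersonationLevel.ToString()
                                    SessionId = [UInt32]$TokenSessionId
                                    Origin = [UInt32]$TokenOrigin
                                    EnabledPrivileges = ($TokenPrivileges | Where-Object {$_.Attributes -like "*ENABLED*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                    DefaultEnabledPrivileges = ($TokenPrivileges | Where-Object {$_.Attributes -like "*ENABLED_BY_DEFAULT*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                    DisabledPrivileges = ($TokenPrivileges | Where-Object {$_.Attributes -like "*DISABLED*"} | Select-Object -ExpandProperty Privilege) -join ';'
                                    IsElevated = $TokenElevation.ToString()
                                    ElevationType = $TokenElevationType.ToString()
                                    PrimaryTokenId = $primaryInfo.TokenId
                                    PrimaryModifiedId = $primaryInfo.ModifiedId
                                    PrimaryAuthenticationId = $primaryInfo.AuthenticationId
                                    PrimaryUserSid = $primaryInfo.UserSid
                                    PrimaryUserName = $primaryInfo.UserName
                                    PrimaryIntegrityLevel = $primaryInfo.IntegrityLevel
                                    PrimaryType = $primaryInfo.Type
                                    PrimarySessionId = $primaryInfo.SessionId
                                }

                                Write-Output $obj
                            }
                            catch
                            {
                                # A thread without its own token is the normal case, so that
                                # specific error is not logged.
                                if($_.Exception.Message -ne 'OpenThreadToken Error: An attempt was made to reference a token that does not exist')
                                {
                                    Write-Verbose "Thread Token Handle"
                                    Write-Verbose $_.Exception.Message
                                }
                            }
                        }
                    }
                    finally
                    {
                        # The thread handle was previously closed only when the thread had a
                        # token, leaking one handle for every thread without one.
                        foreach($handle in @($hThreadToken, $hThread))
                        {
                            if($null -ne $handle)
                            {
                                try
                                {
                                    CloseHandle -Handle $handle
                                }
                                catch
                                {
                                    Write-Verbose "Close Handle: [Proc] $($proc.Id) [THREAD] $($thread.Id)"
                                    Write-Verbose $_.Exception.Message
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    end
    {
        RevertToSelf
    }
}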