How to fix the Win32 API function error: 1312 (GetTokenInformation) occurring for the below code used for creating a windows application.

Prem Jha 45

I have used the below code and it is working fine for most of the cases but for one windows machine it is failing at the section where we call 'GetTokenInformation' win32 API function and throws an error as ERROR: API = GetTokenInformation, error code = 1312, message = A specified logon session does not exist. It may already have been terminated.)
What could have gone wrong and how can we resolve this. Please help. Thanks!

// Logging on as the passed ssh user (not logged in user) which is non-Administrator
        if (!LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)) {
                DisplayError(L"LogonUser");
                goto Cleanup;
        }

        tokenUsed = hToken;
        
        // If the ssh user (not logged in user) is non-Administrator, we need linked token
        if (!adminUser)
        {
                if (!GetTokenInformation(hToken, TokenLinkedToken, &linkedToken, sizeof(TOKEN_LINKED_TOKEN), &returnLength))
                {
                        DisplayError(L"GetTokenInformation");
                        goto Cleanup;
                }

                // Duplicate the token to ensure valid usage
                if (!DuplicateTokenEx(linkedToken.LinkedToken, MAXIMUM_ALLOWED, NULL, SecurityIdentification, TokenPrimary, &hDupToken)) {
                        DisplayError(L"DuplicateTokenEx");
                        goto Cleanup;
                }

                tokenUsed = hDupToken;  // Use the duplicated token
        }

Jeanine Zhang-MSFT 9,666 Reputation points Microsoft Vendor

2024-09-10T06:33:19.3133333+00:00

The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.

The handle must have TOKEN_QUERY access.

Whether the issue only occurs on this one Windows. I suggest you could check the configuration of the Windows. Is this version of Windows the same as the version of other Windows?
Prem Jha 45 Reputation points

2024-09-10T08:38:15.89+00:00

It has the token_query access as it is working for the other windows machine. what should we done and what configs can be checked for the windows that could help?
Jeanine Zhang-MSFT 9,666 Reputation points Microsoft Vendor

2024-09-12T07:48:40.2566667+00:00

I suggest you could check if UAC is disabled. The "Never notify" setting disables UAC.
Prem Jha 45 Reputation points

2024-09-12T08:31:41.51+00:00

@Jeanine Zhang-MSFT I checked but that does not really made any difference as the UAC being enabled also gave the same error for standard users.

Accepted answer

RLWA32 45,326 Reputation points

2024-09-10T06:42:49.3633333+00:00

Ordinarily, a standard account (i.e., non-Administrator) will not have a linked token when UAC is enabled. Only accounts that are members of the Administrators group will have one when logged on with the usual Windows API functions such as LogonUser.

// If the ssh user (not logged in user) is non-Administrator, we need linked token

The posted code seems to be looking for a linked token for non-Administrator accounts which doesn't make sense to me.
Please sign in to rate this answer.

1 person found this answer helpful.
Prem Jha 45 Reputation points

2024-09-10T08:34:09.7833333+00:00

So that means according to you, this error would have occurred for the user which is not part of the administrator group? Once it is a part of administrator group then this error should have not occurred?

Prem Jha 45 Reputation points

2024-09-10T08:36:53.88+00:00

So that means if the used user is not part of the administrator group then it would have given us an error which I mentioned above. Had the user been the group of the administrators group then we have not been encountered this error? Is that so?

RLWA32 45,326 Reputation points

2024-09-10T09:23:59.2033333+00:00

So that means if the used user is not part of the administrator group then it would have given us an error which I mentioned above. Had the user been the group of the administrators group then we have not been encountered this error? Is that so?

Yes. For example, RLWA32 is a member of the Administrators group and Bozo is a standard user. GetTokenInformation for a linked token functioned as follows -

For RLWA32

For Bozo

Darran Rowe 916 Reputation points

2024-09-10T10:04:47.1466667+00:00

I will not say anything about this in relation to a standard user, but the reason why an administrator has a linked token is because of UAC. The linked token of the full administrator token is the restricted token. The linked token of the restricted administrator token is the full administrator token, appropriately protected of course.

Standard users don't naturally have this layout, and the documentation seems to imply that the only way a standard user token would have a token linked to it is if it was set by SetTokenInformation.

Prem Jha 45 Reputation points

2024-09-10T11:38:14.5266667+00:00

Thanks for the clarification! I will retry by adding the member in the Administrators group

Prem Jha 45 Reputation points

2024-09-12T05:46:52.9933333+00:00

@Darran Rowe @RLWA32 Are there any other instance apart from not being part of Administrators group where we can encounter this ERROR: API = GetTokenInformation, error code = 1312, message = A specified logon session does not exist. It may already have been terminated.)

RLWA32 45,326 Reputation points

2024-09-12T08:34:35.8266667+00:00

@Prem Jha, One exception that I have noticed is when a process is started by the Task Scheduler.

Run unelevated -

User RLWA32 is a member of the Administrators group Token Elevation type is TokenElevationTypeLimited Got linked token for RLWA32

Run elevated -

User RLWA32 is a member of the Administrators group Token Elevation type is TokenElevationTypeFull Got linked token for RLWA32

Run by Task Scheduler -

User RLWA32 is a member of the Administrators group Token Elevation type is TokenElevationTypeDefault (No linked token) GetTokenInformation (TokenLinkedToken) for RLWA32 failed: A specified logon session does not exist. It may already have been terminated.

Also, a linked token may not be present if a Windows Service starts a process with a token for a member of the Administrators group that was created by an S4U logon.

Prem Jha 45 Reputation points

2024-09-12T09:18:51.91+00:00

Ok understood, I used the interactive logon method for the user and the user was created using the control panel, create new user and just before GetTokenInformation function using the below code
LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)

Prem Jha 45 Reputation points

2024-09-12T09:26:15.0466667+00:00

I created the new user using the control panel and then used the interactive logon method before the GetTokenInformation function call which is as below.
LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)

Prem Jha 45 Reputation points

2024-09-12T09:30:54.5366667+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below.
LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken)
So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Prem Jha 45 Reputation points

2024-09-12T09:35:41.8666667+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Prem Jha 45 Reputation points

2024-09-12T09:37:09.05+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Prem Jha 45 Reputation points

2024-09-12T09:37:27.95+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Prem Jha 45 Reputation points

2024-09-12T09:38:17.1433333+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Prem Jha 45 Reputation points

2024-09-12T09:38:54.43+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

RLWA32 45,326 Reputation points

2024-09-12T13:29:41.9166667+00:00

@Prem Jha, It seems that the site has automatically deleted whatever you recently posted. You may want to try again or ask for a moderator to restore your deleted content.

Prem Jha 45 Reputation points

2024-09-12T13:48:59.4766667+00:00

@RLWA32 I created the new user using the usual control panel path.

Once the user was created then I started the windows installer where we are using all these Win32 API functions, there before the get token information function call we logged on to the newly created user using the below code and then looked for the token so I think we have not used the S4U logon method.

LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) tokenUsed = hToken; GetTokenInformation(hToken, TokenLinkedToken, &linkedToken, sizeof(TOKEN_LINKED_TOKEN), &returnLength)

Prem Jha 45 Reputation points

2024-09-12T13:49:42.4833333+00:00

I do not know why my comments are not getting posted every comment is being deleted automatically.

Prem Jha 45 Reputation points

2024-09-12T13:50:47.3066667+00:00

I have not used the S4U logon method, instead we created user manually using the control panel path only and then programmatically logged in using interactive method and move ahead with the token checking.

RLWA32 45,326 Reputation points

2024-09-12T15:13:46.39+00:00

I do not know why my comments are not getting posted every comment is being deleted automatically.

The Q&A site has had an ongoing problem with filters improperly performing automatic deletion of user posts. Recently, the volume of improper deletions has increased tremendously.

Anyway, has your question been answered?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Prem Jha 45 Reputation points

2024-09-12T09:35:50.0333333+00:00

@RLWA32 I used the control panel to create the new user and then used the interactive logon method just before GetTokenInformation which is as below. LogonUser(username.c_str(), domain.c_str(), password.c_str(), LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken) So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..
Please sign in to rate this answer.
Prem Jha 45 Reputation points

2024-09-13T10:45:19.8533333+00:00

Question is visible if you could check now.

RLWA32 45,326 Reputation points

2024-09-13T13:18:04.1533333+00:00

So, in our case the user created is not created by an S4Ulogon...

I think you misunderstand. S4U is a type of logon that does not require a user's password. It is not a way to create a user account. That is what the Task Scheduler uses when you specify that a task is to run whether or not the user is signed on and you don't save the user's credentials.

So, in our case the user created is not created by an S4Ulogon and thus it must fall under the 'Token Elevation type is TokenElevationTypeFull'..

Ordinarily, an elevated process running under an account that is a member of the Administrators group will have that token elevation type and a process that is not elevated but running under that same account will have an elevation type of TokenElevationTypeLimited.

The only reason why I mentioned an S4U logon was because you asked "Are there any other instance apart from not being part of Administrators group where we can encounter this ERROR: API = GetTokenInformation, error code = 1312, message = A specified logon session does not exist. It may already have been terminated.).

Prem Jha 45 Reputation points

2024-09-13T13:24:43.3933333+00:00

Thank you for the clarification @RLWA32 I will check if the process running under account is an elevated one or not and then move ahead with further debugging.

RLWA32 45,326 Reputation points

2024-09-17T13:43:54.14+00:00

Just checking back -- do you have any further questions about linked tokens or has my previous Answer resolved your issue?

Prem Jha 45 Reputation points

2024-09-18T11:12:13.6933333+00:00

Thanks @RLWA32 for looking into my query and yes the previous answer resolved the issue.

RLWA32 45,326 Reputation points

2024-09-18T11:31:36.2566667+00:00

Thanks @RLWA32 for looking into my query and yes the previous answer resolved the issue.

You're welcome. That being the case it would help others with a similar question if you accepted my posted Answer.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to fix the Win32 API function error: 1312 (GetTokenInformation) occurring for the below code used for creating a windows application.

1 additional answer

Your answer