As I understand, on Windows systems, a thread "gets" it’s own token, separate from the process’ token, upon impersonation.

One way to test that – the GetTokenInformation WinApi, called with the TokenType information class, retrieves the token type for a passed token. (if it exists/valid, of course)

My questions are regarding the purpose and lifetime of a thread’s access token, aka Impersonation Token –

1. Is there any other scenario, besides impersonation, when a thread gets it’s own token?
2. Does the token gets freed always upon impersonation end (RevertToSelf call) or are there scenarios when it’s lifetime might be prolonged and exceed a successful RevertToSelf call?
3. In which scenario will a GetTokenInformation WinApi, called with the TokenType information class return ERROR_NO_TOKEN and in which case will it return TokenPrimary? I mean, as I understand an error will occur if I’ll call the WinApi upon GetCurrentThreadToken(), if impersonation isn’t taking place. But why is TokenImpersonation isn’t returned in that scenario? I mean, in a case there’s no thread token, the process token should be used – according to MSDN. Or am I missing something here?

Source: Windows Questions