Token Module Command Reference
The token module in mimikatz exposes commands that inspect, enumerate, impersonate, and reuse Windows access tokens. Understanding how each command selects and manipulates tokens is essential before using it on a live system. This document explains every token:: command, the flags they accept, and why you would reach for each option in practice.

| Command | Purpose | Notable flags |
|---|---|---|
| token::whoami | Display the identities of the current process and thread tokens. | /full |
| token::list | Enumerate accessible tokens on the machine. | Common selection flags such as /id, /user, /admin, /domainadmin, /enterpriseadmin, /system, /localservice, /networkservice |
| token::elevate | Duplicate and impersonate one of the listed tokens. | Same selection flags as token::list |
| token::run | Spawn a process under a duplicated token. | Same selection flags as token::list, plus /process |
| token::revert | Drop any impersonated token from the current thread. | (none) |

All commands are registered in kuhl_m_token.c, which is the source of truth for the module’s behavior. [kuhl_m_token.c:L8-L60] The rest of this guide walks through the details.

token::whoami

token::whoami prints information for both the process token and (if present) the thread token of the current mimikatz session. [kuhl_m_token.c:L21-L41] The summary view contains:

/full – Any argument causes the command to request full group and privilege detail for each token. Internally the function treats a non-zero argument count as a request for expanded output, retrieving every group SID and privilege attribute tied to the token. [kuhl_m_token.c:L27-L36, L214-L245] Use this when you need to understand exactly which security groups or privileges are active (for example, before deciding whether a token is useful for lateral movement).

token::list

token::list iterates over every accessible token from other processes and prints the same summary output as whoami alongside the owning process ID. [kuhl_m_token.c:L45-L131, L254-L310] This is the reconnaissance view for deciding which tokens are interesting.

The listing routine supports several mutually compatible filters. If multiple filters are provided, the token must match all of them before it is displayed or reused. These filters are also honored by token::elevate and token::run because all three commands share the same handler. [kuhl_m_token.c:L63-L138]

- /id:<tokenId> – Match a specific token by its numeric Token ID. [kuhl_m_token.c:L75-L78] Use this to target a token you already identified from a previous token::list run; it eliminates ambiguity when several processes share the same account.
- /user:<account> – Match tokens whose account name equals the supplied value, case-insensitively. [kuhl_m_token.c:L73-L74, L270-L277] Helpful when you want to see every token belonging to a user regardless of process.
- /admin – Require membership in the local Builtin Administrators group by resolving its well-known SID. [kuhl_m_token.c:L83-L125, L282-L293] Use this to quickly surface high-privilege local tokens.
- /domainadmin – Require membership in the Domain Admins group of the current domain. The command first discovers the domain SID before constructing the group SID. [kuhl_m_token.c:L79-L107] Choose this when you want to pivot specifically to domain-wide administrators.
- /enterpriseadmin – Same as /domainadmin, but for the Enterprise Admins group. [kuhl_m_token.c:L81-L107] Relevant in multi-domain forests where enterprise privileges are valuable.
- /system – Target the Local System account by comparing against its well-known SID. [kuhl_m_token.c:L95-L103, L281-L293] This is the fastest way to identify or impersonate SYSTEM-level tokens.
- /localservice – Match the Local Service account by SID and require that the SID is the user SID of the token, not just a group membership. [kuhl_m_token.c:L85-L94, L282-L291] Use this to adopt service-level identities for constrained delegation or service abuse scenarios.
- /networkservice – Same logic as /localservice, but for the Network Service account. [kuhl_m_token.c:L90-L94, L282-L291] Useful when you need a network-authenticating service context.

If no filter is provided, the command simply walks every token it can duplicate, which is ideal for exploratory auditing. [kuhl_m_token.c:L109-L138]

token::elevate

token::elevate shares the same filtering logic as token::list, but instead of only printing matches it duplicates the first qualifying token into an impersonation token and attaches it to the current thread. [kuhl_m_token.c:L51-L138, L295-L321] After a successful impersonation, mimikatz automatically calls token::whoami so you can verify the new identity. [kuhl_m_token.c:L319-L320] Use this command whenever you want mimikatz itself to begin operating with the privileges of another process (for example, before dumping LSASS).

All of the selection flags described under token::list apply here. Providing a filter is highly recommended so that you only impersonate the intended user or privilege level and stop the enumeration once the match is found. [kuhl_m_token.c:L254-L335] Without a filter, the command impersonates the first token it can duplicate, which may not be the desired identity.

token::run

token::run also reuses the common filtering logic, but it duplicates the target token as a primary token and launches a new process with it. [kuhl_m_token.c:L57-L138, L300-L327] By default the spawned command is whoami.exe, so you immediately see the resulting identity. You can change that behavior with an additional flag:

/process:<command line> – Specify the exact process command line to run under the selected token; if omitted, mimikatz executes whoami.exe. The command line is duplicated and executed with inherited standard handles so that output is streamed back into mimikatz, and the call waits for the child process to finish. [kuhl_m_token.c:L71-L72, L324-L325; kuhl_m_process.c:L219-L263] Use this when you want to start another tool (for example, cmd.exe or a PowerShell payload) in the context of the captured token.

All other selection flags from token::list apply and serve the same purpose of narrowing down which token is duplicated before the process is started. [kuhl_m_token.c:L63-L138] If the process creation succeeds, enumeration stops immediately so that only the chosen token is used. [kuhl_m_token.c:L324-L327]

token::revert

token::revert removes any impersonation token from the current thread by calling SetThreadToken(NULL, NULL) and then redisplays the active identities with token::whoami. [kuhl_m_token.c:L141-L145] Run this after you finish elevated actions so that the mimikatz session falls back to the original process token.

- Combine /id or /user with privilege-based flags when multiple high-value tokens exist; the command only impersonates or runs with the first match, so specificity keeps you in control. [kuhl_m_token.c:L254-L335]
- The /localservice and /networkservice switches check the token’s user SID directly. This makes them ideal for acquiring those built-in service accounts even if they are not members of Administrator groups. [kuhl_m_token.c:L85-L94, L282-L291]
- Run token::revert whenever you are done impersonating to avoid accidentally running later commands with unexpected privileges. [kuhl_m_token.c:L141-L145]

With these details you can confidently operate every facet of the token module while understanding how and why each flag changes the result.
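
For detection and incident response, the command and flag names documented above are what appears in process-creation command lines when mimikatz is given its commands as arguments. The following is an added example, not code from mimikatz or from this reference: it parses token:: commands out of command lines, reports which selection filters were used, and flags elevate/run without a filter and elevate without a later revert. The function names, severity labels and sample command lines are assumptions constructed for illustration.

```python
import re

# Command names and selection flags are the ones listed in this reference.
COMMANDS = {"whoami", "list", "elevate", "run", "revert"}
SELECTORS = {"id", "user", "admin", "domainadmin", "enterpriseadmin",
             "system", "localservice", "networkservice"}
ACTING = {"elevate", "run"}  # these duplicate a token and then use it

# token::<cmd> plus its arguments, up to a quote or the next module::command
TOKEN_CMD = re.compile(r'token::(\w+)((?:(?!\s\w+::)[^"])*)', re.I)
FLAG = re.compile(r'/(\w+)(?::(\S+))?')

def analyze(cmdline):
    """Return one finding per token:: command found in a process command line."""
    findings = []
    for cmd, args in TOKEN_CMD.findall(cmdline):
        cmd = cmd.lower()
        if cmd not in COMMANDS:
            continue
        flags = {k.lower(): v for k, v in FLAG.findall(args)}
        selectors = sorted(SELECTORS & set(flags))
        notes = []
        if cmd in ACTING and not selectors:
            notes.append("no filter: first duplicable token is used")
        if cmd == "run":  # default child process per the reference is whoami.exe
            notes.append("child process: " + (flags.get("process") or "whoami.exe"))
        # Severity labels are this example's own triage assumption.
        severity = "high" if cmd in ACTING else "medium" if cmd == "list" else "low"
        findings.append({"command": cmd, "selectors": selectors,
                         "severity": severity, "notes": notes})
    return findings

def left_impersonating(cmdline):
    """True if the last token::elevate is not followed by token::revert."""
    order = [f["command"] for f in analyze(cmdline)]
    if "elevate" not in order:
        return False
    last_elevate = len(order) - 1 - order[::-1].index("elevate")
    return "revert" not in order[last_elevate + 1:]

# Constructed process-creation command lines (not taken from real logs).
SAMPLES = [
    r'C:\Temp\tool.exe "token::elevate /domainadmin" "token::revert"',
    r'tool.exe "token::run /user:svc_backup /process:cmd.exe"',
    r'tool.exe "token::elevate"',
    r'C:\Windows\System32\whoami.exe /all',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, analyze(line), left_impersonating(line), sep="\n  ")
```

The match keys on the command string rather than the image name, so a renamed binary is still caught. Commands typed at the interactive mimikatz prompt never reach a process command line, so this check covers only scripted, argument-driven use.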