When a non-Administrator logs into Windows Vista, they are
granted a standard user token. All work that user does in Vista is done under
the privileges granted by that token. If a non-Administrator with only a
standard user token attempts to perform an action that requires elevated
privileges, Vista will prompt them to enter Administrator credentials (user
name and password). If elevated privileges are granted, a new token with
Administrative privileges is created for that process. When the process ends,
the token is destroyed. Tokens can be passed from parent processes to child
processes, but beyond that there is no sharing of tokens among processes.

When an Administrator logs into Windows Vista, two tokens
are created: a standard user token and an Administrator token. As with a
non-Administrative user, the Administrator will generally operate with their
standard user token. When the Administrator attempts to perform an action that
requires Administrative privileges, UAC prompts the user to allow the action.
If the Administrator consents, a copy of the user's Administrative token is
created. The process requiring elevation uses that copy to perform its
functions. As in the previous example, once the process is complete the token is
destroyed. Also as in the previous example, a parent may pass the token to a
child process, but no other sharing of tokens between processes is allowed.
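
To see which of the tokens described above a process is actually running with, the following added example (not part of the original text) reads the token's elevation type through the Win32 calls OpenProcessToken and GetTokenInformation and maps it to the cases in the two paragraphs. The function names classify and current_elevation_type and the CASES table are hypothetical names chosen for this illustration.

```python
import ctypes
import sys

TOKEN_QUERY = 0x0008             # access right needed to read token information
TOKEN_ELEVATION_TYPE_CLASS = 18  # TokenElevationType in TOKEN_INFORMATION_CLASS

# TOKEN_ELEVATION_TYPE values (winnt.h) mapped to the cases in the text:
# value -> (API name, token the process holds, prompt UAC shows on elevation)
CASES = {
    1: ("TokenElevationTypeDefault", "standard user token, no second token", "credentials"),
    3: ("TokenElevationTypeLimited", "Administrator's standard user token", "consent"),
    2: ("TokenElevationTypeFull", "elevated Administrative token for this process", None),
}

def classify(elevation_type):
    """Describe a TOKEN_ELEVATION_TYPE value in the terms used above."""
    if elevation_type not in CASES:
        raise ValueError("unknown TOKEN_ELEVATION_TYPE: %r" % (elevation_type,))
    name, token, prompt = CASES[elevation_type]
    return {"name": name, "token": token, "prompt": prompt}

def current_elevation_type():
    """Return the elevation type of this process's own token (Windows only)."""
    if sys.platform != "win32":
        raise OSError("token queries require Windows Vista or later")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    HANDLE, DWORD = ctypes.c_void_p, ctypes.c_ulong
    k32.GetCurrentProcess.restype = HANDLE   # avoid truncating 64-bit handles
    k32.CloseHandle.argtypes = [HANDLE]
    adv.OpenProcessToken.argtypes = [HANDLE, DWORD, ctypes.POINTER(HANDLE)]
    adv.GetTokenInformation.argtypes = [HANDLE, ctypes.c_int, ctypes.c_void_p,
                                        DWORD, ctypes.POINTER(DWORD)]
    token = HANDLE()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value, size = DWORD(), DWORD()
        if not adv.GetTokenInformation(token, TOKEN_ELEVATION_TYPE_CLASS, ctypes.byref(value),
                                       ctypes.sizeof(value), ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        return value.value
    finally:
        k32.CloseHandle(token)  # the handle is released; the token itself lives with the process

if __name__ == "__main__":
    if sys.platform == "win32":
        print(classify(current_elevation_type()))
    else:
        for constructed in (1, 3, 2):  # constructed sample values, not a live query
            print(constructed, classify(constructed))
```

Because a child process inherits its parent's token, running this from an elevated command prompt and from a normal one on the same Administrator account reports the Full and Limited cases respectively.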