Windows Security Reference Monitor (SRM) is used to check if a process (owned by a user) is allowed to access a resource (files / groups / ACL’s).

The SRM check for 3 things:

• Integrity level - if the integrity level of the access token is lower than the integrity level of the requested resource than the request is denied. Integrity level are low, Medium, High and System. Normal user run as low.
• Owner
• ACL

Access Token - Is granted by the LSASS, and determine the access level. It include the user SID, privilege, integrity level, privileges and more. New process/thread inherits a token from parents process.

There are 2 types of access tokens:

• Primary - Default security information of a process or thread.
• Impersonation - Allow impersonation of other users in order to perform action.