Overview
An access token is an object encapsulating the security descriptor of a process. Attached to a process, a security descriptor identifies the owner of the object (in this case, the process) and ACLs that specify access rights allowed or denied to the owner of the object. While a token is used to represent only the security information, it is technically free-form and can enclose any data. The access token is used by Windows when the process or thread tries to interact with objects whose security descriptors enforce access control (securable objects). An access token is represented by the system object of type Token. Because a token is a regular system object, access to a token itself can be controlled by attaching a security descriptor, but it is generally never done in practice.
The access token is generated by the logon service when a user logs on to the system and the credentials provided by the user are authenticated against the authentication database, by specifying the rights the user has in the security descriptor enclosed by the token. The token is attached to every process created by the user session (processes whose owner is the user). Whenever such a process accesses any resource which has access control enabled, Windows looks up in the security descriptor in the access token whether the user owning the process is eligible to access the data, and if so, what operations (read, write/modify, etc.) the user is allowed to do. If the accessing operation is allowed in the context of the user, Windows allows the process to continue with the operation, else it is denied access.
Read more about this topic: Access Token