TokenUniverse
TokenUniverse is a Windows-native desktop application written in Delphi/Pascal that provides advanced UI-based manipulation of Windows access tokens, security policies, and process privileges. It enables security researchers, system administrators, and penetration testers to view, create, modify, and impersonate tokens across a range of privilege levels.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | diversenok/TokenUniverse |
| Owner | diversenok |
| Primary language | Pascal |
| License | MIT — OSI-approved |
| Stars | 662 |
| Forks | 69 |
| Open issues | 1 |
| Latest release | v0.5 (2023-08-07) |
| Last updated | 2026-07-04 |
| Source | https://github.com/diversenok/TokenUniverse |
What TokenUniverse is
A compiled Windows GUI tool exposing native Windows APIs (NtCreateToken, CreateProcessAsUser, LSA/SAM interfaces) for token manipulation, process spawning, access control verification, and security descriptor editing. Built in Embarcadero Delphi 10.4, it relies on the NtUtils library and VirtualTree VCL components; targets Windows 7 and later.
Get the TokenUniverse source
Clone the repository and explore it locally.
git clone https://github.com/diversenok/TokenUniverse.gitcd TokenUniverse# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Embarcadero Delphi Community Edition (free) or licensed version to build from source; pre-compiled binaries available on releases page.
- Must clone repository with Git submodule dependencies (--recurse-submodules) and install VirtualTree VCL package via GetIt Package Manager; non-trivial build setup.
- Operates across privilege contexts (user to SYSTEM); runs as GUI only; intended for security labs and admin workstations, not production servers or user-facing systems.
- Debug symbols (TokenUniverse.dbg) available for crash diagnosis; supports Windows 7 and above, but modern Windows (10/11) mitigation policies and AppContainer isolation may limit functionality.
- Single-author maintenance; design and feature set frozen at v0.5 (Aug 2023); no roadmap for future Windows versions or security features.
When to avoid it — and what to weigh
- Need Cross-Platform Support — Windows-only tool; no macOS, Linux, or cloud-native support. Not suitable for heterogeneous or containerized environments.
- Require API/Headless Integration — No documented API, command-line interface, or library interface. Only a desktop GUI; cannot be automated in scripts or CI/CD pipelines without manual wrapper development.
- Expect Active Commercial Support — Single-author, community-driven open-source project with no SLA, vendor support, or commercial backing. One open issue; latest release August 2023; use at own risk for production security decisions.
- Low Tolerance for Privilege Escalation Risk — Tool explicitly designed to create, elevate, and manipulate tokens; intended for secure lab environments, not for end-user deployment or untrusted settings.
License & commercial use
MIT License. Permits commercial and private use, modification, and distribution provided original copyright notice and license text are retained. No liability disclaimer applies to the licensor. Full OSI-compliant permissive license.
MIT license permits commercial use without requiring payment or permission. However, this is a single-author open-source tool with no commercial support, warranty, or SLA. Use in production or high-stakes environments requires independent review, testing, and acceptance of risk. No vendor indemnification or support contracts available.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Moderate |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Possible |
| Assessment confidence | High |
Tool is explicitly designed to manipulate Windows security primitives (tokens, privileges, ACLs) at high privilege levels. Intended for controlled lab environments, not production systems or untrusted networks. User must understand Windows security model to avoid unintended privilege escalation or access control bypass. No input validation hardening or privilege-dropping discussed; treat as a research tool, not a security-hardened product. Runs as GUI with full process privileges; risk of malicious use if compromised or misused.
Alternatives to consider
Process Monitor + ProcDump + WinDbg
Command-line and GUI Windows Sysinternals tools for process inspection, token listing, and debugging; more established, documented, and integrated into Windows ecosystem. Lacks token creation/manipulation UI.
Mimikatz
Open-source Windows post-exploitation utility for credential extraction and token manipulation; command-line only, more targeted for penetration testing. No GUI, different threat model, higher detection risk.
PowerShell + Get-Token + Win32 API wrappers
Scriptable, platform-agnostic (PowerShell 7+ on Linux/macOS possible), integrates into automation/CI-CD. Requires custom script development; less turnkey than TokenUniverse GUI.
Build on TokenUniverse with DEV.co software developers
TokenUniverse is a powerful lab tool for security researchers and admins. If you need production-grade token management, custom security tooling, or enterprise Windows hardening, Devco's security-focused engineering team can design and build solutions tailored to your organization.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
TokenUniverse FAQ
Can I run TokenUniverse without admin/SYSTEM privileges?
Is TokenUniverse suitable for production Windows servers?
Can I automate TokenUniverse in scripts or CI/CD?
What Windows versions are supported?
Work with a software development agency
Need help beyond evaluating TokenUniverse? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Need Expert Windows Security Analysis?
TokenUniverse is a powerful lab tool for security researchers and admins. If you need production-grade token management, custom security tooling, or enterprise Windows hardening, Devco's security-focused engineering team can design and build solutions tailored to your organization.