DEV.co
Open-Source Security · diversenok

TokenUniverse

TokenUniverse is a Windows-native desktop application written in Delphi/Pascal that provides advanced UI-based manipulation of Windows access tokens, security policies, and process privileges. It enables security researchers, system administrators, and penetration testers to view, create, modify, and impersonate tokens across a range of privilege levels.

Source: GitHub — github.com/diversenok/TokenUniverse
662
GitHub stars
69
Forks
Pascal
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydiversenok/TokenUniverse
Ownerdiversenok
Primary languagePascal
LicenseMIT — OSI-approved
Stars662
Forks69
Open issues1
Latest releasev0.5 (2023-08-07)
Last updated2026-07-04
Sourcehttps://github.com/diversenok/TokenUniverse

What TokenUniverse is

A compiled Windows GUI tool exposing native Windows APIs (NtCreateToken, CreateProcessAsUser, LSA/SAM interfaces) for token manipulation, process spawning, access control verification, and security descriptor editing. Built in Embarcadero Delphi 10.4, it relies on the NtUtils library and VirtualTree VCL components; targets Windows 7 and later.

Quickstart

Get the TokenUniverse source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/diversenok/TokenUniverse.gitcd TokenUniverse# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Research & Penetration Testing

Directly inspect and manipulate Windows access tokens, test privilege escalation vectors, verify access control policies, and analyze token-based attack surfaces without writing custom native code.

Windows Security Policy Auditing

View and edit LSA security settings, audit privilege assignments, check logon rights, and verify security descriptors across system objects to identify misconfigurations.

System Administration & Privilege Management

Operate across privilege levels from LPAC AppContainer to SYSTEM with SeCreateTokenPrivilege; spawn processes under specific tokens to test access and isolate workloads.

Implementation considerations

  • Requires Embarcadero Delphi Community Edition (free) or licensed version to build from source; pre-compiled binaries available on releases page.
  • Must clone repository with Git submodule dependencies (--recurse-submodules) and install VirtualTree VCL package via GetIt Package Manager; non-trivial build setup.
  • Operates across privilege contexts (user to SYSTEM); runs as GUI only; intended for security labs and admin workstations, not production servers or user-facing systems.
  • Debug symbols (TokenUniverse.dbg) available for crash diagnosis; supports Windows 7 and above, but modern Windows (10/11) mitigation policies and AppContainer isolation may limit functionality.
  • Single-author maintenance; design and feature set frozen at v0.5 (Aug 2023); no roadmap for future Windows versions or security features.

When to avoid it — and what to weigh

  • Need Cross-Platform Support — Windows-only tool; no macOS, Linux, or cloud-native support. Not suitable for heterogeneous or containerized environments.
  • Require API/Headless Integration — No documented API, command-line interface, or library interface. Only a desktop GUI; cannot be automated in scripts or CI/CD pipelines without manual wrapper development.
  • Expect Active Commercial Support — Single-author, community-driven open-source project with no SLA, vendor support, or commercial backing. One open issue; latest release August 2023; use at own risk for production security decisions.
  • Low Tolerance for Privilege Escalation Risk — Tool explicitly designed to create, elevate, and manipulate tokens; intended for secure lab environments, not for end-user deployment or untrusted settings.

License & commercial use

MIT License. Permits commercial and private use, modification, and distribution provided original copyright notice and license text are retained. No liability disclaimer applies to the licensor. Full OSI-compliant permissive license.

MIT license permits commercial use without requiring payment or permission. However, this is a single-author open-source tool with no commercial support, warranty, or SLA. Use in production or high-stakes environments requires independent review, testing, and acceptance of risk. No vendor indemnification or support contracts available.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

Tool is explicitly designed to manipulate Windows security primitives (tokens, privileges, ACLs) at high privilege levels. Intended for controlled lab environments, not production systems or untrusted networks. User must understand Windows security model to avoid unintended privilege escalation or access control bypass. No input validation hardening or privilege-dropping discussed; treat as a research tool, not a security-hardened product. Runs as GUI with full process privileges; risk of malicious use if compromised or misused.

Alternatives to consider

Process Monitor + ProcDump + WinDbg

Command-line and GUI Windows Sysinternals tools for process inspection, token listing, and debugging; more established, documented, and integrated into Windows ecosystem. Lacks token creation/manipulation UI.

Mimikatz

Open-source Windows post-exploitation utility for credential extraction and token manipulation; command-line only, more targeted for penetration testing. No GUI, different threat model, higher detection risk.

PowerShell + Get-Token + Win32 API wrappers

Scriptable, platform-agnostic (PowerShell 7+ on Linux/macOS possible), integrates into automation/CI-CD. Requires custom script development; less turnkey than TokenUniverse GUI.

Software development agency

Build on TokenUniverse with DEV.co software developers

TokenUniverse is a powerful lab tool for security researchers and admins. If you need production-grade token management, custom security tooling, or enterprise Windows hardening, Devco's security-focused engineering team can design and build solutions tailored to your organization.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

TokenUniverse FAQ

Can I run TokenUniverse without admin/SYSTEM privileges?
Yes; the tool operates across privilege levels from LPAC AppContainer to SYSTEM. Functionality varies by privilege; some operations (e.g., opening arbitrary process tokens) require elevation.
Is TokenUniverse suitable for production Windows servers?
No. It is a research and lab tool intended for security engineers and administrators in controlled environments. Not hardened for production, no commercial support, and designed to enable privilege escalation.
Can I automate TokenUniverse in scripts or CI/CD?
Not natively. The tool is GUI-only with no CLI or API. Automation would require custom wrapper scripts (e.g., UI automation, process spawning) and is not recommended.
What Windows versions are supported?
Windows 7 and above. Specific support for Windows 10/11 security features (e.g., modern AppContainer isolation, mitigation policies) is not documented.

Work with a software development agency

Need help beyond evaluating TokenUniverse? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Need Expert Windows Security Analysis?

TokenUniverse is a powerful lab tool for security researchers and admins. If you need production-grade token management, custom security tooling, or enterprise Windows hardening, Devco's security-focused engineering team can design and build solutions tailored to your organization.