diff --git a/UnitTests/Win.cpp b/UnitTests/Win.cpp
index b470c316..0db67539 100644
--- a/UnitTests/Win.cpp
+++ b/UnitTests/Win.cpp
@@ -37,6 +37,27 @@ namespace UnitTests
 Assert::IsTrue(::CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid));
 }
 
+ TEST_METHOD(DuplicateTokenEx)
+ {
+ winstd::win_handle processToken;
+ Assert::IsTrue(::OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, processToken));
+ winstd::win_handle token;
+ Assert::IsTrue(::DuplicateTokenEx(processToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityIdentification, TokenImpersonation, &token));
+ }
+
+ TEST_METHOD(CheckTokenMembership)
+ {
+ std::unique_ptr sid;
+ Assert::IsTrue(::CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, sid));
+ winstd::win_handle processToken;
+ Assert::IsTrue(::OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, processToken));
+ winstd::win_handle token;
+ Assert::IsTrue(::DuplicateTokenEx(processToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityIdentification, TokenImpersonation, &token));
+ BOOL bIsMember = 0xcdcdcdcd;
+ Assert::IsTrue(::CheckTokenMembership(token, sid.get(), &bIsMember));
+ Assert::IsTrue(bIsMember == TRUE || bIsMember == FALSE);
+ }
+
 TEST_METHOD(library)
 {
 winstd::library lib_shell32(LoadLibraryEx(_T("shell32.dll"), NULL, LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE));
diff --git a/include/WinStd/Win.h b/include/WinStd/Win.h
index 76190509..32485b83 100644
--- a/include/WinStd/Win.h
+++ b/include/WinStd/Win.h
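Review bot: Both new tests pass `&token` as the last argument to `::DuplicateTokenEx`, while the overload added in include/WinStd/Win.h takes `winstd::win_handle &NewToken`. If `&token` yields a `HANDLE*` (the definition of `win_handle` is not visible here), these calls bind to the raw Win32 function and the new wrapper is never exercised. Passing the object itself, as the `OpenProcessToken` calls in the same tests do, would cover it: `Assert::IsTrue(::DuplicateTokenEx(processToken, TOKEN_QUERY | TOKEN_IMPERSONATE, NULL, SecurityIdentification, TokenImpersonation, token));`. The enclosing test class starts and ends outside the hunk.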
@@ -2414,6 +2414,21 @@ static BOOL OpenProcessToken(_In_ HANDLE ProcessHandle, _In_ DWORD DesiredAccess
 return FALSE;
 }
 
+///
+/// Creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
+///
+/// \sa [DuplicateTokenEx function](https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex)
+///
+static BOOL DuplicateTokenEx(_In_ HANDLE hExistingToken, _In_ DWORD dwDesiredAccess, _In_opt_ LPSECURITY_ATTRIBUTES lpTokenAttributes, _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, _In_ TOKEN_TYPE TokenType, _Inout_ winstd::win_handle &NewToken)
+{
+ HANDLE h;
+ if (DuplicateTokenEx(hExistingToken, dwDesiredAccess, lpTokenAttributes, ImpersonationLevel, TokenType, &h)) {
+ NewToken.attach(h);
+ return TRUE;
+ }
+ return FALSE;
+}
+
 #pragma warning(pop)
 
 /// @}
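Review bot: The doc comment on the new `DuplicateTokenEx` overload says nothing about handle ownership or the access the duplicate carries, which is what a caller of a token helper most needs to know. I would add `/// \param[in,out] NewToken Receives the duplicated token on success; left untouched when the call fails.` and `/// \note Request only the access rights the caller needs in dwDesiredAccess; zero requests the same rights as hExistingToken.` Whether `attach()` closes a handle that `NewToken` already holds is not visible in this hunk, so that behaviour should be stated in the comment as well. A `\return` line noting that `GetLastError()` still carries the Win32 error on `FALSE` would complete the contract.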