diff --git a/project/common.mk b/project/common.mk
index 0ec9d59..717cf04 100644
--- a/project/common.mk
+++ b/project/common.mk
@@ -9,6 +9,7 @@ INTERNAL_SRCS = \
 	src/daemon/toks_daemon_connect.c \
 	src/daemon/toks_daemon_init.c \
 	src/daemon/toks_daemon_loop.c \
+	src/daemon/toks_daemon_pidopen.c \
 	src/daemon/toks_daemon_release.c \
 	src/daemon/toks_daemon_signal.c \
 	src/driver/toks_amain.c \
diff --git a/src/daemon/toks_daemon_acquire.c b/src/daemon/toks_daemon_acquire.c
index 567eb68..d4802d8 100644
--- a/src/daemon/toks_daemon_acquire.c
+++ b/src/daemon/toks_daemon_acquire.c
@@ -178,6 +178,13 @@ int32_t __stdcall toks_daemon_acquire(struct toks_daemon_ctx * dctx)
 
 	(void)timeout;
 
+	if (msg->ipcinfo.ctrlsvc.keys.key[0]) {
+		if ((status = toks_daemon_pidopen(dctx)))
+			return status;
+
+		client.cid.process_id = msg->ipcinfo.ctrlsvc.keys.key[1];
+	}
+
 	if ((status = ntapi->zw_open_process(
 			&client.hprocess,
 			NT_PROCESS_SYNCHRONIZE | NT_PROCESS_QUERY_INFORMATION,
diff --git a/src/daemon/toks_daemon_pidopen.c b/src/daemon/toks_daemon_pidopen.c
new file mode 100644
index 0000000..2c816fe
--- /dev/null
+++ b/src/daemon/toks_daemon_pidopen.c
@@ -0,0 +1,103 @@
+/*********************************************************/
+/*  toksvc: a framework-native token broker service      */
+/*  Copyright (C) 2020  Z. Gilboa                        */
+/*  Released under GPLv2 and GPLv3; see COPYING.TOKSVC.  */
+/*********************************************************/
+
+#include <psxtypes/psxtypes.h>
+#include <ntapi/ntapi.h>
+
+#include <toksvc/toksvc.h>
+#include "toksvc_daemon_impl.h"
+#include "toksvc_driver_impl.h"
+
+#include <psxabi/sys_daemon.h>
+
+static const nt_guid	g_pidany    = NT_PROCESS_GUID_PIDANY;
+static const wchar16_t	p_pidany[6] = NT_PROCESS_OBJDIR_PREFIX_PIDANY;
+
+static int32_t toks_daemon_pid_connect(
+	struct toks_driver_ctx * dctx,
+	int32_t pid, void ** hipc)
+{
+	int32_t			status;
+	void *			hpidany;
+	void *			hpiddir;
+	nt_oa			ipcoa;
+	nt_unicode_string	pidname;
+	wchar16_t		pidnamebuf[8];
+
+	/* hpiddir */
+	if (!(hpiddir = toks_get_driver_hpiddir(dctx))) {
+		if ((status = ntapi->tt_open_ipc_object_directory(
+				&hpiddir,
+				NT_SEC_READ_CONTROL
+					| NT_DIRECTORY_QUERY
+					| NT_DIRECTORY_TRAVERSE
+					| NT_DIRECTORY_CREATE_OBJECT
+					| NT_DIRECTORY_CREATE_SUBDIRECTORY,
+				p_pidany,&g_pidany)))
+			return status;
+
+		toks_set_driver_hpiddir(dctx,hpiddir);
+	}
+
+	/* pid entry name */
+	ntapi->tt_uint32_to_hex_utf16(
+		pid,pidnamebuf);
+
+	pidname.strlen = sizeof(pidnamebuf);
+	pidname.maxlen = sizeof(pidnamebuf);;
+	pidname.buffer = pidnamebuf;
+
+        /* open symlink */
+        ipcoa.len      = sizeof(ipcoa);
+        ipcoa.root_dir = hpiddir;
+        ipcoa.obj_name = &pidname;
+        ipcoa.obj_attr = 0;
+        ipcoa.sec_desc = 0;
+        ipcoa.sec_qos  = 0;
+
+        if ((status = ntapi->zw_open_symbolic_link_object(
+			&hpidany,
+			NT_SEC_STANDARD_RIGHTS_READ | NT_GENERIC_READ,
+			&ipcoa)))
+		return status;
+
+	status = ntapi->ipc_connect_by_symlink(
+		hipc,hpidany);
+
+	ntapi->zw_close(hpidany);
+
+	return status;
+}
+
+int32_t toks_daemon_pidopen(struct toks_daemon_ctx * dctx)
+{
+	int32_t			status;
+	nt_tty_session_msg	msg;
+	void *			hipc;
+	int32_t			pid;
+
+	pid = dctx->reply.ipcinfo.ctrlsvc.keys.key[0];
+
+	if ((status = toks_daemon_pid_connect(dctx->driver_ctx,pid,&hipc)))
+		return status;
+
+	ntapi->tt_aligned_block_memset(
+		&msg,0,sizeof(msg));
+
+	msg.header.msg_type		= NT_LPC_NEW_MESSAGE;
+	msg.header.data_size		= sizeof(msg.data);
+	msg.header.msg_size		= sizeof(msg);
+	msg.data.ttyinfo.opcode		= PSX_DAEMON_IOCTL_PIDQUERY;
+
+	if ((status = ntapi->zw_request_wait_reply_port(hipc,&msg,&msg)))
+		return status;
+	else if (msg.data.ttyinfo.status)
+		return msg.data.ttyinfo.status;
+
+	dctx->reply.ipcinfo.ctrlsvc.keys.key[1] = msg.data.sessioninfo.syspid;
+
+	return NT_STATUS_SUCCESS;
+}
diff --git a/src/internal/toksvc_daemon_impl.h b/src/internal/toksvc_daemon_impl.h
index 614dd24..487722e 100644
--- a/src/internal/toksvc_daemon_impl.h
+++ b/src/internal/toksvc_daemon_impl.h
@@ -61,6 +61,7 @@ int32_t __stdcall toks_daemon_loop(void *);
 int32_t __stdcall toks_daemon_connect(struct toks_daemon_ctx *);
 int32_t __stdcall toks_daemon_signal(struct toks_daemon_ctx *);
 int32_t __stdcall toks_daemon_acquire(struct toks_daemon_ctx *);
+int32_t __stdcall toks_daemon_pidopen(struct toks_daemon_ctx *);
 int32_t __stdcall toks_daemon_release(struct toks_daemon_ctx *);
 
 #endif
diff --git a/src/internal/toksvc_driver_impl.h b/src/internal/toksvc_driver_impl.h
index a643ae6..2fec8b6 100644
--- a/src/internal/toksvc_driver_impl.h
+++ b/src/internal/toksvc_driver_impl.h
@@ -42,6 +42,7 @@ struct toks_driver_ctx_impl {
 	struct _nt_port_keys    keys;
 	void *			hevent;
 	void *			hsvcdir;
+	void *			hpiddir;
 	void *			hsvclink;
 	void *			hservice;
 	int			ntokens;
@@ -88,6 +89,20 @@ static inline void toks_set_driver_hsvcdir(const struct toks_driver_ctx * dctx, 
 	ictx->hsvcdir = hsvcdir;
 }
 
+static inline void * toks_get_driver_hpiddir(const struct toks_driver_ctx * dctx)
+{
+	struct toks_driver_ctx_impl * ictx;
+	ictx = toks_get_driver_ictx(dctx);
+	return ictx->hpiddir;
+}
+
+static inline void toks_set_driver_hpiddir(const struct toks_driver_ctx * dctx, void * hpiddir)
+{
+	struct toks_driver_ctx_impl * ictx;
+	ictx = toks_get_driver_ictx(dctx);
+	ictx->hpiddir = hpiddir;
+}
+
 static inline void * toks_get_driver_hsvclink(const struct toks_driver_ctx * dctx)
 {
 	struct toks_driver_ctx_impl * ictx;