You can examine the token for a process with the !token command. You'll find the address of the token in the output of the !process command, as shown here:
lkd> !process d6c 1
Searching for Process with Cid == d6c
PROCESS 85450508 SessionId: 1 Cid: 0d6c Peb: 7ffda000 ParentCid: 0ecc
DirBase: cc9525e0 ObjectTable: afd75518 HandleCount: 18.
Image: cmd.exe
VadRoot 85328e78 Vads 24 Clone 0 Private 148. Modified 0. Locked 0.
DeviceMap a0688138
Token afd48470
ElapsedTime 01:10:14.379
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 42864
QuotaPoolUsage[NonPagedPool] 1152
Working Set Sizes (now,min,max) (566, 50, 345) (2264KB, 200KB, 1380KB)
PeakWorkingSetSize 582
VirtualSize 22 Mb
PeakVirtualSize 25 Mb
PageFaultCount 680
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 437
lkd> !token afd48470
_TOKEN afd48470
TS Session ID: 0x1
User: S-1-5-21-2778343003-3541292008-524615573-500 (User: ALEX-LAPTOP\Administrator)
Groups:
00 S-1-5-21-2778343003-3541292008-524615573-513 (Group: ALEX-LAPTOP\None)
Attributes - Mandatory Default Enabled
01 S-1-1-0 (Well Known Group: localhost\Everyone)
Attributes - Mandatory Default Enabled
02 S-1-5-21-2778343003-3541292008-524615573-1000 (Alias: ALEX-LAPTOP\Debugger Users)
Attributes - Mandatory Default Enabled
03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
Attributes - Mandatory Default Enabled Owner
04 S-1-5-32-545 (Alias: BUILTIN\Users)
Attributes - Mandatory Default Enabled
05 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
Attributes - Mandatory Default Enabled
06 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
Attributes - Mandatory Default Enabled
07 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
Attributes - Mandatory Default Enabled
08 S-1-5-5-0-89263 (no name mapped)
Attributes - Mandatory Default Enabled LogonId
09 S-1-2-0 (Well Known Group: localhost\LOCAL)
Attributes - Mandatory Default Enabled
10 S-1-5-64-10 (Well Known Group: NT AUTHORITY\NTLM Authentication)
Attributes - Mandatory Default Enabled
11 S-1-16-12288 Unrecognized SID
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-2778343003-3541292008-524615573-513 (Group: ALEX-LAPTOP\None)
Privs:
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes -
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes -
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
15 0x00000000f SeCreatePagefilePrivilege Attributes -
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes -
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
24 0x000000018 SeRemoteShutdownPrivilege Attributes -
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
34 0x000000022 SeTimeZonePrivilege Attributes -
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Authentication ID: (0,be1a2)
Impersonation Level: Identification
TokenType: Primary
Source: User32 TokenFlags: 0x0 ( Token in use )
Token ID: 711076 ParentToken ID: 0
Modified ID: (0, 711081)
RestrictedSidCount: 0 RestrictedSids: 00000000
OriginatingLogonSession: 3e7
You can indirectly view token contents with Process Explorer’s Security tab in its process Properties dialog box. The dialog box shows the groups and privileges included in the token of the process you examine.
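Reading a long !token dump by hand is tedious when you are reviewing what a process can actually do, so here is an added example (my code, not from the book or from Process Explorer) that parses the user SID, group list, privilege list and integrity label out of !token output and reports which sensitive privileges are present and whether they are enabled. The sample dump is constructed and abbreviated, and the integrity-level table and the set of privileges treated as sensitive are my own assumptions.

```python
import re
# Constructed sample, abbreviated from the kind of "!token" dump shown above.
SAMPLE = r"""
User: S-1-5-21-2778343003-3541292008-524615573-500 (User: ALEX-LAPTOP\Administrator)
Groups:
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
 11 S-1-16-12288 Unrecognized SID
    Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-2778343003-3541292008-524615573-513 (Group: ALEX-LAPTOP\None)
Privs:
 20 0x000000014 SeDebugPrivilege Attributes -
 23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
 29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
TokenType: Primary
"""
# The S-1-16-<rid> group is the mandatory integrity label; its RID encodes the level (assumed table).
INTEGRITY_LEVELS = {0x0: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}
# Privileges that deserve a second look when reviewing a process (assumed list for this example).
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege", "SeBackupPrivilege"}
GROUP_RE = re.compile(r"\d+ (S-[\d-]+)")                              # "03 S-1-5-32-544 (...)"
PRIV_RE = re.compile(r"\d+ 0x[0-9a-fA-F]+ (Se\w+) Attributes -(.*)")  # "20 0x...14 SeDebugPrivilege Attributes - ..."
def parse_token_dump(text):
    """Extract user SID, groups (with attributes), privileges and token type from a !token dump."""
    token, section = {"user": None, "groups": [], "privs": [], "type": None}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("User:"):
            token["user"] = line.split()[1]
        elif line in ("Groups:", "Privs:"):
            section = line[:-1].lower()              # "groups" or "privs"
        elif section == "groups" and line.startswith("Attributes -"):
            token["groups"][-1]["attributes"] = line.split("-", 1)[1].split()
        elif section == "groups" and (m := GROUP_RE.match(line)):
            token["groups"].append({"sid": m.group(1), "attributes": []})
        elif section == "privs" and (m := PRIV_RE.match(line)):
            token["privs"].append({"name": m.group(1), "attributes": m.group(2).split()})
        elif line.startswith("TokenType:"):
            token["type"] = line.split()[1]
    return token

def integrity_level(token):
    """Name the integrity level from the S-1-16-<rid> label group, if present."""
    for g in token["groups"]:
        if g["sid"].startswith("S-1-16-"):
            rid = int(g["sid"].rsplit("-", 1)[1])
            return INTEGRITY_LEVELS.get(rid, f"custom({rid})")
    return None

def triage(token):
    """Map each sensitive privilege present in the token to whether it is currently enabled."""
    return {p["name"]: "Enabled" in p["attributes"]
            for p in token["privs"] if p["name"] in SENSITIVE_PRIVS}
```

Run against the sample, it reports a High-integrity primary token holding SeDebugPrivilege (present but disabled) and SeImpersonatePrivilege (enabled), which is the same picture Process Explorer's Security tab gives, in a form you can diff across processes.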
EXPERIMENT: Launching a Program at Low Integrity Level