Software Diagnostics Library

Crash Dump Analysis Patterns (Part 191)

Sometimes we need to check under what security principal or group we run a process or what privileges it has or whether it has impersonating threads. We call this pattern Deviant Token when we find, for example, an unexpected token with a different security identifier, for example, Network Service instead of Local System (SID: S-1-5-18):

PROCESS 8f218d88 SessionId: 0 Cid: 09c4 Peb: 7ffdf000 ParentCid: 0240 DirBase: bffd4260 ObjectTable: e10eae90 HandleCount: 93. Image: ServiceA.exe VadRoot 8f1f70e8 Vads 141 Clone 0 Private 477. Modified 2. Locked 0. DeviceMap e10038d8 Token e10ff5d8 […]

0: kd> !token e10ff5d8 _TOKEN e10ff5d8 TS Session ID: 0 User: S-1-5-20 […]

Well-known SIDs can be found in this MS article: http://support.microsoft.com/kb/243330

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

This entry was posted on Monday, December 31st, 2012 at 10:17 pm and is filed under Crash Dump Analysis, Crash Dump Patterns, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Crash Dump Analysis Patterns (Part 191)

Leave a Reply