Windows uses objects called tokens to store the security information for a particular process, such as the user account context in which the process has been invoked. When debugging a system's behavior, you'll sometimes need a low-level view of all the security activity taking place. An example would be if you're trying to find out why a particular service won't start in a given user context, which can be very tricky to figure out.
Mark Russinovich's Tokenmon uses low-level system filters to capture all the security activity taking place in a system. When you run the program, it displays a running list of every security-related action in the system: logon/logoff, process creation, enabling or disabling privileges on items, and impersonation actions.
Many admins use Tokenmon to look for security problems involving specific applications or components. The program can filter its output by process ID, username, thread ID or request type, so a program that's suspected of having some kind of permissions or security issue can have its behavior audited this way. The program can also be used to detect permission requests coming from something unexpected, e.g., a possible piece of malware.
Some of the routines used in Tokenmon are not documented and have been reverse-engineered from the way the kernel handles security calls. Despite this, Tokenmon seems to work fine in NT 4.0, Windows 2000 and Windows XP. However, when I ran it in one instance of Windows Server 2003, LSASS.EXE crashed after Tokenmon exited, which required a reboot. I have also tested Tokenmon in Windows Vista RC1. Although it needs to be explicitly run as Administrator to work, it seems to function fine.
The full source code for the program is included, in case you want to apply some of the techniques used in your own work.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
More information on this topic:
