Freeware monitors security activity for Windows services

Serdar Yegulalp, Contributor

Windows uses objects called tokens to store the security information for a particular process, such as the user account context in which the process has been invoked. When debugging a system's behavior, you'll sometimes need a low-level view of all the security activity taking place. An example would be if you're trying to find out why a particular service won't start in a given user context, which can be very tricky to figure out.

Mark Russinovich's

    Requires Free Membership to View

    Login

Tokenmon uses low-level system filters to capture all the security activity taking place in a system. When you run the program, it displays a running list of every security-related action in the system: logon/logoff, process creation, enabling or disabling privileges on items, and impersonation actions.

Many admins use Tokenmon to look for security problems involving specific applications or components. The program can filter its output by process ID, username, thread ID or request type, so a program that's suspected of having some kind of permissions or security issue can have its behavior audited this way. The program can also be used to detect permission requests coming from something unexpected, e.g., a possible piece of malware.

Some of the routines used in Tokenmon are not documented and have been reverse-engineered from the way the kernel handles security calls. Despite this, Tokenmon seems to work fine in NT 4.0, Windows 2000 and Windows XP. However, when I ran it in one instance of Windows Server 2003, LSASS.EXE crashed after Tokenmon exited, which required a reboot. I have also tested Tokenmon in Windows Vista RC1. Although it needs to be explicitly run as Administrator to work, it seems to function fine.

The full source code for the program is included, in case you want to apply some of the techniques used in your own work.

About the author: Serdar Yegulalp is editor of the  Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:


This was first published in November 2006

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top