Freeware monitors security activity for Windows services

When debugging a system's behavior, admins sometimes need a low-level view of all the security activity taking place. A utility from Sysinternals called Tokenmon can help you get that.

This Content Component encountered an error

Windows uses objects called tokens to store the security information for a particular process, such as the user account context in which the process has been invoked. When debugging a system's behavior, you'll sometimes need a low-level view of all the security activity taking place. An example would be if you're trying to find out why a particular service won't start in a given user context, which can be very tricky to figure out.

Mark Russinovich's Tokenmon uses low-level system filters to capture all the security activity taking place in a system. When you run the program, it displays a running list of every security-related action in the system: logon/logoff, process creation, enabling or disabling privileges on items, and impersonation actions.

Many admins use Tokenmon to look for security problems involving specific applications or components. The program can filter its output by process ID, username, thread ID or request type, so a program that's suspected of having some kind of permissions or security issue can have its behavior audited this way. The program can also be used to detect permission requests coming from something unexpected, e.g., a possible piece of malware.

Some of the routines used in Tokenmon are not documented and have been reverse-engineered from the way the kernel handles security calls. Despite this, Tokenmon seems to work fine in NT 4.0, Windows 2000 and Windows XP. However, when I ran it in one instance of Windows Server 2003, LSASS.EXE crashed after Tokenmon exited, which required a reboot. I have also tested Tokenmon in Windows Vista RC1. Although it needs to be explicitly run as Administrator to work, it seems to function fine.

The full source code for the program is included, in case you want to apply some of the techniques used in your own work.

About the author: Serdar Yegulalp is editor of the  Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:


This was first published in November 2006

Dig deeper on Server Hardware for Windows

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close