Every process gets its own token describing the user context under which the process is running. Many processes launched by the logged-in user simply receive a copy of the token of the process that launched them. An example token from a usermode process is shown in Figure 16-1.
You can see that this process is running under a user named jness on the workstation
JNESS2. It runs on logon session #0 and this token includes membership in various
groups:
• BUILTIN\Administrators and BUILTIN\Users.
• The "Everyone" group.
• JNESS2\None, the global group membership on this non-domain-joined workstation.
• LOCAL, which implies that this is a console logon.
• The Logon SID, useful for securing resources accessible only to this particular logon session.
• NT AUTHORITY\Authenticated Users is in every token whose owner authenticated when they logged on. Tokens attached to processes originating from anonymous logons do not contain this group.
• NT AUTHORITY\INTERACTIVE exists only for users who log on interactively.
Gray Hat Hacking: The Ethical Hacker's Handbook
390
Below the group list, you can see the specific privileges held by this process; each was granted either to the user (JNESS2\jness) explicitly or to one of the groups to which jness belongs.
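To see the same token contents on your own machine without a debugger, the following PowerShell script is an added example (not from the book) that enumerates the current process token's user, groups and privileges. It uses the .NET WindowsIdentity class for the user and group SIDs and whoami for the privilege list; the SID-to-name table in the script holds the documented well-known SIDs for the groups the text discusses, and the Logon SID is recognized by its S-1-5-5-X-Y prefix rather than by a fixed value, since one is minted per logon session.

```powershell
# Added example: dump the current process token (user, groups, privileges).
# Run from any PowerShell prompt; output will reflect your own logon session.

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User:                $($id.Name)"
"Authentication type: $($id.AuthenticationType)"

# Well-known SIDs for the groups discussed in the text, keyed by SID string.
$wellKnown = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

"`nGroups in token:"
foreach ($sid in $id.Groups) {
    # Translate the SID to DOMAIN\Name; deleted or session-local SIDs may not resolve.
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<untranslatable>'
    }

    # Logon SIDs have the form S-1-5-5-X-Y; a new one is generated per logon session,
    # which is why it is useful for scoping resources to exactly this session.
    $tag = if ($sid.Value -like 'S-1-5-5-*')         { ' (Logon SID)' }
           elseif ($wellKnown.ContainsKey($sid.Value)) { ' (well-known: ' + $wellKnown[$sid.Value] + ')' }
           else                                        { '' }

    "  {0,-45} {1}{2}" -f $name, $sid.Value, $tag
}

# WindowsIdentity does not expose privileges, so ask whoami for them in CSV form.
# State is "Enabled" or "Disabled"; a disabled privilege is still present in the token.
"`nPrivileges in token:"
whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
    "  {0,-40} {1}" -f $_.'Privilege Name', $_.State
}
```

Running this from a console logon shows the LOCAL, INTERACTIVE and Authenticated Users groups and a Logon SID alongside the BUILTIN groups, matching the token in Figure 16-1; running the same script under a service account or a network logon shows which of those session-dependent groups drop out, which is the practical reason ACLs scoped to them behave differently for different logon types.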