
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

The -n parameter to the !token command will resolve the SIDs to names and groups. The
output from a Windows XP machine is captured in Figure 16-11.
This is mostly the same information as presented in the Process Explorer Security tab.
It's handy to see the actual SIDs here, which are not displayed by Process Explorer. You
can also see the Impersonation Level, which shows whether this process can pass the credentials
of the user to remote systems. In this case, rapimgr.exe is running as jness, but its
Impersonation Level does not allow it to authenticate with those credentials remotely.
TIP To detach the debugger, use the command qd (quit-detach). If you quit
with the q command, the process will be killed.
Dumping the Security Descriptor
Let's next examine object DACLs. The Windows Explorer built-in security UI actually
does a decent job displaying file-system object DACLs. You'll need to click through several
prompts, as we did in Figure 16-6 earlier, but once you get there, you can see exactly
what access is allowed or denied to whom. However, it's awfully tedious to work
through so many dialog boxes. The free downloadable alternatives are SubInACL from
Microsoft, and AccessCheck, written by SysInternals, acquired by Microsoft.
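The two inspections described above (a token's SIDs with their resolved names and impersonation level, and a file-system object's DACL) can also be scripted without a debugger or the Explorer dialogs. The following PowerShell is an added example, not code from the book; it inspects the token of the PowerShell process it runs in via the .NET WindowsIdentity class and reads a DACL with Get-Acl. The file path is an assumed sample target; substitute any file or directory.

```powershell
# Added example (not from "Gray Hat Hacking"): list token SIDs next to their
# resolved names, the way "!token -n" does in WinDbg, using .NET instead.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

'User : {0}  ({1})' -f $id.User.Value, $id.Name
# A primary (non-impersonating) token reports "None" here; an impersonation
# token reports Anonymous, Identification, Impersonation or Delegation. Only
# Delegation allows the holder to authenticate to remote systems as the user.
'Impersonation level: {0}' -f $id.ImpersonationLevel

'Groups:'
foreach ($g in $id.Groups) {
    # Translate each SID to DOMAIN\name; some SIDs (for example logon
    # session SIDs) have no name and throw, so mark those as unresolved.
    try   { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<unresolved>' }
    '  {0,-48} {1}' -f $g.Value, $name
}

# Dump a file-system object's DACL without clicking through Explorer.
$path = 'C:\Windows\System32\drivers\etc\hosts'   # assumed sample path
$acl = Get-Acl -Path $path
''
'DACL for {0}' -f $path
'Owner: {0}' -f $acl.Owner
foreach ($ace in $acl.Access) {
    $inh = if ($ace.IsInherited) { '(inherited)' } else { '' }
    '  {0,-5} {1,-32} {2} {3}' -f $ace.AccessControlType,
                                   $ace.IdentityReference,
                                   $ace.FileSystemRights, $inh
}
```

Each Access entry printed is one ACE: whether it allows or denies, the trustee it applies to, the rights mask, and whether it was inherited from the parent container, which is the same information the Explorer dialogs show one ACE at a time.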

