Tokenmon 1.01
Tokenmon is a tool which monitors and displays a variety of security-related activity taking place on a system.
|
Tokenmon is a tool which monitors and displays a variety of security-related activity taking place on a system. Tokenmon gets its name from the fact that Windows NT/2000 stores a process' security information, including the user account context in which the process executes, in an object called a token. Tokenmon monitors includes the following:
User logon/logoff
Applications enabling or disabling security privileges in their process tokens
Process startup and exit (token creation/deletion)
Impersonation
Tokenmon has advanced filtering and search capabilities that make it a powerful tool for exploring the way NT works, seeing how applications use security functions, or tracking down problems in system or application configurations.
Simply run the Tokenmon GUI (Tokenmon.exe). Note that you must have administrative privilege to run Tokenmon. Menus, hot-keys, or toolbar buttons can be used to clear the window, save the monitored data to a file, and to filter and search output.
When a thread impersonates you'll see the thread's primary identity in the domainuser column and the identity its adopting in the Other column. Any security actions it performs at that point are in the impersonation context. When it reverts back to its own identity the thread's primary identity is again shown in the domainuser column.
As events are printed to the output, they are tagged with a sequence number. If Tokenmon's internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence number.
Each time you exit Tokenmon it remembers the position of the window and the widths of the output columns.
Tokenmon intercepts logon by hooking the NtCreateToken native API. The local security authority uses this API to create an initial login token when a user logs in either remotely or locally. When a user logs on the Local Security Authority Subsystem (LSASS) assigns the logon session a locally unique identifer (LUID) called a logon ID. To see a corresponding logoff, Tokenmon registers with the Security Reference Monitor (SRM) using the SeRegisterLogonSessionTerminatedRoutine kernel function, which requests that the SRM call the driver back whenever a user is logged off.
In order to see a process enable and disable privileges, Tokenmon hooks the NtAdjustPrivilegesToken function, which is the native API-equivalent of the Win32 AdjustTokenPrivileges functions. This function takes an array of privileges with a flag for each indicating whether the process wants to enable or disable it. Tokenmon shows the action for each privilege affected by a single call in separate output lines.
Tokenmon uses the PsSetCreateProcessNotifyRoutine kernel function, which is documented in the Windows 2000 DDK (but available on NT 4), to register a callback function whenever a process starts or exits.
Finally, there are several functions that applications can use to impersonate another user. Tokenmon hooks NtSetInformationThread, a variant of which is the native API-equivalent of the ImpersonateLoggedOnUser and ImpersonateSelf Win32 APIs, the FSCTL_PIPE_IMPERSONATE variant of NtFsControlFile (the native-equivalent of ImpersonateNamedPipeClient), and NtImpersonateClientOfPort, which is called by applications using the Local Procedure Call (LPC) facility and local RPC for impersonating the remote end of a LPC connection.
Tokenmon relies on several undocumented SRM functions to obtain a logon ID from a thread's primary and impersonation tokens, and GetSecurityUserInfo, an undocumented function exported by the KSecDD (Kernel Security-support driver) that retrieves a logon session user's name, domain name, and logon server given a logon ID. Another interesting implementation detail is that several of the native API functions that Tokenmon hooks are not exported by ntoskrnl.exe for use by drivers. Thus, the Tokenmon GUI must reach into NTDLL.DLL, extract their system call numbers, and pass them to the driver. This contrasts with Regmon, which reaches into ntoskrnl.exe using Registry function exports to obtain system call numbers.
tags native api the native the local function which tokenmon hooks call numbers ntoskrnl exe using the logon session kernel function functions that api equivalent user logs
Download Tokenmon 1.01
Similar software
Tokenmon 1.01
Mark Russinovich
Tokenmon is a tool which monitors and displays a variety of security-related activity taking place on a system.
PMon 1.0
Mark Russinovich
PMon is a device driver/GUI combination which logs and displays all process activity on a Windows NT 4.
TDIMon 1.01
Mark Russinovich
TDIMon is a program which allows you to monitor TCP and UDP activity on your local system.
Microsoft Process Monitor 1.12
Microsoft Inc
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
PsLoggedOn 1.21
Mark Russinovich
You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer.
WinAPIOverride32 3.0
Jacquelin POTIER
WinAPIOverride32 will enable you to override/monitor all functions of a process.
SL-Logon 1.00.0005
seliSoft
SL-Logon provides the useful registry keys Run and RunOnce to Windows NT 3.
Filemon 7.03
Sysinternals
Filemon will monitor and display file system activity on a system in real-time.
ProSecurity 1.41
ISecSoft Inc
ProSecurity is a type of security application tool known as H.
SimpleActivityLogger 1.4.0
Coruscant Ltd.
SimpleActivityLogger is a small DLL that hooks into Windows and records the following events:
Here are some key features of "SimpleActivityLogger":
· System Startup & Shutdown
· User Logon & Logoff
· Console Lock & Unlock
· Screen Saver start & stop
SimpleActivityLogger it will log all events (by default) to a file called SimpleActivityLogger.