Forum Discussion

netcat
Silver III
10 months ago
Solved

WinDbg: Ep.5 – Kernel Internals

Question 9: Looking at the system process and the !token command, what is the User field?

What I did:

[...]
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffdf0609685200
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa002  ObjectTable: ffffc8001ac04d40  HandleCount: 1895.
    Image: System
lkd> dt nt!_eprocess ffffdf0609685200
[...]
lkd> !token
Thread is not impersonating. Using process token...
_EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000
TS Session ID: 0x2
User: S-1-5-21-926794839-1820024918-4247477861-500

Is it possible the Lab was migrated to a new OS?
Or what am I missing here?

  • Did it again, read the questions again:
    Looking at the current process and the !token command, what is the TS Session ID field?
    Looking at the system process and the !token command, what is the User field?

    -> Looking at the _system_ process, I got the correct answer.
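As an added illustration of the point netcat ended up at (not part of the original post): `!token` with no argument reports the token of whichever process the debugger is currently scoped to, so after `!process 0 0` the context is still the process the debugger was attached from (0xffffdf060f46e080 in the post), not System. Switching the implicit process to the System EPROCESS from the post's own output makes `!token` describe System's token. The address below is the one from the post; on another machine it will differ.

```windbg
$$ Find the System process entry (the image-name filter narrows the dump)
lkd> !process 0 0 System

$$ Make the System EPROCESS (address taken from the post above) the implicit
$$ process; /p reloads the page directory, /r refreshes cached register state
lkd> .process /p /r ffffdf0609685200

$$ Now "Using process token..." refers to System's token, so the User field
$$ is System's SID rather than the logged-on user's S-1-5-21-... SID
lkd> !token

$$ The same token can be reached explicitly: the Token field of _EPROCESS is
$$ an _EX_FAST_REF, so clear its low 4 bits before passing it to !token
lkd> dt nt!_EPROCESS ffffdf0609685200 Token

$$ Return to the original context (the EPROCESS printed by the first !token)
lkd> .process /p /r ffffdf060f46e080
```

The general lesson for any of the `!token`, `!peb` or `!teb` style extensions is that they resolve "current process" from the debugger's implicit context, so the `_EPROCESS` address printed in their first output line is the quickest check that you are looking at the process you think you are.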

4 Replies

    • KieranRowley
      Community Manager

      Hi netcat, I am working with the internal teams to get you answers to this and the 2 other WinDbg questions, which I know are still unanswered.

  • Anonymous

    Hi netcat, thanks for bumping this. I've reached out to the lab author about your question. We'll come back to you ASAP. Thanks