Forum Discussion

Bronze II

10 days ago

WinDbg: Ep.5 – Kernel Internals

Question 9: Looking at the system process and the !token command, what is the User field?

What I did:

[...]
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffdf0609685200
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa002  ObjectTable: ffffc8001ac04d40  HandleCount: 1895.
    Image: System
lkd> dt nt!_eprocess ffffdf0609685200
[...]
lkd> !token
Thread is not impersonating. Using process token...
_EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000
TS Session ID: 0x2
User: S-1-5-21-926794839-1820024918-4247477861-500

Is it possible the Lab was migrated to a new OS?
Or what do I miss here?

help & support

No RepliesBe the first to reply

Forum Discussion

WinDbg: Ep.5 – Kernel Internals

Related Content

WinDbg: Ep.3 – Debugging Malware

Unpacking CVE-2024-1086: A Critical Linux Kernel Flaw

WinDbg: Ep.4 – Debugging a Windows Crash

This Week in The Human Connection

Re: Foundational Static Analysis: Analyzing Structures

Recent Discussions

SuperSonic: Ep.6 – TEMPLE

Events & Breaches: Magecart Skimmer

Zeek - Demonstrate Your Skills

CVE-2022-29799/CVE-2022-29800 (Nimbuspwn) – Defensive

Foundational Static Analysis: Analyzing Structures