Forum Discussion

netcat
2 months ago

WinDbg: Ep.5 – Kernel Internals

Question 9: Looking at the system process and the !token command, what is the User field?

What I did:

[...]
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffdf0609685200
    SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 001aa002  ObjectTable: ffffc8001ac04d40  HandleCount: 1895.
    Image: System
lkd> dt nt!_eprocess ffffdf0609685200
[...]
lkd> !token
Thread is not impersonating. Using process token...
_EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000
TS Session ID: 0x2
User: S-1-5-21-926794839-1820024918-4247477861-500

Is it possible the Lab was migrated to a new OS?
Or what am I missing here?

  • Did it again, read the questions again:
    Looking at the current process and the !token command, what is the TS Session ID field?
    Looking at the system process and the !token command, what is the User field?

    -> Looking at the _system_ process, I got the correct answer.
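As an added illustration (not part of the original post), the point in the thread above is that a bare `!token` dumps the token of the debugger's current process, not of the process whose `_EPROCESS` was last inspected. The following WinDbg sequence selects the System process explicitly; the EPROCESS address is the one from the post above and will differ on every boot, and the `Token` value shown is a placeholder:

```windbg
$$ Find the System process and include its Token address (flag 1 prints it).
lkd> !process 0 1 System
$$ The output contains a line of the form:
$$     Token                             ffff<token address>
$$ Pass that address to !token so the System token is dumped, not the
$$ current process token. Expect the Local System SID S-1-5-18 in User.
lkd> !token <token address>

$$ Alternative: make the System process the current debugger context
$$ (EPROCESS address taken from the !process output in the post), then
$$ run !token with no argument.
lkd> .process /p /r ffffdf0609685200
lkd> !token
```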

    • KieranRowley

      Hi netcat I am working with the internal teams to get you answers to this and the 2 other WinDbg questions which I know are still unanswered

  • TillyCorless

    Hi netcat thanks for bumping this. I've reached out to the lab author about your question. We'll come back to you ASAP. Thanks