netcat
12 days agoBronze II
WinDbg: Ep.5 – Kernel Internals
Question 9: Looking at the system process and the !token command, what is the User field?
What I did:
[...]
lkd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS ffffdf0609685200
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001aa002 ObjectTable: ffffc8001ac04d40 HandleCount: 1895.
Image: System
lkd> dt nt!_eprocess ffffdf0609685200
[...]
lkd> !token
Thread is not impersonating. Using process token...
_EPROCESS 0xffffdf060f46e080, _TOKEN 0x0000000000000000
TS Session ID: 0x2
User: S-1-5-21-926794839-1820024918-4247477861-500
Is it possible the Lab was migrated to a new OS?
Or what do I miss here?