• User logon/logoff
• Applications enabling or disabling security privileges in their process tokens
• Process startup and exit (token creation/deletion)
• Impersonation

Tokenmon has advanced filtering and search capabilities that make it a powerful tool for exploring the way NT works, seeing how applications use security functions, or tracking down problems in system or application configurations.

Tokenmon works on NT 4.0 and Windows 2000.

When a thread impersonates you'll see the thread's primary identity in the domain\user column and the identity its adopting in the Other column. Any security actions it performs at that point are in the impersonation context. When it reverts back to its own identity the thread's primary identity is again shown in the domain\user column.

As events are printed to the output, they are tagged with a sequence number. If Tokenmon's internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence number.

Each time you exit Tokenmon it remembers the position of the window and the widths of the output columns.

In order to see a process enable and disable privileges, Tokenmon hooks the NtAdjustPrivilegesToken function, which is the native API-equivalent of the Win32 AdjustTokenPrivileges functions. This function takes an array of privileges with a flag for each indicating whether the process wants to enable or disable it. Tokenmon shows the action for each privilege affected by a single call in separate output lines.

Tokenmon uses the PsSetCreateProcessNotifyRoutine kernel function, which is documented in the Windows 2000 DDK (but available on NT 4), to register a callback function whenever a process starts or exits.

Finally, there are several functions that applications can use to impersonate another user. Tokenmon hooks NtSetInformationThread, a variant of which is the native API-equivalent of the ImpersonateLoggedOnUser and ImpersonateSelf Win32 APIs, the FSCTL_PIPE_IMPERSONATE variant of NtFsControlFile (the native-equivalent of ImpersonateNamedPipeClient), and NtImpersonateClientOfPort, which is called by applications using the Local Procedure Call (LPC) facility and local RPC for impersonating the remote end of a LPC connection.

Tokenmon relies on several undocumented SRM functions to obtain a logon ID from a thread's primary and impersonation tokens, and GetSecurityUserInfo, an undocumented function exported by the KSecDD (Kernel Security-support driver) that retrieves a logon session user's name, domain name, and logon server given a logon ID. Another interesting implementation detail is that several of the native API functions that Tokenmon hooks are not exported by ntoskrnl.exe for use by drivers. Thus, the Tokenmon GUI must reach into NTDLL.DLL, extract their system call numbers, and pass them to the driver. This contrasts with Regmon, which reaches into ntoskrnl.exe using Registry function exports to obtain system call numbers.

See Inside Windows 2000, 3rd Edition by David Solomon and Mark Russinovich (Microsoft Press) for more information on the Windows NT/2000 security subsystem.

• Regmon - a Registry monitor
• Filemon - a file system monitor
• TDImon - a TCP/IP monitor
• Portmon - a serial and parallel port monitor
• PMon - a process and thread monitor (NT/Win2K)
• Diskmon - a hard disk monitor (NT/Win2K)
• DebugView/EE - a debug output monitor

Download Tokenmon (60 KB)