Main > System > System Miscellaneous >

Tokenmon 1.01


Tokenmon 1.01

Sponsored Links

Tokenmon 1.01 Ranking & Summary

RankingClick at the star to rank
Ranking Level
User Review: 0 (0 times)
File size: 51 KB
Platform: Windows NT/2K
License: Freeware
Downloads: 1429
Date added: 2006-05-29
Publisher: Mark Russinovich

Tokenmon 1.01 description

Tokenmon - Watch security-related activity, including logon, logoff, privilege usage and impersonation with this monitoring tool Tokenmon is a tool which monitors and displays a variety of security-related activity taking place on a system. Tokenmon gets its name from the fact that Windows NT/2000 stores a process security information, including the user account context in which the process executes, in an object called a token. Tokenmon monitors includes the following:
User logon/logoff
Applications enabling or disabling security privileges in their process tokens
Process startup and exit (token creation/deletion)
Tokenmon has advanced filtering and search capabilities that make it a powerful tool for exploring the way NT works, seeing how applications use security functions, or tracking down problems in system or application configurations.
Simply run the Tokenmon GUI (Tokenmon.exe). Note that you must have administrative privilege to run Tokenmon. Menus, hot-keys, or toolbar buttons can be used to clear the window, save the monitored data to a file, and to filter and search output.
When a thread impersonates youll see the threads primary identity in the domainuser column and the identity its adopting in the Other column. Any security actions it performs at that point are in the impersonation context. When it reverts back to its own identity the threads primary identity is again shown in the domainuser column.
As events are printed to the output, they are tagged with a sequence number. If Tokenmons internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence number.
Each time you exit Tokenmon it remembers the position of the window and the widths of the output columns.
Tokenmon intercepts logon by hooking the NtCreateToken native API. The local security authority uses this API to create an initial login token when a user logs in either remotely or locally. When a user logs on the Local Security Authority Subsystem (LSASS) assigns the logon session a locally unique identifer (LUID) called a logon ID. To see a corresponding logoff, Tokenmon registers with the Security Reference Monitor (SRM) using the SeRegisterLogonSessionTerminatedRoutine kernel function, which requests that the SRM call the driver back whenever a user is logged off.
In order to see a process enable and disable privileges, Tokenmon hooks the NtAdjustPrivilegesToken function, which is the native API-equivalent of the Win32 AdjustTokenPrivileges functions. This function takes an array of privileges with a flag for each indicating whether the process wants to enable or disable it. Tokenmon shows the action for each privilege affected by a single call in separate output lines.
Tokenmon uses the PsSetCreateProcessNotifyRoutine kernel function, which is documented in the Windows 2000 DDK (but available on NT 4), to register a callback function whenever a process starts or exits.
Finally, there are several functions that applications can use to impersonate another user. Tokenmon hooks NtSetInformationThread, a variant of which is the native API-equivalent of the ImpersonateLoggedOnUser and ImpersonateSelf Win32 APIs, the FSCTL_PIPE_IMPERSONATE variant of NtFsControlFile (the native-equivalent of ImpersonateNamedPipeClient), and NtImpersonateClientOfPort, which is called by applications using the Local Procedure Call (LPC) facility and local RPC for impersonating the remote end of a LPC connection.
Tokenmon relies on several undocumented SRM functions to obtain a logon ID from a threads primary and impersonation tokens, and GetSecurityUserInfo, an undocumented function exported by the KSecDD (Kernel Security-support driver) that retrieves a logon session users name, domain name, and logon server given a logon ID. Another interesting implementation detail is that several of the native API functions that Tokenmon hooks are not exported by ntoskrnl.exe for use by drivers. Thus, the Tokenmon GUI must reach into NTDLL.DLL, extract their system call numbers, and pass them to the driver. This contrasts with Regmon, which reaches into ntoskrnl.exe using Registry function exports to obtain system call numbers.

Tokenmon 1.01 Screenshot

Tokenmon 1.01 Keywords

Bookmark Tokenmon 1.01

Hyperlink code:
Link for forum:

Tokenmon 1.01 Copyright do not provide cracks, serial numbers etc for Tokenmon 1.01. Any sharing links from, or are also prohibited.

Allok Video Splitter 2.2.0 Review:

Name (Required)
Featured Software

Want to place your software product here?
Please contact us for consideration.

Related Software
SocketSniff allows you to watch the Windows Sockets (WinSock) activity of the selected process. For each created socket, the following information is displayed: socket handle, socket type, local/remote addresses, local/remote ports, and more... Free Download
Process Monitor brings a powerful, perfect and popular monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. Free Download
X-Login is a powerful application that provides face based login authentication in conjunction with password Free Download
Advanced process viewer and security analyzer with intuitive user interface. Free Download
mjBugTracker - track your bugs, problems, incidents, requests, enchancements, etc Free Download
Safe AutoLogon allows your Windows personal computer to automatically logon when the computer is powered on or restarted Free Download
Includes process viewer,security analyzer,real time monitoring,startup manager. Free Download
RoboSSO is the Password Manager that completely automates password filling Free Download