FS_Process_Token
The directory token exists as a sub-directory in each process directory.
The token directory contains user information related to the process and other information extracted from the process Token.
The files and directories and their contents are listed below:
| File | Description |
|---|---|
| integrity.txt | Process integrity level. |
| luid.txt | User Logon ID. |
| privileges.txt | List of process privileges. |
| session.txt | The session ID of the process. |
| sid.txt | The User SID. |
| sid-all.txt | All SIDs in the primary process token. |
| user.txt | The Username |
The directory exists only on Windows.
The file privileges.txt contains information about process privileges. The meaning of the different columns are as follows:
e Process privilege is Enabled.
p Process privilege is Present.
d Process privilege is Enabled by Default.
# Flags Privilege Name
--------------------------------
0003 -p- SeAssignPrimaryTokenPrivilege
0004 --d SeLockMemoryPrivilege
0007 epd SeTcbPrivilege
...
The example below shows the sid, username and process privileges of a process.
The token sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_token.c in the vmm project.