Hi! Longtime power user of PH!
I would love to have some more information around knowing Thread integirty for impersonation tokens quickly (without having to right click on all threads in a process), as well as general session\windowstation\desktop information.
Perhaps these columns could be implemented here and there in future builds? It seems like it's still a very active project (rock on dmex; also hope wj32 is going well)... So here's my list:
I. Thread columns:
- Integrity (IL text shown if impersonating, blank or N/A otherwsie)
- Current desktop of the thread (if possible to obtain)
- Count of number of windows owned by the thread.
II. Process columns:
1. Is impersonating (is a thread within the process using an impersonation token, which occurs from a call to ImpersonateLoggedOnUser)
2. A process token's session ID + session User (this would obviously be different than Username since a process could run as a different user but under the current session, and vice-versa)
+ Window station
Ex: 1 [User1]\WinSta0
3. It would even more awesome to get the desktop of the main thread of the process so that the format could be: 1 [User1] \ WinSta0 \ Default
4. Has visible windows (that is are any windows set with WS_VISIBLE attribute)
III. Under 'Token' tab for processes and threads,
- it would be nice to have a label showing the current Integrity, rather than having to click on the Integrity button to display the dropdown list
- Perhaps another label under App Container SID showing "Capability Count" on win10 for Modern UI processes that is.
All of these would be super invaluable to me, and same lots of time digging into handles and the like.
Bold are my most desired