Process Hacker Discussion Forum

 
AltF4
Member
Posts: 77
Joined: 15 Mar 2011 00:53
OS: XP SP3

Perhaps more columns around impersonation and Sessions + Desktops ?

12 Jan 2018 06:55

Hi! Longtime power user of PH!
I would love to have some more information around knowing Thread integrity for impersonation tokens quickly (without having to right click on all threads in a process), as well as general session\windowstation\desktop information.

Perhaps these columns could be implemented here and there in future builds? It seems like it's still a very active project (rock on dmex; also hope wj32 is going well)... So here's my list:

I. Thread columns:
- Integrity (IL text shown if impersonating, blank or N/A otherwise)
- Current desktop of the thread (if possible to obtain)
- Count of number of windows owned by the thread.

II. Process columns:
1. Is impersonating (is a thread within the process using an impersonation token, which occurs from a call to ImpersonateLoggedOnUser)
2. A process token's session ID + session User (this would obviously be different than Username since a process could run as a different user but under the current session, and vice-versa)
+ Window station
Ex: 1 [User1]\WinSta0
3. It would be even more awesome to get the desktop of the main thread of the process so that the format could be: 1 [User1] \ WinSta0 \ Default
4. Has visible windows (that is, are any windows set with the WS_VISIBLE attribute)

III. Under 'Token' tab for processes and threads,
- it would be nice to have a label showing the current Integrity, rather than having to click on the Integrity button to display the dropdown list
- Perhaps another label under App Container SID showing "Capability Count" on win10 for Modern UI processes that is.

All of these would be super invaluable to me, and save lots of time digging into handles and the like.
Bold are my most desired :-)
 
AltF4

Re: Perhaps more columns around impersonation and Sessions + Desktops ?

02 Feb 2018 15:57

I would also like to add if there is a possibility for 3 other main Process columns to add:
- Token group count
- Token privilege count
- Impersonating thread count (number of threads in the process that have a token of their own)
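The thread "Integrity" column and the "Impersonating thread count" column requested in the posts above can be approximated with documented Win32 calls. The following is an added example, not part of the original posts and not Process Hacker's own code; the helper names `il_text` and `thread_il` are hypothetical, and the RID thresholds are the standard mandatory-label values from winnt.h.

```c
#include <stdio.h>
#include <stdlib.h>

/* Text for an integrity RID (last sub-authority of the S-1-16-x label SID). */
const char *il_text(unsigned long rid) {
    if (rid >= 0x4000) return "System";
    if (rid >= 0x3000) return "High";
    if (rid >= 0x2000) return "Medium";    /* includes Medium Plus (0x2100) */
    if (rid >= 0x1000) return "Low";
    return "Untrusted";
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Integrity RID of the thread's own (impersonation) token, or -1 when the
   thread has none or the token cannot be opened for query. */
long thread_il(DWORD tid) {
    union { TOKEN_MANDATORY_LABEL tml; BYTE raw[sizeof(TOKEN_MANDATORY_LABEL) + SECURITY_MAX_SID_SIZE]; } buf;
    HANDLE th = OpenThread(THREAD_QUERY_INFORMATION, FALSE, tid), tok;
    DWORD len;
    long rid = -1;
    if (!th) return -1;
    if (OpenThreadToken(th, TOKEN_QUERY, TRUE, &tok)) {   /* ERROR_NO_TOKEN if not impersonating */
        if (GetTokenInformation(tok, TokenIntegrityLevel, &buf, sizeof buf, &len)) {
            PSID sid = buf.tml.Label.Sid;
            rid = (long)*GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1);
        }
        CloseHandle(tok);
    }
    CloseHandle(th);
    return rid;
}

int main(int argc, char **argv) {
    DWORD pid = argc > 1 ? strtoul(argv[1], NULL, 10) : GetCurrentProcessId();
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { sizeof te };
    int impersonating = 0;
    if (snap == INVALID_HANDLE_VALUE) return 1;
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue;
        long rid = thread_il(te.th32ThreadID);
        if (rid >= 0) impersonating++;
        printf("TID %-6lu Integrity: %s\n", te.th32ThreadID, rid < 0 ? "" : il_text((unsigned long)rid));
    }
    printf("PID %lu impersonating threads: %d\n", pid, impersonating);
    CloseHandle(snap);
    return 0;
}
#endif
```

Threads whose token cannot be opened by the caller (access denied, or an anonymous-level token) show a blank integrity and are not counted, so the count is a lower bound unless the tool runs with sufficient rights.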
 
AltF4

Re: Perhaps more columns around impersonation and Sessions + Desktops ?

05 Feb 2018 06:44

There's also some additional Token_Information_Class that I would find valuable as well:

- TOKEN_PRIMARY_GROUP -- this doesn't seem to be displayed at all by PH, and the Primary Group needs to exist within the Groups list, so I find it odd that it doesn't show this in the list of groups
- TOKEN_STATISTICS fields
- TokenSource, TokenOrigin
- Maybe some information within TOKEN_ACCESS_INFORMATION
 
AltF4

Re: Perhaps more columns around impersonation and Sessions + Desktops ?

21 Feb 2018 16:21

I would also like to add one other suggestion that bothers me whenever clicking on the Token tab for a process (or defaulting to the Token tab), or when viewing it for a handle... If there are a lot of groups in the token, like for a domain (such as 200+), it can take 0 to 15 seconds to show due to LookupAccountSid having a second or 2 delay for each. This significantly freezes all of PH and you must wait for the dialog to open. (Especially annoying if Token was your last tab in the process properties, and you have to wait for it to perform the full lookup, until the dialog even shows to change tabs to where you need to go).

I would recommend just having this operation in a different background thread, with the Token tab simply saying "populating...." until it's complete.

Thanks!