About "TokenMon" of sysinternals.com

While I was searching for data about process creation/exit, I found a
project, “TokenMon”, of sysinternals.com.

By the way, I found a bug while using “TokenMon”.
Two computers are connected by LAN (one is a Windows 2000 system (A) on
which TokenMon is running, and the other is a Windows 2000 system (B) on
which TokenMon is not running).
In this situation, if I (on system B) try to do something in the shared
folder of system A, system A (where TokenMon is running) goes down.
But if I use a Windows NT system (C) on which TokenMon is running and
system B tries to do the same work, system C has no problem (i.e., it does
not go down).
To my thinking, TokenMon behaves differently on Windows 2000 and Windows
NT.
I wonder what causes system A to go down in the first situation.

There was another difference between Windows 2000 and Windows NT.
When system B accesses system A (Windows 2000) (with Administrator
privilege), and when system A creates a process (with Administrator
privilege), the content of LogonID in the LogonID://Domain/User field of
TokenMon was different.
I think that “TokenMon” distinguishes between LOCAL LOGON USER and REMOTE
LOGON USER.
But when system B accesses system C (Windows NT), and when system C
creates a process, the content of LogonID in the LogonID://Domain/User
field of TokenMon was the same.
I wonder what causes this different result.

I really want you to help me, please.
I desire that you spend a delightful day.

Sincerely yours!

SRV runs with primary token = LocalSystem and impersonation token =
accessing user. This seems to be the explanation.

Max

----- Original Message -----
From: “Chang Sung. Jung”
To: “NT Developers Interest List”
Sent: Friday, September 27, 2002 5:20 AM
Subject: [ntdev] About “TokenMon” of sysinternals.com

> While I was searching for data about process creation/exit, I found a
> project, “TokenMon”, of sysinternals.com.
>
> By the way, I found a bug while using “TokenMon”.
> Two computers are connected by LAN (one is a Windows 2000 system (A) on
> which TokenMon is running, and the other is a Windows 2000 system (B) on
> which TokenMon is not running).
> In this situation, if I (on system B) try to do something in the shared
> folder of system A, system A (where TokenMon is running) goes down.
> But if I use a Windows NT system (C) on which TokenMon is running and
> system B tries to do the same work, system C has no problem (i.e., it does
> not go down).
> To my thinking, TokenMon behaves differently on Windows 2000 and Windows
> NT.
> I wonder what causes system A to go down in the first situation.
>
> There was another difference between Windows 2000 and Windows NT.
> When system B accesses system A (Windows 2000) (with Administrator
> privilege), and when system A creates a process (with Administrator
> privilege), the content of LogonID in the LogonID://Domain/User field of
> TokenMon was different.
> I think that “TokenMon” distinguishes between LOCAL LOGON USER and REMOTE
> LOGON USER.
> But when system B accesses system C (Windows NT), and when system C
> creates a process, the content of LogonID in the LogonID://Domain/User
> field of TokenMon was the same.
> I wonder what causes this different result.
>
> I really want you to help me, please.
> I desire that you spend a delightful day.
>
> Sincerely yours!