The !sd extension displays the contents of a given security descriptor.
However, sometimes the SecurityDescriptor member of the _OBJECT_HEADER
structure points to an offset within a cached security descriptor info
block:
```
0: kd> db fffff8a00008bc18-38
fffff8a0`0008bbe0  03 01 0a 03 4f 62 53 63-03 01 00 00 00 00 0e 00  ....ObSc........
fffff8a0`0008bbf0  d0 80 35 02 a0 f8 ff ff-70 c0 a2 01 00 f8 ff ff  ..5.....p.......
fffff8a0`0008bc00  c2 05 00 00 08 fa 50 24-01 00 00 82 00 00 00 00  ......P$........
fffff8a0`0008bc10  01 00 04 80 50 00 00 00-60 00 00 00 00 00 00 00  ....P...`.......
fffff8a0`0008bc20  14 00 00 00 02 00 3c 00-02 00 00 00 00 00 14 00  ......<.........
fffff8a0`0008bc30  ff 01 1f 00 01 01 00 00-00 00 00 05 12 00 00 00  ................
fffff8a0`0008bc40  00 00 18 00 a9 00 12 00-01 02 00 00 00 00 00 05  ................
fffff8a0`0008bc50  20 00 00 00 20 02 00 00-10 8a 83 2f 03 00 00 88   ... ....../....
```
How do I display object security info in this format? The !sd extension
doesn’t work with it.
Regards,
George.
I don’t think there’s any command to look the entry up in the hash table.
So, that makes you sort of stuck unless you want to invent your own (which
would take some work as this is all undocumented behavior).
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
“George M. Garner Jr.” wrote in message
news:xxxxx@windbg…
> The !sd extension displays the contents of a given security descriptor.
> However, sometimes the SecurityDescriptor member of the _OBJECT_HEADER
> structure points to an offset within a cached security descriptor info
> block:
>
> ```
> 0: kd> db fffff8a00008bc18-38
> fffff8a0`0008bbe0  03 01 0a 03 4f 62 53 63-03 01 00 00 00 00 0e 00  ....ObSc........
> fffff8a0`0008bbf0  d0 80 35 02 a0 f8 ff ff-70 c0 a2 01 00 f8 ff ff  ..5.....p.......
> fffff8a0`0008bc00  c2 05 00 00 08 fa 50 24-01 00 00 82 00 00 00 00  ......P$........
> fffff8a0`0008bc10  01 00 04 80 50 00 00 00-60 00 00 00 00 00 00 00  ....P...`.......
> fffff8a0`0008bc20  14 00 00 00 02 00 3c 00-02 00 00 00 00 00 14 00  ......<.........
> fffff8a0`0008bc30  ff 01 1f 00 01 01 00 00-00 00 00 05 12 00 00 00  ................
> fffff8a0`0008bc40  00 00 18 00 a9 00 12 00-01 02 00 00 00 00 00 05  ................
> fffff8a0`0008bc50  20 00 00 00 20 02 00 00-10 8a 83 2f 03 00 00 88   ... ....../....
> ```
>
> How do I display object security info in this format? The !sd extension
> doesn’t work with it.
>
> Regards,
>
> George.
>
>
Scott,
Thanks for taking the time to reply. Actually, the security descriptor
member of _OBJECT_HEADER still points to a security descriptor. But they
are using more bits for the reference count on AMD64. The !sd extension
still works once you properly align the pointer.
Thanks again for your help.
Regards,
George.
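The alignment step described in the post above, as an added example that is not part of the original thread: it clears the inline reference count from the pointer value George dumped and decodes the self-relative security descriptor bytes from his db output. The 4-bit count width for AMD64 is an assumption stated here (the thread only says "more bits"), and the function names are hypothetical.

```python
import struct

# Bytes copied from the thread's db output, starting at the descriptor (...bc10).
SD_BYTES = bytes.fromhex(
    "01000480500000006000000000000000"
    "1400000002003c000200000000001400"
    "ff011f00010100000000000512000000"
    "00001800a90012000102000000000005"
    "2000000020020000"
)

def fast_ref_to_pointer(value, refcount_bits=4):
    """Clear the inline reference count (assumed to be 4 bits on AMD64)."""
    return value & ~((1 << refcount_bits) - 1)

def parse_sid(buf, off):
    """Format the SID stored at buf[off:] as an S-R-A-... string."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_dacl(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR header and its DACL ACEs."""
    revision, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & 0x8000:              # SE_SELF_RELATIVE
        raise ValueError("not a self-relative descriptor")
    header = {"revision": revision, "control": control, "owner_off": owner,
              "group_off": group, "sacl_off": sacl, "dacl_off": dacl}
    aces = []
    if control & 0x0004 and dacl:         # SE_DACL_PRESENT
        _rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, dacl)
        off = dacl + 8                    # first ACE follows the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
            if ace_size < 8 or off + ace_size > len(buf):
                raise ValueError("ACE runs past the captured bytes")
            aces.append((ace_type, ace_flags, mask, parse_sid(buf, off + 8)))
            off += ace_size
    return header, aces

if __name__ == "__main__":
    print("aligned pointer: %#x" % fast_ref_to_pointer(0xFFFFF8A00008BC18))
    header, aces = parse_dacl(SD_BYTES)
    print(header)
    for ace_type, flags, mask, sid in aces:
        print("ACE type=%d flags=%#x mask=%#010x sid=%s" % (ace_type, flags, mask, sid))
```

The owner and group SIDs sit at offsets 0x50 and 0x60 from the descriptor, past the end of the bytes captured in the thread, so only the header and DACL are decoded.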
Ahh, OK. Yes, you’re right, should have tried what you were asking before
answering 
Glad your problem is solved.
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
“George M. Garner Jr.” wrote in message
news:xxxxx@windbg…
> Scott,
>
> Thanks for taking the time to reply. Actually, the security descriptor
> member of _OBJECT_HEADER still points to a security descriptor. But they
> are using more bits for the reference count on AMD64. The !sd extension
> still works once you properly align the pointer.
>
> Thanks again for your help.
>
> Regards,
>
> George.
>
>