Username details from the memory dump collected on Server machine (with multiple sessions)

Hi All,

Is there any command available to get the username details from a complete memory dump collected on a Windows Server machine with multiple sessions in the logged-on state?

The only information I know that's available is through !logonsession:

0: kd> !logonsession 0
Dumping all logon sessions.

** Session   1 = 0xffff850374fcb800
   LogonId     = {0x1bb8ea 0x0} ServerSilo = 0000000000000000
   References  = 4
** Session   2 = 0xffff850371f57650
   LogonId     = {0xd318   0x0} ServerSilo = 0000000000000000
   References  = 1
** Session   3 = 0xffff8503735244b0
   LogonId     = {0x134da  0x0} ServerSilo = 0000000000000000
   References  = 19
** Session   4 = 0xffff850371f56060
   LogonId     = {0xd33d   0x0} ServerSilo = 0000000000000000
   References  = 1
** Session   5 = 0xffff850374fcc770
   LogonId     = {0x1bb915 0x0} ServerSilo = 0000000000000000
   References  = 920
** Session   6 = 0xffff85036f605d10
   LogonId     = {0x3e6    0x0} ServerSilo = 0000000000000000
   References  = 2
** Session   7 = 0xffff8503735233a0
   LogonId     = {0x134a8  0x0} ServerSilo = 0000000000000000
   References  = 2
** Session   8 = 0xffff850371f57720
   LogonId     = {0xcf26   0x0} ServerSilo = 0000000000000000
   References  = 1
** Session   9 = 0xffff850371f563a0
   LogonId     = {0x3e4    0x0} ServerSilo = 0000000000000000
   References  = 458
** Session  10 = 0xffff85036f605c30
   LogonId     = {0x3e7    0x0} ServerSilo = 0000000000000000
   References  = 1251
** Session  11 = 0xffff850373524580
   LogonId     = {0x3e5    0x0} ServerSilo = 0000000000000000
   References  = 432
11 sessions in the system.

And then each of those "session" values is a nt!_SEP_LOGON_SESSION_REFERENCES:

0: kd> dt nt!_SEP_LOGON_SESSION_REFERENCES 0xffff850374fcb800
   +0x000 Next             : (null) 
   +0x008 LogonId          : _LUID
   +0x010 BuddyLogonId     : _LUID
   +0x018 ReferenceCount   : 0n4
   +0x020 Flags            : 0xa
   +0x028 pDeviceMap       : 0xffff8503`75cb5120 _DEVICE_MAP
   +0x030 Token            : 0xffff8503`762085f0 Void
   +0x038 AccountName      : _UNICODE_STRING "osr"
   +0x048 AuthorityName    : _UNICODE_STRING "DESKTOP-IKSARN7"
   +0x058 CachedHandlesTable : _SEP_CACHED_HANDLES_TABLE
   +0x068 SharedDataLock   : _EX_PUSH_LOCK
   +0x070 SharedClaimAttributes : (null) 
   +0x078 SharedSidValues  : (null) 
   +0x080 RevocationBlock  : _OB_HANDLE_REVOCATION_BLOCK
   +0x0a0 ServerSilo       : (null) 
   +0x0a8 SiblingAuthId    : _LUID
   +0x0b0 TokenList        : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]

I assume further details are buried somewhere in a user mode process and not going to be available, but maybe someone else will know...
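As an added illustration (not code from the thread), here is a small Python parser that joins the pasted !logonsession listing with the dt dumps of each nt!_SEP_LOGON_SESSION_REFERENCES to show who owns each LogonId; the sample text is a constructed excerpt of the output above, and the well-known LUID table (0x3e4-0x3e7) is assumed from ntifs.h.

```python
import re

# Constructed sample: two of the sessions from the !logonsession output above,
# plus the dt dump of the first one, keyed by session address.
LOGONSESSION_OUT = """\
** Session   1 = 0xffff850374fcb800
   LogonId     = {0x1bb8ea 0x0} ServerSilo = 0000000000000000
   References  = 4
** Session   6 = 0xffff85036f605d10
   LogonId     = {0x3e6    0x0} ServerSilo = 0000000000000000
   References  = 2
"""
DT_OUT = {"0xffff850374fcb800": """\
   +0x038 AccountName      : _UNICODE_STRING "osr"
   +0x048 AuthorityName    : _UNICODE_STRING "DESKTOP-IKSARN7"
"""}

# Well-known LUIDs from ntifs.h (assumed); any other LogonId is a real user/service logon.
WELL_KNOWN = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE",
              0x3E6: "ANONYMOUS LOGON", 0x3E7: "SYSTEM"}

SESSION_RE = re.compile(r"^\*\* Session\s+\d+\s+=\s+(0x[0-9a-f]+)\s*\n"
                        r"\s+LogonId\s+=\s+\{(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\}", re.M)
FIELD_RE = re.compile(r'\+0x[0-9a-f]+\s+(AccountName|AuthorityName)\s+:'
                      r'\s+_UNICODE_STRING\s+"([^"]*)"')

def parse_logon_sessions(text):
    """Return [(address, luid)]; the LUID is HighPart << 32 | LowPart."""
    return [(addr, (int(hi, 16) << 32) | int(lo, 16))
            for addr, lo, hi in SESSION_RE.findall(text)]

def parse_session_references(dt_text):
    """Extract AccountName/AuthorityName from a dt _SEP_LOGON_SESSION_REFERENCES dump."""
    return dict(FIELD_RE.findall(dt_text))

def resolve_logons(logonsession_text, dt_by_addr):
    """Map each LUID to AUTHORITY\\account, a well-known logon name, or None."""
    out = {}
    for addr, luid in parse_logon_sessions(logonsession_text):
        fields = parse_session_references(dt_by_addr.get(addr, ""))
        if "AccountName" in fields:
            out[luid] = f"{fields.get('AuthorityName', '?')}\\{fields['AccountName']}"
        else:
            out[luid] = WELL_KNOWN.get(luid)  # None means: still needs a dt
    return out

if __name__ == "__main__":
    for luid, who in resolve_logons(LOGONSESSION_OUT, DT_OUT).items():
        print(f"LogonId 0x{luid:x}: {who or 'unresolved, dt this session'}")
```

Sessions that resolve to neither a well-known LUID nor a dumped AccountName are the ones still worth a dt, since they are the interactive or network logons the original question is after.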

Thanks, Scott. I don't think AuthorityName is the username here. I found another way. Using the command below, I first find the logged-on sessions, and then, using the MSFT Mex extension's !p command on processes (not all, but a few processes like chrome etc.) running in the logged-on sessions, we can see the username.

.foreach /pS 1 /ps 1 ( hit {!! -ci "!sprocess -4" find /i "MM_SESSION_SPACE" }) {!! -ci "dt _MM_SESSION_SPACE hit" findstr /i "IoState SessionId"}

In this context, an authority is the name of the computer or domain where the account is defined: a local SAM, an antique LM domain, or modern (circa 2000) AD. All of the cloud stuff is a giant AD run by MSFT.