Hi All,
Is there any command available to get the user name details from the complete memory dump collected on a windows server machine with multiple sessions in logged on state.
The only information I know that's available is through !logonsession:
0: kd> !logonsession 0
Dumping all logon sessions.
** Session 1 = 0xffff850374fcb800
LogonId = {0x1bb8ea 0x0} ServerSilo = 0000000000000000
References = 4
** Session 2 = 0xffff850371f57650
LogonId = {0xd318 0x0} ServerSilo = 0000000000000000
References = 1
** Session 3 = 0xffff8503735244b0
LogonId = {0x134da 0x0} ServerSilo = 0000000000000000
References = 19
** Session 4 = 0xffff850371f56060
LogonId = {0xd33d 0x0} ServerSilo = 0000000000000000
References = 1
** Session 5 = 0xffff850374fcc770
LogonId = {0x1bb915 0x0} ServerSilo = 0000000000000000
References = 920
** Session 6 = 0xffff85036f605d10
LogonId = {0x3e6 0x0} ServerSilo = 0000000000000000
References = 2
** Session 7 = 0xffff8503735233a0
LogonId = {0x134a8 0x0} ServerSilo = 0000000000000000
References = 2
** Session 8 = 0xffff850371f57720
LogonId = {0xcf26 0x0} ServerSilo = 0000000000000000
References = 1
** Session 9 = 0xffff850371f563a0
LogonId = {0x3e4 0x0} ServerSilo = 0000000000000000
References = 458
** Session 10 = 0xffff85036f605c30
LogonId = {0x3e7 0x0} ServerSilo = 0000000000000000
References = 1251
** Session 11 = 0xffff850373524580
LogonId = {0x3e5 0x0} ServerSilo = 0000000000000000
References = 432
11 sessions in the system.
And then each of those "session" values is a nt!_SEP_LOGON_SESSION_REFERENCES:
0: kd> dt nt!_SEP_LOGON_SESSION_REFERENCES 0xffff850374fcb800
+0x000 Next : (null)
+0x008 LogonId : _LUID
+0x010 BuddyLogonId : _LUID
+0x018 ReferenceCount : 0n4
+0x020 Flags : 0xa
+0x028 pDeviceMap : 0xffff8503`75cb5120 _DEVICE_MAP
+0x030 Token : 0xffff8503`762085f0 Void
+0x038 AccountName : _UNICODE_STRING "osr"
+0x048 AuthorityName : _UNICODE_STRING "DESKTOP-IKSARN7"
+0x058 CachedHandlesTable : _SEP_CACHED_HANDLES_TABLE
+0x068 SharedDataLock : _EX_PUSH_LOCK
+0x070 SharedClaimAttributes : (null)
+0x078 SharedSidValues : (null)
+0x080 RevocationBlock : _OB_HANDLE_REVOCATION_BLOCK
+0x0a0 ServerSilo : (null)
+0x0a8 SiblingAuthId : _LUID
+0x0b0 TokenList : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
I assume further details are buried somewhere in a user mode process and not going to be available, but maybe someone else will know...
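If the two commands above are run with logging on (.logopen) and the output saved, the session list and the per-session dt dumps can be joined offline. The following Python is an added example, not code from this thread or from Microsoft; it parses the captured text, pairs each logon session with the AccountName/AuthorityName from its dt dump, and falls back to the well-known service LUIDs from winnt.h (0x3e7 SYSTEM, 0x3e6 ANONYMOUS LOGON, 0x3e5 LOCAL SERVICE, 0x3e4 NETWORK SERVICE) for sessions that were not dumped. It assumes the braces in the LogonId line print LowPart then HighPart.

```python
import re
# Well-known logon LUIDs (LowPart; HighPart is 0) as defined in winnt.h.
WELL_KNOWN_LUIDS = {0x3e7: "SYSTEM", 0x3e6: "ANONYMOUS LOGON", 0x3e5: "LOCAL SERVICE", 0x3e4: "NETWORK SERVICE"}
SESSION_RE = re.compile(r"\*\*\s*Session\s+(\d+)\s*=\s*(0x[0-9a-f]+)", re.I)
LOGONID_RE = re.compile(r"LogonId\s*=\s*\{(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\}", re.I)
DT_RE = re.compile(r"dt\s+nt!_SEP_LOGON_SESSION_REFERENCES\s+(0x[0-9a-f`]+)", re.I)
NAME_RE = re.compile(r'(AccountName|AuthorityName)\s*:\s*_UNICODE_STRING\s+"([^"]*)"')

def parse_logonsession(text):
    """'!logonsession 0' output -> one {'session','address','luid'} dict per session."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            cur = {"session": int(m[1]), "address": int(m[2], 16), "luid": None}
            sessions.append(cur)
        elif (m := LOGONID_RE.search(line)) and cur:
            # Assumes the braces print {LowPart HighPart}, the _LUID field order.
            cur["luid"] = (int(m[2], 16) << 32) | int(m[1], 16)
    return sessions

def parse_dt_blocks(text):
    """Logged 'dt nt!_SEP_LOGON_SESSION_REFERENCES <addr>' output -> {addr: names}."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if m := DT_RE.search(line):
            cur = blocks.setdefault(int(m[1].replace("`", ""), 16), {})
        elif (m := NAME_RE.search(line)) and cur is not None:
            cur[m[1]] = m[2]  # AccountName / AuthorityName
    return blocks

def resolve_sessions(logonsession_text, dt_text):
    """Join both outputs: (session no., LogonId, 'AUTHORITY\\account' or well-known name)."""
    names, rows = parse_dt_blocks(dt_text), []
    for s in parse_logonsession(logonsession_text):
        n = names.get(s["address"], {})
        if n.get("AccountName"):
            who = f"{n.get('AuthorityName', '?')}\\{n['AccountName']}"
        else:  # no dt block captured for it: fall back to the well-known service LUIDs
            who = WELL_KNOWN_LUIDS.get(s["luid"], "<unresolved>")
        rows.append((s["session"], f"0x{s['luid'] or 0:x}", who))
    return rows

# Constructed sample, trimmed from the kd output quoted in this thread.
LOGONSESSION_OUT = """** Session 1 = 0xffff850374fcb800
LogonId = {0x1bb8ea 0x0} ServerSilo = 0000000000000000
** Session 10 = 0xffff85036f605c30
LogonId = {0x3e7 0x0} ServerSilo = 0000000000000000"""
DT_OUT = """0: kd> dt nt!_SEP_LOGON_SESSION_REFERENCES 0xffff850374fcb800
   +0x038 AccountName      : _UNICODE_STRING "osr"
   +0x048 AuthorityName    : _UNICODE_STRING "DESKTOP-IKSARN7"
"""
```

Sessions whose LogonId is not well-known and that have no dt dump show as unresolved, which is the cue to dump that _SEP_LOGON_SESSION_REFERENCES address as well.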
Thanks Scott. I don't think AuthorityName is the username here. I found another way. Using the below command, first I will find out the logged-on sessions, and then using the MSFT Mex extension's !p command for processes (not all, but a few processes like chrome etc.) running in the logged-on sessions, we can see the user name.
.foreach /pS 1 /ps 1 ( hit {!! -ci "!sprocess -4" find /i "MM_SESSION_SPACE" }) {!! -ci "dt _MM_SESSION_SPACE hit" findstr /i "IoState SessionId"}
In this context, an authority is the name of a computer or domain where the account is defined. A local SAM, antique LM domain, or modern (circa 2000) AD. All of the cloud stuff is a giant AD run by MSFT