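Answer 1
This answer is a bit late, but after some effort of my own I think the result is worth documenting:
The Sysinternals AccessChk tool seems to be able to do it.
It is sensitive to the order of the command-line arguments, so it takes some experimentation to get the expected result: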
C:\sysinternals>accesschk.exe -p -f 13488
Accesschk v6.14 - Reports effective permissions for securable objects
Copyright 2006-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
[13488] game.exe
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
Token security:
RW NT AUTHORITY\SYSTEM
RW BUILTIN\Administrators
Token contents:
User:
NT AUTHORITY\SYSTEM
Groups:
BUILTIN\Administrators OWNER
Everyone MANDATORY
NT AUTHORITY\Authenticated Users MANDATORY
Mandatory Label\System Mandatory Level INTEGRITY
Privileges:
SeAssignPrimaryTokenPrivilege DISABLED
SeLockMemoryPrivilege ENABLED
SeIncreaseQuotaPrivilege DISABLED
SeTcbPrivilege ENABLED
SeSecurityPrivilege DISABLED
SeTakeOwnershipPrivilege DISABLED
SeLoadDriverPrivilege DISABLED
SeSystemProfilePrivilege ENABLED
SeSystemtimePrivilege DISABLED
SeProfileSingleProcessPrivilege ENABLED
SeIncreaseBasePriorityPrivilege ENABLED
SeCreatePagefilePrivilege ENABLED
SeCreatePermanentPrivilege ENABLED
SeBackupPrivilege DISABLED
SeRestorePrivilege DISABLED
SeShutdownPrivilege DISABLED
SeDebugPrivilege ENABLED
SeAuditPrivilege ENABLED
SeSystemEnvironmentPrivilege DISABLED
SeChangeNotifyPrivilege ENABLED
SeUndockPrivilege DISABLED
SeManageVolumePrivilege DISABLED
SeImpersonatePrivilege ENABLED
SeCreateGlobalPrivilege ENABLED
SeIncreaseWorkingSetPrivilege ENABLED
SeTimeZonePrivilege ENABLED
SeCreateSymbolicLinkPrivilege ENABLED
SeDelegateSessionUserImpersonatePrivilege ENABLED
Security Attributes:
TSA://ProcUnique
[TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE]
[TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE]
TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64
[0] 381
[1] 818343692
Answer 2
This only works for the current user. I don't know how to specify a pid.
C:\WINDOWS\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
C:\WINDOWS\system32>
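
Added example (not part of either answer): a Python parser for the two output layouts shown above, `accesschk.exe -p -f <pid>` and `whoami /priv`, which reports the enabled privileges on each token that fall in a review shortlist. The function names, the shortlist and the sample text are assumptions made for this example.

```python
import re

# "[13488] game.exe" opens a process block. Heuristic (assumption): an all-digit
# name such as "[0] 381" is a security-attribute value, not a process header.
PROC = re.compile(r"^\s*\[(\d+)\]\s+(?!\d+\s*$)(\S.*?)\s*$")
# Covers "SeDebugPrivilege ENABLED" (accesschk) and
# "SeDebugPrivilege Debug programs Disabled" (whoami /priv).
PRIV = re.compile(r"^\s*(Se\w+Privilege)\b.*?\b(Enabled|Disabled)\s*$", re.I)
# Shortlist chosen for this example (assumption), not an official list.
REVIEW = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
          "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}


def parse_privileges(text):
    """Return one {'pid', 'image', 'privileges': {name: enabled}} per token."""
    tokens, cur = [], None
    for line in text.splitlines():
        m = PROC.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "image": m.group(2), "privileges": {}}
            tokens.append(cur)
            continue
        m = PRIV.match(line)
        if m:
            if cur is None:  # whoami /priv prints no "[pid] image" header
                cur = {"pid": None, "image": None, "privileges": {}}
                tokens.append(cur)
            cur["privileges"][m.group(1)] = m.group(2).upper() == "ENABLED"
    return tokens


def enabled_for_review(token):
    """Enabled privileges that are on the REVIEW shortlist, sorted by name."""
    return sorted(p for p, on in token["privileges"].items() if on and p in REVIEW)


# Constructed samples in the two layouts shown in the answers above.
ACCESSCHK_SAMPLE = r"""
[13488] game.exe
Privileges:
SeTcbPrivilege ENABLED
SeLoadDriverPrivilege DISABLED
SeDebugPrivilege ENABLED
SeChangeNotifyPrivilege ENABLED
Security Attributes:
[0] 381
"""
WHOAMI_SAMPLE = """
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""
```

Feed `parse_privileges` the captured text of either command and pass each returned token to `enabled_for_review`; a token parsed from `whoami /priv` has `pid` set to `None`.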