Windows Integrity Levels – Process Explorer and WinDbg

From Windows Vista onwards, Microsoft has placed a substantially greater focus on the security of the operating system, which is one of the areas most users will neglect and then later come to complain about. In this article I’m going to talk about Windows Integrity Levels, and how we can view this information in WinDbg and through some SysInternals Tools. In another article, I will going into more depth about access tokens and how they are used to increase system security.

These security measures were introduced since it was relatively easy to modify memory and remove any security identification, thus leads to code modification and injection being used to allow illegitimate access to important system data structures etc.

User-Mode processes often require the use of system services and system resources which reside within the Kernel-Mode. To stop any illegitimate access or any poor programming from creating havoc in Kernel-Mode, some security validation procedures have been introduced to Windows, these commonly are Integrity Levels and Access Tokens.

The Integrity Levels come in 5 different levels, with 4 being the highest and most privileged level.

Integrity Levels (Lowest to Highest):

  • Untrusted (0) – Blocks most write access to a majority of objects
  • Low (1) – Blocks most write access to registry keys and file objects
  • Medium (2) – This is the default setting for most processes when UAC has been enabled on the system.
  • High (3) – Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator. Otherwise, administrative programs will have this setting with
  • System (4) – This is a setting reserved for system level components.

Integrity Levels are used to isolate privileged code and data from programs which do not have the correct access rights. The Integrity Levels are stored with a Access Token, which we can view in WinDbg with the _TOKEN data structure and also find with Process Explorer. Access Tokens are typically checked when a process requests access to a handle for an object.

Viewing Integrity Levels (Process Explorer):

If you haven’t enabled the Integrity Level column in Process Explorer, then follow these simple steps:

Click View > Select Columns > Integrity Level > OK/Apply

Process Explorer

Viewing Integrity Levels (WinDbg):

Alternatively, we can view the Integrity Level of a process with WinDbg, and the viewing the _TOKEN data structure. I’m not sure on its effectiveness.

Using the Token Address with _TOKEN data structure, we can find the Integrity Level of the process.

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in Debugging, System Security, Windows Internals. Bookmark the permalink.

One Response to Windows Integrity Levels – Process Explorer and WinDbg

  1. Way cool! Some extremely valid points! I appreciate you writing this
    write-up aand the rest off the site is really good.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s