These security measures were introduced because it was relatively easy to modify memory and strip out any security identification, which allowed code modification and injection to be used to gain illegitimate access to important system data structures.
User-Mode processes often require the use of system services and system resources which reside within Kernel-Mode. To stop any illegitimate access, or any poor programming, from creating havoc in Kernel-Mode, some security validation procedures have been introduced to Windows; the most common of these are Integrity Levels and Access Tokens.
There are five Integrity Levels, numbered 0 to 4, with 4 being the highest and most privileged level.
Integrity Levels (Lowest to Highest):
- Untrusted (0) - Blocks most write access to a majority of objects
- Low (1) - Blocks most write access to registry keys and file objects
- Medium (2) - This is the default setting for most processes when UAC has been enabled on the system.
- High (3) - Most processes will have this setting if UAC is disabled and the currently logged-on user is an administrator. Otherwise, administrative programs will have this setting with
- System (4) - This is a setting reserved for system level components.
Viewing Integrity Levels (Process Explorer):
If you haven't enabled the Integrity Level column in Process Explorer, then follow these simple steps:
Click View > Select Columns > Integrity Level > OK/Apply
[Image: Process Explorer]
Alternatively, we can view the Integrity Level of a process with WinDbg by viewing the _TOKEN data structure. I'm not sure of its effectiveness.
Using the token address with the _TOKEN data structure, we can find the Integrity Level of the process.
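As an added example, not code from the original post, the same mandatory label that Process Explorer and the kernel _TOKEN structure expose can be read from user mode with GetTokenInformation(TokenIntegrityLevel), which returns the label SID S-1-16-RID whose last sub-authority encodes the level. The script assumes a Windows host with Windows PowerShell 5.1 or later; the type name TokenIl and the function Get-IntegrityLevel are my own.

```powershell
# Added example (not from the original post): read a process's integrity level from its token.
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices; using System.ComponentModel;
public static class TokenIl {
  [DllImport("kernel32.dll", SetLastError=true)] static extern IntPtr OpenProcess(uint a, bool i, int pid);
  [DllImport("kernel32.dll", SetLastError=true)] static extern bool CloseHandle(IntPtr h);
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
  [DllImport("advapi32.dll", SetLastError=true)] static extern bool GetTokenInformation(IntPtr t, int c, IntPtr buf, uint len, out uint ret);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint n);
  const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, TOKEN_QUERY = 0x0008;
  const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value
  // Returns the RID of the token's mandatory label SID S-1-16-<RID> (0x1000 = Low, 0x2000 = Medium, ...).
  public static uint GetRid(int pid) {
    IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
    if (proc == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
    IntPtr tok = IntPtr.Zero, buf = IntPtr.Zero;
    try {
      if (!OpenProcessToken(proc, TOKEN_QUERY, out tok)) throw new Win32Exception(Marshal.GetLastWin32Error());
      uint len; GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out len); // size query only
      buf = Marshal.AllocHGlobal((int)len);
      if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, len, out len)) throw new Win32Exception(Marshal.GetLastWin32Error());
      IntPtr sid = Marshal.ReadIntPtr(buf);                    // TOKEN_MANDATORY_LABEL.Label.Sid
      byte n = Marshal.ReadByte(GetSidSubAuthorityCount(sid)); // last sub-authority holds the level RID
      return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(n - 1)));
    } finally {
      if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
      if (tok != IntPtr.Zero) CloseHandle(tok);
      CloseHandle(proc);
    }
  }
}
'@

# Map the RID to the five levels listed above: RID >> 12 gives the 0-4 index the post uses.
$levels = 'Untrusted','Low','Medium','High','System'
function Get-IntegrityLevel {
  param([int]$ProcessId = $PID)
  try { $rid = [TokenIl]::GetRid($ProcessId) }
  catch { return [pscustomobject]@{ Pid = $ProcessId; Rid = $null; Level = 'Inaccessible' } }  # e.g. protected/system process
  $idx = ([int]$rid) -shr 12
  $name = if ($idx -lt $levels.Count) { $levels[$idx] } else { 'Unknown' }
  [pscustomobject]@{ Pid = $ProcessId; Rid = ('0x{0:X4}' -f $rid); Level = $name }
}

# Current shell (Medium when launched normally, High when elevated), then a count per level for every process we can open.
Get-IntegrityLevel
Get-Process | ForEach-Object { Get-IntegrityLevel -ProcessId $_.Id } | Group-Object Level | Select-Object Name, Count
```

From a non-elevated shell, tokens of System-level and protected processes will typically report Inaccessible, which is itself a useful sanity check that the mandatory-label boundary holds.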