Thursday, 31 July 2014

Windows Integrity Levels - Process Explorer and WinDbg

From Windows Vista onwards, Microsoft has placed a substantially greater focus on the security of the operating system, which is one of the areas most users will neglect and then later come to complain about. In this article I'm going to talk about Windows Integrity Levels, and how we can view this information in WinDbg and through some SysInternals Tools. In another article, I will going into more depth about access tokens and how they are used to increase system security.

These security measures were introduced since it was relatively easy to modify memory and remove any security identification, thus leads to code modification and injection being used to allow illegitimate access to important system data structures etc.

User-Mode processes often require the use of system services and system resources which reside within the Kernel-Mode. To stop any illegitimate access or any poor programming from creating havoc in Kernel-Mode, some security validation procedures have been introduced to Windows, these commonly are Integrity Levels and Access Tokens.

The Integrity Levels come in 5 different levels, with 4 being the highest and most privileged level.

Integrity Levels (Lowest to Highest):
  • Untrusted (0) - Blocks most write access to a majority of objects
  • Low (1) - Blocks most write access to registry keys and file objects
  • Medium (2) - This is the default setting for most processes when UAC has been enabled on the system.
  • High (3) - Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator. Otherwise, administrative programs will have this setting with
  • System (4) - This is a setting reserved for system level components.
Integrity Levels are used to isolate privileged code and data from programs which do not have the correct access rights. The Integrity Levels are stored with a Access Token, which we can view in WinDbg with the _TOKEN data structure and also find with Process Explorer. Access Tokens are typically checked when a process requests access to a handle for an object.

Viewing Integrity Levels (Process Explorer):

If you haven't enabled the Integrity Level column in Process Explorer, then follow these simple steps:

Click View > Select Columns > Integrity Level > OK/Apply

Process Explorer
Viewing Integrity Levels (WinDbg):

Alternatively, we can view the Integrity Level of a process with WinDbg, and the viewing the _TOKEN data structure. I'm not sure on its effectiveness.


Using the Token Address with _TOKEN data structure, we can find the Integrity Level of the process.


No comments:

Post a Comment