These security measures were introduced because it was relatively easy to modify memory and remove any security identification, which allowed code modification and injection to be used to gain illegitimate access to important system data structures.
User-Mode processes often require the use of system services and system resources which reside within Kernel-Mode. To stop illegitimate access or poor programming from creating havoc in Kernel-Mode, some security validation procedures have been introduced to Windows; the most common of these are Integrity Levels and Access Tokens.
There are 5 Integrity Levels, numbered 0 to 4, with 4 being the highest and most privileged level.
Integrity Levels (Lowest to Highest):
- Untrusted (0) - Blocks most write access to a majority of objects
- Low (1) - Blocks most write access to registry keys and file objects
- Medium (2) - This is the default setting for most processes when UAC has been enabled on the system.
- High (3) - Most processes will have this setting if UAC is disabled and the currently logged on user is the administrator. Otherwise, administrative programs will have this setting with
- System (4) - This is a setting reserved for system level components.
Viewing Integrity Levels (Process Explorer):
If you haven't enabled the Integrity Level column in Process Explorer, then follow these simple steps:
Click View > Select Columns > Integrity Level > OK/Apply
[Image: Process Explorer]
Alternatively, we can view the Integrity Level of a process with WinDbg by viewing the _TOKEN data structure. I'm not sure of its effectiveness.
Using the Token Address with the _TOKEN data structure, we can find the Integrity Level of the process.
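A token records its integrity level as a mandatory-label SID of the form S-1-16-<RID>, which is what tools print next to the level name. The following is an added example, not code from the original post: it maps such a SID back to the 0 to 4 numbering used in the list above. The function names and the sample text are assumptions constructed for illustration.

```python
import re

# Level numbers and names exactly as listed in the article (0 lowest, 4 highest).
LEVEL_NAMES = {0: "Untrusted", 1: "Low", 2: "Medium", 3: "High", 4: "System"}

# A token stores its integrity level as a SID under the Mandatory Label
# authority (16): S-1-16-<RID>. The RID rises by 0x1000 per level.
_LABEL_SID = re.compile(r"(?<![\w-])S-1-16-(\d+)(?![\w-])")


def level_from_sid(sid):
    """Return (level, name, rid) for a mandatory-label SID string."""
    m = _LABEL_SID.fullmatch(sid.strip())
    if m is None:
        raise ValueError(f"not a mandatory-label SID: {sid!r}")
    rid = int(m.group(1))
    level = rid >> 12  # 0x0000 -> 0, 0x1000 -> 1, ... 0x4000 -> 4
    name = LEVEL_NAMES.get(level, "outside the article's 0-4 list")
    if level in LEVEL_NAMES and rid & 0xFFF:
        name += "+"  # in-between RID such as 0x2100, reported as the level below
    return level, name, rid


def find_integrity_level(text):
    """Scan tool output for the first mandatory-label SID; None if absent."""
    m = _LABEL_SID.search(text)
    return level_from_sid(m.group(0)) if m else None


# Constructed sample, laid out like abbreviated `whoami /groups` output.
SAMPLE = r"""
Everyone                               Well-known group S-1-1-0
BUILTIN\Users                          Alias            S-1-5-32-545
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
"""

if __name__ == "__main__":
    level, name, rid = find_integrity_level(SAMPLE)
    print(f"{name} ({level}), RID 0x{rid:04x}")
```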

This is a really insightful breakdown of Windows Integrity Levels and how tools like Process Explorer and WinDbg can be used to analyze them in depth. The explanation of security boundaries and process privileges makes a complex topic much easier to understand. For students exploring operating systems or cybersecurity, posts like this are incredibly valuable almost like practical computer science assignment help when trying to grasp real-world debugging and system internals concepts. Great technical walkthrough and clear examples!