Posted by: kurtsh | February 20, 2007

DOWNLOAD: Process Explorer v10.21 – Optimized for Windows Vista

We were in a presentation room, when I struck up a conversation with Mark Russinovich, Technical Fellow here at Microsoft, and one of the 2 founders of Winternals/Sysinternals.  Mark was about to go into his talk on malware & Windows Vista when the two of us started talking about the acquisition of Winternals and how things had been "life after acquisition" so to speak.

One of his most famous tools, and a personal favorite of mine, is Process Explorer… the Professional’s Task Manager.  Think TaskMan++.  Task Manager Premium Edition.  Task Manager v2.0.

And among the most interesting things in Process Explorer are the additions Mark’s made to accommodate Windows Vista.

PROCESS VIRTUALIZATION
One of them is whether or not a running process is "virtualized" into a higher user rights context.  This is a process state that will be most commonly associated with ‘Vista’-based processes, because Windows Vista popularizes the concept of running with a limited user account on a day-to-day basis and ‘virtualizing an environment with elevated rights’ in order to execute a process that requires administrative rights.

INTEGRITY LEVELS
Another is the concept of integrity levels.  When you elevate the rights available to a process, a virtualized environment is created for that process.  To protect the elevated process space (with superuser permissions) from intrusion from the standard user context, the concept of "integrity" levels was introduced – high integrity levels are assigned to elevated rights processes, and medium/lower levels are assigned to lesser states.  Lower levels of integrity cannot write directly into the space of higher levels of "integrity", isolating them to some degree.  (This is debated and contested in Mark’s recent blog entry, "PsExec, User Account Control and Security Boundaries"; however, the point of this post isn’t to debate the security of rights elevation but rather to make the point that Process Explorer can help people understand the internals of process management & security rights within Windows Vista.)
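The integrity-level idea above, as an added example that is not part of the original post and is not Process Explorer's code: it reads the mandatory label SID (`S-1-16-<RID>`) out of group output shaped like `whoami /groups /fo csv` and applies the default "no write up" comparison. The sample text is constructed and the function names are hypothetical; the check models only the integrity comparison, not the ordinary ACL check that also applies.

```python
import csv
import io
import re

# Well-known mandatory label RIDs (last component of S-1-16-<RID>).
LEVELS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
          (0x3000, "High"), (0x4000, "System")]

LABEL_SID = re.compile(r"^S-1-16-(\d+)$")

# Constructed sample in the shape of `whoami /groups /fo csv` output.
SAMPLE = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''


def label_rid(groups_csv):
    """Return the integrity RID found in the group list, or None if absent."""
    for row in csv.DictReader(io.StringIO(groups_csv)):
        match = LABEL_SID.match(row["SID"].strip())
        if match:
            return int(match.group(1))
    return None


def level_name(rid):
    """Bucket a RID into its named level; in-between RIDs round down."""
    name = LEVELS[0][1]
    for base, label in LEVELS:
        if rid >= base:
            name = label
    return name


def write_allowed(subject_rid, object_rid):
    """Default no-write-up rule: the writer must be at or above the target."""
    return subject_rid >= object_rid


if __name__ == "__main__":
    rid = label_rid(SAMPLE)
    print("token integrity:", level_name(rid))
    print("medium -> high write:", write_allowed(rid, 0x3000))
    print("high -> medium write:", write_allowed(0x3000, rid))
```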

In any case, here’s what’s new in Process Explorer – just updated for Windows Vista!

What’s new in Version 10.2:

  • Vista integrity level and virtualized columns and process properties
  • Signed driver for 64-bit Vista for x64 processors

What’s new in Version 10.1:

  • Vista process cycle counters in process properties and as column
  • Service permissions viewing and editing
  • Workaround for .NET runtime handle leak
  • Many new I/O columns and process properties
  • System and per-process I/O bytes history graphs
  • I/O history minigraph
  • Memory commit history minigraph
  • Optional I/O history tray icon
  • Windows 64-bit for Itanium support

DOWNLOAD: 
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

