Kernel Process (EB) ID to PID - Programmer



Thread: Kernel Process (EB) ID to PID

  1. Kernel Process (EB) ID to PID

    Hello all.

    My apologies for the cross-posting, but I needed an answer sooner rather than
    later.

    I need to know how I can convert / translate the process ID from a security
    audit event (apparently the linear address of the Kernel Process Environment
    Block) to a PID (the process ID one might see when you run tlist from a
    command prompt). We are seeing numerous event ID 578 in our PDC / BDC event
    logs, apparently logged by the built-in (now renamed) domain 'administrator'
    account - approximately 10 to 40 per minute - with the
    SeTakeOwnershipPrivilege listed. No one (?) is using this account on the
    domain... I have found very little on Google Groups to shed any light. The
    only hint in solving the problem appears to be the process ID.

    I have been to EventID.net - I'm afraid their reasons do not apply.

    I have figured the easiest way to get to the bottom of the problem is to
    find what process is using the account and take it from there. It appears
    that kernel debugging tools are required to do this. Are there any tools
    available (that one does not have to purchase - i.e. SoftICE) that can
    translate the KPEB IDs into PIDs? I would rather not have to purchase any
    ;-)

    Any (and ALL) help is much appreciated. If there is any other info I can
    provide... just ask. Thanks in advance all.



  2. Re: Kernel Process (EB) ID to PID

    > i need to know how i can convert / translate the process ID from a security
    > audit event (apparently the linear address of the Kernel Process Environment
    > Block) to a PID (the process ID one might see when you run tlist from a
    > command prompt).


    This is even theoretically impossible after the process has exited. Its PID
    can then be reused by another process. The only guarantee on PIDs is that
    they do not collide at any given moment.

    Unlike logon IDs, a PID is not a LUID, and thus can be reused by another
    process after this one has exited.

    If the process is still running - attach WinDbg via serial cable, and say
    !process with some parameters (look at the help) there. This will give you
    a list of all processes, with all their EPROCESS addresses and PIDs.

    --
    Maxim Shatskih, Windows DDK MVP
    StorageCraft Corporation
    maxim@storagecraft.com
    http://www.storagecraft.com



  3. Re: Kernel Process (EB) ID to PID

    Thanks Maxim. I know the information is useless unless current. I just
    wasn't sure where to start.

    WinDbg and kd are the tools I needed (and to load the appropriate symbols /
    paths). !process 0 0 showed me exactly the data I required - translated the
    process to Cid. This runs well on my XP machine (in local debugging mode!).
    I'm not sure when I'll next have physical access to one of our (NT4) BDCs to
    connect via a serial cable to perform the debug though. Is there any way to
    utilise TCP/IP - that is, debug over the network?

    Thanks.

    "Maxim S. Shatskih" wrote in message
    news:c29vdr$al2$1@gavrilo.mtu.ru...
    > > i need to know how i can convert / translate the process ID from a security
    > > audit event (apparently the linear address of the Kernel Process Environment
    > > Block) to a PID (the process ID one might see when you run tlist from a
    > > command prompt).
    >
    > This is even theoretically impossible after the process exited. Its PID can be
    > then reused by another process. The only guarantees on PID is that they do not
    > collide at any given moment.
    >
    > Unlike the logon IDs, PID is not a LUID, and thus can be reused by another
    > process after this one was exited.
    >
    > If the process still running - attach WinDbg via serial cable, and say !process
    > with some parameters (look at the help) there. This will give you a list of all
    > processes, with all their EPROCESS addresses and PIDs.
    >
    > --
    > Maxim Shatskih, Windows DDK MVP
    > StorageCraft Corporation
    > maxim@storagecraft.com
    > http://www.storagecraft.com
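The EPROCESS-to-PID lookup that reply 2 describes and reply 3 confirms with `!process 0 0`, as an added example that is not part of the original thread and not code from either poster: a small Python script that parses the debugger's process list into an EPROCESS-address-to-PID table and resolves the "Process ID" value from an event 578 against it. The `!process 0 0` output embedded below is constructed by hand in the XP-era layout; NT4's kd prints fewer fields per process, so the parser only keys on the `PROCESS <address> ... Cid: ... ParentCid: ...` line and the `Image:` line. It is also an assumption, not something the thread states, that Event Viewer renders the field as plain decimal or as `0x`-prefixed hex; both spellings are accepted. As Maxim points out, an address that is absent from the snapshot means the process has exited (and the address may already belong to a new process), so the script reports that rather than guessing.

```python
"""Map EPROCESS addresses from NT4 audit events (event ID 578) to PIDs using
the output of WinDbg/kd `!process 0 0`. Added example; not from the thread."""
import re
from typing import Dict, NamedTuple, Optional


class ProcInfo(NamedTuple):
    pid: int          # Cid as printed by the debugger (hex), converted to decimal
    parent_pid: int   # ParentCid, likewise
    image: str        # image name from the Image: line


# Constructed sample of `!process 0 0` output; addresses, Cids and image names
# are made up. Only the PROCESS header line and the Image: line are relied on.
SAMPLE_PROCESS_LIST = """\
**** NT ACTIVE PROCESS DUMP ****
PROCESS 8a5e3020  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001c30  HandleCount: 248.
    Image: System

PROCESS 8a3f1da0  SessionId: 0  Cid: 01a4    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0a1c0020  ObjectTable: e13c8fd8  HandleCount:  21.
    Image: smss.exe

PROCESS 8a2c7020  SessionId: 0  Cid: 0210    Peb: 7ffdf000  ParentCid: 01a4
    DirBase: 0a1c0060  ObjectTable: e151b6a0  HandleCount: 455.
    Image: lsass.exe

PROCESS 89f0e600  SessionId: 0  Cid: 0398    Peb: 7ffd9000  ParentCid: 0210
    DirBase: 0a1c00a0  ObjectTable: e17a2338  HandleCount:  88.
    Image: backupagent.exe
"""

# `\bCid:` deliberately does not match the "Cid:" inside "ParentCid:".
_PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F]{8,16})\b.*?"
    r"\bCid:\s*(?P<cid>[0-9a-fA-F]+)\b.*?"
    r"\bParentCid:\s*(?P<parent>[0-9a-fA-F]+)\b",
    re.MULTILINE,
)
_IMAGE_RE = re.compile(r"^\s*Image:\s*(?P<image>\S+)", re.MULTILINE)


def parse_process_list(text: str) -> Dict[int, ProcInfo]:
    """Build {EPROCESS address: ProcInfo} from `!process 0 0` output.

    The debugger prints Cid/ParentCid in hex; they are converted to the
    decimal PIDs that tlist shows.
    """
    table: Dict[int, ProcInfo] = {}
    heads = list(_PROCESS_RE.finditer(text))
    for i, head in enumerate(heads):
        # Search for the Image: line only within this process's own record.
        record_end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        img = _IMAGE_RE.search(text, head.end(), record_end)
        table[int(head.group("eprocess"), 16)] = ProcInfo(
            pid=int(head.group("cid"), 16),
            parent_pid=int(head.group("parent"), 16),
            image=img.group("image") if img else "<unknown>",
        )
    return table


def audit_process_id_to_address(field: str) -> int:
    """Turn the "Process ID" field of an event 578 into an EPROCESS address.

    Per the thread that field is the linear address of the EPROCESS block.
    Assumption (not from the thread): it may be rendered as plain decimal or
    as 0x-prefixed hex, so both are accepted.
    """
    field = field.strip()
    return int(field, 16) if field.lower().startswith("0x") else int(field, 10)


def resolve(eprocess: int, table: Dict[int, ProcInfo]) -> Optional[ProcInfo]:
    """Look an EPROCESS address up in the snapshot; None if it is not there.

    None is the honest answer once the process has exited: the address (and
    the PID) may already belong to a different process, so a stale event
    cannot be resolved from a later snapshot.
    """
    return table.get(eprocess)


if __name__ == "__main__":
    snapshot = parse_process_list(SAMPLE_PROCESS_LIST)
    for raw in ("0x89f0e600", str(0x8a2c7020), "0xdeadbee0"):
        info = resolve(audit_process_id_to_address(raw), snapshot)
        if info is None:
            print(f"{raw}: not in the current process list (exited or address reused)")
        else:
            print(f"{raw}: PID {info.pid} ({info.image}), parent PID {info.parent_pid}")
```

To use it on a real box, paste the `!process 0 0` output from the kd or WinDbg session into a file and feed that text to `parse_process_list` while the events are still being logged; the snapshot is only meaningful for events raised while those processes were alive. Once a PID and image name are in hand, the parent PID chain tells you which service or logon started the process that is exercising SeTakeOwnershipPrivilege.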



