Kernel Process (EB) ID to PID - Programmer
-
Kernel Process (EB) ID to PID
Hello all.
My apologies for the cross-posting, but I needed an answer sooner rather than
later.
I need to know how I can convert / translate the process ID from a security
audit event (apparently the linear address of the Kernel Process Environment
Block) to a PID (the process ID one might see when you run tlist from a
command prompt). We are seeing numerous event ID 578 entries in our PDC / BDC
event logs, apparently logged by the built-in (now renamed) domain
'administrator' account - approximately 10 to 40 per minute - with
SeTakeOwnershipPrivilege listed. No one (?) is using this account on the
domain... I have found very little on Google Groups to shed any light. The
only hint in solving the problem appears to be the process ID.
I have been to EventID.net - I'm afraid their reasons do not apply.
I have figured the easiest way to get to the bottom of the problem is to
find what process is using the account and take it from there. It appears
that kernel debugging tools are required to do this. Are there any tools
available (that one does not have to purchase - i.e. SoftICE) that can
translate the KPEB IDs into PIDs? I would rather not have to purchase any
;-)
Any (and ALL) help is much appreciated. If there is any other info I can
provide... just ask. Thanks in advance, all.
-
Re: Kernel Process (EB) ID to PID
> I need to know how I can convert / translate the process ID from a security
> audit event (apparently the linear address of the Kernel Process Environment
> Block) to a PID (the process ID one might see when you run tlist from a
> command prompt).
This is even theoretically impossible after the process has exited. Its PID
can then be reused by another process. The only guarantee on PIDs is that they
do not collide at any given moment.
Unlike logon IDs, a PID is not a LUID, and thus can be reused by another
process after this one has exited.
If the process is still running, attach WinDbg via serial cable and say !process
with some parameters (look at the help) there. This will give you a list of all
processes, with all their EPROCESS addresses and PIDs.
--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com
-
Re: Kernel Process (EB) ID to PID
Thanks Maxim. I know the information is useless unless current. I just
wasn't sure where to start.
WinDbg and KD are the tools I needed (and to load the appropriate symbols /
paths). !process 0 0 showed me exactly the data I required - it translated the
process to a Cid. This runs well on my XP machine (in local debugging mode!).
I'm not sure when I'll next have physical access to one of our (NT4) BDCs to
connect via a serial cable to perform the debug, though. Is there any way to
utilise TCP/IP - that is, debug over the network?
Thanks.
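As an added example (not code from this thread, nor from any tool it mentions), the script below does the join that the two posts above describe by hand: it parses a pasted `!process 0 0` listing from WinDbg/KD into an EPROCESS-address-to-PID table, converts the hex Cid to the decimal PID that tlist prints, and looks up the Process ID field of each 578 record in that table. The listing and the audit records are constructed samples in the shape of the real output; every address, PID and the image name unknownsvc.exe are invented. It assumes the listing was taken while the events were being logged, which, as Maxim points out, is the only case in which the mapping means anything.

```python
"""Resolve the kernel process addresses logged in the Process ID field
of event ID 578 to the PIDs that tlist shows, using a pasted
"!process 0 0" listing from WinDbg/KD.

Added example, not code from the thread. PROCESS_LISTING and AUDIT_EVENTS
are constructed samples in the shape of the real output; all addresses,
PIDs and the image name unknownsvc.exe are invented.
"""
import re

# Constructed sample of "!process 0 0" output. The SessionId field only
# exists from Windows 2000 on, so the parser treats it as optional.
PROCESS_LISTING = """\
PROCESS 8a3f2020  SessionId: 0  Cid: 0008    Peb: 00000000  ParentCid: 0000
    DirBase: 00030000  ObjectTable: e1000c78  HandleCount: 201.
    Image: System

PROCESS 8a1c7da0  SessionId: 0  Cid: 00d4    Peb: 7ffdf000  ParentCid: 0008
    DirBase: 0b2c8000  ObjectTable: e13a9d08  HandleCount:  75.
    Image: smss.exe

PROCESS 8a1b5020  SessionId: 0  Cid: 0120    Peb: 7ffde000  ParentCid: 00d4
    DirBase: 0c0a3000  ObjectTable: e1590b68  HandleCount: 412.
    Image: lsass.exe

PROCESS 89f0e6c0  SessionId: 0  Cid: 02a8    Peb: 7ffdd000  ParentCid: 0120
    DirBase: 0d9e1000  ObjectTable: e1a2c3f8  HandleCount:  38.
    Image: unknownsvc.exe
"""

# Constructed sample of the fields that matter from three 578 records;
# the third address is deliberately absent from the listing above.
AUDIT_EVENTS = [
    {"event_id": 578, "user": r"DOMAIN\Administrator",
     "privileges": "SeTakeOwnershipPrivilege", "process_id": "89f0e6c0"},
    {"event_id": 578, "user": r"DOMAIN\Administrator",
     "privileges": "SeTakeOwnershipPrivilege", "process_id": "89F0E6C0"},
    {"event_id": 578, "user": r"DOMAIN\Administrator",
     "privileges": "SeTakeOwnershipPrivilege", "process_id": "8a2d4a80"},
]

PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F]{8})\s+(?:SessionId:\s*\d+\s+)?"
    r"Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*[0-9a-fA-F]+\s+"
    r"ParentCid:\s*(?P<parent>[0-9a-fA-F]+)",
    re.MULTILINE,
)
IMAGE_RE = re.compile(r"^\s+Image:\s*(?P<image>\S+)", re.MULTILINE)


def parse_process_listing(text):
    """Return {eprocess_address: {"pid", "parent_pid", "image"}}.
    Cid/ParentCid are printed in hex; tlist prints the same numbers in
    decimal, so convert here to avoid comparing 0x2a8 against 680."""
    procs = {}
    heads = list(PROCESS_RE.finditer(text))
    for i, m in enumerate(heads):
        # The Image: line sits in the block before the next PROCESS header.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        img = IMAGE_RE.search(text, m.end(), end)
        procs[m.group("eprocess").lower()] = {
            "pid": int(m.group("cid"), 16),
            "parent_pid": int(m.group("parent"), 16),
            "image": img.group("image") if img else "?",
        }
    return procs


def resolve_events(events, procs):
    """Attach PID and image name to each audit record. An address that is
    not in the listing belongs to a process that had already exited (or the
    listing was taken at another time); PIDs are reused after exit, so only
    a listing taken while the events are being logged is trustworthy."""
    resolved = []
    for ev in events:
        hit = procs.get(ev["process_id"].lower())
        resolved.append({
            **ev,
            "resolved": hit is not None,
            "pid": hit["pid"] if hit else None,
            "image": hit["image"] if hit else None,
        })
    return resolved


def count_by_image(resolved):
    """Events per image name, so the noisy caller stands out."""
    counts = {}
    for r in resolved:
        label = r["image"] or "<not running at snapshot time>"
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    procs = parse_process_listing(PROCESS_LISTING)
    for addr, p in procs.items():
        print(f"EPROCESS {addr}  PID {p['pid']:5d} (0x{p['pid']:x})  "
              f"parent {p['parent_pid']:5d}  {p['image']}")
    resolved = resolve_events(AUDIT_EVENTS, procs)
    for r in resolved:
        print(f"event {r['event_id']} {r['privileges']} by {r['user']}: "
              f"process {r['process_id']} -> PID {r['pid']} ({r['image']})")
    print(count_by_image(resolved))
```

To use it against a real machine, paste the `!process 0 0` output into PROCESS_LISTING and the Process ID values from the 578 records (exported from Event Viewer) into AUDIT_EVENTS. Any address that comes back unresolved is not a parsing failure but the PID-reuse problem from the reply above: the process was gone before the listing was taken, so a fresh listing must be captured while the events are still arriving.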