Operating System Protection Rings
What is it?
[ext] OS Protection rings / Hierarchical protection domains
Microsoft Windows: inspecting protected processes...
... or why not even the system's Win32 APIs can fetch information about some processes, even when they are called from the NT AUTHORITY\SYSTEM account.
A user process example...
```powershell
# from PowerShell
Get-WmiObject Win32_Process -Filter "name = 'explorer.exe'" | Select-Object processid,processname,path,commandline
```
Results in something like:
```
ProcessId ProcessName  Path                    CommandLine
--------- -----------  ----                    -----------
    10752 explorer.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\Explorer.EXE
```
... a kernel/protected process example ...
```powershell
# from PowerShell
Get-WmiObject Win32_Process -Filter "name = 'csrss.exe'" | Select-Object processid,processname,path,commandline
```
Results in:
```
ProcessId ProcessName Path CommandLine
--------- ----------- ---- -----------
      824 csrss.exe
     1148 csrss.exe
```
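The same query widened to every process, as an added example that is not part of the original page: it lists the processes for which WMI returns neither an image path nor a command line, and reports whether the session is elevated, because an unelevated session also gets empty fields for ordinary access-denied cases. It uses `Get-CimInstance`, the CIM counterpart of `Get-WmiObject`; the `Note` column and its wording are this example's own labels.

```powershell
# Added example (not from the original page): find every process that shows the
# same symptom as csrss.exe above, i.e. empty Path and CommandLine in WMI.

# Record who is asking. Without elevation, empty fields can simply mean
# "access denied" on another user's process rather than a protected process.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$all = Get-CimInstance -ClassName Win32_Process

# ExecutablePath is the WMI property behind the "Path" column shown above.
$opaque = $all | Where-Object {
    [string]::IsNullOrEmpty($_.ExecutablePath) -and
    [string]::IsNullOrEmpty($_.CommandLine)
}

# PID 0 (System Idle Process) and PID 4 (System) have no user-mode image,
# so they are always empty; label them separately from the other candidates.
$noteColumn = @{
    Name       = 'Note'
    Expression = {
        if ($_.ProcessId -in 0, 4) { 'kernel (Idle/System)' }
        else { 'not inspectable from this session' }
    }
}

$opaque |
    Sort-Object Name, ProcessId |
    Select-Object ProcessId, ParentProcessId, SessionId, Name, $noteColumn |
    Format-Table -AutoSize

'{0} of {1} processes return no Path/CommandLine (user: {2}, elevated: {3})' -f `
    @($opaque).Count, @($all).Count, $identity.Name, $elevated

if (-not $elevated) {
    Write-Warning 'Not elevated: rerun as administrator or SYSTEM before treating the remaining entries as protected processes.'
}
```

Entries that stay empty when the script runs elevated or as SYSTEM are the ones this page is about; comparing the list across hosts or over time shows which processes an inventory or monitoring script built on `Win32_Process` cannot describe.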
... and The Solution
[ext] Debugging Protected Processes (archived)