Mark Russinovich of Sysinternals has made available Tokenmon, an
application that monitors and displays a variety of security-related activity
taking place on a system. Tokenmon gets its name from the fact that Windows
NT/2000 stores a process’ security information, including the user account
context in which the process executes, in an object called a token. The activity
Tokenmon monitors includes the following:
- User logon/logoff
- Applications enabling or disabling security privileges in their process tokens
- Process startup and exit (token creation/deletion)
- Impersonation
capabilities that make it a powerful tool for exploring the way NT works, seeing
how applications use security functions, or tracking down problems in system or
application configurations. Tokenmon works on NT 4.0 and Windows 2000.