Analysis of the Security of Windows NT
1 March 1999
D.2.5 NT File System Monitor (NTFilemon)
NTFilemon can be used to monitor file system activity on NT 3.51 and NT 4.0. Like
NTRegmon, the utility consists of a device driver and a GUI. The device driver is of the
type known as a filter driver, which means that it layers itself above the file system
drivers. Once installed, NTFilemon sees the I/O requests that pass to, and from, the file
systems. All file systems that have an associated drive letter can be monitored, e.g. FAT
and NTFS partitions. The GUI application loads the driver automatically.
D.2.6 NT Process Monitor (NTPmon)
With NTPmon, information about all process activity on an NT 4.0 system can be
gathered and displayed in a window. Like NTRegmon and NTFilemon, the utility consists
of a device driver and a GUI. The driver uses a number of undocumented hooking
functions to collect information about activity such as process creation, process
deletion, thread creation, thread deletion and, optionally, context switches. Context
switch monitoring is only present in multiprocessor builds of NT, and is disabled by default.
D.2.7 Object Manager Name Space Viewer (WinObj)
WinObj is an NT application that displays information on the NT object manager's
name space, and thereby on the various operating system components that are
represented there. WinObj uses the native NT API, which, among other things, provides
routines that allow user programs to browse the name space. It is also possible to
query the status of the objects located there.
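As an added example (not part of the report and not WinObj's own code), the following PowerShell script reproduces the core of what WinObj does: it opens one directory of the object manager name space with the native routine NtOpenDirectoryObject and walks it with NtQueryDirectoryObject, listing each object's name and type. The P/Invoke declarations of UNICODE_STRING, OBJECT_ATTRIBUTES and OBJECT_DIRECTORY_INFORMATION, the constants, and the function name Get-NtObjectDirectory are this example's own assumptions about routines that are undocumented; the script needs Windows PowerShell 5.1 or PowerShell 7 on a Windows host.

```powershell
# Added example, not code from the report or from WinObj: list one directory
# of the object manager name space through ntdll's native routines.
# Structure layouts, constants and the function name are this example's own
# assumptions (the routines are undocumented); it needs Windows PowerShell 5.1
# or PowerShell 7 on Windows and an account allowed to open the directory.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class ObjMgr
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING   // counted string; Length is in bytes
    {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int    Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;     // PUNICODE_STRING
        public int    Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_DIRECTORY_INFORMATION   // one entry per query
    {
        public UNICODE_STRING Name;
        public UNICODE_STRING TypeName;
    }

    public const uint DIRECTORY_QUERY        = 0x00000001;
    public const int  OBJ_CASE_INSENSITIVE   = 0x00000040;
    public const uint STATUS_NO_MORE_ENTRIES = 0x8000001A;

    [DllImport("ntdll.dll")]
    public static extern uint NtOpenDirectoryObject(out IntPtr DirectoryHandle,
        uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes);

    [DllImport("ntdll.dll")]
    public static extern uint NtQueryDirectoryObject(IntPtr DirectoryHandle,
        IntPtr Buffer, int Length,
        [MarshalAs(UnmanagedType.U1)] bool ReturnSingleEntry,
        [MarshalAs(UnmanagedType.U1)] bool RestartScan,
        ref int Context, out int ReturnLength);

    [DllImport("ntdll.dll")]
    public static extern uint NtClose(IntPtr Handle);
}
"@

function Get-NtObjectDirectory {
    param([string]$Path = '\')
    $M = [Runtime.InteropServices.Marshal]

    # Build the UNICODE_STRING / OBJECT_ATTRIBUTES pair that every native open takes.
    $namePtr = $M::StringToHGlobalUni($Path)
    $us = New-Object ObjMgr+UNICODE_STRING
    $us.Length        = [uint16](2 * $Path.Length)
    $us.MaximumLength = [uint16](2 * ($Path.Length + 1))
    $us.Buffer        = $namePtr
    $usPtr = $M::AllocHGlobal($M::SizeOf($us))
    $M::StructureToPtr($us, $usPtr, $false)

    $oa = New-Object ObjMgr+OBJECT_ATTRIBUTES
    $oa.Length     = $M::SizeOf($oa)
    $oa.ObjectName = $usPtr
    $oa.Attributes = [ObjMgr]::OBJ_CASE_INSENSITIVE

    $h = [IntPtr]::Zero
    $bufSize = 4096
    $buf = $M::AllocHGlobal($bufSize)
    try {
        $status = [ObjMgr]::NtOpenDirectoryObject([ref]$h, [ObjMgr]::DIRECTORY_QUERY, [ref]$oa)
        if ($status -ne 0) { throw ('NtOpenDirectoryObject({0}) failed, NTSTATUS 0x{1:X8}' -f $Path, $status) }

        # Pull one entry per call; Context is the kernel's cursor into the directory.
        $context = 0; $returned = 0; $restart = $true
        while ($true) {
            $status = [ObjMgr]::NtQueryDirectoryObject($h, $buf, $bufSize, $true, $restart, [ref]$context, [ref]$returned)
            $restart = $false
            if ($status -eq [ObjMgr]::STATUS_NO_MORE_ENTRIES) { break }
            if ($status -ge 0xC0000000) { throw ('NtQueryDirectoryObject failed, NTSTATUS 0x{0:X8}' -f $status) }
            $e = $M::PtrToStructure($buf, [type][ObjMgr+OBJECT_DIRECTORY_INFORMATION])
            [pscustomobject]@{
                Name = $M::PtrToStringUni($e.Name.Buffer,     $e.Name.Length / 2)
                Type = $M::PtrToStringUni($e.TypeName.Buffer, $e.TypeName.Length / 2)
            }
        }
    } finally {
        if ($h -ne [IntPtr]::Zero) { [void][ObjMgr]::NtClose($h) }
        $M::FreeHGlobal($buf); $M::FreeHGlobal($usPtr); $M::FreeHGlobal($namePtr)
    }
}

# Root of the name space, then the device objects WinObj shows under \Device.
Get-NtObjectDirectory '\'       | Format-Table -AutoSize
Get-NtObjectDirectory '\Device' | Where-Object Type -eq 'Device' | Select-Object -First 10
```

Two points worth keeping in mind when using this, or WinObj itself: the listing only contains directories the calling token is granted DIRECTORY_QUERY access to, so a restricted user sees less of the name space than an administrator, and the names returned (device objects under \Device, named events, mutexes and sections under \BaseNamedObjects) are the starting point for the next review step, checking the DACL of each object that untrusted code can open by name.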
D.2.8 Microsoft Network Monitor
The Microsoft Network Monitor is Microsoft's own program for monitoring network
activity. It comes in two variants. One variant is on the server installation CD. This
program has severe limitations: it can only read broadcast messages and traffic
directed to the machine that runs the program. Microsoft claims that this is for security
reasons. It also has limitations in how it interprets the messages it receives; the copy
we tried did, for example, not translate the RPC messages. The other variant is part of
Microsoft SMS. This program is a proper monitor that captures all traffic on the network,
as long as the network interface card supports promiscuous mode. It also, as far as we
could see, parses the messages fully, except for password fields.
The network monitor also has the ability to fetch information from network agents
across the network. This can come in handy, e.g. in a switched network environment,
where an agent can pick up traffic on a switched segment. The program can also
detect other instances of Microsoft Network Monitor that are active on the network.