# Get-ProcessTokenGroup
## SYNOPSIS
Returns all SIDs that the current token context is a part of, whether they are disabled or not.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Get-TokenInformation
## SYNTAX
```
Get-ProcessTokenGroup [[-Id] <UInt32>]
```
## DESCRIPTION
First, if a process ID is passed, the process is opened using OpenProcess(); otherwise GetCurrentProcess() is used to obtain a pseudohandle to the current process. OpenProcessToken() is then used to get a handle to that process's token. The token handle is then passed to Get-TokenInformation to query the group SIDs (and their attributes) held by the specified token.
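The sequence the description outlines, as an added example that is not PowerUp's own code: it performs OpenProcess/GetCurrentProcess, OpenProcessToken and GetTokenInformation(TokenGroups) through Add-Type P/Invoke instead of PSReflect, walks the returned TOKEN_GROUPS buffer, and decodes the SE_GROUP_* attribute flags that appear in the sample output. The function name Get-TokenGroupViaPInvoke and the helper ConvertTo-GroupAttributeString are hypothetical; the flag values come from winnt.h.

```powershell
# Added example (not PowerUp's code): the description's OpenProcess -> OpenProcessToken ->
# GetTokenInformation(TokenGroups) sequence via Add-Type P/Invoke. Windows only (PS 5.1 or 7).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@

function ConvertTo-GroupAttributeString {
    # Hypothetical helper: decode SE_GROUP_* bit flags (values from winnt.h) into names.
    param([uint32]$Attributes)
    $flags = [ordered]@{
        SE_GROUP_MANDATORY          = 0x00000001
        SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
        SE_GROUP_ENABLED            = 0x00000004
        SE_GROUP_OWNER              = 0x00000008
        SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010
        SE_GROUP_INTEGRITY          = 0x00000020
        SE_GROUP_INTEGRITY_ENABLED  = 0x00000040
        SE_GROUP_RESOURCE           = 0x20000000
        SE_GROUP_LOGON_ID           = 0xC0000000
    }
    $set = foreach ($name in $flags.Keys) {
        if (($Attributes -band $flags[$name]) -eq $flags[$name]) { $name }
    }
    return ($set -join ', ')
}

function Get-TokenGroupViaPInvoke {
    # Hypothetical name; mirrors Get-ProcessTokenGroup's -Id semantics (0 = current process).
    param([uint32]$Id = 0)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $TOKEN_QUERY               = 0x0008
    $TokenGroupsClass          = 2        # TOKEN_INFORMATION_CLASS.TokenGroups
    $Marshal = [Runtime.InteropServices.Marshal]
    $opened = $false
    if ($Id -eq 0) {
        $hProcess = [TokenNative]::GetCurrentProcess()     # pseudohandle; never closed
        $Id = $PID
    } else {
        $hProcess = [TokenNative]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $Id)
        if ($hProcess -eq [IntPtr]::Zero) {
            throw (New-Object ComponentModel.Win32Exception($Marshal::GetLastWin32Error()))
        }
        $opened = $true
    }
    $hToken = [IntPtr]::Zero
    $buffer = [IntPtr]::Zero
    try {
        if (-not [TokenNative]::OpenProcessToken($hProcess, $TOKEN_QUERY, [ref]$hToken)) {
            throw (New-Object ComponentModel.Win32Exception($Marshal::GetLastWin32Error()))
        }
        # First call with no buffer only reports the size needed (ERROR_INSUFFICIENT_BUFFER).
        $size = [uint32]0
        [void][TokenNative]::GetTokenInformation($hToken, $TokenGroupsClass, [IntPtr]::Zero, 0, [ref]$size)
        $buffer = $Marshal::AllocHGlobal([int]$size)
        if (-not [TokenNative]::GetTokenInformation($hToken, $TokenGroupsClass, $buffer, $size, [ref]$size)) {
            throw (New-Object ComponentModel.Win32Exception($Marshal::GetLastWin32Error()))
        }
        # TOKEN_GROUPS: DWORD GroupCount, then SID_AND_ATTRIBUTES[] (PSID + DWORD, pointer-aligned).
        $count     = $Marshal::ReadInt32($buffer)
        $entrySize = [IntPtr]::Size * 2
        for ($i = 0; $i -lt $count; $i++) {
            $entry = [IntPtr]::Add($buffer, [IntPtr]::Size + $i * $entrySize)
            $pSid  = $Marshal::ReadIntPtr($entry)
            # ReadInt32 is signed; mask back to the DWORD value before decoding the flags.
            $attr  = [uint32]($Marshal::ReadInt32($entry, [IntPtr]::Size) -band 0xFFFFFFFF)
            $sid   = New-Object Security.Principal.SecurityIdentifier($pSid)
            $account = $null   # logon, integrity and capability SIDs usually have no name
            try { $account = $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
            [PSCustomObject]@{
                ProcessId  = $Id
                SID        = $sid.Value
                Account    = $account
                Attributes = ConvertTo-GroupAttributeString -Attributes $attr
            }
        }
    } finally {
        if ($buffer -ne [IntPtr]::Zero) { $Marshal::FreeHGlobal($buffer) }
        if ($hToken -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($hToken) }
        if ($opened) { [void][TokenNative]::CloseHandle($hProcess) }
    }
}

# Usage, same shape as EXAMPLE 1 below: the current process's token groups.
Get-TokenGroupViaPInvoke | Format-Table SID, Account, Attributes, ProcessId -AutoSize
```

`Get-Process notepad | ForEach-Object { Get-TokenGroupViaPInvoke -Id $_.Id }` reproduces EXAMPLE 2; OpenProcess failures (a process the caller cannot query) surface as a Win32Exception instead of an empty listing. When reading the result, a SID marked SE_GROUP_USE_FOR_DENY_ONLY, as S-1-5-32-544 is in the sample output, is present only so deny ACEs still match; it grants nothing, which is the usual sign of a UAC-filtered token and the check to make before treating a group listing as an authorization answer. S-1-16-* rows are the token's integrity label and carry SE_GROUP_INTEGRITY flags rather than SE_GROUP_ENABLED.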
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Get-ProcessTokenGroup
```
```
SID                            Attributes                       ProcessId
---                            ----------                       ---------
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-1-0                        ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-32-544                   SE_GROUP_USE_FOR_DENY_ONLY            1372
S-1-5-32-545                   ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-4                        ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-2-1                        ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-11                       ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-15                       ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-5-0-419601               ...SE_GROUP_INTEGRITY_ENABLED         1372
S-1-2-0                        ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-18-1                       ..._DEFAULT, SE_GROUP_ENABLED         1372
S-1-16-8192                                                          1372
```
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Process notepad | Get-ProcessTokenGroup
```
```
SID                            Attributes                       ProcessId
---                            ----------                       ---------
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-1-0                        ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-32-544                   SE_GROUP_USE_FOR_DENY_ONLY            2640
S-1-5-32-545                   ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-4                        ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-2-1                        ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-11                       ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-15                       ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-5-0-419601               ...SE_GROUP_INTEGRITY_ENABLED         2640
S-1-2-0                        ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-5-21-890171859-3433809...  ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-18-1                       ..._DEFAULT, SE_GROUP_ENABLED         2640
S-1-16-8192                                                          2640
```
## PARAMETERS
### -Id
The process ID whose token groups to enumerate; defaults to the current process when omitted or 0.
```yaml
Type: UInt32
Parameter Sets: (All)
Aliases: ProcessID
Required: False
Position: 1
Default value: 0
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.TokenGroup
Outputs a custom object containing the token group (SID/attributes) for the specified token if
"-InformationClass 'Groups'" is passed.
### PowerUp.TokenPrivilege
Outputs a custom object containing the token privilege (name/attributes) for the specified token if
"-InformationClass 'Privileges'" is passed.
## NOTES
## RELATED LINKS