Sometimes we need to check under what security principal or group we run a process or what privileges it has or whether it has impersonating threads. We may find an unexpected token with a different security identifier, for example, Network Service instead of Local System (SID: S-1-5-18):
PROCESS 8f218d88 SessionId: 0 Cid: 09c4 Peb: 7ffdf000 ParentCid: 0240 DirBase: bffd4260 ObjectTable: e10eae90 HandleCount: 93. Image: ServiceA.exe VadRoot 8f1f70e8 Vads 141 Clone 0 Private 477. Modified 2. Locked 0. DeviceMap e10038d8 Token e10ff5d8 [...] 0: kd> !token e10ff5d8 _TOKEN e10ff5d8 TS Session ID: 0 User: S-1-5-20 [...]
Well-known SIDs can be found in this MS article: