Gaining Deep Visibility into Windows with PowerShell and NtObjectManager
Windows internals offer powerful mechanisms for system inspection and management—but many of them are not exposed through standard PowerShell cmdlets. That’s where the NtObjectManager module comes in.
In this post, we’ll explore:
What NtObjectManager is
How to install it
How to start a child PowerShell process
What it means to interact with elevated/system contexts
Security and ethical considerations
What Is NtObjectManager?
NtObjectManager is a PowerShell module written by James Forshaw, a Windows security researcher at Google Project Zero, and published as part of his sandbox-attacksurface-analysis-tools project. It wraps the native NT API (the Nt* system calls) in a .NET library and exposes that through cmdlets, giving direct access to the NT object manager namespace and to low-level kernel objects that the standard administrative tooling does not surface.
It allows you to:
Browse the NT object namespace
Inspect handles and tokens
Interact with ALPC ports
Create processes with custom security tokens
Perform advanced security research tasks
This makes it especially useful for:
Security researchers
Red teamers
Incident responders
Windows internals enthusiasts
Installing the NtObjectManager Module
You can install the module directly from the PowerShell Gallery with the Install-Module cmdlet.
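The install command itself is missing from this copy of the post, so the following is an added example rather than the post's original snippet. It installs the module from the PowerShell Gallery for the current user and verifies that it loads; -Scope CurrentUser is a choice made here to avoid needing an elevated prompt, and the smoke test at the end only counts the exported commands.

```powershell
# Added example, not the post's own snippet. Install NtObjectManager from the
# PowerShell Gallery and confirm the module is usable.

# -Scope CurrentUser installs under the user profile (no elevation needed).
# -Force replaces any previously installed version without prompting.
Install-Module -Name NtObjectManager -Scope CurrentUser -Force

# Show what was installed and which repository it came from.
Get-InstalledModule -Name NtObjectManager | Select-Object Name, Version, Repository

# Import the module and check that its cmdlets are available in this session.
Import-Module NtObjectManager
"Exported commands: {0}" -f (Get-Command -Module NtObjectManager).Count
```

If Import-Module fails with an execution-policy error, the module's script files are being blocked; `Set-ExecutionPolicy -Scope CurrentUser RemoteSigned` is enough for signed Gallery content.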
What This Does
Downloads the latest version from the PowerShell Gallery
Installs it locally
-Force overwrites previous versions if they exist
On Windows PowerShell 5.1 the default scope is AllUsers, which writes under Program Files and therefore requires an elevated (Administrator) prompt; pass -Scope CurrentUser to install without elevation. Separately, an execution policy of Restricted will block importing the module, since it ships PowerShell script files.
Starting a Child PowerShell Process
After installing the module, you will see examples online that assign the result of Start-Win32ChildProcess to a variable such as $p.
What Is Happening Here?
Start-Win32ChildProcess is a function provided by NtObjectManager. It starts a new process through the module's own wrappers around the Win32 process-creation APIs rather than through the standard Start-Process cmdlet, which gives you control over details (creation flags, parent process, token) that Start-Process does not expose.
The command above:
Launches a new instance of PowerShell
Returns a process object stored in $p
Gives you programmatic control over that child process
This method is often used in:
Token manipulation experiments
Privilege escalation research
Security boundary testing
Process creation behavior analysis
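As an added example (not code from the post or from the NtObjectManager project), the following creates a child PowerShell through the module's general CreateProcess wrapper, New-Win32Process, and then compares the child's primary token with the parent shell's. The post's own snippet assigns Start-Win32ChildProcess output to $p; New-Win32Process is used here because its -CommandLine and -CreationFlags parameters are the ones this example relies on. The result properties .Pid and .Process, and the NtProcess property ParentProcessId, are assumed from the NtApiDotNet object model and are marked as such in the comments.

```powershell
# Added example, not code from the post or the NtObjectManager project.
# Create a child PowerShell via New-Win32Process (CreateProcess) instead of
# Start-Process, then inspect and compare parent and child primary tokens.
Import-Module NtObjectManager

function Describe-Token($token) {
    # S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM.
    "{0}  IL={1}  Elevated={2}  SYSTEM={3}" -f `
        $token.User.Name,
        $token.IntegrityLevel,
        $token.Elevated,
        ($token.User.Sid.ToString() -eq 'S-1-5-18')
}

"parent: " + (Describe-Token (Get-NtToken -Primary))

# CreateProcess with its own console; the child inherits this shell's primary token.
$child = New-Win32Process -CommandLine "powershell.exe -NoProfile -NoExit" -CreationFlags NewConsole
try {
    # .Pid is assumed to be the PID property of the returned Win32Process object.
    $childToken = Get-NtToken -Primary -ProcessId $child.Pid
    "child : " + (Describe-Token $childToken)

    # Parentage check: the child's recorded parent should be this shell ($PID).
    # ParentProcessId is an assumed NtProcess property name.
    $proc = Get-NtProcess -ProcessId $child.Pid -Access QueryLimitedInformation
    "parent pid matches this shell: " + ($proc.ParentProcessId -eq $PID)
}
finally {
    # Lab hygiene: terminate the child and release handles. Remove these two
    # lines if you want to keep the child shell open and work in it.
    $child.Process.Terminate(0)   # .Process (NtProcess) and Terminate(): assumed
    $child.Dispose()
}
```

Run it from a normal and then from an elevated prompt: the user name stays the same, but IntegrityLevel moves from Medium to High and Elevated flips to True, which is exactly the information Start-Process never shows you.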
About SYSTEM Shells
You may encounter references online to “interactive SYSTEM shells.” The SYSTEM account (NT AUTHORITY\SYSTEM) is a highly privileged Windows account used by the operating system itself.
Running a shell as SYSTEM means:
You hold privileges a local Administrator does not have by default, such as SeTcbPrivilege
You can access protected system resources, including objects whose DACLs grant access only to SYSTEM
You can manipulate services, drivers, and security tokens
Note that Microsoft does not treat the step from Administrator to SYSTEM as a security boundary, so getting a SYSTEM shell from an elevated prompt is a capability, not a vulnerability; the boundary that matters is the one from a standard user or a sandbox to either of them.
However:
⚠️ Obtaining a SYSTEM shell through privilege escalation techniques on systems you do not own or have permission to test is illegal and unethical.
Legitimate use cases include:
Lab environments
Authorized penetration tests
Security research
Digital forensics
Always ensure you have explicit authorization.
Why NtObjectManager Matters
The Windows NT architecture includes a rich object namespace (e.g., \Device, \BaseNamedObjects, \RPC Control, and the \?? DOS device map) that most users never see, because Win32 only exposes it indirectly through drive letters, named-pipe paths, and named kernel objects.
NtObjectManager exposes:
Named pipes
Mutexes
Sections
Tokens
Symbolic links
Driver objects
This visibility helps researchers understand how Windows enforces security boundaries internally.
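As an added example (not code from the post or from the NtObjectManager project), the following walks the namespace described above and then asks a security question of it: which objects under \BaseNamedObjects could a Low-integrity token modify? The NtObject: drive and Get-ChildItem usage are the module's documented browsing interface; the -IntegrityLevel switch on Get-NtToken, the -Token and -Recurse parameters of Get-AccessibleObject, and the IsWrite result property are assumed from memory of the module and flagged in the comments.

```powershell
# Added example, not code from the post or the NtObjectManager project.
# Browse the NT object manager namespace and access-check it against a
# lowered-integrity token to find objects a sandboxed process could write to.
Import-Module NtObjectManager

# The module registers an NtObject: drive, so the namespace browses like a file system.
Get-ChildItem NtObject:\ | Select-Object Name, TypeName

# Object types present in the global named-object directory
# (Mutant, Section, Event, SymbolicLink, ...), most common first.
Get-ChildItem NtObject:\BaseNamedObjects |
    Group-Object TypeName | Sort-Object Count -Descending |
    Select-Object Count, Name

# Symbolic links glue the namespace together: resolve the DOS drive letter C:.
Get-NtSymbolicLinkTarget -Path '\??\C:'     # prints something like \Device\HarddiskVolumeN

# Duplicate this shell's token and drop it to Low integrity, approximating a
# sandboxed process. -IntegrityLevel on Get-NtToken is an assumed parameter.
$low = Get-NtToken -Duplicate -IntegrityLevel Low
try {
    # Access-check every object in the tree as that token. -Token, -Recurse and
    # the IsWrite property of each result are assumed from the Get-Accessible* family.
    Get-AccessibleObject -Path '\BaseNamedObjects' -Recurse -Token $low |
        Where-Object IsWrite |
        Select-Object Name, TypeName, GrantedAccess
}
finally {
    $low.Close()
}
```

Anything that shows up in the final listing is a named object that a Low-integrity process can write to, which is the kind of finding (a world-writable section or mutant used by a higher-privileged service) that turns into a sandbox-escape or logic-bug report; an empty result on a given machine is the expected, healthy answer.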
Security and Ethical Considerations
Tools like NtObjectManager are powerful. With that power comes responsibility.
Best practices:
Only use in lab environments
Document all testing activity
Never test production systems without approval
Follow responsible disclosure practices
Understand applicable laws
Security research is valuable when conducted ethically.
Final Thoughts
NtObjectManager opens a window into the lower layers of Windows that most administrators never touch. Whether you're studying Windows internals, conducting defensive research, or exploring how process tokens and objects work under the hood, this module is an exceptional learning tool.
If you're diving into Windows internals, pairing NtObjectManager with tools like:
WinDbg
Process Explorer
Sysinternals Suite
can significantly enhance your understanding.