Maintaining state in Winlogon notification packages
Next message: David Cross [MS]: "Re: Verify Signature fails"
Date: 30 Aug 2005 10:02:40 -0700
Hi,
I'm trying to develop a winlogon notification package that can maintain
state (e.g. logon time) for Logon and Logoff events. One way I can do
this for local logons is by comparing WindowStation (from
PWLX_NOTIFICATION_INFO) to the ->Session property returned using
LsaEnumerateLogonSessions and LsaGetLogonSessionData.
Hence, I have a login time that's unique for a given machine
(hopefully).
However, when using Terminal Services, WindowStation always seems to
return a value of WinSta0 for Windows XP Pro - which is annoying, but I
guess makes sense seeing as XP is limited to only allow one user (fast
user switching excepted... and even then, I don't know how it operates
with remote desktop). This obviously means that passing "0" as a
session to the LSA provider means I get the info for the last local
interactive session in the session table, rather than the info on the
new RDP session.
Anyone got better suggestions for maintaining state (or suggestions why
the above should/shouldn't happen)? The package writes out events to
syslog, and I want to be able to easily pair up Logon events to logoff
events, distinguishing between local interactive and remote interactive
(TS).
(One way I thought of is to grab the SESSION environment variable, but
that's too easily "user controlled" for my liking!)
Thanks,
Richard
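Added example (editor's code, not from Richard's post or any Microsoft sample): instead of keying on WindowStation or the SESSION environment variable, key the logon/logoff pairing on the logon session LUID (TOKEN_STATISTICS.AuthenticationId) read from the hToken that WLX_NOTIFICATION_INFO hands the package. That LUID is unique per logon session on the machine since boot, works the same for console, fast-user-switching and Terminal Services logons, and is also the key LsaGetLogonSessionData takes, which yields LogonTime and LogonType (2 = Interactive, 10 = RemoteInteractive) so local and TS logons can be labelled without guessing from the session number. The state table and the syslog-style line formatting are portable C and run anywhere; the Win32 collection function is compiled only under _WIN32. Assumptions: the table size, the field names in the output line, and the constructed sample values in main() are the editor's; the package's own export names and syslog transport are not shown.

```c
/* Pairing Winlogon logon/logoff notifications by logon session LUID.
 * Portable core + Win32 collector; added example, not the original package. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 64          /* assumption: enough for one XP/2003 box */

typedef struct {
    uint64_t logon_id;    /* AuthenticationId LUID: unique per logon since boot */
    uint32_t ts_session;  /* TokenSessionId: 0 = console on XP, >0 = TS/RDP or FUS */
    uint32_t logon_type;  /* SECURITY_LOGON_TYPE: 2 Interactive, 10 RemoteInteractive */
    uint64_t logon_time;  /* FILETIME-style 100 ns units, as LsaGetLogonSessionData returns */
    char     user[64];
    int      in_use;
} logon_record;

static logon_record table[MAX_SESSIONS];

static logon_record *lookup(uint64_t logon_id) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && table[i].logon_id == logon_id) return &table[i];
    return NULL;
}

static const char *type_name(uint32_t t) {
    return t == 2 ? "local" : t == 10 ? "remote" : "other";
}

/* Called on the logon notification. Returns the slot index, or -1 if the
 * LUID is already recorded (duplicate notification) or the table is full. */
int record_logon(uint64_t logon_id, uint32_t ts_session, uint32_t logon_type,
                 uint64_t logon_time, const char *user) {
    if (lookup(logon_id)) return -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].in_use) continue;
        table[i].in_use = 1;
        table[i].logon_id = logon_id;
        table[i].ts_session = ts_session;
        table[i].logon_type = logon_type;
        table[i].logon_time = logon_time;
        snprintf(table[i].user, sizeof table[i].user, "%s", user);
        return i;
    }
    return -1;
}

/* Called on the logoff notification. Formats the syslog line into out and
 * returns the logon duration in seconds, or -1 if no logon was recorded. */
long long record_logoff(uint64_t logon_id, uint64_t logoff_time,
                        char *out, size_t outlen) {
    logon_record *r = lookup(logon_id);
    if (!r) {
        snprintf(out, outlen, "logoff logon_id=0x%llx unmatched",
                 (unsigned long long)logon_id);
        return -1;
    }
    long long secs = (long long)((logoff_time - r->logon_time) / 10000000ULL);
    snprintf(out, outlen,
             "logoff user=%s logon_id=0x%llx session=%u type=%s duration=%llds",
             r->user, (unsigned long long)r->logon_id, r->ts_session,
             type_name(r->logon_type), secs);
    r->in_use = 0;
    return secs;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#pragma comment(lib, "secur32.lib")
/* Fill the record fields from WLX_NOTIFICATION_INFO->hToken. The token, not
 * the environment, is the trustworthy source: a user cannot rewrite its
 * AuthenticationId or session id. Returns 1 on success. */
int describe_token(HANDLE hToken, uint64_t *logon_id, uint32_t *ts_session,
                   uint32_t *logon_type, uint64_t *logon_time) {
    TOKEN_STATISTICS st; DWORD len = 0, sid = 0;
    if (!GetTokenInformation(hToken, TokenStatistics, &st, sizeof st, &len)) return 0;
    if (!GetTokenInformation(hToken, TokenSessionId, &sid, sizeof sid, &len)) return 0;
    *logon_id = ((uint64_t)(uint32_t)st.AuthenticationId.HighPart << 32)
              | st.AuthenticationId.LowPart;
    *ts_session = sid;
    PSECURITY_LOGON_SESSION_DATA d = NULL;
    if (LsaGetLogonSessionData(&st.AuthenticationId, &d) != 0 || !d) return 0;
    *logon_type = d->LogonType;
    *logon_time = (uint64_t)d->LogonTime.QuadPart;
    LsaFreeReturnBuffer(d);
    return 1;
}
#endif

int main(void) {
    /* Constructed sample: the same user logged on at the console (session 0,
     * type 2) and over RDP (session 1, type 10); only the LUIDs differ. */
    char line[256];
    record_logon(0x12345ULL, 0, 2,  1000ULL * 10000000, "richard");
    record_logon(0x23456ULL, 1, 10, 1000ULL * 10000000, "richard");
    record_logoff(0x23456ULL, 1600ULL * 10000000, line, sizeof line);
    puts(line);
    return 0;
}
```

Both WLEventLogon and WLEventLogoff receive the same token for one session, so the LUID extracted in the logon handler is found again at logoff even when WindowStation reads WinSta0 for both the console and the RDP session.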