From: jim clark on
This question looks like it has been asked many times before - I think I
have a new version....


I've been writing a service that needs to enumerate and ultimately
impersonate the interactive user(s).


I'm using LsaEnumerateLogonSessions to do this because I need to support
systems where the TermService (WTS) is not running (including Windows 2000
professional) this means I cannot use WTSEnumerateSessions.

However, LSA allows multiple users to logon with the Interactive flag - what
is the best way to find the *real* interactive user (if any)?


I've looked at the following (commonly used) methods:


1. WinLogon notification package - Discounted because it would not be
supported in Vista (and later) and also would make installing/updating the
service problematic because a reboot is necessary to change the notification
package.

2. Using a process launched by the user (e.g. from HKCU/Software/.../Run or
StartUp folder) - Discounted for similar reasons

3. NetUserEnum - Discounted because it needs the Server service to be
running (which it may not be)


I noticed that some people try to solve this by enumerating processes and
looking for processes with an Interactive token - this seems a very
complicated way to do it. Is there a better way?

I also wondered about enumerating Window Stations - but I don't think this
will be productive without allowing the service to interact with the desktop
(which I would like to avoid)


If anyone has any suggestions I would be very grateful.


Best Regards

James


From: Stefan Kuhr on
Hi Jim,

jim clark wrote:
> <snip>
> However, LSA allows multiple users to logon with the Interactive flag - what
> is the best way to find the *real* interactive user (if any)?
>

What is your definition of "the *real* interactive user"? Is it the user
who logged in at the glass terminal but not the user who is used with
runas or an su clone to run a dedicated process with an interactive
logon session?

If this is your definition I would definitely go with a Winlogon
Notification package for W2K, XP and W2K3 Server and use
WTSEnumerateSessions on Vista and later.


Cheers,

--
Stefan
From: jim clark on
Yes, my definition of "the *real* interactive user is the guy who logged on
to the glass console.

A Win notification package is not suitable because:

a. The solution needs to be compatible with Vista
b. Notification packages create problems with installation/upgrade (because
the DLL is always locked) and security concerns

Similarly, WTSEnumerateSessions is not suitable because I need to support
systems where the Terminal Services service is not running

Therefore the LSA functions appear the best bet but obviously have this
problem with the interactive flag. I probably wouldn't have even noticed it
(my initial sense being there would only be one interactive user on a
typical system but on my dev machine there is a __vmware__ user who has the
flag set). This leaves me wondering if the only way is to enumerate
processes and try and link this back to the results from the LSA functions?

James



"Stefan Kuhr" <kustt110(a)gmx.li> wrote in message
news:%23fmy59dpIHA.4848(a)TK2MSFTNGP05.phx.gbl...
> Hi Jim,
>
> jim clark wrote:
>> <snip>
>> However, LSA allows multiple users to logon with the Interactive flag -
>> what is the best way to find the *real* interactive user (if any)?
>>
>
> What is your definition of "the *real* interactive user"? Is it the user
> who logged in at the glass terminal but not the user who is used with
> runas or an su clone to run a dedicated process with an interactive logon
> session?
>
> If this is your definition I would definitely go with a Winlogon
> Notification package for W2K, XP and W2K3 Server and use
> WTSEnumerateSessions on Vista and later.
>
>
> Cheers,
>
> --
> Stefan


From: Stefan Kuhr on
Hi Jim,

jim clark wrote:
> <snip>
> Similarly, WTSEnumerateSessions is not suitable because I need to support
> systems where the Terminal Services service is not running
>


Why can't you call WTSEnumerateSessions? I just made a tiny program that
enumerates TS sessions and ran it on W2K Workstation Gold.
WTSEnumerateSessions failed with a last error 1151 ("The specified
program is not a Windows or MS-DOS program", yes a very meaningful last
error in this case), but the API can be called.

--
Stefan



From: jim clark on
WTSEnumerateSessionsn fails if the Terminal Services service (TermService is
not running) on XP (Error 1702). I hadn't tried it on Windows 2000 yet but I
anticiated that it would be the same. When this service is not present the
multiple session functionality used by TS (and FUS etc) isn't available and
only one user can logon at a time to session zero. This seems to have
changed in Vista because the function is always available even if the
service is stopped.

You can recreate this senario by using the QUERY program (in Windows 2003
and Vista) with the QUERY SESSION command. This works fine when the service
is running but fails when it is stopped. I suspect the cause is the same.

Some of my customers disable this service for security reasons which means I
cannot use WTSEnumerateSessions. I thought the LSA route would be okay but
there is this problem that there can be more than one 'interactive' logon at
a time.

I suppose what I'm asking is - Is there a way to find the owner of the
current 'glass console' session (maybe the Windows Station/Desktop) from a
service?

James



"Stefan Kuhr" <kustt110(a)gmx.li> wrote in message
news:eOjGnXhpIHA.5916(a)TK2MSFTNGP04.phx.gbl...
> Hi Jim,
>
> jim clark wrote:
>> <snip>
>> Similarly, WTSEnumerateSessions is not suitable because I need to support
>> systems where the Terminal Services service is not running
>>
>
>
> Why can't you call WTSEnumerateSessions? I just made a tiny program that
> enumerates TS sessions and ran it on W2K Workstation Gold.
> WTSEnumerateSessions failed with a last error 1151 ("The specified program
> is not a Windows or MS-DOS program", yes a very meaningful last error in
> this case), but the API can be called.
>
> --
> Stefan
>
>
>