Detecting Windows Session Change

How can I detect if a user logs off or switches?

Thank you very much…

In user mode, see WTSRegisterSessionNotification / WM_WTSSESSION_CHANGE, -or-
use RegisterServiceCtrlHandlerEx (if you are a service) to receive
SERVICE_CONTROL_SESSIONCHANGE. I don’t know of any documented, supported
way to do this directly from kernel mode without a helper service.


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
wrote in message news:xxxxx@ntdev…
> How can I detect if a user logs off or switches?
>
> Thank you very much…
>
>
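
The SERVICE_CONTROL_SESSIONCHANGE route from the reply above, as an added example (not code from any poster in this thread). The `session_tracker` struct, `track_session_change` and the rule "console moved between two live sessions means a user switch" are assumptions of this example; the `#else` stand-ins exist only so the handler logic also compiles off Windows.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#else /* stand-ins for building off Windows; values as in the SDK headers */
typedef unsigned int DWORD;
typedef void *LPVOID;
typedef struct { DWORD cbSize; DWORD dwSessionId; } WTSSESSION_NOTIFICATION;
#define WINAPI
#define NO_ERROR 0u
#define ERROR_CALL_NOT_IMPLEMENTED 120u
#define SERVICE_CONTROL_INTERROGATE 0x4u
#define SERVICE_CONTROL_SESSIONCHANGE 0xEu
#define WTS_CONSOLE_CONNECT 0x1
#define WTS_SESSION_LOGOFF 0x6
#endif
#define NO_SESSION ((DWORD)-1)

/* Hypothetical bookkeeping; pass its address as lpContext to RegisterServiceCtrlHandlerEx. */
typedef struct { DWORD console_session; unsigned logoffs, switches; } session_tracker;

/* Feed one session-change event (event type + session id) into the tracker. */
static void track_session_change(session_tracker *t, DWORD type, DWORD sid)
{
    if (type == WTS_SESSION_LOGOFF) {
        t->logoffs++;
        if (t->console_session == sid)
            t->console_session = NO_SESSION; /* next console owner is a logon, not a switch */
    } else if (type == WTS_CONSOLE_CONNECT) {
        /* Heuristic (assumption): console moving between two live sessions is a user switch. */
        if (t->console_session != NO_SESSION && t->console_session != sid)
            t->switches++;
        t->console_session = sid;
    }
}

/* HandlerEx callback. SERVICE_CONTROL_SESSIONCHANGE is delivered only when the service
   reports SERVICE_ACCEPT_SESSIONCHANGE in SERVICE_STATUS.dwControlsAccepted. */
DWORD WINAPI ServiceCtrlHandlerEx(DWORD control, DWORD type, LPVOID data, LPVOID ctx)
{
    const WTSSESSION_NOTIFICATION *n = (const WTSSESSION_NOTIFICATION *)data;
    if (control == SERVICE_CONTROL_INTERROGATE)
        return NO_ERROR;
    if (control != SERVICE_CONTROL_SESSIONCHANGE)
        return ERROR_CALL_NOT_IMPLEMENTED; /* stop/shutdown handling omitted here */
    if (ctx != NULL && n != NULL && n->cbSize >= sizeof *n)
        track_session_change((session_tracker *)ctx, type, n->dwSessionId);
    return NO_ERROR;
}
```
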

> I don’t know of any documented, supported way to do this directly from kernel mode
> without a helper service.

Actually, the very concept of Windows session is pretty much meaningless for drivers - an IRP that gets submitted in context of a user process may be completed in context of a process that runs under the LocalSystem account, and vice versa; interrupts and DPC may get processed in context of any process, etc. This is why all access-right checks are made by the system services *before* a driver has a chance to process a request that has been originated in the user mode.

Anton Bassov

You can also try Winlogon Notification Events (don’t work in Vista).

WTSRegisterSessionNotification and RegisterServiceCtrlHandlerEx / SERVICE_CONTROL_SESSIONCHANGE require Windows XP or above.

Is there a unified solution for Windows 2000 - Vista?

> SERVICE_CONTROL_SESSIONCHANGE. I don’t know of any documented, supported
> way to do this directly from kernel mode without a helper service.

SeMarkLogonSessionForTerminationNotification and friends. This is for logoff
only, not for switches.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

That should be dealing with LSA logon sessions and not MM (terminal server)
sessions, though?

(Granted, you’ll usually have an LSA logon session confined to the lifetime
of a particular TS session, but you’ll still need to figure out the logon
session associated with a TS session if the real goal is to watch TS
sessions. In user mode, I’d suggest WTSQueryUserToken + GetTokenInformation
for that, but … )

I suppose it might suffice, though, depending on what the actual requirement
for the thing to be monitored is.


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
“Maxim S. Shatskih” wrote in message
news:xxxxx@ntdev…
>> SERVICE_CONTROL_SESSIONCHANGE. I don’t know of any documented, supported
>> way to do this directly from kernel mode without a helper service.
>
> SeMarkLogonSessionForTerminationNotification and friends. This is for logoff
> only, not for switches.
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>