How do I detect a logout?

I have a user thread in my driver that should be closed when the user logs
out. How do I detect the end of a user session?

Set up some function like:
NTSTATUS HookLogoff (PLUID LogonId);

and call this in your DriverEntry (or wherever):
SeRegisterLogonSessionTerminatedRoutine( HookLogoff );

Check the man page for SeRegisterLogonSessionTerminatedRoutine for more
info.

----- Original Message -----
From: “ian blake”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 04, 2006 4:15 AM
Subject: [ntdev] How do I detect a logout?

>
> I have a user thread in my driver that should be closed when the user logs
> out. How do I detect the end of a user session?
>

Unfortunately, it is unreliable. The hook is called when the internal kernel structure representing logon session is dereferenced the last time. For some logon sessions (typically runas) it is called immediately when user mode logs off, for some it can take ages. For the first interactive logon session it may not ever be called; there are probably some reference leaks.

Above is based on my experience with w2k and XP up to SP1. Things could change in the meantime but I don’t really believe it.

IIRC user logoff can be detected from helper service. The next possibility is to use some GINA hook modules (I don’t know details).

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of King Brian[SMTP:xxxxx@cdp.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, October 04, 2006 5:55 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How do I detect a logout?

Set up some function like:
NTSTATUS HookLogoff (PLUID LogonId);

and call this in your DriverEntry (or wherever):
SeRegisterLogonSessionTerminatedRoutine( HookLogoff );

Check the man page for SeRegisterLogonSessionTerminatedRoutine for more
info.

> —
> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

Do you have an app running in the session? If so, can’t you just
cleanup your context when the app’s handle is closed?

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Wednesday, October 04, 2006 11:10 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How do I detect a logout?

Unfortunately, it is unreliable. The hook is called when the internal
kernel structure representing logon session is dereferenced the last
time. For some logon sessions (typically runas) it is called
immediately when user mode logs off, for some it can take ages. For the
first interactive logon session it may not ever be called; there are
probably some reference leaks.

Above is based on my experience with w2k and XP up to SP1. Things could
change in the meantime but I don’t really believe it.

IIRC user logoff can be detected from helper service. The next
possibility is to use some GINA hook modules (I don’t know details).

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]



Yes, it is another solution but not always acceptable. In our case we needed to unmount all virtual drives associated with current session when user logs off. The solution was background app which did this task just before exit. There is a possibility somebody would kill the app from task manager, however.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Doron Holan[SMTP:xxxxx@microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, October 04, 2006 8:16 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How do I detect a logout?

Do you have an app running in the session? If so, can’t you just
cleanup your context when the app’s handle is closed?

d


SeMarkLogonSessionForTerminationNotification and
SeRegisterLogonSessionTerminatedRoutine.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “ian blake”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 04, 2006 12:15 PM
Subject: [ntdev] How do I detect a logout?

>
> I have a user thread in my driver that should be closed when the user logs
> out. How do I detect the end of a user session?
>

>some it can take ages. For the first interactive logon session it may not ever be
>called, there are probably some reference leaks.

In my experience, the callback is called the same time as logoff is written to
Security log. Is it not so?

>IIRC user logoff can be detected from helper service.

…from Windows session 0 only.

>The next possibility is to use some GINA hook modules (I don’t know details).

…and then no SMB/RPC/DCOM/Remoting logons noticed.

Subauth package can help though.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Maxim S. Shatskih[SMTP:xxxxx@storagecraft.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, October 04, 2006 10:12 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How do I detect a logout?

> >some it can take ages. For the first interactive logon session it may not ever be
> >called, there are probably some reference leaks.
>
> In my experience, the callback is called the same time as logoff is written to
> Security log. Is it not so?

My experience is different. Security log entries are written in timely manner but callback is called later if ever. It usually depends on the logon session “usage” – for simple tests as logon and immediate logoff it works as expected but if you work several hours in the first logon session (surprisingly it doesn’t apply for next FUS sessions), the callback is never called. Once I examined it thoroughly and there were usually 5 - 7 or more references left.

But as I said, things could change, the hell freeze and MS fix it.

> >The next possibility is to use some GINA hook modules (I don’t know details).
>
> …and then no SMB/RPC/DCOM/Remoting logons noticed.

which may not be necessary.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
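
An added sketch, not code from any poster in this thread or from the WDK: a portable user-mode C model of per-logon-session state whose teardown can be driven by either the handle-close path or the logon-session-terminated callback discussed above, so a late or missing callback does no harm. `LUID_MODEL` and every function name are hypothetical stand-ins; a real driver would also guard the table with a lock.

```c
/* Added example: user-mode model, NOT WDK code. LUID_MODEL stands in for the
 * kernel LUID type; all names below are hypothetical. Single-threaded model:
 * a real driver must protect g_table with a lock. */
#include <stddef.h>
#include <string.h>

typedef struct { unsigned long low; long high; } LUID_MODEL;

#define MAX_SESSIONS 8
typedef struct { LUID_MODEL id; int in_use; int worker_running; } SESSION_CTX;

static SESSION_CTX g_table[MAX_SESSIONS];
static int g_teardowns;                  /* how many times real cleanup ran */

static SESSION_CTX *find_ctx(const LUID_MODEL *id) {
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (g_table[i].in_use && g_table[i].id.low == id->low &&
            g_table[i].id.high == id->high)
            return &g_table[i];
    return NULL;
}

/* Create per-logon-session state, e.g. when the app opens the device. */
int session_open(const LUID_MODEL *id) {
    if (find_ctx(id)) return 0;                     /* already tracked */
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (!g_table[i].in_use) {
            g_table[i].id = *id;
            g_table[i].in_use = 1;
            g_table[i].worker_running = 1;          /* per-user thread started */
            return 1;
        }
    return -1;                                      /* table full */
}

/* Idempotent teardown: 1 if it cleaned up, 0 if nothing was left to do. */
int session_teardown(const LUID_MODEL *id) {
    SESSION_CTX *c = find_ctx(id);
    if (!c) return 0;
    c->worker_running = 0;       /* stop the per-user thread here */
    memset(c, 0, sizeof *c);     /* no stale state survives into a later session */
    g_teardowns++;
    return 1;
}

/* Path 1: the app's handle is closed (logoff, exit, or killed process). */
int on_handle_cleanup(const LUID_MODEL *id) { return session_teardown(id); }

/* Path 2: the logon-session-terminated callback; may arrive late or never. */
int on_logon_session_terminated(const LUID_MODEL *id) { return session_teardown(id); }

int teardown_count(void) { return g_teardowns; }
```

Whichever path fires first does the work; the other finds nothing and returns 0, so neither ordering double-frees or leaves a context behind.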