RE: ntdev digest: August 15, 2002

Thanks Max. The function call you mention is used in the TokenMon sample
by Sysinternals.

What about the logon detection?


Bartjan.

> Subject: Re: Detecting user logon/logoff
> From: “Maxim S. Shatskih”
> Date: Thu, 15 Aug 2002 23:04:37 +0400
> X-Message-Number: 26
>
> In kernel mode, this is done by
> SeRegisterLogonSessionTerminationCallback and
> SeMarkLogonSessionForTerminationNotification.
>
> Maybe there can be some user-mode (for instance, WMI or such)
> facilities to detect logoff, but I’m nearly sure NT4 had no such.
>
> Max
>
> ----- Original Message -----
> From: “Bartjan Wattel”
> To: “NT Developers Interest List”
> Sent: Thursday, August 15, 2002 4:57 PM
> Subject: [ntdev] Detecting user logon/logoff
>
>
> > Hi guys,
> >
> > I’m in need of a mechanism to detect user logon/logoff, if possible
> > using user-mode components. As far as I see it now, there are three
> > possibilities:
> >
> > 1. The Sysinternals TokenMon approach
> > I really don’t like that because undocumented function calls are
> > used, and it is implemented using a driver.
> >
> > 2. Writing a GINA stub
> > Does a GINA stub allow me to recover the user name, logon domain name, etc.?
> > Does anyone have experience with GINA stubs and compatibility with other
> > GINAs (Novell, etc.)?
> >
> > 3. Polling for the shell process to be active
> > In a thread in a service, we could poll to see if the shell process is
> > active, and if so, get the username via the available API functions.
> >
> > The questions are:
> > - Are there any other mechanisms available?
> > - Do these mechanisms work in terminal server environments (WinXP fast
> > user switching)?
> > - What do you consider to be the best approach, and why?
> >
> > Any hints/tips are welcome!
> >
> > Thanks,
> > Bartjan
> >
> > --
> > You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>

IIRC there is no documented way for kernel-mode modules to detect logons.
This is because it is considered that this information itself is not
important for kernel-mode modules. Only resource accesses are important,
not the logon itself.
And resource accesses can be tracked in the CREATE path; the IRP carries
the LogonId and other security context information with it.

Max

----- Original Message -----
From: “Bartjan Wattel”
To: “NT Developers Interest List”
Sent: Friday, August 16, 2002 8:14 AM
Subject: [ntdev] RE: ntdev digest: August 15, 2002

> Thanks Max. The function call you mention is used in the TokenMon sample
> by Sysinternals.
>
> What about the logon detection?
>
> --
> Bartjan.
>
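A user-mode route of the kind Max suggests, added here as an example (not code from the thread, nor Sysinternals' or Microsoft's): it assumes a current Windows host with Windows PowerShell 5.x and WMI rather than the NT4/XP machines discussed, enumerates interactive and Terminal Services sessions with their accounts in place of polling the shell process, subscribes to new Win32_LogonSession instances for logon, and reads Security event 4634 for logoff.

```powershell
# Added example, not code from the ntdev thread. Assumes a current Windows host
# (Windows PowerShell 5.x, WMI available, administrator rights for the Security log).
# Win32_LogonSession.LogonType values for a user actually present at the machine:
# 2 = Interactive (console), 10 = RemoteInteractive (Terminal Services / RDP), 11 = CachedInteractive.
$InteractiveTypes = 2, 10, 11
# Alternative to polling for the shell process: enumerate current sessions and
# join each to its account through the Win32_LoggedOnUser association.
function Get-InteractiveLogonSessions {
    Get-WmiObject Win32_LogonSession |
        Where-Object { $InteractiveTypes -contains $_.LogonType } |
        ForEach-Object {
            $session = $_
            $query = "ASSOCIATORS OF {Win32_LogonSession.LogonId='$($session.LogonId)'} " +
                     "WHERE AssocClass=Win32_LoggedOnUser Role=Dependent"
            foreach ($account in Get-WmiObject -Query $query) {
                [pscustomobject]@{
                    LogonId   = $session.LogonId
                    LogonType = $session.LogonType
                    User      = "$($account.Domain)\$($account.Name)"
                    StartTime = $session.ConvertToDateTime($session.StartTime)
                }
            }
        }
}

# Logon: WMI intrinsic event raised when a new Win32_LogonSession appears (WMI polls every 5 s).
$logonQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
              "WHERE TargetInstance ISA 'Win32_LogonSession' AND " +
              "(TargetInstance.LogonType = 2 OR TargetInstance.LogonType = 10 OR TargetInstance.LogonType = 11)"
Register-WmiEvent -Query $logonQuery -SourceIdentifier 'LogonWatch' -Action {
    $s = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("LOGON  LogonId={0} LogonType={1} Start={2}" -f $s.LogonId, $s.LogonType, $s.StartTime)
}

# Logoff: WMI does not reliably report session removal, so read the audited record instead.
# Security event 4634 ("An account was logged off") needs the Logoff audit subcategory enabled.
# Properties: 1 = TargetUserName, 2 = TargetDomainName, 3 = TargetLogonId, 4 = LogonType.
function Get-RecentLogoffs([int]$Count = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4634 } -MaxEvents $Count |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                LogonId   = $_.Properties[3].Value
                LogonType = $_.Properties[4].Value
            }
        }
}
Get-InteractiveLogonSessions | Format-Table -AutoSize
```

Call Get-RecentLogoffs to list the last logoffs and Unregister-Event -SourceIdentifier 'LogonWatch' to stop the logon watcher; a network logon (LogonType 3) is deliberately excluded from the session list but still appears in the 4634 output.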