User logon

Hi,

Is it possible to detect from a FS filter driver that a user logs on,
and how to do this?

Sorry for this probably stupid question, but I have never dealt with
user-related things before. I’ve seen several posts regarding logon
session termination notification, which can be used to clean up
per-session context, but I have never seen how (when) to create it.
Is there any difference between interactive and network logon sessions?
What kind of relations exist between a logon session and a user?

I would very much appreciate any information on this topic.

Thanks in advance,
Leonid.

In “userland” the logoff can be detected via W32 API
SetConsoleControlHandler(…) and CTRL_LOGOFF_EVENT. I used it and it worked
for me. Regarding logon, the detection is more complicated. I “heard” (I
didn’t try it) about an approach to hook and monitor changes in some registry
keys like “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”.
WBR Primoz

-----Original Message-----
From: Leonid Zhigunov [mailto:xxxxx@progate.spb.ru]
Sent: Wednesday, February 05, 2003 3:27 PM
To: File Systems Developers
Subject: [ntfsd] User logon

Hi,

Is it possible to detect from a FS filter driver that a user
logs on, and how to do this?

Sorry for this probably stupid question, but I have never dealt
with user-related things before. I’ve seen several posts
regarding logon session termination notification, which can be
used to clean up per-session context, but I have never seen how
(when) to create it. Is there any difference between interactive
and network logon sessions? What kind of relations exist
between a logon session and a user?

I would very much appreciate any information on this topic.

Thanks in advance,
Leonid.



You cannot, you can only sense the Logon ID in the filter’s CREATE
path. So, you will sense the logon, but only after it opens some
files.

Max

So any create before logon will not have the logon ID, and the first create
after logon will have it? And where can I find this logon ID?

Thanks!

Ampsi

----- Original Message -----
From: “Maxim S. Shatskih”
To: “File Systems Developers”
Sent: Thursday, February 06, 2003 2:33 AM
Subject: [ntfsd] Re: User logon

You cannot, you can only sense the Logon ID in the filter’s CREATE
path. So, you will sense the logon, but only after it opens some
files.

Max

#include <ntifs.h>

// Returns a logon ID from the security context
// (SecurityContext is Parameters.Create.SecurityContext in the CREATE path)
NTSTATUS GetLogonId(PIO_SECURITY_CONTEXT SecurityContext, LUID* LogonId)
{
    PAGED_CODE();
    // Use impersonation token if any, otherwise the primary token
    return SeQueryAuthenticationIdToken(
        (SecurityContext->AccessState->SubjectSecurityContext.ClientToken != NULL) ?
            SecurityContext->AccessState->SubjectSecurityContext.ClientToken :
            SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken,
        LogonId);
}

----- Original Message -----
From: “Ampsi”
To: “File Systems Developers”
Sent: Thursday, February 06, 2003 4:13 AM
Subject: [ntfsd] Re: User logon

> So any create before logon will not have the logon ID, and the first create
> after logon will have it? And where can I find this logon ID?
>
> Thanks!
>
> Ampsi
>

Thanks for the info, Maxim!

Can I confirm that anything other than LogonId->LowPart = 999 is due to the
logged on user?

Ampsi

----- Original Message -----
From: “Maxim S. Shatskih”
To: “File Systems Developers”
Sent: Thursday, February 06, 2003 10:45 PM
Subject: [ntfsd] Re: User logon

#include <ntifs.h>

// Returns a logon ID from the security context
// (SecurityContext is Parameters.Create.SecurityContext in the CREATE path)
NTSTATUS GetLogonId(PIO_SECURITY_CONTEXT SecurityContext, LUID* LogonId)
{
    PAGED_CODE();
    // Use impersonation token if any, otherwise the primary token
    return SeQueryAuthenticationIdToken(
        (SecurityContext->AccessState->SubjectSecurityContext.ClientToken != NULL) ?
            SecurityContext->AccessState->SubjectSecurityContext.ClientToken :
            SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken,
        LogonId);
}
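
Added example, not code from the thread: a portable C model of what a filter's CREATE path can do with the LUID returned by GetLogonId() above. It recognises the reserved logon IDs from the Windows headers (SYSTEM is 0x3e7, i.e. 999, but it is not the only one) and flags the first CREATE seen from each other logon session. LogonLuid, SessionTable and the function names are hypothetical stand-ins; a real driver would use the kernel LUID type and guard the table with a lock.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in for the Windows LUID so the model builds anywhere (assumption). */
typedef struct { uint32_t LowPart; int32_t HighPart; } LogonLuid;
typedef enum { LOGON_SYSTEM, LOGON_ANONYMOUS, LOGON_LOCAL_SERVICE,
               LOGON_NETWORK_SERVICE, LOGON_OTHER } LogonKind;

/* Reserved IDs from the Windows headers: SYSTEM_LUID (0x3e7 = 999),
   ANONYMOUS_LOGON_LUID, LOCALSERVICE_LUID, NETWORKSERVICE_LUID. */
LogonKind classify_logon(LogonLuid id)
{
    if (id.HighPart != 0) return LOGON_OTHER;
    switch (id.LowPart) {
    case 0x3e7: return LOGON_SYSTEM;
    case 0x3e6: return LOGON_ANONYMOUS;
    case 0x3e5: return LOGON_LOCAL_SERVICE;
    case 0x3e4: return LOGON_NETWORK_SERVICE;
    default:    return LOGON_OTHER; /* not one of the reserved IDs */
    }
}

#define MAX_SESSIONS 64 /* fixed size keeps the model short (assumption) */
typedef struct { LogonLuid ids[MAX_SESSIONS]; size_t count; } SessionTable;

static int same_luid(LogonLuid a, LogonLuid b)
{ return a.LowPart == b.LowPart && a.HighPart == b.HighPart; }

/* Call per CREATE with the LUID from GetLogonId(). Returns 1 on the first
   CREATE seen from a non-reserved session (allocate per-session context
   here), 0 if reserved or already known, -1 if the table is full. */
int note_create(SessionTable *t, LogonLuid id)
{
    size_t i;
    if (classify_logon(id) != LOGON_OTHER) return 0;
    for (i = 0; i < t->count; i++)
        if (same_luid(t->ids[i], id)) return 0;
    if (t->count == MAX_SESSIONS) return -1;
    t->ids[t->count++] = id;
    return 1;
}

/* Call from the session-termination notification; returns 1 if removed. */
int note_logoff(SessionTable *t, LogonLuid id)
{
    size_t i;
    for (i = 0; i < t->count; i++)
        if (same_luid(t->ids[i], id)) { t->ids[i] = t->ids[--t->count]; return 1; }
    return 0;
}
```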
