Windows Session and users

Hello

I was reading the Windows Sysinternals Administrator’s Reference book and searched for some details about Windows sessions and found a link that says:

“A single “session” can comprise an arbitrary number of login sessions”
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/windows-nt-session.html

What does that mean? Does it mean that different users can log in with the same user name and password?
Or, if the author is just trying to say that different users can use the same server, then that cited definition must be wrong, because different login sessions means different sessions. Right?

And just one more,

I run process explorer and see that:

lsm.exe –> user: NT AUTHORITY\SYSTEM –>session 0
csrss.exe –> user: NT AUTHORITY\SYSTEM –>session 1

How can one user name be related to two different sessions?

“Windows session” is the instance of kernel’s Session Space region, and the display driver instance loaded there.

Different Windows sessions occur if you’re using Fast User Switching on XP or Remote Desktop.

Windows sessions are fully isolated from one another in terms of GUI subsystem. App which runs in one session will not be able to do anything with the GUI of another session.

Pre-Vista, the services were running in the same Windows session as the first interactive logon. In Vista+, they are running in their special separate Windows session.

Each Windows session also has an instance of CSRSS.EXE which controls it.

Native NT processes do not belong to any Windows session.

Logon session is actually a set of a token object and all its duplicates, the ones created using DuplicateToken.

So, surely there can be many logon sessions within the single Windows session. “Run As” and UAC are the simplest ways to create them.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hmm
So, if “Windows session” is the instance of kernel’s Session Space region and we can run or create processes in other sessions,

When a process is switched to another session’s process, is its display driver instance switched too?

If so, we must see another desktop with different icons. Right? I don’t understand that part. (Maybe it is related to the differences between switching Windows session and logon session, I don’t know.)

Also, as you said, we can create a process by Run As. What does that mean?

Different users in the same session?
Or different sessions in the same operating system?

Does Windows allow all the combinations? Can one create a process for a different user in the same session, or a different user in a different session?

Because in Process Explorer, it seems,
dwm.exe (session:1 - user:Johnlock-Pc\john) is created by svchost (session : 0 - user :NT AUTHORITY\SYSTEM )

Thank you very much for answer.

> So, if “Windows session” is the instance of kernel’s Session Space region and we can run or create processes in another sessions,

I don’t think you can, probably SMSS is the only process which can do this (create a session), and I don’t think there are ways of injecting processes to the other session.

> When process is switched to another session’s process

I don’t think it is possible.

> Also, as you said, we can create process by run as. What does that mean.

“Run As” in shell’s context menu.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:
I don’t think there are ways of injecting processes to the other session

So why does dwm.exe (session:1) appear under the svchost (session:0)?

Maxim S. Shatskih wrote:
I don’t think it is possible

If, after the OS selects a thread that belongs to a different session’s process, switching the Session Space region is not possible, then what is the point of supporting different sessions in one OS environment? Just security credentials?

Maxim S. Shatskih wrote:
“Run As” in shell’s context menu.

I was just trying to ask about relations between users and sessions. NT AUTHORITY\SYSTEM appears in both session 0 and session 1. What does that indicate? Does it mean the owner of the session ran a process with Run As?

Thanks.

An application (running with suitable privs) can easily launch processes into other sessions as other users. See CreateProcessAsUser and related functions : http://msdn.microsoft.com/en-us/library/ms682429(v=vs.85).aspx
Note that it takes 9 parameters to launch another application, and if that’s not enough the 10th is a pointer to another bunch of parameters (STARTUPINFOEX).

Have fun,
Tim.


From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih [xxxxx@storagecraft.com]
Sent: 06 July 2011 19:03
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Windows Session and users

So, if “Windows session” is the instance of kernel’s Session Space region and we can run or create processes in
another sessions,

I don’t think you can, probably SMSS is the only process which can do this (create a session), and I don’t think there are ways of injecting processes to the other session.

When process is switched to another session’s process

I don’t think it is possible.

Also, as you said, we can create process by run as. What does that mean.

“Run As” in shell’s context menu.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com



>An application (running with suitable privs) can easily launch processes into other sessions as other users.

As other users - yes, what about other desktops?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

AFAIK threads are attached to a desktop, and unless they create a GDI/USER object they can switch to any desktop in the same window station where the process is attached. Processes are able to change window station in their own session. But a process itself cannot change its own SessionId. Of course a process can start another process in any session (if it has the TCB right).


Best regards,
Krystian Bigaj
On Jul 7, 2011 12:11 PM, “Maxim S. Shatskih” wrote:
>>An application (running with suitable privs) can easily launch processes
into other sessions as other users.
>
> As other users - yes, what about other desktops?
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>

1-) A logon session is managed by the Local Security Authority, and manages the scope of a user logon. These are created primarily by the winlogon process, but also secondarily by API functions such as LogonUser, CreateProcessAsUser, and CreateProcessWithLogonW, or by applications that use these functions, such as the runas command.

A logon session isn’t tied to any specific Object Manager concepts as window stations and desktops. It’s basically just a block of information containing the logon SID and some cached security information about the account. This block of information, this logon session, is what an access token points to.

2-) The other type of session is sometimes called a Terminal Services session, Terminal Server session, Remote Desktop session, logon session (as confusing as that is), user logon session, or user session. Usually, though, it’s just called a “session”, without further qualification.

This is the type of session that you’ll usually hear about, and is what window stations belong to. This type of session came about to support multiple interactive GUI logons, as provided by Terminal Services (now known as Remote Desktop), and is now also used to support Fast User Switching. Sessions provide the necessary isolation between the Object Manager objects associated with each user logon.
http://stackoverflow.com/questions/4686897/sessions-window-stations-and-desktops

In summary, a logon session is an application concept which can be done with runas; it is not related to the kernel, and it is all about running an application with a different user account (that means a different security context).

But a kernel session, or terminal session or whatever it is called, is about kernel session space, and it can be done by Fast User Switching or a remote connection like Terminal Services. The kernel switches session space, and this results in switching the video card driver.

I hope all this information is right.

Thanks…
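
Added example, not part of any post in this thread: a PowerShell inventory that shows both kinds of session discussed above on a live machine, by joining the WMI classes Win32_LogonSession, Win32_LoggedOnUser and Win32_SessionProcess. The column names (WindowsSession, LogonId and so on) are chosen for this example, and it assumes an elevated prompt, since an unelevated caller sees only part of the picture.

```powershell
# Added example. Maps each Windows (Terminal Services) session to the
# logon sessions whose processes run in it. Assumes an elevated prompt.
$rows = foreach ($ls in Get-CimInstance -ClassName Win32_LogonSession) {
    # Win32_LoggedOnUser associates a logon session with its account.
    $acct = Get-CimAssociatedInstance -InputObject $ls -Association Win32_LoggedOnUser |
            Select-Object -First 1
    $user = if ($acct) { '{0}\{1}' -f $acct.Domain, $acct.Name } else { '<unknown>' }

    # Win32_SessionProcess associates a logon session with its processes.
    foreach ($p in Get-CimAssociatedInstance -InputObject $ls -Association Win32_SessionProcess) {
        [pscustomobject]@{
            WindowsSession = [int]$p.SessionId          # kernel session (0, 1, 2, ...)
            LogonId        = '0x{0:x}' -f [uint64]$ls.LogonId
            LogonType      = $ls.LogonType              # 2 = interactive, 5 = service, ...
            User           = $user
            Process        = $p.Name
            ProcessId      = [int]$p.ProcessId
            ParentId       = [int]$p.ParentProcessId
        }
    }
}

# 1) One row per Windows session: several logon sessions (and users) can share it,
#    and one account such as NT AUTHORITY\SYSTEM can appear in several sessions.
$rows | Group-Object WindowsSession | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        WindowsSession = $_.Name
        LogonSessions  = @($_.Group.LogonId | Sort-Object -Unique).Count
        Users          = @($_.Group.User | Sort-Object -Unique) -join ', '
        Processes      = $_.Count
    }
} | Format-Table -AutoSize

# 2) Processes whose parent lives in a different Windows session, i.e. something
#    created them across the session boundary (the dwm.exe / svchost.exe case).
#    A parent PID may have been reused after the parent exited, so treat rows
#    here as leads to confirm, not as proof.
$byPid = @{}
foreach ($r in $rows) { $byPid[$r.ProcessId] = $r }
$rows | Where-Object {
    $byPid.ContainsKey($_.ParentId) -and
    $byPid[$_.ParentId].WindowsSession -ne $_.WindowsSession
} | Select-Object Process, ProcessId, WindowsSession, User,
      @{ n = 'Parent';        e = { $byPid[$_.ParentId].Process } },
      @{ n = 'ParentSession'; e = { $byPid[$_.ParentId].WindowsSession } } |
    Format-Table -AutoSize
```

The second table is a useful baseline for monitoring: on a given build the set of services that legitimately start processes in interactive sessions is small and stable, so new cross-session parents stand out.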