Re: Interactive user name?
- From: Mick <Mick@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jul 2007 06:26:10 -0700
Hi Alexander,
In your answer for #2 you said the LSA doesn't know about terminals, only
about logon sessions, but in an earlier post Skywing said, “When someone logs
in via FUS or RDP/Terminal Server, they get a "terminal server session" (and
also a "logon session").” If they also get a “logon session”, doesn’t that
mean that it has to go through the LSA to create the session?
Thanks for helping!
Mick
"Alexander Nickolov" wrote:
1 - yes.
2 - no (LSA doesn't know about terminals, only about logon
sessions); the API name should be clear on that...
3 - yes
4 - yes (FUS is the layman name), though only one may be
displayed at any time of course
5 - no
6 - I don't have sample code, but I may advise you to start
reading on the WTS family of functions. For example to get
the currently displayed WTS session you'd use the
WTSGetActiveConsoleSessionId() function.
--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD
email: agnickolov@xxxxxxxx
MVP VC FAQ: http://vcfaq.mvps.org
=====================================
"Mick" <Mick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BCCF97B9-F7C7-4469-BFFC-886E64BC8A1C@xxxxxxxxxxxxxxxx
Hi Ken,
Yeah, it's a bit confusicating. Mind if I ask a few questions?
1. On a system with FUS enabled (let's say an XP system), do all users that
log into the system get a Terminal Services session, even if they're not
logging in remotely?
2. Does LsaEnumerateLogonSessions enumerate all sessions, including all of
the "logon sessions" and "terminal server sessions" that you mentioned?
3. Can more than one of the sessions returned by LsaEnumerateLogonSessions
be interactive simultaneously? For instance, if LsaEnumerateLogonSessions
returns ten sessions, and I call LsaGetLogonSessionData for each of them, can
the LogonType members of the SECURITY_LOGON_SESSION_DATAs be Interactive for
more than one?
4. Is it possible to have more than one session connected to the physical
"glass terminal" at any given time? Moreover, how can you tell if a given
session is connected to the physical "glass terminal"?
5. Could the presence of custom authentication packages make any differences
in the answers to the questions above?
6. Do you know of any sample code that might help me sort this all out?
Any help that you can offer will be greatly appreciated.
Regards,
Mick
"Skywing [MVP]" wrote:
N.B. There is a difference between "logon sessions" and "terminal server
sessions" (or just "sessions"). When you launch an app via RunAs, you
create a new "logon session", same as if you were running the telnet server
and logged into it, or as if someone had connected to your computer via a
network share. When someone logs in via FUS or RDP/Terminal Server, they
get a "terminal server session" (and also a "logon session").
Logon session = created by LogonUser and the other user authentication APIs
(e.g. LsaLogonUser internally)
Terminal server session = created (or reused*) when logging in to the
console physically, using FUS, or RDP/Terminal Server.
A TS session is a complete user-interactive environment with its own
WinSta0, WinSta0\Default, csrss instance, winlogon instance, and so forth.
One of these may be connected to the physical "glass terminal" and the rest
can be in varying states (e.g. idle, disconnected, connected to a remote
user). Logon sessions (as returned by LSA) represent a logged on user but
are not necessarily representative of a "human user" using the system.
--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
"Mick" <Mick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E4ACA3B8-DC3D-4094-867B-3D2F99A5606C@xxxxxxxxxxxxxxxx
Hi Kellie,
Well, thanks to you, I was able to get the info I needed using
LsaEnumerateLogonSessions. I can at least grab the first interactive user
session anyway. That gives me the user name. For some reason it returns the
machine name for the domain though. Maybe that's because my test machine is
part of a workgroup and not a domain.
Your second suggestion, using a Winlogon Notification Package, will not work
on Windows Vista. Actually, that's what we used to use in our software.
Unfortunately, it's not supported on Vista so we had to find another way to
get this info.
Processing SERVICE_CONTROL_SESSIONCHANGE notifications in the HandlerEx of
our service is what I was attempting to implement. I had no problems
processing the notifications, but the notifications do not contain the user
info. So, I needed to find some way of getting the info.
Thank you for the help! It is very much appreciated.
Regards,
Mick
"Kellie Fitton" wrote:
On Jul 22, 11:02 am, Mick <M...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi Kellie,
Thank you for replying to my question. I have a few questions about your
response though.
Yes, there can be more than one user logged onto the system, but then there
should be a way to enumerate those users. Also, it's my understanding that
each user should have a separate desktop (winstation, console...?) and only
one of those will be active at any given time. If that's correct, then there
should be some way to find out which of them is active, right?
I don't think that your suggestion of having a helper application in the
user's session will work for us. One of the goals of our software is to be as
unobtrusive as possible, and starting another process for each logged on user
would be a step in the wrong direction. There's also the problem of how to
start that process for each user that logs on.
Retrieving the user's name or token using the Terminal Services API is the
more attractive of your suggestions. However, what happens if Terminal
Services has been disabled on the system? For instance, would
WTSQueryUserToken still work if Terminal Services is disabled?
I'm surprised that Microsoft has added the ability to have multiple users
logged on to a machine, but didn't add functionality to the API for dealing
with multiple users. For instance, why wasn't GetUserName and/or
GetUserNameEx modified to work with multiple logged on users? Of course it's
very possible that I just haven't looked in the right direction yet. I hope
so anyway.
Regards,
Mick
Hi,
Well, there may not be a currently logged on user, for example,
after the machine has come up but no one's logged on yet. Also,
there is the issue of Fast User Switching, in which multiple
users are logged in but only one has access to the console.
Nonetheless, there are several ways to get this information:
1). You can use the function LsaEnumerateLogonSessions()
to enumerate logon sessions, however, only services running
under LocalSystem have enough privileges by default to use
this function successfully. Also, this function can report
stale or orphaned interactive logon sessions of already logged
off users.
2). Winlogon Notification Package, it will catch logon, logoff,
and other events and can send information to your service.
3). Use the API HandlerEx() in your service and process the event
SERVICE_CONTROL_SESSIONCHANGE.
4). Write a small application that runs as part of user logon, and
put it in all users startup group, or in the following registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run regkey
this application will get the user's name and send it to your
service via any IPC mechanism (e.g: Named Pipe).
http://msdn2.microsoft.com/en-us/library/aa378275.aspx
http://msdn2.microsoft.com/en-us/library/aa380545.aspx
http://msdn2.microsoft.com/en-us/library/ms683241.aspx
http://msdn.microsoft.com/msdnmag/issues/02/08/SENS/default.aspx
Kellie.
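
Added example, not code from any poster in this thread: the join the discussion points at, matching each LSA logon session's `Session` member against the id returned by `WTSGetActiveConsoleSessionId()` instead of taking the first interactive logon session. `struct logon_rec`, `console_user` and `SAMPLE` are hypothetical names; on Windows the records would be copied from `LsaGetLogonSessionData` results, and here they are constructed so the logic runs anywhere.

```c
#include <stddef.h>
#include <stdio.h>

#define LT_INTERACTIVE 2u          /* SECURITY_LOGON_TYPE: Interactive */
#define LT_REMOTE_INTERACTIVE 10u  /* SECURITY_LOGON_TYPE: RemoteInteractive (RDP) */
#define NO_CONSOLE_SESSION 0xFFFFFFFFu /* WTSGetActiveConsoleSessionId(): none attached */

/* Hypothetical flat copy of the SECURITY_LOGON_SESSION_DATA members used here. */
struct logon_rec {
    unsigned long logon_type;   /* LogonType */
    unsigned long ts_session;   /* Session: id of the owning TS session */
    long long logon_time;       /* LogonTime.QuadPart */
    const char *user, *domain;  /* UserName, LogonDomain */
};

/* Pick the logon session shown on the physical console, or NULL if nobody is
 * logged on there. Matching on the TS session id is what copes with FUS; newest
 * LogonTime among matches is this example's own tie-break against stale entries. */
const struct logon_rec *console_user(const struct logon_rec *r, size_t n,
                                     unsigned long console_sid)
{
    const struct logon_rec *best = NULL;
    if (console_sid == NO_CONSOLE_SESSION) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (r[i].logon_type != LT_INTERACTIVE &&
            r[i].logon_type != LT_REMOTE_INTERACTIVE)
            continue;                       /* service, network, batch, ... */
        if (r[i].ts_session != console_sid)
            continue;                       /* switched-away or remote session */
        if (best == NULL || r[i].logon_time > best->logon_time)
            best = &r[i];
    }
    return best;
}

/* Constructed sample: two FUS users, one stale entry, one service logon. */
static const struct logon_rec SAMPLE[] = {
    { 5, 0, 100, "SYSTEM", "NT AUTHORITY" },
    { 2, 0, 200, "alice",  "WORKSTATION1" },
    { 2, 1, 150, "carol",  "WORKSTATION1" },   /* stale: logged off earlier */
    { 2, 1, 300, "bob",    "WORKSTATION1" },
};

int main(void)
{
    const struct logon_rec *u = console_user(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], 1);
    printf("%s\\%s\n", u ? u->domain : "-", u ? u->user : "-");
    return 0;
}
```

A NULL result covers both cases Kellie describes where there is no current user: no session attached to the console, or a console session with no matching logon.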