Session and logon notification in the kernel

Hello,
Are there notifications, events or callbacks in the kernel that inform
WTS session switching(FUS) and user log on and log off? Thanks!

Jicun

There is a callback called when logon session is destroyed. See SeRegisterLogonSessionTerminatedRoutine and related routines in IFS kit docs. However, it isn’t quite reliable because some logon sessions are never destroyed. The first interactive session is usually immortal. Also, it can take some time after user logoff until logon session is terminated.

For other notifications you can write GINA replacement. Very complicated task especially when FUS is involved. Maybe there is some easier way.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Jicun Zhong[SMTP:xxxxx@vallcom.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, June 25, 2004 6:15 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Session and logon notification in the kernel

Hello,
Are there notifications, events or callbacks in the kernel that inform
WTS session switching(FUS) and user log on and log off? Thanks!

Jicun


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@upek.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello,

Although it would not answer the question “in the kernel”, in case the
reliability is an issue as reported by Michal Vodicka, notifications for the
user-mode components are as far as I know (and used them) reliable. Hence
you could consider writing a small user-mode helper service for your
driver which will forward you through private ioctl the reliable user-mode
session change notifications (WM_WTSSESSION_CHANGE).

Best regards,

David Burg


David Burg
Software Development,
InCD Project Leader

Ahead Software AG
Im Stoeckmaedle 18 fax: +49 (0)7248 911 888
76307 Karlsbad email: xxxxx@nero.com
Germany http://www.nero.com


Hi Michal,
Thanks for the info!
In my case it is much more important to know when a user logged on or
reconnected thru FUS or RDC. I have done all these in the user space like
gina, WTS event and notifications. They work well. However, user app may
hang, therefore stop sending to my driver the events leaving possible
resources in the driver to someone who may not be allowed to access. The
problem is in our SW the trustee identification is not merged with Windows.
When someone logged on and authenticated to our SW then he can use the
resource under his interactive session. If the console switches to somebody
else thru FUS and RDC (you are right that the original interactive session
is not terminating, actually all WTS sessions are alive until explicitly
logged off), then I need to close the resource. This is currently done thru
user app. But to exclude the last possible leak, I would like to move it
into the kernel if possible.
Of course there are still solutions in the user space like a dedicated
thread listening to the notifications and periodically reporting to the
driver that it is healthy.
Best regards,

Jicun


Hi David,
Already done that. See a follow up to Michal’s reply.
Thanks!

Jicun


> isn’t quite reliable because some logon sessions are never destroyed. The
> first interactive session is usually immortal.

Really? The logoff event is written for it to the event log, same way as for
other sessions.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Maxim S. Shatskih[SMTP:xxxxx@storagecraft.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, June 25, 2004 4:52 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Session and logon notification in the kernel

> > isn’t quite reliable because some logon sessions are never destroyed. The
> > first interactive session is usually immortal.
>
> Really? The logoff event is written for it to the event log, same way as for
> other sessions.

Yes, but session termination routine is called later when the last session reference is closed. When I tested it (XP SP0), there were 7 or more outstanding references for the first interactive session after user logoff. Or more, depending on previous activity. Some came out when next user logged on but not all and usually, session remained forever. If I remember correctly, I saw termination of this session only after quick logon/logoff just after boot. Logoff event is of course written when user logs off but it doesn’t mean all related data are freed.

Try it, it is rather easy. Maybe it was fixed since then but I doubt.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]

Jicun,

maybe you could try different approach. You can control access to your resource according to request logon ID. If the request is made in context of calling thread, you can get logon ID (LUID structure) for current thread and compare with approved IDs. You should do it anyway, if I understand correctly, your approach isn’t quite safe. Threads under different sessions can run in parallel. Have you tried for example “runas cmd” for different user? That way you can have interactive session and console logged as different user. I use it for multi-user testing; any app started from this console runs under that user. Also, what about impersonated threads? Maybe your solution handles it, too, I’m not sure.

BTW, why do you care about hang if you use GINA? I guess if it hangs, user won’t be able to do anything.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]



Yes, checking the ID is a good idea. I suppose you mean the logon session
ID? The problem is some processes may not even have a logon session ID (like
services) and a process run as a different user will have the same logon ID
if I use the Windows built in “RunAs”. So maybe some other ID like the user
SID in the access token is more appropriate.
Yes, if Gina is used I do not need to worry about hang, but I have to
support non-custom gina use cases.
Thanks for the suggestion!

Jicun


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Jicun Zhong[SMTP:xxxxx@vallcom.com]
Reply To: Windows System Software Devs Interest List
Sent: Saturday, June 26, 2004 10:55 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Session and logon notification in the kernel

> Yes, checking the ID is a good idea. I suppose you mean the logon session
> ID?

Yes. You can get it from primary or impersonated token using SeQueryAuthenticationIdToken().

> The problem is some processes may not even have a logon session ID (like
> services)

Every process has to have session ID. Some may have built-in system ID 0:999.

> and a process run as a different user will have the same logon ID
> if I use the Windows built in “RunAs”.

I don’t think so. Use impersonated token to get proper ID.

> So maybe some other ID like the user
> SID in the access token is more appropriate.

I may be wrong but I believe between SID and session ID is direct relation.

> Yes, if Gina is used I do not need to worry about hang, but I have to
> support non-custom gina use cases.

I vaguely remember for such purposes something as GINA plugin can be written. A DLL which GINA calls.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]

Hi Michal,
See embedded.

Jicun



> > Yes, checking the ID is a good idea. I suppose you mean the logon session
> > ID?
>
> Yes. You can get it from primary or impersonated token using
> SeQueryAuthenticationIdToken().
>
> > The problem is some processes may not even have a logon session ID (like
> > services)
>
> Every process has to have session ID. Some may have built-in system ID
> 0:999.

[Jicun] I messed up logon session id with logon SID. Yes, every process must
have a logon session id. For everything in the TCB it is 0-999, however they
seem to lack logon SID in their token.

> > and a process run as a different user will have the same logon ID
> > if I use the Windows built in “RunAs”.
>
> I don’t think so. Use impersonated token to get proper ID.

[Jicun] Again I am not clear on this. What I meant is using the built-in
“RunAs” as invoked from Explorer (right-click/RunAs…) with a different
local user credential. The new process will have the same logon SID as
explorer and all the processes launched by explorer but a different
authentication id and of course different user SID. This is kind of
contrary to the common belief of logon SID being a tag of a special
instance of a logged on user.

> > So maybe some other ID like the user
> > SID in the access token is more appropriate.
>
> I may be wrong but I believe between SID and session ID is direct relation.

[Jicun] I do not think they are one-to-one. User SID is constant for an
account. The same user SID can produce multiple Logon SID and logon session
ids.

> > Yes, if Gina is used I do not need to worry about hang, but I have to
> > support non-custom gina use cases.
>
> I vaguely remember for such purposes something as GINA plugin can be
> written. A DLL which GINA calls.


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Jicun Zhong[SMTP:xxxxx@vallcom.com]
Reply To: Windows System Software Devs Interest List
Sent: Monday, June 28, 2004 10:49 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Session and logon notification in the kernel

> Every process has to have session ID. Some may have built-in system ID
> 0:999.
> [Jicun] I messed up logon session id with logon SID. Yes, every process must
> have a logon session id. For everything in the TCB it is 0-999, however they
> seem to lack logon SID in their token.

No wonder. 0:999 is for local system.

> I don’t think so. Use impersonated token to get proper ID.
> [Jicun] Again I am not clear on this. What I meant is using the built-in
> “RunAs” as invoked from Explorer (right-click/RunAs…) with a different
> local user credential. The new process will have the same logon SID as
> explorer and all the processes launched by explorer but a different
> authentication id and of course different user SID. This is kind of
> contrary to the common belief of logon SID being a tag of a special
> instance of a logged on user.

That’s why I believe authentication ID should be used. I’m sorry if terminology was confusing, I never thought about using SIDs and when mentioned logon or session ID, I meant AuthenticationID because it uniquely identifies logon session. It may not be exactly what you want because one user can be logged more times under different session.

I’m unsure how logon and user SIDs are used. Session IDs were ideal for me because I needed to keep a separate set of virtual drives per session (symbolic links are stored per session).

> I may be wrong but I believe between SID and session ID is direct relation.
> [Jicun] I do not think they are one-to-one. User SID is constant for an
> account. The same user SID can produce multiple Logon SID and logon session
> ids.

Sure, the relation is 1:N, I didn’t mention it as it seemed obvious.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http:://www.upek.com]

It seems that the requirement between yours and mine is a bit different. In
my case, the user SID is better because as long as it is the same user I
have to support it no matter it comes in on with a different WTS session or
a logon session.

Regards!

Jicun
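
The identifiers compared in the exchange above (WTS session, logon SID, authentication ID, user SID), as an added example that is not code from any poster: a user-mode C model, not driver code, of an access check keyed on each identifier in turn. All type and function names are hypothetical and every SID and LUID except the local system values is constructed; in a driver the authentication ID would come from SeQueryAuthenticationIdToken(), as mentioned in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-mode model only; every type and function name here is hypothetical. */
typedef struct { uint32_t low; int32_t high; } luid_t;   /* same shape as a LUID */

typedef struct {
    const char *user_sid;    /* constant for an account */
    const char *logon_sid;   /* NULL when the token carries none */
    luid_t      auth_id;     /* authentication ID of the logon session */
    uint32_t    wts_session; /* terminal-services session number */
} token_t;

typedef struct {
    const token_t *primary;        /* process token */
    const token_t *impersonation;  /* thread token, NULL when not impersonating */
} requester_t;

typedef enum { KEY_WTS_SESSION, KEY_LOGON_SID, KEY_AUTH_ID, KEY_USER_SID } policy_t;

static bool luid_equal(luid_t a, luid_t b)
{
    return a.low == b.low && a.high == b.high;
}

/* A missing SID never matches, so a token without one is refused. */
static bool sid_equal(const char *a, const char *b)
{
    return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* approved: the token captured when the user authenticated to the product.
 * The requester is judged by its impersonation token when it has one. */
bool access_allowed(policy_t policy, const token_t *approved, const requester_t *r)
{
    if (approved == NULL || r == NULL) return false;
    const token_t *t = r->impersonation ? r->impersonation : r->primary;
    if (t == NULL) return false;

    switch (policy) {
    case KEY_WTS_SESSION: return t->wts_session == approved->wts_session;
    case KEY_LOGON_SID:   return sid_equal(t->logon_sid, approved->logon_sid);
    case KEY_AUTH_ID:     return luid_equal(t->auth_id, approved->auth_id);
    case KEY_USER_SID:    return sid_equal(t->user_sid, approved->user_sid);
    }
    return false;
}

/* Constructed sample tokens. BOB_RUNAS shares alice's logon SID and WTS
 * session, which is the RunAs behaviour reported in the thread. */
static const token_t ALICE_CONSOLE = { "S-1-5-21-1-2-3-1001", "S-1-5-5-0-70001", { 0x1a2b3, 0 }, 0 };
static const token_t BOB_RUNAS     = { "S-1-5-21-1-2-3-1002", "S-1-5-5-0-70001", { 0x2c4d5, 0 }, 0 };
static const token_t ALICE_RDC     = { "S-1-5-21-1-2-3-1001", "S-1-5-5-0-91234", { 0x3e6f7, 0 }, 2 };
static const token_t LOCAL_SYSTEM  = { "S-1-5-18", NULL, { 0x3e7, 0 }, 0 };  /* 0:999 */

static const requester_t REQ_ALICE            = { &ALICE_CONSOLE, NULL };
static const requester_t REQ_BOB_RUNAS        = { &BOB_RUNAS, NULL };
static const requester_t REQ_ALICE_RDC        = { &ALICE_RDC, NULL };
static const requester_t REQ_SERVICE          = { &LOCAL_SYSTEM, NULL };
static const requester_t REQ_SERVICE_AS_ALICE = { &LOCAL_SYSTEM, &ALICE_CONSOLE };

int main(void)
{
    static const char *policies[] = { "wts-session", "logon-sid", "auth-id", "user-sid" };
    const struct { const char *label; const requester_t *r; } rows[] = {
        { "alice (console)",       &REQ_ALICE },
        { "bob via RunAs",         &REQ_BOB_RUNAS },
        { "alice via RDC",         &REQ_ALICE_RDC },
        { "service, local system", &REQ_SERVICE },
        { "service impersonating", &REQ_SERVICE_AS_ALICE },
    };

    /* The resource was approved for alice's console logon. */
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        printf("%-24s", rows[i].label);
        for (int p = 0; p < 4; p++)
            printf(" %s=%s", policies[p],
                   access_allowed((policy_t)p, &ALICE_CONSOLE, rows[i].r) ? "allow" : "deny");
        printf("\n");
    }
    return 0;
}
```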


If it makes a difference to you, make sure to test domain users both
online and offline, as their SIDs can be different in those 2
circumstances (at least that’s what I remember from the dim past :-).


…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.