How to check if session is being shadowed in Windows Terminal Server - windows

Assume the following scenario:
I log on terminal server with RDP (Windows Server 2012 R2 or 2016)
Another user connects to my session with "mstsc.exe /shadow" command.
I get the message to confirm this access, and I agree.
Then, after a while I would like to check if my session still being shadowed.
Is there any way to perform this check? Any command, Win32 API, WMI query?
So far, I was only able to find out that rdpsaproxy.exe program is started in shadowed session. That is almost enough, but this program also keeps running when user denies access when prompted to accept initial shadowing request. So detecting presence of rdpsaproxy in check session is not enough to say that somebody is watching me.

You could bind a notification task to the events of Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational event log:
20503 - shadow watching started
20504 - shadow watching stopped
20506 - shadow control started
20507 - shadow control stopped

Related

Im getting reset on every http/s session after removing windivert64.sys and reboot

I installed netspark on my computer and tried to remove it by removing every file and registery belongs to the program and windivert64.sys
Now Im getting reset for every http/s session, what can I do?
How can I find the driver that sends the reset?
I have win10
After I tried to manually search the services list in services.msc I found nothing.
I tried to look for SysInternalSuite programs and found autoruns.
This tool shows every driver loaded on boot.
the list of the driver was very short and I easily found the driver by the publisher description.

postgres- start process under administrator account

Is it possible to start postgres process with a user account that has "administrative" privileges? I am on windows XP.
--Error shown is --- (Not really error, it is a security feature)
The server must be started under an unprivileged user ID to prevent
possible system security compromises. See the documentation for
more information on how to properly start the server.
Current work around is to create normal user and run process under that. What I am looking at is quick way to start database, do some operations and shut it down as part of build process.
(years later)
Postgres ships with a control program. See details in official documentation
Short answer:
pg_ctl start "args"

Can users interact with services directly on Microsoft Vista?

From the Microsoft website (see msdn.microsoft.com/en-us/library/ms683502(VS.85).aspx) it clearly says "Services cannot directly interact with a user as of Windows Vista".
So I decided to test this by using "psexec -s cmd.exe". As far as I know, "psexec" creates a service in order to open a command prompt. Needless to say it worked. I then decided to use "EnumWinSta GUI" in combination with psexec to switch to the winlogon desktop. To my surprise, I could even start "cmd.exe" on this desktop. Does this mean a new process created from a service can be interactive?
Or is it because psexec does some kind of black magic? If so how does it do it?
I am trying to display a full screen window from a service into the winlogon desktop object in Vista as well as XP.
Code running within a service cannot directly interact with an interactive session.
However, code running as a service with sufficient privileges can create a new process running within a specific user's desktop - getting the interactive session's user's token and calling CreateProcessAsUser, for example.
You can use WTSGetActiveConsoleSessionId to get the active console session, the session of the user who is actually on the machine. WTSQueryUserToken can then be used to get the token.
Your service can also use session change notifications in its handler function to see when users logon/logoff, unlock their session, and so on.

On Terminal Server, how does a service start a process in a user's session?

From a Windows Service running on a Terminal Server (in global space), we would like to be able to start up a process running a windows application in a specific user's Terminal Server sessions.
How does one go about doing this?
The Scenerio: the windows service starts at boot time. After the user has logged into a Terminal Server user session, based on some criteria known only to the windows service, the windows service wants to start a process in the user's session running a windows application.
An example: We would like to display a 'Shutdown in 5 minutes' warning to the users. The windows service would detect this condition, and start up a process in each user session that starts the windows app that displays the warning. And, yes, I know there are other ways of displaying a warning dialog, this is the example, what we want to do is much more invasive.
You can use CreateProcessAsUser to do this - but it requires a bit of effort. I believe the following steps are the basic required procedure:
Get the user's session (WTSQuerySessionInformation).
Get a token for that user (WTSQueryUserToken).
Create a duplicate token for your use (DuplicateTokenEx).
Use the token to create an environment block (CreateEnvironmentBlock).
Launch the application with CreateProcessAsUser, using the block above.
You'll also want to make sure to clean up all of the appropriate handles, tokens, etc., after you've launched the process.
Really late reply but maybe somebody will find this helpful.
You can use PsExec to launch an application on a remote (or local) server inside a specified session by using the following command:
psexec \\COMPUTER_NAME -i SESSION_ID APPLICATION_NAME
Where SESSION_ID indicates the session id in which to launch the application.
You will need to know what sessions are active on the server and which session id maps to which user login. The following thread provides a nice code sample for this exact problem: How do you retrieve a list of logged-in/connected users in .NET?
Late reply but in the answer above DuplicateToken is not necessary since WTSQueryUserToken already returns a primary token.

How to check if program is running in local console?

In Windows Server 2003, how I can check if my program is running in local console ("on the screen of the server machine") instead of remote session?
I'm using Delphi Win32, so any Windows API based method should work..
Wouldn't the session number tell you this ?
ProcessIdToSessionId (GetCurrentProcessId(),&dwSessionNum)
You'd have to check the OS version as well, using GetVersionEx: for everything up to XP/Server 2003 session 0 is local (service or interactive console), anything higher is virtual. For Vista/2008 session 0 and 1 are both local (0 is service, 1 is console), everything else is virtual.
I'm guessing your Delphi units would declare the session number as var, so you wouldn't need the ampersand.
WTSGetActiveConsoleSessionId() should return the ID of the session attached to the console. You can then compare that session id with your application's current session ID to determine whether you are running on the console or not. Vista (not sure about Windows Server 2008) does not necessarily give the console session the ID of 1 (Fast User Switching, anyone?).
For me, ProcessIdToSessionId returned 0 both when run directly at the physical console and when logged in to the administrative session (mstsc /admin).
However, when you login via RDP, Windows (XP Pro in this case) creates a new session which it shows on the physical console which just has the "this computer is locked" display. WTSGetActiveConsoleSessionId returns the session id for that second session which in my case was 2.
So even though your app is running on the console, there are now two console sessions and your app is not running on the active one. In my code I compare session id against 0 instead.
Brian is correct, I have since encountered Vista reporting a session id of 2 for an interactive console, despite the fact that Fast User Switching was not in use. Of course, this may be just be a bug :-)

Resources