Is there a reliably way to determine the last user name to login to the system? I've looked at LsaEnumerateLogonSessions() and LsaGetLogonSessionData() however they require elevation on Vista and later (which I'm keen to avoid). WMI has the same problem (presumably it's just calling Lsa behind the scenes).
I've also looked at "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" in HKLM, but in testing that's unreliable and doesn't get updated.
I'm really only interested in console logons, rather than Fast User Switching or TS logons.
I've read various articles, but have yet to come up with a good solution.
You might be able to use Audit Logon events - this requires your service to have a user access right to see the Security log, but not be a full Administrator.
Eventid 528 indicates who logged on, you'd have to find the most recent instance of this.
Related
I have a machine which gets locked if no interaction is done after 15 minutes and when right time comes I want to unlock it programmatically because my program does some things which needs UI. Of course I can disable the screen locking entirely but let's consider that this is not an option.
I've googled and found out that I need to implement credential provider for this but I don't understand why. I guess I don't know the internal workings of the windows. If I know the username/password of the user or even when user doesn't have a password I can use why I need to implement the credential provider? I've read this article on Windows website and it seems like windows already has "System credential providers" but I could not found how I can interact with them (Maybe you can't and that's why everybody suggest to implement third party CP) Can somebody please explain how screen locking on windows works and why is that impossible to unlock the screen without implementing CP? thanks
If your machine locks, it will require some kind of credentials to be passed back through the LSA to unlock it. It is best to prevent the machine from locking in the first place.
If you pursue a strategy using a credential provider, you will need to find a way of securely recording and replaying the user's password. The credential provider will also put up a 'sign in' button as a 'road block' (Microsoft's term) to force user interaction when logging in.
I apologize for the bad phrasing in the title, but here's a little more context.
I recently bought a Windows 8 laptop and noticed that Norton was pre-installed and running with SYSTEM level privileges. Thus, it occurred to me that there must be some way for third-party applications to run with SYSTEM privileges.
However, after much googling, I could not figure out whether it was an API call or a registry setting or something else entirely that enabled Norton to do this, so I decided to ask the SO community. How can I write an application that runs with SYSTEM privileges?
Services can be configured to run as several different accounts, including LOCAL SERVICE, NETWORK SERVICE, SYSTEM, or any user's account.
Using SYSTEM isn't recommended, because any security problem can lead to complete compromise of the machine, but it is available.
This is configured by the lpServiceStartName parameter of CreateService and/or ChangeServiceConfig. Pass a NULL pointer as this parameter of CreateService, or ".\\LocalSystem" to ChangeServiceConfig, to use the local system account.
It's a bad idea to run a GUI application as local system. The best approach is to have both a GUI application (running as the logged-on user) and a service (running as SYSTEM) and have them communicate as needed using any suitable IPC method. This is probably what Norton is actually doing.
However, it is possible to get a system service to launch an application as SYSTEM in the user's session. To do this, duplicate the processes security token with DuplicateTokenEx and then use SetTokenInformation with the TokenSessionId option. This will give you a token in SYSTEM context but in the user's session which you can use to launch an executable. (There may be additional issues; for example, you might also need to change the permissions on the workstation and desktop.)
We have developed a ASP.NET 3.5 web application with Web Server 2008 and has implemented a custom authentication solution using active directory as the credentials store. Our front end application uses a normal login form to capture the user name and password and leverages the Win32 LogonUser method to authenticate the user’s credentials. When we are calling the LogonUser method, we are using the LOGON32_LOGON_NETWORK as the logon type.
The issue we have found is that user profile folders are being created under the C:\Users folder of the web server. The folder seems to be created when a new user who has never logged on before is logging in for the first time. As the number of new users logging into the application grows, disk space is shrinking due to the large number of new user folders getting created.
I need to get the token back after the authentication (authenticated \ password locked \ wrong password ) its futher use and based on logic showing different web pages
Has anyone seen this behavior with the Win32 LogonUser method?
Please answer the following issue:
Is it possible to disable this behavior to create the folder as taking 2.78 MB of space for every new user and it eating my disck space?
I have tried LOGON32_LOGON_BATCH but it was giving an error 1385 in authentication user.
For any solution related to LOGON32_LOGON_BATCH, can you please confirm if that will stop creating the folders at location C:\users.
Also for any possible solution I need either
I am able to disable the folder to be created at C:\user or
Any other option to authenticated user which will not creat folders.
Pass LOGON32_LOGON_BATCH and grant the users permission to log on as a batch job on that machine using Group Policy.
The MSDN documentation for LogonUser recommends LOGON32_LOGON_BATCH as the logon type for web services:
This logon type is intended for batch
servers, where processes may be
executing on behalf of a user without
their direct intervention. This type
is also for higher performance servers
that process many plaintext
authentication attempts at a time,
such as mail or Web servers. The
LogonUser function does not cache
credentials for this logon type.
Have you tried that?
You don't write any information about the version of products (.NET, Windows Server which you use) and the best answer on your question can depend on this. Moreover the best way for your solution depend on what you want to do with the users token after logon. Do you really want to use this token or you want only verify the user? So I try to answer most general on your question.
In general, error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED) means following (see http://support.microsoft.com/kb/155012/en):
A user has requested a type of logon,
such as interactive or network, that
was not granted. An administrator has
control over who may logon
interactively and through the network.
There are SE_BATCH_LOGON_NAME and SE_DENY_BATCH_LOGON_NAME (NTSecAPI.h) privileges which can be disabled/enabled in your case (see http://msdn.microsoft.com/en-us/library/bb545671%28VS.85%29.aspx for description). Use Process Explorer started with administrator rights (see http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to see which privileges has a process and which from there are enabled (see "Security" tab of a process). If your account used for the application pool don't have SE_BATCH_LOGON_NAME granted or this privilege is not enabled before call of LogonUser, you should add the corresponding code in your program.
By the way sometimes you don't really want to do much with an user account and want only verify a password. To do this you can use an old way with SSPI (see http://support.microsoft.com/kb/180548/en) which are used inside of LogonUser implementation. This way is the most smart and quick way to verify an user account which I know.
You can look at "The SSPI Workaround" (see http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToGetATokenForAUser.html) for more information of usage SSPI in .NET 2.0.
As we all know,we can use such api as "LockWorkStation()" in "user32.dll" to lock windows.
But how to unlock it?
For example, if i run an app at first, I want the app to unlock windows by itself after 30 second.
How to do it? In another word, if auto-logging in, windows will read the username and password from regedit and then use an api to login by those.
Now i need the api. It must exist, but it seems not to make public.
I can get the app the username and password of the windows.
It seems that there is some Api in WBF.But you know,the resource is too less.
I don't want to send keyboard message to solve the problem,for it is the worst method.
Promoting my comment because it needs more explanation:
You really want to write a GINA (for XP) or a Credential Provider for Windows Vista and beyond.
Fundamentally the Windows authentication model is based on the user providing evidence (identification) that they're authorized to access the computer (either by their credentials or biometric data or smartcard or other information). Once you've been authorized to log onto the computer, Windows allows you access.
When the workstation is locked (for whatever reason - screen saver, user typing in Win-L) the user needs to be re-authenticated.
Typically that's sufficient - the authorization is good for a period of time (determined by the administrator). If (for policy reasons) you need a finer grained control model, you could use your "LockWorkstation" idea to force the user to re-authenticate themselves. You need to be VERY careful about false positives (nothing pisses off users more than being told they're not allowed to use their computer simply because they removed their glasses or combed their hair differently) and how much drain on system resources your app causes.
When the workstation is locked the only way to unlock it is by the user logging in (pressing Alt+Ctrl+Del and entering correct password). This is a security feature that you cannot circumvent using an application API.
Let's say we have an application that has a number of features and each feature as a permission set of users that are allowed to use that feature. The application is designed to be always-on, but at different times during the day we want different users to log on and use it.
Rather than reinvent the wheel and create yet another user account and password system, we'd like to use built-in Windows user accounts (for authentication) and Windows groups (for feature access).
Is it possible to leave the application running but have different users come along and log in and log out of the application without logging out of the Windows session?
There is a mechanism called Impersonation (link points to .NET documentation, but the core Windows APIs provide similar features). It allows you to programmatically run code in a context of a different user than the one currently being logged in. There are, however, other security implications to the model you describe. In particular: how do you protect the rest of the workstation your program is running on?
Well, you could certainly have the application get the user's windows credentials. You could also simply query for group membership without requesting any credentials. More specific information will help with a more specific answer. For instance, what language are you working in?