|
|
//****************************************************************************/
// winsta.c
//
// TermSrv session and session stack related code.
//
// Copyright (C) 1997-2000 Microsoft Corporation
/****************************************************************************/
#include "precomp.h"
#pragma hdrstop
#include "icaevent.h"
#include "tsappcmp.h" // for TermsrvAppInstallMode
#include <msaudite.h>
#include "sessdir.h"
#include <allproc.h>
#include <userenv.h>
#include <winsock2.h>
#include "conntfy.h"
#include "tsremdsk.h"
#include <ws2tcpip.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include "tssec.h"
//
// Autoreconnect security headers
//
#include <md5.h>
#include <hmac.h>
// performance flags
#include "tsperf.h"
// DoS attack Filters
#include "filters.h"
#ifndef MAX_WORD
#define MAX_WORD 0xffff
#endif
//
// SIGN_BYPASS_OPTION #define should be removed before WIN64 SHIPS!!!!!
//
#ifdef _WIN64
#define SIGN_BYPASS_OPTION
#endif
/*
* Local defines */#define SETUP_REG_PATH L"\\Registry\\Machine\\System\\Setup"
#define REG_WINDOWS_KEY TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion")
#define MAXIMUM_WAIT_WINSTATIONS ((MAXIMUM_WAIT_OBJECTS >> 1) - 1)
#define MAX_STRING_BYTES 512
#define MAX_ALLOWED_PASSWORD_LEN 126
BOOL gbFirtsConnectionThread = TRUE;WINSTATIONCONFIG2 gConsoleConfig;WCHAR g_DigProductId[CLIENT_PRODUCT_ID_LENGTH];
RECONNECT_INFO ConsoleReconnectInfo;
ULONG gLogoffTimeout = 90; /*90 seconds default value for logoff timeout*/
/*
* Globals to support load balancing. Since this is queried frequently we can't * afford to lock the winstation list and count them up. Note that they are * modified only when we have the WinStationListLock to avoid mutual exclusion * issues. */ULONG WinStationTotalCount = 0;ULONG WinStationDiscCount = 0;LOAD_BALANCING_METRICS gLB;BOOL g_fGetLocalIP = FALSE;
/*
* External procedures defined */
VOID StartAllWinStations(HKEY);NTSTATUS QueueWinStationCreate( PWINSTATIONNAME );NTSTATUS WinStationCreateWorker(PWINSTATIONNAME pWinStationName, PULONG pLogonId, BOOLEAN fStartWinStation );VOID WinStationTerminate( PWINSTATION );VOID WinStationDeleteWorker( PWINSTATION );NTSTATUS WinStationDoDisconnect( PWINSTATION, PRECONNECT_INFO, BOOLEAN );NTSTATUS WinStationDoReconnect( PWINSTATION, PRECONNECT_INFO );BOOL CopyReconnectInfo(PWINSTATION, PRECONNECT_INFO);VOID CleanupReconnect( PRECONNECT_INFO );NTSTATUS WinStationExceptionFilter( PWSTR, PEXCEPTION_POINTERS );NTSTATUS IcaWinStationNameFromLogonId( ULONG, PWINSTATIONNAME );VOID WriteErrorLogEntry( IN NTSTATUS NtStatusCode, IN PVOID pRawData, IN ULONG RawDataLength );
NTSTATUS CheckIdleWinstation(VOID);BOOL IsKernelDebuggerAttached();
/*
* Internal procedures defined */NTSTATUS WinStationTerminateThread( PVOID );NTSTATUS WinStationIdleControlThread( PVOID );NTSTATUS WinStationConnectThread( ULONG );NTSTATUS WinStationTransferThread( PVOID );NTSTATUS ConnectSmWinStationApiPort( VOID );NTSTATUS IcaRegWinStationEnumerate( PULONG, PWINSTATIONNAME, PULONG );NTSTATUS WinStationStart( PWINSTATION );NTSTATUS StartWinStationDeviceAndStack(PWINSTATION pWinStation);NTSTATUS WinStationCreateComplete(PWINSTATION pWinStation);BOOL WinStationTerminateProcesses( PWINSTATION, ULONG *pNumTerminated );VOID WinStationDeleteProc( PREFLOCK );VOID WinStationZombieProc( PREFLOCK );NTSTATUS SetRefLockDeleteProc( PREFLOCK, PREFLOCKDELETEPROCEDURE );
VOID WsxBrokenConnection( PWINSTATION );NTSTATUS TerminateProcessAndWait( HANDLE, HANDLE, ULONG );VOID ResetAutoReconnectInfo( PWINSTATION );ULONG WinStationShutdownReset( PVOID );ULONG WinStationLogoff( PVOID );NTSTATUS DoForWinStationGroup( PULONG, ULONG, LPTHREAD_START_ROUTINE );NTSTATUS LogoffWinStation( PWINSTATION, ULONG );PWINSTATION FindIdleWinStation( VOID );
ULONG CountWinStationType( PWINSTATIONNAME pListenName, BOOLEAN bActiveOnly, BOOLEAN bLockHeld);
NTSTATUS_CloseEndpoint( IN PWINSTATIONCONFIG2 pWinStationConfig, IN PVOID pEndpoint, IN ULONG EndpointLength, IN PWINSTATION pWinStation, IN BOOLEAN bNeedStack );
NTSTATUS _VerifyStackModules(PWINSTATION);
NTSTATUS _ImpersonateClient(HANDLE, HANDLE *);
WinstationRegUnLoadKey(HKEY hKey, LPWSTR lpSubKey);
ULONG WinstationCountUserSessions(PSID, ULONG);
BOOLEAN WinStationCheckConsoleSession(VOID);
NTSTATUSWinStationWinerrorToNtStatus(ULONG ulWinError);
VOIDWinStationSetMaxOustandingConnections();
VOID ReadDoSParametersFromRegistry( HKEY hKeyTermSrv );
NTSTATUS GetProductIdFromRegistry( WCHAR* DigProductId, DWORD dwSize );
/*
* External procedures used */NTSTATUS WinStationInitRPC( VOID );NTSTATUS WinStationInitLPC( VOID );RPC_STATUS RegisterRPCInterface( BOOL bReregister );NTSTATUS WinStationStopAllShadows( PWINSTATION );VOID NotifySystemEvent( ULONG );NTSTATUS SendWinStationCommand( PWINSTATION, PWINSTATION_APIMSG, ULONG );NTSTATUS RpcCheckClientAccess( PWINSTATION, ACCESS_MASK, BOOLEAN );NTSTATUS WinStationSecurityInit( VOID );VOID DisconnectTimeout( ULONG LogonId );PWSEXTENSION FindWinStationExtensionDll( PWSTR, ULONG );
PSECURITY_DESCRIPTORWinStationGetSecurityDescriptor( PWINSTATION pWinStation );
VOIDWinStationFreeSecurityDescriptor( PWINSTATION pWinStation );
NTSTATUSWinStationInheritSecurityDescriptor( PVOID pSecurityDescriptor, PWINSTATION pTargetWinStation );
NTSTATUSReadWinStationSecurityDescriptor( PWINSTATION pWinStation );
NTSTATUSWinStationKeepAlive();
NTSTATUSWinStationReadRegistryWorker();
voidPostErrorValueEvent( unsigned EventCode, DWORD ErrVal);
BOOLFilter_AddOutstandingConnection( IN HANDLE pContext, IN PVOID pEndpoint, IN ULONG EndpointLength, OUT PBYTE pin_addr, OUT PUINT puAddrSize, OUT BOOLEAN *pbBlocked );
BOOLFilter_RemoveOutstandingConnection( IN PBYTE pin_addr, IN UINT uAddrSize );
RTL_GENERIC_COMPARE_RESULTSNTAPIFilter_CompareConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance );
RTL_GENERIC_COMPARE_RESULTSNTAPIFilter_CompareFailedConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance );
PVOIDFilter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize );
PVOIDFilter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize );
VOIDFilter_FreeConnectionEntry ( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID Buffer );
BOOLFindFirstListeningWinStationName( PWINSTATIONNAMEW pListenName, PWINSTATIONCONFIG2 pConfig );
typedef struct _TRANSFER_INFO { ULONG LogonId; PVOID pEndpoint; ULONG EndpointLength;} TRANSFER_INFO, *PTRANSFER_INFO;
VOID AuditEvent( PWINSTATION pWinstation, ULONG EventId );VOID AuditShutdownEvent(VOID);
NTSTATUSIsZeroterminateStringW( PWCHAR pwString, DWORD dwLength );
//
//From regapi.dll
//
BOOLEAN RegIsTimeZoneRedirectionEnabled();
/*
* Local variables */RTL_CRITICAL_SECTION WinStationListLock;RTL_CRITICAL_SECTION WinStationListenersLock;RTL_CRITICAL_SECTION WinStationStartCsrLock;RTL_CRITICAL_SECTION TimerCritSec;RTL_CRITICAL_SECTION WinStationZombieLock;RTL_CRITICAL_SECTION UserProfileLock;RTL_CRITICAL_SECTION ConsoleLock;RTL_RESOURCE WinStationSecurityLock;
// This synchronization counter prevents WinStationIdleControlThread from
// Trying to create a console session when there is not one. There are two
// Situations where we do no want it to create such session:
// - At initialization time before we create session Zero which is the initial
// console session.
// - During reconnect in the window were we just disconnected the console session
// (so there is no console session) but we know we are we going to reconnect
// an other session to the console.
ULONG gConsoleCreationDisable = 1;
LIST_ENTRY WinStationListHead; // protected by WinStationListLock
LIST_ENTRY SystemEventHead; // protected by WinStationListLock
LIST_ENTRY ZombieListHead;ULONG LogonId;LARGE_INTEGER TimeoutZero;HANDLE WinStationEvent = NULL;HANDLE WinStationIdleControlEvent = NULL;HANDLE ConsoleLogoffEvent = NULL;HANDLE g_hMachineGPEvent=NULL;static HANDLE WinStationApiPort = NULL;BOOLEAN StopOnDown = FALSE;HANDLE hTrace = NULL;//BOOLEAN ShutdownTerminateNoWait = FALSE;
ULONG ShutDownFromSessionID = 0;
// IdleWinStationPoolCount made 0 -- change necessiated by DoS attack prevention logic added to TS
ULONG IdleWinStationPoolCount = 0;
ULONG_PTR gMinPerSessionPageCommitMB = 20;#define REG_MIN_PERSESSION_PAGECOMMIT L"MinPerSessionPageCommit"
PVOID glpAddress;
ULONG_PTR gMinPerSessionPageCommit;
typedef struct _TS_OUTSTANDINGCONNECTION { ULONGLONG blockUntilTime; ULONG NumOutStandingConnect; UINT uAddrSize; BYTE addr[16]; struct _TS_OUTSTANDINGCONNECTION *pNext;} TS_OUTSTANDINGCONNECTION, *PTS_OUTSTANDINGCONNECTION;
PTS_OUTSTANDINGCONNECTION g_pBlockedConnections = NULL;
// Table used to keep track of Outstanding connections (DoS)
RTL_GENERIC_TABLE gOutStandingConnections;
RTL_CRITICAL_SECTION FilterLock;ULONG MaxOutStandingConnect;ULONG NumOutStandingConnect;ULONG MaxSingleOutStandingConnect; // maximum number of outstanding connections from a single IP
ULONG DelayConnectionTime = 30*1000;
//
// DoS
// If a bad IP (attacker) has 'MaxFailedConnect' # of failed Pre Auth in 'TimeLimitForFailedConnections' ms, block the IP for 'DoSBlockTime' ms
//
ULONG MaxFailedConnect; // max number of PreAuth failed connections from a single IP
ULONG DoSBlockTime; // Block IP for this much time, if they fail PreAuth simulate 5 mins block for now
ULONG TimeLimitForFailedConnections; ULONG CleanupTimeout; // Timeout to fire a routine to cleanup our Bad IP addr table for DoS
SYSTEMTIME LastLoggedDelayConnection;ULONGLONG LastLoggedBlockedConnection = 0;BOOLEAN gbNeverLoggedDelayConnection = TRUE;
HANDLE hConnectEvent;
BOOLEAN gbWinSockInitialized = FALSE;
/*
* Global data */extern BOOL g_fAppCompat;extern BOOL g_SafeBootWithNetwork;
RTL_CRITICAL_SECTION g_AuthzCritSection;
extern HANDLE gReadyEventHandle;
extern BOOLEAN RegDenyTSConnectionsPolicy();//extern BOOLEAN IsPreAuthEnabled(POLICY_TS_MACHINE *p );
extern DWORD WaitForTSConnectionsPolicyChanges( BOOLEAN bWaitForAccept, HANDLE hEvent );extern void InitializeConsoleClientData( PWINSTATIONCLIENTW pWC );
// defines in REGAPI
extern BOOLEAN RegGetMachinePolicyEx( BOOLEAN forcePolicyRead, FILETIME *pTime , PPOLICY_TS_MACHINE pPolicy );
extern BOOLEAN RegIsMachineInHelpMode();
// Global TermSrv counter values
DWORD g_TermSrvTotalSessions;DWORD g_TermSrvDiscSessions;DWORD g_TermSrvReconSessions;
DWORD g_TermSrvSuccTotalLogons;DWORD g_TermSrvSuccRemoteLogons;DWORD g_TermSrvSuccLocalLogons;DWORD g_TermSrvSuccSession0Logons;
// Global system SID
PSID gSystemSid = NULL;PSID gAdminSid = NULL;PSID gAnonymousSid = NULL;
BOOLEAN g_fDenyTSConnectionsPolicy = 0;
POLICY_TS_MACHINE g_MachinePolicy;
/****************************************************************************/// IsEmbedded
//
// Service-load-time initialization.
/****************************************************************************/BOOL IsEmbedded(){ static int fResult = -1; if(fResult == -1) { OSVERSIONINFOEX ovix; BOOL b; fResult = 0;
ovix.dwOSVersionInfoSize = sizeof(ovix); b = GetVersionEx((LPOSVERSIONINFO) &ovix); ASSERT(b); if(b && (ovix.wSuiteMask & VER_SUITE_EMBEDDEDNT)) { fResult = 1; } } return (fResult == 1);}
/****************************************************************************/// InitTermSrv
//
// Service-load-time initialization.
/****************************************************************************/NTSTATUS InitTermSrv(HKEY hKeyTermSrv){ NTSTATUS Status; DWORD dwLen; DWORD dwType; ULONG szBuffer[MAX_PATH/sizeof(ULONG)]; FILETIME policyTime; WSADATA wsaData;
#define MAX_DEFAULT_CONNECTIONS 50
#define MAX_CONNECT_LOW_THRESHOLD 5
#define MAX_SINGLE_CONNECT_THRESHOLD_DIFF 5
#define MAX_DEFAULT_CONNECTIONS_PRO 3
#define MAX_DEFAULT_SINGLE_CONNECTIONS_PRO 2
ASSERT(hKeyTermSrv != NULL);
g_TermSrvTotalSessions = 0; g_TermSrvDiscSessions = 0; g_TermSrvReconSessions = 0;
g_TermSrvSuccTotalLogons = 0; g_TermSrvSuccRemoteLogons = 0; g_TermSrvSuccLocalLogons = 0; g_TermSrvSuccSession0Logons = 0;
// Set default value for maximum simultaneous connection attempts
WinStationSetMaxOustandingConnections();
NumOutStandingConnect = 0; hConnectEvent = NULL;
ShutdownInProgress = FALSE; //ShutdownTerminateNoWait = FALSE;
ShutDownFromSessionID = 0;
// don't bother saving the policy time, the thread that waits for policy update will save it's own copy at the
// cost of running the 1st time around. Alternatively, I need to use another global var for the policy update value.
RegGetMachinePolicyEx( TRUE, &policyTime, &g_MachinePolicy ); // see if keep alive is required, then IOCTL it to TermDD
WinStationKeepAlive();
Status = RtlInitializeCriticalSection( &FilterLock ); ASSERT( NT_SUCCESS( Status )); if (!NT_SUCCESS(Status)) { goto badFilterLock; }
// Table to keep track of OutStanding Sessions
RtlInitializeGenericTable( &gOutStandingConnections, Filter_CompareConnectionEntry, Filter_AllocateConnectionEntry, Filter_FreeConnectionEntry, NULL );
//
// Following code is for PreAuthenticating client + DoS attack - commented out for now
//
#if 0
// Lock to serialize access to list of sessions which failed PreAuthentication (DoS attack)
Status = RtlInitializeCriticalSection( &DoSLock ); if (!NT_SUCCESS(Status)) { goto badFilterLock; } // Table to keep track of sessions which failed PreAuthentication
RtlInitializeGenericTable( &gFailedConnections, Filter_CompareFailedConnectionEntry, Filter_AllocateConnectionEntry, Filter_FreeConnectionEntry, NULL );
#endif
Status = RtlInitializeCriticalSection( &ConsoleLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badConsoleLock; }
Status = RtlInitializeCriticalSection( &UserProfileLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badUserProfileLock; }
Status = RtlInitializeCriticalSection( &WinStationListLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinstationListLock; }
if (gbListenerOff) { Status = RtlInitializeCriticalSection( &WinStationListenersLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinStationListenersLock; } }
Status = RtlInitializeCriticalSection( &WinStationZombieLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinStationZombieLock; }
Status = RtlInitializeCriticalSection( &TimerCritSec ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badTimerCritsec; }
Status = RtlInitializeCriticalSection( &g_AuthzCritSection ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badAuthzCritSection; }
InitializeListHead( &WinStationListHead ); InitializeListHead( &SystemEventHead ); InitializeListHead( &ZombieListHead );
Status = InitializeConsoleNotification (); if (!NT_SUCCESS(Status)) { goto badinitStartCsrLock; }
Status = RtlInitializeCriticalSection( &WinStationStartCsrLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badinitStartCsrLock; }
Status = LCInitialize( g_bPersonalTS ? LC_INIT_LIMITED : LC_INIT_ALL, g_fAppCompat );
if (!NT_SUCCESS(Status)) { goto badLcInit; }
//
// Listener winstations always get LogonId above 65536 and are
// assigned by Terminal Server. LogonId's for sessions are
// generated by mm in the range 0-65535
//
LogonId = MAX_WORD + 1;
TimeoutZero = RtlConvertLongToLargeInteger( 0 ); Status = NtCreateEvent( &WinStationEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE ); Status = NtCreateEvent( &WinStationIdleControlEvent, EVENT_ALL_ACCESS, NULL, SynchronizationEvent, FALSE ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badEvent; }
Status = NtCreateEvent( &ConsoleLogoffEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, TRUE ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badEvent; }
/*
* Initialize WinStation security */
RtlAcquireResourceExclusive(&WinStationSecurityLock, TRUE); Status = WinStationSecurityInit(); RtlReleaseResource(&WinStationSecurityLock); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badInitSecurity; }
Status = WinStationInitLPC(); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badInitLPC; }
//
// Read the registry to determine if maximum outstanding connections
// policy is turned on and the value for it
//
//
// Get MaxOutstandingCon string value
//
dwLen = sizeof(MaxOutStandingConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_OUTSTD_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxOutStandingConnect = *(PULONG)szBuffer; } }
dwLen = sizeof(MaxSingleOutStandingConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_SINGLE_OUTSTD_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxSingleOutStandingConnect = *(PULONG)szBuffer; } }
//ReadDoSParametersFromRegistry(hKeyTermSrv);
dwLen = sizeof(gLogoffTimeout); if (RegQueryValueEx(hKeyTermSrv, LOGOFF_TIMEOUT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { gLogoffTimeout = *(PULONG)szBuffer; }
//
// Read the logoff timeout value. This timeout is used by termsrv to force terminate
// winlogon, if winlogon does not complete logoff after ExitWindows message was sent to him
//
//
// set max number of outstanding connection from single IP
//
if ( MaxOutStandingConnect < MAX_SINGLE_CONNECT_THRESHOLD_DIFF*5) { MaxSingleOutStandingConnect = MaxOutStandingConnect - 1; } else { MaxSingleOutStandingConnect = MaxOutStandingConnect - MAX_SINGLE_CONNECT_THRESHOLD_DIFF; }
//
// Create the connect Event
//
if (MaxOutStandingConnect != 0) { hConnectEvent = CreateEvent(NULL, TRUE, FALSE, NULL); if (hConnectEvent == NULL) { MaxOutStandingConnect = 0; } }
//
// Initialize winsock
//
// Ask for Winsock version 2.2.
if (WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) { gbWinSockInitialized = TRUE; }
//
// Initialize the Cleanup Timer used to cleanup the Bad IP addr for DoS attacks
// Just create the timer, do not start it now - it will be started when there is a entry in the table
// Not used now but may be turned on at a later state
// Status = IcaTimerCreate( 0, &hCleanupTimer );
return(Status);
/*
* Clean up on failure. Clean up is not implemented for * all cases of failure. However most of it will be done implicitly * by the exit from termsrv process. Failure at this point means anyway * there will be no multi-user feature. */
badInitLPC: // Cleanup code not implemented
badInitSecurity:badEvent: if (WinStationEvent != NULL) NtClose(WinStationEvent); if (WinStationIdleControlEvent != NULL) NtClose(WinStationIdleControlEvent); if (ConsoleLogoffEvent != NULL) NtClose(ConsoleLogoffEvent);badLcInit: RtlDeleteCriticalSection( &WinStationStartCsrLock );badinitStartCsrLock: RtlDeleteCriticalSection( &TimerCritSec );badTimerCritsec:badWinStationZombieLock: if (gbListenerOff) { RtlDeleteCriticalSection( &WinStationListenersLock ); }badWinStationListenersLock: RtlDeleteCriticalSection( &WinStationListLock );badWinstationListLock: RtlDeleteCriticalSection( &UserProfileLock );badUserProfileLock: RtlDeleteCriticalSection( &ConsoleLock );badAuthzCritSection: RtlDeleteCriticalSection( &g_AuthzCritSection );badConsoleLock: RtlDeleteCriticalSection( &FilterLock );badFilterLock: return Status;}
/*******************************************************************************
* * GroupPOlicyChangeStartSalem() * * This routine is called by timer to start Salem. * * Entry: * None, not using any input parameter, refer to WAITORTIMERCALLBACK * for function declaration. * ********************************************************************************/VOID CALLBACKGroupPOlicyChangeStartSalem( PVOID lParm, BOOLEAN TimerOrWait ){ // Policy might change during wait, check if policy still allow
// to get help from local machine, if so, startup Salem.
if( TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode() ) { TSStartupSalem(); }
return;}
/*******************************************************************************
* * GroupPolicyNotifyThread * Entry: * nothing * ********************************************************************************/DWORD GroupPolicyNotifyThread(DWORD notUsed ){ DWORD dwError; BOOL rc; HANDLE hEvent; BOOLEAN bWaitForAccept; BOOLEAN bSystemStartup;
HANDLE hStartupSalemTimer = NULL; HANDLE hStartupSalemTimerQueue = NULL; BOOL bTimerStatus;
static FILETIME timeOfLastPolicyRead = { 0 , 0 } ;
rc = RegisterGPNotification( g_hMachineGPEvent, TRUE);
if (rc) { hEvent = g_hMachineGPEvent; } else { // TS can still run with the default set of config data, besides
// if there were any machine group policy data, TS got them on the
// last reboot cycle.
//
hEvent = NULL; }
hStartupSalemTimerQueue = CreateTimerQueue(); if( NULL == hStartupSalemTimerQueue ) { // non-critical, we just can't startup Salem to punch firewall or
// ICS port.
DBGPRINT(("TERMSRV: Error %d in CreateTimerQueue\n", GetLastError())); }
//
// At the beginning the listeners are not started.
// So wait (or test) for the connections to be accepted.
//
bWaitForAccept = TRUE; bSystemStartup = TRUE;
//
// Query and set the global flag before entering any wait.
//
g_fDenyTSConnectionsPolicy = RegDenyTSConnectionsPolicy();
while (TRUE) {
dwError = WaitForTSConnectionsPolicyChanges( bWaitForAccept, hEvent );
if( hStartupSalemTimerQueue && (dwError == WAIT_OBJECT_0 || dwError == WAIT_OBJECT_0 + 1) ) { // refer to WaitForTSConnectionsPolicyChanges() for return code.
if( hStartupSalemTimer != NULL ) { // Delete the timer-queue timer and wait for callback to complete
DeleteTimerQueueTimer( hStartupSalemTimerQueue, hStartupSalemTimer, INVALID_HANDLE_VALUE ); hStartupSalemTimer = NULL; }
//
// Delay startup Salem, user might change mind or policy might change especially
// domain policy.
//
bTimerStatus = CreateTimerQueueTimer( &hStartupSalemTimer, hStartupSalemTimerQueue, GroupPOlicyChangeStartSalem, NULL, DELAY_STARTUP_SALEM_TIME, 0, WT_EXECUTEONLYONCE );
if( FALSE == bTimerStatus ) { // non-critical, we just can't startup Salem to punch firewall or
// ICS port.
DBGPRINT(("TERMSRV: Error %d in CreateTimerQueueTimer\n", GetLastError())); } }
//
// Both GP changes and reg changes can affect this one.
//
g_fDenyTSConnectionsPolicy = RegDenyTSConnectionsPolicy();
if (dwError == WAIT_OBJECT_0) {
//
// A change in the TS connections policy has occurred.
//
if (bWaitForAccept) {
// are the connections really accepted?
if (!(g_fDenyTSConnectionsPolicy && !(TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode()))) {
// Start the listeners.
if ( bSystemStartup ) { // the first time, start all listeners
StartStopListeners(NULL, TRUE); } else { // after the first time, use this function to start
// listeners only as needed.
WinStationReadRegistryWorker(); }
// Switch to a wait for denied connections.
bWaitForAccept = FALSE;
bSystemStartup = FALSE; }
} else {
// are the connections really denied?
if (g_fDenyTSConnectionsPolicy && !(TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode())) { // Stop the listeners.
StartStopListeners(NULL, FALSE);
// Switch to a wait for accepted connections.
bWaitForAccept = TRUE; }
}
} else if (dwError == WAIT_OBJECT_0 + 1) {
//
// We got notified that the GP has changed.
//
if ( RegGetMachinePolicyEx( FALSE, & timeOfLastPolicyRead, &g_MachinePolicy ) ) { // there has been a change, go ahead with the actual updates
WinStationReadRegistryWorker();
// Also update the session directory settings if on an app
// server.
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { UpdateSessionDirectory(0); }
RegisterRPCInterface( TRUE ); }
} else {
// should we not do something else?
Sleep( 5000 ); continue; }
}
if (rc) { UnregisterGPNotification(g_hMachineGPEvent); }
if( hStartupSalemTimerQueue ) { if( hStartupSalemTimer != NULL ) { // Delete the timer-queue timer and wait for callback to complete
DeleteTimerQueueTimer( hStartupSalemTimerQueue, hStartupSalemTimer, INVALID_HANDLE_VALUE ); }
DeleteTimerQueueEx( hStartupSalemTimerQueue, NULL ); }
return 0;}
/*******************************************************************************
* * StartAllWinStations * * Get list of configured WinStations from the registry, * start the Console, and then start all remaining WinStations. * * ENTRY: * nothing * * EXIT: * nothing * ******************************************************************************/
void StartAllWinStations(HKEY hKeyTermSrv){ OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING KeyPath; HANDLE KeyHandle; UNICODE_STRING ValueName;#define VALUE_BUFFER_SIZE (sizeof(KEY_VALUE_PARTIAL_INFORMATION) + 256 * sizeof(WCHAR))
CHAR ValueBuffer[VALUE_BUFFER_SIZE]; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo; ULONG ValueLength; DWORD ThreadId; NTSTATUS Status; DWORD ValueType; DWORD ValueSize;#define AUTOSTARTTIME 600000
ASSERT(hKeyTermSrv != NULL);
/*
* Initialize the number of idle winstations and gMinPerSessionPageCommitMB, * if this value is in the registry. */ ValueSize = sizeof(IdleWinStationPoolCount); Status = RegQueryValueEx(hKeyTermSrv, REG_CITRIX_IDLEWINSTATIONPOOLCOUNT, NULL, &ValueType, (LPBYTE) &ValueBuffer, &ValueSize ); if ( Status == ERROR_SUCCESS ) { IdleWinStationPoolCount = *(PULONG)ValueBuffer; }
// IdleWinStationPoolCount made 0 -- change necessiated by DoS attack prevention logic added to TS
// Also Idle WinStations are not very useful anymore because CSR and Winlogon is started much later than before
// So set it to Zero here, irrespective of what its value is in the Registry
IdleWinStationPoolCount = 0; //get the product id from registry for use in detecting shadow loop
GetProductIdFromRegistry( g_DigProductId, sizeof( g_DigProductId ) );
//Terminal Service needs to skip Memory check in Embedded images
//when the TS service starts
//bug #246972
if(!IsEmbedded()) { ValueSize = sizeof(gMinPerSessionPageCommitMB); Status = RegQueryValueEx(hKeyTermSrv, REG_MIN_PERSESSION_PAGECOMMIT, NULL, &ValueType, (LPBYTE) &ValueBuffer, &ValueSize ); if ( Status == ERROR_SUCCESS ) { gMinPerSessionPageCommitMB = *(PULONG)ValueBuffer; }
gMinPerSessionPageCommit = gMinPerSessionPageCommitMB * 1024 * 1024; Status = NtAllocateVirtualMemory( NtCurrentProcess(), &glpAddress, 0, &gMinPerSessionPageCommit, MEM_RESERVE, PAGE_READWRITE ); ASSERT( NT_SUCCESS( Status ) );
}
/*
* Open connection to our WinStationApiPort. This will be used to * queue requests to our API thread instead of doing them inline. */ Status = ConnectSmWinStationApiPort(); ASSERT( NT_SUCCESS( Status ) );
/*
* Create Console WinStation first */ Status = WinStationCreateWorker( L"Console", NULL, TRUE ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("INIT: Failed to create Console WinStation, status=0x%08x\n", Status)); } else { /*
* From now on,WinStationIdleControlThread can create console sessions if needed */ InterlockedDecrement(&gConsoleCreationDisable);
}
/*
* Open the Setup key and look for the valuename "SystemSetupInProgress". * If found and it has a value of TRUE (non-zero), then setup is in * progress and we skip starting WinStations other than the Console. */ RtlInitUnicodeString( &KeyPath, SETUP_REG_PATH ); InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, GENERIC_READ, &ObjectAttributes ); if ( NT_SUCCESS( Status ) ) { RtlInitUnicodeString( &ValueName, L"SystemSetupInProgress" ); KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer; Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, (PVOID)KeyValueInfo, VALUE_BUFFER_SIZE, &ValueLength ); NtClose( KeyHandle ); if ( NT_SUCCESS( Status ) ) { ASSERT( ValueLength < VALUE_BUFFER_SIZE ); if ( KeyValueInfo->Type == REG_DWORD && KeyValueInfo->DataLength == sizeof(ULONG) && *(PULONG)(KeyValueInfo->Data) != 0 ) { return; } } }
/*
* Start a policy notfiy thread. * */ { HANDLE hGroupPolicyNotifyThread; DWORD dwID; g_hMachineGPEvent = CreateEvent (NULL, FALSE, FALSE, TEXT("TermSrv: machine GP event"));
if (g_hMachineGPEvent) { hGroupPolicyNotifyThread = CreateThread ( NULL, 0, (LPTHREAD_START_ROUTINE) GroupPolicyNotifyThread, 0, 0, &dwID); if ( hGroupPolicyNotifyThread ) { NtClose( hGroupPolicyNotifyThread ); } } }
/*
* If necessary, create the thread in charge of the regulation of the idle sessions */ { HANDLE hIdleControlThread = CreateThread( NULL, 0, // use Default stack size of the svchost process
(LPTHREAD_START_ROUTINE)WinStationIdleControlThread, NULL, THREAD_SET_INFORMATION, &ThreadId ); if (hIdleControlThread) { NtClose(hIdleControlThread); } }
/*
* Finally, create the terminate thread */ { HANDLE hTerminateThread = CreateThread( NULL, 0, // use Default stack size of the svchost process
(LPTHREAD_START_ROUTINE)WinStationTerminateThread, NULL, THREAD_SET_INFORMATION, &ThreadId ); if ( hTerminateThread ) NtClose( hTerminateThread ); }}
/*******************************************************************************
* * StartStopListeners * * Get list of configured WinStations from the registry, * and start the WinStations. * * ENTRY: * bStart * if TRUE start the listeners. * if FALSE stop the listeners if no connections related to them exist * anymore. However we do this only on PRO and PER as on a server we * don't mind keeping the listeners. * * EXIT: * nothing * ******************************************************************************/BOOL StartStopListeners(LPWSTR WinStationName, BOOLEAN bStart){ ULONG i; ULONG WinStationCount, ByteCount; PWINSTATIONNAME pBuffer; PWINSTATIONNAME pWinStationName; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status; BOOL bReturn = FALSE;
if (bStart) {
/*
* Get list of WinStations from registry */ pBuffer = NULL; WinStationCount = 0; Status = IcaRegWinStationEnumerate( &WinStationCount, NULL, &ByteCount ); if ( NT_SUCCESS(Status) ) { pBuffer = pWinStationName = MemAlloc( ByteCount ); WinStationCount = (ULONG) -1; if (pBuffer) { IcaRegWinStationEnumerate( &WinStationCount, pWinStationName, &ByteCount ); } }
/*
* Now create all remaining WinStations defined in registry * Note that every 4th WinStation we do the WinStationCreate inline * instead of queueing it. This is so we don't create an excess * number of API threads right off the bat. */ if ( pBuffer ) { for ( i = 0; i < WinStationCount; i++ ) {
if ( _wcsicmp( pWinStationName, L"Console" ) ) {
if ( i % 4 ) QueueWinStationCreate( pWinStationName ); else { // Don't queue more than 4 at a time
(void) WinStationCreateWorker( pWinStationName, NULL, TRUE ); } } (char *)pWinStationName += sizeof(WINSTATIONNAME); }
MemFree( pBuffer ); }
bReturn = TRUE;
} else {
if ( !gbListenerOff ) { return FALSE; }
ENTERCRIT( &WinStationListenersLock );
// Test if TS connections are denied or not in case we are called from a
// terminate or a disconnect.
if ( g_fDenyTSConnectionsPolicy && // Performance, we only want to check if policy enable help when connection is denied
(!TSIsMachineInHelpMode() || !TSIsMachinePolicyAllowHelp()) ) {
ULONG ulLogonId;
if( WinStationName ) {
// note that this function doesn't handle renamed listeners
WinStationCount = CountWinStationType( WinStationName, TRUE, FALSE );
if ( WinStationCount == 0 ) {
pWinStation = FindWinStationByName( WinStationName, FALSE );
if ( pWinStation ) {
ulLogonId = pWinStation->LogonId;
ReleaseWinStation( pWinStation );
// reset it and don't recreate it
WinStationResetWorker( ulLogonId, TRUE, FALSE, FALSE ); } }
} else {
// terminate all listeners
searchagain: Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
//
// Only check listening winstations
//
if ( (pWinStation->Flags & WSF_LISTEN) && !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) {
ulLogonId = pWinStation->LogonId;
// note that this function doesn't handle renamed listeners
WinStationCount = CountWinStationType( pWinStation->WinStationName, TRUE, TRUE );
if ( WinStationCount == 0 ) {
LEAVECRIT( &WinStationListLock );
// reset it and don't recreate it
WinStationResetWorker( ulLogonId, TRUE, FALSE, FALSE ); goto searchagain; }
} } LEAVECRIT( &WinStationListLock ); }
bReturn = TRUE;
} LEAVECRIT( &WinStationListenersLock );
}
return bReturn;}
/*******************************************************************************
* WinStationIdleControlThread * * This routine will control the number of idle sessions. ******************************************************************************/NTSTATUS WinStationIdleControlThread(PVOID Parameter){ ULONG i; NTSTATUS Status = STATUS_SUCCESS; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG IdleCount = 0; ULONG j; LARGE_INTEGER Timeout; PLARGE_INTEGER pTimeout; ULONG ulSleepDuration; ULONG ulRetries = 0;
ulSleepDuration = 60*1000; // 1 minute
pTimeout = NULL;
/*
* Now create the pool of idle WinStations waiting for a connection. * we need to wait for termsrv to be fully up, otherwise Winlogon will * fail its RPC call to termsrv (WaitForConnectWorker). */
if (gReadyEventHandle != NULL) { WaitForSingleObject(gReadyEventHandle, (DWORD)-1); }
for ( i = 0; i < IdleWinStationPoolCount; i++ ) { (void) WinStationCreateWorker( NULL, NULL, FALSE ); }
Timeout = RtlEnlargedIntegerMultiply( ulSleepDuration, -10000);
if (WinStationIdleControlEvent != NULL) { while (TRUE) {
Status = NtWaitForSingleObject(WinStationIdleControlEvent,FALSE, pTimeout);
if ( !NT_SUCCESS(Status) && (Status != STATUS_TIMEOUT)) { Sleep(1000); // don't eat too much CPU
continue; } pTimeout = &Timeout; /*
* See if we need to create a console session * If if we fail creating a console session, we'll set a timeout so that we will * retry . */ ENTERCRIT( &ConsoleLock );
if (gConsoleCreationDisable == 0) { if (WinStationCheckConsoleSession()) { pTimeout = NULL; } }
LEAVECRIT( &ConsoleLock );
/*
* Now count the number of IDLE WinStations and ensure there * are enough available. */ if (IdleWinStationPoolCount != 0) { ENTERCRIT( &WinStationListLock ); IdleCount = 0; Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->Flags & WSF_IDLE ) IdleCount++; } LEAVECRIT( &WinStationListLock );
for ( j = IdleCount; j < IdleWinStationPoolCount; j++ ) { WinStationCreateWorker( NULL, NULL, FALSE ); } } } } return STATUS_SUCCESS;}
#if _MSC_FULL_VER >= 13008827
#pragma warning(push)
#pragma warning(disable:4715) // Not all control paths return (due to infinite loop)
#endif
/*******************************************************************************
* WinStationTerminateThread * * This routine will wait for WinStation processes to terminate, * and will then reset the corresponding WinStation. ******************************************************************************/NTSTATUS WinStationTerminateThread(PVOID Parameter){ LONG ThreadIndex = (LONG)(INT_PTR)Parameter; LONG WinStationIndex; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; LONG EventCount; LONG EventIndex, i; int WaitCount; int HandleCount; int HandleArraySize = 0; PHANDLE pHandleArray = NULL; PULONG pIdArray = NULL; ULONG ThreadsNeeded; ULONG ThreadsRunning = 1; ULONG j; NTSTATUS Status; LARGE_INTEGER Timeout; PLARGE_INTEGER pTimeout; ULONG ulSleepDuration; HANDLE DupHandle;
/*
* We need some timer values for the diferent cases of failure in * the thread's loop: * - If we fail creating a new WinstationterminateThread, * then we will do a WaitFormulpipleObjects with a timer instead of a wait without * time out. This will give a new chance to create the thread when timout is over. * if we fail allocating a new buffer to extend handle array, we will wait a timeout * duration before we retry. */
ulSleepDuration = 3*60*1000; Timeout = RtlEnlargedIntegerMultiply( ulSleepDuration, -10000);
/*
* Loop forever waiting for WinStation processes to terminate */ for ( ; ; ) {
/*
* Determine number of WinStations */ pTimeout = NULL; WaitCount = 0; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) WaitCount++;
/*
* If there are more than the maximum number of objects that * can be specified to NtWaitForMultipleObjects, then determine * if we must start up additional thread(s). */ if ( WaitCount > MAXIMUM_WAIT_WINSTATIONS ) { ThreadsNeeded = (WaitCount + MAXIMUM_WAIT_WINSTATIONS - 1) / MAXIMUM_WAIT_WINSTATIONS; WaitCount = MAXIMUM_WAIT_WINSTATIONS; if ( ThreadIndex == 0 && ThreadsNeeded > ThreadsRunning ) { LEAVECRIT( &WinStationListLock ); for ( j = ThreadsRunning; j < ThreadsNeeded; j++ ) { DWORD ThreadId; HANDLE Handle;
Handle = CreateThread( NULL, 0, // use Default stack size of the svchost process
(LPTHREAD_START_ROUTINE) WinStationTerminateThread, ULongToPtr( j * MAXIMUM_WAIT_WINSTATIONS ), THREAD_SET_INFORMATION, &ThreadId ); if ( !Handle ) { pTimeout = &Timeout; break; }
// makarp: 182597 - close handle to the thread.
CloseHandle(Handle);
ThreadsRunning++; } ENTERCRIT( &WinStationListLock ); } }
/*
* If we need a larger handle array, then release the * WinStationList lock, allocate the new handle array, * and go start the loop again. */ HandleCount = (WaitCount << 1) + 1; ASSERT( HandleCount < MAXIMUM_WAIT_OBJECTS ); if ( HandleCount > HandleArraySize || HandleCount < HandleArraySize - 10 ) { LEAVECRIT( &WinStationListLock ); if ( pHandleArray ){ MemFree( pHandleArray ); }
pHandleArray = MemAlloc( HandleCount * sizeof(HANDLE) ); if ( pIdArray ) { MemFree( pIdArray ); }
pIdArray = MemAlloc( HandleCount * sizeof(ULONG) );
/* makarp: check for allocation failures #182597 */ if (!pIdArray || !pHandleArray) {
if (pIdArray) { MemFree(pIdArray); pIdArray = NULL; } if (pHandleArray){ MemFree(pHandleArray); pHandleArray = NULL; }
HandleArraySize = 0;
Sleep(ulSleepDuration); continue; }
HandleArraySize = HandleCount; continue; }
/*
* Build list of handles to wait on */ EventCount = 0; pIdArray[EventCount] = 0; pHandleArray[EventCount++] = WinStationEvent; WinStationIndex = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { if ( WinStationIndex++ < ThreadIndex ) continue; pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !pWinStation->LogonId ) // no waiting on console
continue; if ( pWinStation->Starting ) continue; if (pWinStation->Terminating) { continue; }
/*
* Do not use handles to subsystem and initial command. These handles may get closed in Winstation * Terminate routine and there is no easy way to synchronize this with Terminate routine using those * handles. So, duplicated those handles. * * NOTE: If the duplication of the handles fails below, the winstation remains unmonitored. */
// Duplicate the subsystem process handle.
DupHandle = NULL; if ( pWinStation->WindowsSubSysProcess ) { Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->WindowsSubSysProcess, NtCurrentProcess(), &DupHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(Status)) { pIdArray[EventCount] = pWinStation->LogonId; pHandleArray[EventCount++] = DupHandle; } }
// Duplicate the initial command process handle.
DupHandle = NULL; if ( pWinStation->InitialCommandProcess ) { Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->InitialCommandProcess, NtCurrentProcess(), &DupHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(Status)) { pIdArray[EventCount] = pWinStation->LogonId; pHandleArray[EventCount++] = DupHandle; } }
if ( WinStationIndex - ThreadIndex >= WaitCount ) break; }
/*
* Reset WinStationEvent and release the WinStationList lock */ NtResetEvent( WinStationEvent, NULL ); LEAVECRIT( &WinStationListLock );
/*
* Wait for WinStationEvent to trigger (meaning that the * WinStationList has changed), or for one of the existing * Win32 subsystems or initial commands to terminate. */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=%d)\n", EventCount ));
Status = NtWaitForMultipleObjects( EventCount, pHandleArray, WaitAny, FALSE, pTimeout );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateThread, WaitForMultipleObjects, rc=%x\n", Status ));
/*
* Cleanup the handles array immediately. Close the duplicated handles. Just make sure we are closing a valid handle. * Do not close the handle[0]. It's WinstationEvent handle. */ for ( i = 1; i < EventCount; i++) { if (pHandleArray[i]) { NtClose(pHandleArray[i]); pHandleArray[i] = NULL; } }
if ( !NT_SUCCESS(Status) || Status >= EventCount ) { //WinStationVerifyHandles();
continue; }
/*
* If WinStationEvent triggered, then just go recompute handle list */ if ( (EventIndex = Status) == STATUS_WAIT_0 ) continue;
/*
* Find the WinStation for the process that terminated and * mark it as terminating. This prevents us from waiting * on that WinStation's processes next time through the loop. * (NOTE: The 'Terminating' field is protected by the global * WinStationListLock instead of the WinStation mutex.) */ Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->LogonId == pIdArray[EventIndex] ) { pWinStation->Terminating = TRUE; break; } }
LEAVECRIT( &WinStationListLock );
/*
* Wake up the WinStationIdleControlThread */ NtSetEvent(WinStationIdleControlEvent, NULL);
/*
* If there are multiple terminate threads, cause the other * threads to wakeup in order to recompute their wait lists. */ NtSetEvent( WinStationEvent, NULL );
/*
* One of the initial command processes has terminated, * queue a request to reset the WinStation. */ QueueWinStationReset( pIdArray[EventIndex]); }
// make the compiler happy
return STATUS_SUCCESS;}#if _MSC_FULL_VER >= 13008827
#pragma warning(pop)
#endif
/*******************************************************************************
* InvalidateTerminateWaitList * * Wakes up WinStationTerminateThread to force it to reinitialize its * wait list. Used when we detect that the initial process was ntsd, * and we change the initial process to WinLogon. * * ENTRY: * The WinStationListLock must not be held. ******************************************************************************/VOID InvalidateTerminateWaitList(void){ ENTERCRIT( &WinStationListLock ); NtSetEvent( WinStationEvent, NULL ); LEAVECRIT( &WinStationListLock );}
/*******************************************************************************
* WinStationConnectThread * * This routine will wait for and process incoming connections * for a specified WinStation. ******************************************************************************/NTSTATUS WinStationConnectThread(ULONG Parameter){ typedef struct _TRANSFERTHREAD { LIST_ENTRY Entry; HANDLE hThread; } TRANSFERTHREAD, *PTRANSFERTHREAD;
LIST_ENTRY TransferThreadList; PTRANSFERTHREAD pTransferThread; PLIST_ENTRY Next;
PWINSTATION pListenWinStation; PVOID pEndpoint = NULL; ULONG EndpointLength; ULONG WinStationCount; ULONG TransferThreadCount; BOOLEAN rc; BOOLEAN bConnectSuccess = FALSE; BOOLEAN bTerminate = FALSE; NTSTATUS Status; SYSTEMTIME currentSystemTime;
#define MODULE_SIZE 1024
#define _WAIT_ERROR_LIMIT 10
ULONG WaitErrorLimit = _WAIT_ERROR_LIMIT; // # of consecutive errors allowed
/*
* Initialize list of transfer threads */ InitializeListHead( &TransferThreadList );
/*
* Find and lock the WinStation */ pListenWinStation = FindWinStationById( Parameter, FALSE ); if ( pListenWinStation == NULL ) { return( STATUS_ACCESS_DENIED ); }
/*
* Ensure only authorized Session Driver and Video Driver stack * modules will be loaded as a result of this connection thread. * * If any module fails verification, mark the WinStation in the * DOWN state and exit WITHOUT error. * * NOTE: * The silent exit is very much intentional so as not to aid in * a third party's attempt to circumvent this security measure. */
Status = _VerifyStackModules( pListenWinStation ); if ( Status != STATUS_SUCCESS ) { pListenWinStation->State = State_Down; ReleaseWinStation( pListenWinStation ); return( STATUS_SUCCESS ); }
/*
* Indicate we got this far successfully. */ pListenWinStation->CreateStatus = STATUS_SUCCESS;
/*
* Load the WinStation extension dll for this WinStation. * Note that we don't save the result in pListenWinStation->pWsx * since we don't want to make callouts to it for the * listen WinStation. */ (VOID) FindWinStationExtensionDll( pListenWinStation->Config.Wd.WsxDLL, pListenWinStation->Config.Wd.WdFlag );
/*
* Do not start accepting client connections before termsrv is totaly UP */ if (gReadyEventHandle != NULL) { WaitForSingleObject(gReadyEventHandle, (DWORD)-1); }
/*
* for perf reason termsrv startup is delayed. We the need to also delay * accepting connections so that if a console logon hapened before termsrv * was up, we get the delayed logon notification before we accept a * client connection. */
if (gbFirtsConnectionThread) { Sleep(5*1000); gbFirtsConnectionThread = FALSE; }
// Get the local IP address enabled for rdp for Session Directory Use
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && !g_fGetLocalIP) { ULONG LocalIPAddress, LocalIPAddressLength; struct sockaddr_in6 addr6;
Status = IcaStackQueryLocalAddress( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, (PVOID)&addr6, sizeof(addr6), &LocalIPAddressLength );
if( NT_SUCCESS(Status) ) { g_fGetLocalIP = TRUE; if( AF_INET == addr6.sin6_family ) { struct sockaddr_in* pAddr = (struct sockaddr_in *)&addr6;
LocalIPAddress = pAddr->sin_addr.s_addr; } else { // Support of IPV6 is for next release.
; } if (g_LocalIPAddress != LocalIPAddress) { g_LocalIPAddress = LocalIPAddress; UpdateSessionDirectory(0); } }
}
/*
* Loop waiting for connection requests and passing them off * to an idle WinStation. */ for ( ; ; ) {
/*
* Abort retries if this listener has been terminated */ if ( pListenWinStation->Terminating ) { break; }
/*
* Allocate an endpoint buffer */ pEndpoint = MemAlloc( MODULE_SIZE ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY;
// Sleep for 30 seconds and try again. Listener thread should not exit
// simply just in low memory condition
UnlockWinStation(pListenWinStation);
Sleep(30000);
if (!RelockWinStation(pListenWinStation)) break;
continue; }
/*
* Unlock listen WinStation while we wait for a connection */ UnlockWinStation( pListenWinStation );
/*
* Check if # outstanding connections reaches max value * If so, wait for the event when the connection # drops * below the max. There is a timeout value of 30 seconds * for the wait */ if (hConnectEvent != NULL) { if (NumOutStandingConnect > MaxOutStandingConnect) { DWORD rc;
// Event log we have exceeded max outstanding connections. but not more than
// once in a day.
GetSystemTime(¤tSystemTime); if ( currentSystemTime.wYear != LastLoggedDelayConnection.wYear || currentSystemTime.wMonth != LastLoggedDelayConnection.wMonth || currentSystemTime.wDay != LastLoggedDelayConnection.wDay || gbNeverLoggedDelayConnection ) { gbNeverLoggedDelayConnection = FALSE; LastLoggedDelayConnection = currentSystemTime; WriteErrorLogEntry(EVENT_TOO_MANY_CONNECTIONS, pListenWinStation->WinStationName, sizeof(pListenWinStation->WinStationName)); }
// manual reset the ConnectEvent before wait
ResetEvent(hConnectEvent); rc = WAIT_TIMEOUT;
// wait for Connect Event for 30 secs
while (rc == WAIT_TIMEOUT) { rc = WaitForSingleObject(hConnectEvent, DelayConnectionTime); if (NumOutStandingConnect <= MaxOutStandingConnect) { break; } if (rc == WAIT_TIMEOUT) { KdPrint(("TermSrv: Reached 30 secs timeout\n")); } else { KdPrint(("TermSrv: WaitForSingleObject return status=%x\n", rc)); } }
} }
/*
* Wait for connection */ Status = IcaStackConnectionWait( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, pEndpoint, MODULE_SIZE, &EndpointLength );
if ( Status == STATUS_BUFFER_TOO_SMALL ) { MemFree( pEndpoint ); pEndpoint = MemAlloc( EndpointLength ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY;
// Sleep for 30 seconds and try again. Listener thread should not exit
// simply just in low memory condition
Sleep(30000);
if (!RelockWinStation( pListenWinStation )) break;
continue;
}
Status = IcaStackConnectionWait( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, pEndpoint, EndpointLength, &EndpointLength ); }
/*
* If ConnectionWait was not successful, * check to see if the consecutive error limit has been reached. */ if ( !NT_SUCCESS( Status ) ) { MemFree( pEndpoint ); pEndpoint = NULL; if (Status == STATUS_SHARING_VIOLATION && _wcsicmp(pListenWinStation->Config.Pd[0].Create.PdName, L"tcp") == 0) { /*
* This status means that our port is opened by some other process. * Lets log an event about this. */ static BOOL bPortTakenEventlogged = FALSE; if (!bPortTakenEventlogged) { PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, WSAEADDRINUSE); bPortTakenEventlogged = TRUE; } }
/*
* If status is DEVICE_DOES_NOT_EXIST, then we want to wait before retrying * otherwise, this prioritary thread will take all the CPU trying 10 times * lo load the listener stack. Such an error takes time to be fixed (either * changing the NIC or going into tscc to have the NIC GUID table updated. */ if ((Status == STATUS_DEVICE_DOES_NOT_EXIST) || (!bConnectSuccess) || (Status == STATUS_INVALID_ADDRESS_COMPONENT) ) {
Sleep(30000); }
if ( WaitErrorLimit--) { if (!RelockWinStation( pListenWinStation )) break;
/*
* If we have had a successful connection, * then skip the stack close/reopen since this would * terminate any existing connections. */ if ( !bConnectSuccess ) { /*
* What we really need is a function to unload the * stack drivers but leave the stack handle open. */ Status = IcaStackClose( pListenWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pListenWinStation->hStack = NULL; Status = IcaStackOpen( pListenWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pListenWinStation, &pListenWinStation->hStack ); if ( !NT_SUCCESS( Status ) ) { pListenWinStation->State = State_Down; break; } }
continue; } else {
// Sleep for 30 seconds and try again. Listener thread should not exit
Sleep(30000);
if (!RelockWinStation( pListenWinStation )) break;
// Reset the error count
WaitErrorLimit = _WAIT_ERROR_LIMIT;
continue; }
} else { bConnectSuccess = TRUE; WaitErrorLimit = _WAIT_ERROR_LIMIT; }
/*
* Check for Shutdown and MaxInstance */ rc = RelockWinStation( pListenWinStation ); if ( !rc ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL; break; }
/*
* Reject all connections if a shutdown is in progress */ if ( ShutdownInProgress ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL;
continue; }
/*
* Reject all connections if user or the Group-Policy has disabled accepting connections */ if ( g_fDenyTSConnectionsPolicy ) {
//
// Performance, we only want to check if policy enable help when connection is denied
//
if( !TSIsMachineInHelpMode() || !TSIsMachinePolicyAllowHelp() ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL;
if ( gbListenerOff ) { //
// if there are no more connections associated
// to this listener, then terminate it.
//
// note that this function doesn't handle renamed listeners
WinStationCount = CountWinStationType( pListenWinStation->WinStationName, TRUE, FALSE );
if ( WinStationCount == 0 ) { bTerminate = TRUE; break; } }
Sleep( 5000 ); // sleep for 5 seconds, defense against
// denial of service attacks.
continue; } }
/*
* Check to see how many transfer threads we have active. * If more than the MaxInstance count, we won't start any more. */ TransferThreadCount = 0; Next = TransferThreadList.Flink; while ( Next != &TransferThreadList ) { pTransferThread = CONTAINING_RECORD( Next, TRANSFERTHREAD, Entry ); Next = Next->Flink;
/*
* If thread is still active, bump the thread count */ if ( WaitForSingleObject( pTransferThread->hThread, 0 ) != 0 ) { TransferThreadCount++;
/*
* Thread has exited, so close the thread handle and free memory */ } else { RemoveEntryList( &pTransferThread->Entry ); CloseHandle( pTransferThread->hThread ); MemFree( pTransferThread ); } }
/*
* If this is not a single-instance connection * and there is a MaxInstance count specified, * then check whether the MaxInstance limit will be exceeded. */ if ( !(pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST) && pListenWinStation->Config.Create.MaxInstanceCount != (ULONG)-1 ) { ULONG Count;
/*
* Count number of currently active WinStations */ WinStationCount = CountWinStationType( pListenWinStation->WinStationName, FALSE, FALSE );
/*
* Get larger of WinStation and TransferThread count */ Count = max( WinStationCount, TransferThreadCount );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Count %d\n", Count )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: MaxInstanceCount %d\n", pListenWinStation->Config.Create.MaxInstanceCount ));
if ( pListenWinStation->Config.Create.MaxInstanceCount <= Count ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL;
continue; } } UnlockWinStation( pListenWinStation );
/*
* Increment the counter of pending connections. */
InterlockedIncrement( &NumOutStandingConnect );
/*
* If this is a single instance connection, * then handle the transfer of the connection endpoint to * an idle WinStation directly. */ if ( pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST ) { Status = TransferConnectionToIdleWinStation( pListenWinStation, pEndpoint, EndpointLength, NULL ); pEndpoint = NULL;
/*
* If the transfer was successful, then for a single instance * connection, we must now exit the wait for connect loop. */ if ( NT_SUCCESS( Status ) ) { RelockWinStation( pListenWinStation ); break; } else { bConnectSuccess = FALSE; }
/*
* For non-single instance WinStations, let the worker thread * handle the connection handoff so this thread can go back * and listen for another connection immediately. */ } else { PTRANSFER_INFO pInfo; DWORD ThreadId; HANDLE hTransferThread; BOOLEAN bTransferThreadCreated = FALSE;
pInfo = MemAlloc( sizeof(*pInfo) ); pTransferThread = MemAlloc( sizeof(*pTransferThread) );
if (pInfo && pTransferThread) {
pInfo->LogonId = pListenWinStation->LogonId; pInfo->pEndpoint = pEndpoint; pInfo->EndpointLength = EndpointLength;
pTransferThread->hThread = CreateThread( NULL, 0, // use Default stack size of the svchost process
(LPTHREAD_START_ROUTINE)WinStationTransferThread, (PVOID)pInfo, 0, &ThreadId );
if ( pTransferThread->hThread ) { bTransferThreadCreated = TRUE; InsertTailList( &TransferThreadList, &pTransferThread->Entry ); }
}
if (!bTransferThreadCreated) { if (pInfo) { MemFree( pInfo ); }
if (pTransferThread) { MemFree( pTransferThread ); }
TransferConnectionToIdleWinStation( pListenWinStation, pEndpoint, EndpointLength, NULL ); }
pEndpoint = NULL; }
/*
* Relock the listen WinStation */ if (!RelockWinStation( pListenWinStation ) ) break;
} // for - wait for connection
/*
* Clean up the transfer thread list. * (There's no need to wait for them to exit.) */ Next = TransferThreadList.Flink; while ( Next != &TransferThreadList ) { pTransferThread = CONTAINING_RECORD( Next, TRANSFERTHREAD, Entry ); Next = Next->Flink; RemoveEntryList( &pTransferThread->Entry ); CloseHandle( pTransferThread->hThread ); MemFree( pTransferThread ); }
/*
* If after exiting the connect loop above, the WinStation is marked down, * then write the error status to the event log. */ if ( pListenWinStation->State == State_Down ) { ReleaseWinStation( pListenWinStation );
if ( Status != STATUS_CTX_CLOSE_PENDING ) { PostErrorValueEvent(EVENT_TS_LISTNER_WINSTATION_ISDOWN, Status); } } else { /*
* If not a single-instance transport release the WinStation; * otherwise, delete the listener WinStation. */ if (!(pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST) && !bTerminate) { ReleaseWinStation( pListenWinStation );
} else { /*
* Mark the listen winstation as being deleted. * If a reset/delete operation is already in progress * on this winstation, then don't proceed with the delete. */ if ( pListenWinStation->Flags & (WSF_RESET | WSF_DELETE) ) { ReleaseWinStation( pListenWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; } else { pListenWinStation->Flags |= WSF_DELETE;
/*
* Make sure this WinStation is ready to delete */ WinStationTerminate( pListenWinStation );
/*
* Call the WinStationDelete worker */ WinStationDeleteWorker( pListenWinStation ); } } }
return Status;}
/*******************************************************************************
* WinStationTransferThread ******************************************************************************/NTSTATUS WinStationTransferThread(PVOID Parameter){ PTRANSFER_INFO pInfo; PWINSTATION pListenWinStation; NTSTATUS Status;
/*
* Find and lock the listen WinStation * (We MUST do this so that it doesn't get deleted while * we are attempting to transfer the new connection.) */ pInfo = (PTRANSFER_INFO)Parameter; pListenWinStation = FindWinStationById( pInfo->LogonId, FALSE ); if ( pListenWinStation == NULL ) { MemFree( pInfo );
if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } }
return( STATUS_ACCESS_DENIED );
}
/*
* Unlock the listen WinStation but hold a reference to it. */ UnlockWinStation( pListenWinStation );
/*
* Transfer the connection to an idle WinStation */ Status = TransferConnectionToIdleWinStation( pListenWinStation, pInfo->pEndpoint, pInfo->EndpointLength, NULL );
/*
* Relock and release the listen WinStation */ RelockWinStation( pListenWinStation ); ReleaseWinStation( pListenWinStation );
MemFree(pInfo);
return Status;}
NTSTATUS TransferConnectionToIdleWinStation( PWINSTATION pListenWinStation, PVOID pEndpoint, ULONG EndpointLength, PICA_STACK_ADDRESS pStackAddress){ PWINSTATION pTargetWinStation = NULL; ULONG ReturnLength; BOOLEAN rc; BOOLEAN CreatedIdle = FALSE; BOOLEAN ConnectionAccepted = FALSE; NTSTATUS Status; ICA_TRACE Trace; LS_STATUS_CODE LlsStatus; NT_LS_DATA LsData;
BOOLEAN bBlockThis;
PWCHAR pListenName; PWINSTATIONCONFIG2 pConfig; BOOL bPolicyAllowHelp;
BYTE in_addr[16]; UINT uAddrSize, index; BOOL bSuccessAdded = FALSE; WINSTATIONNAME szDefaultConfigWinstationName; BOOL bCanCallout;
// error code we need to pass back to client
NTSTATUS StatusCallback = STATUS_SUCCESS;
// Flag to detemine if session is a RA login
BOOL bSessionIsHelpSession; BOOL bValidRAConnect; // Flag to determine if we can Queue the winstation for Reset - used in Error paths
BOOL bQueueForReset = FALSE; BOOL bBlocked = FALSE;
//
// Check AllowGetHelp policy is enabled and salem has pending help session
//
bPolicyAllowHelp = TSIsMachinePolicyAllowHelp() & TSIsMachineInHelpMode();
if( g_fDenyTSConnectionsPolicy && !bPolicyAllowHelp ) { //
// Close the connection if TS policy deny connection and
// help is disabled.
//
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Denying TS connection due to GP\n")); if ( pListenWinStation && pEndpoint ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree(pEndpoint); pEndpoint = NULL;
if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; }
//
// check for rejected connections
// This includes many pending Sessions as well as sessions failing PreAuthentication
//
if( pListenWinStation ) { uAddrSize = sizeof( in_addr );
bSuccessAdded = Filter_AddOutstandingConnection( pListenWinStation->hStack, pEndpoint, EndpointLength, in_addr, &uAddrSize, &bBlockThis );
//
// connection blocked, close and exit
//
if ( bBlockThis ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Excessive number of pending connections\n"));
if ( bSuccessAdded ) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL;
if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; }
// Look to see if this connection is to be blocked because of repeated Failure of PreAuthentication
// No PreAuthentication for now - this code will be needed later when we add PreAuthentication feature
#if 0
ENTERCRIT( &DoSLock ); bBlocked = Filter_CheckIfBlocked( in_addr, uAddrSize ) ; LEAVECRIT( &DoSLock ); if (bBlocked) {
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Excessive number of connections which failed PreAuthentication. \n")); if ( bSuccessAdded ) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
MemFree( pEndpoint ); pEndpoint = NULL; if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) {
if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; }
#endif
} else { // Make sure variable
bBlockThis = FALSE; bSuccessAdded = FALSE; }
//
//
/*
* Now find an idle WinStation to transfer this connection to. * If there is not one available, then we attempt to create one. * if this also fails, then we have no choice but to close * the connection endpoint and wait again. */ pTargetWinStation = FindIdleWinStation(); if ( pTargetWinStation == NULL ) { /*
* Create another idle WinStation but do not start it as yet */ Status = WinStationCreateWorker( NULL, NULL, FALSE ); if ( NT_SUCCESS( Status ) ) CreatedIdle = TRUE;
pTargetWinStation = FindIdleWinStation(); if ( pTargetWinStation == NULL ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Could not get an idle WinStation!\n")); goto releaseresources; } }
ASSERT( pTargetWinStation->Flags & WSF_IDLE ); ASSERT( pTargetWinStation->WinStationName[0] == UNICODE_NULL );
if ( pListenWinStation ) { pConfig = &(pListenWinStation->Config); pListenName = pListenWinStation->WinStationName; } else { //
// For Whistler, callback is only for Salem, we can pick
// configuration from any listening winstation as
// 1) All we need is HelpAssistant logon/shadow right, which
// is already in default.
// 2) No listening winstation, system is either no pending help
// or not allow to get help, so we need to bail out.
// 3) Additional check at the bottom to make sure login
// from callback is HelpAssistant only.
//
// If we going support this for the general case, we need
// to take a default configuration, make connection and issue
// a new IOCTL call into tdtcp.sys to determine NIC card/IP address
// that establish connection and from there, map to right winstation
// configuration.
//
// Setup initial callback configuration, this is only
// heruristic, we will reset the configuration after
// determine which NIC is used to connect to TS client
//
bCanCallout = FindFirstListeningWinStationName( szDefaultConfigWinstationName, &pTargetWinStation->Config );
if( FALSE == bCanCallout ) { // If no listening thread, connection is not active, don't allow
// callback
Status = STATUS_ACCESS_DENIED; // It's ok to go to releaseresources even if pConfig is not set
// because in this case pListenWinStation and pEndpoint are NULL.
goto releaseresources; } pListenName = szDefaultConfigWinstationName; pConfig = &(pTargetWinStation->Config); }
/*
* Check for MaxInstance */ if ( !(pConfig->Pd[0].Create.PdFlag & PD_SINGLE_INST) ) { ULONG Count;
Count = CountWinStationType( pListenName, FALSE, FALSE );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Count %d\n", Count )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: MaxInstanceCount %d\n", pConfig->Create.MaxInstanceCount));
if ( pConfig->Create.MaxInstanceCount <= Count ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Exceeded maximum instance count [%ld >= %ld]\n", Count, pConfig->Create.MaxInstanceCount)); goto releaseresources; } }
/*
* Copy the listen name to the target WinStation. * This is done to enable tracing on the new stack. * * Also, this is done BEFORE the connection accept so that if the * listen WinStation is reset before the accept completes, the * target WinStation will also be reset. */ RtlCopyMemory( pTargetWinStation->ListenName, pListenName, sizeof(pTargetWinStation->ListenName) );
/*
* Enable trace */ RtlZeroMemory( &Trace , sizeof( ICA_TRACE ) ); InitializeTrace( pTargetWinStation, FALSE, &Trace );
/*
* Hook extensions for this target */ pTargetWinStation->pWsx = FindWinStationExtensionDll( pConfig->Wd.WsxDLL, pConfig->Wd.WdFlag );
/*
* Initialize winstation extension context structure */ if (pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxWinStationInitialize) { Status = pTargetWinStation->pWsx->pWsxWinStationInitialize( &pTargetWinStation->pWsxContext); if (Status != STATUS_SUCCESS) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: WsxWinStationInitialize failed [%lx]\n", Status)); goto badconnect; } }
/*
* Terminate Listen stack of single-instance transports now, so that * the underlying CancelIo doesn't disturb the Accept stack. */ // this one can prevent from generalizing efficiently the transfer function
if (pListenWinStation && (pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST)) { IcaStackTerminate(pListenWinStation->hStack); }
/*
* Change state to ConnectQuery while we try to accept the connection */ pTargetWinStation->State = State_ConnectQuery; NotifySystemEvent(WEVENT_STATECHANGE);
/*
* Since the ConnectionAccept may take a while, we have to unlock * the target WinStation before the call. However, we set the * WSF_IDLEBUSY flag so that the WinStation does not appear idle. */ pTargetWinStation->Flags |= WSF_IDLEBUSY; UnlockWinStation( pTargetWinStation );
if ( !pListenWinStation && pStackAddress) {
// must have extension DLL loaded
if( !pTargetWinStation->pWsx || !pTargetWinStation->pWsx->pWsxIcaStackIoControl ) { Status = STATUS_UNSUCCESSFUL; goto badconnect; }
//
// Allocate an endpoint buffer
//
EndpointLength = MODULE_SIZE; pEndpoint = MemAlloc( MODULE_SIZE ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; goto badconnect; }
Status = IcaStackConnectionRequest( pTargetWinStation->hStack, pTargetWinStation->ListenName, pConfig, pStackAddress, pEndpoint, EndpointLength, &ReturnLength );
if ( Status == STATUS_BUFFER_TOO_SMALL ) { MemFree( pEndpoint ); pEndpoint = MemAlloc( ReturnLength ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; goto badconnect; } EndpointLength = ReturnLength;
Status = IcaStackConnectionRequest( pTargetWinStation->hStack, pTargetWinStation->ListenName, pConfig, pStackAddress, pEndpoint, EndpointLength, &ReturnLength ); }
if ( !NT_SUCCESS(Status) ) { // special error code to pass back to client
StatusCallback = Status; goto badconnect; }
}
/*
* Now accept the connection for the target WinStation * using the new endpoint. */ Status = IcaStackConnectionAccept(pTargetWinStation->hIca, pTargetWinStation->hStack, pListenName, pConfig, pEndpoint, EndpointLength, NULL, 0, &Trace);
ConnectionAccepted = (Status == STATUS_SUCCESS);
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: IcaStackConnectionAccept, Status=0x%x\n", Status));
if (NT_SUCCESS(Status)) { // In post-logon SD work, quering load balancing info has been moved
// to WinStationNotifyLogonWorker
// while this part of getting load balancing info is still here
// because we rely on it to connect to the console
TS_LOAD_BALANCE_INFO LBInfo; ULONG ReturnLength; // Get the client load balance capability info.
// Note we use _IcaStackIoControl() instead of IcaStackIoControl() or
// WsxIcaStackIoControl() since we still have the stack lock.
memset(&LBInfo, 0, sizeof(LBInfo)); Status = _IcaStackIoControl(pTargetWinStation->hStack, IOCTL_TS_STACK_QUERY_LOAD_BALANCE_INFO, NULL, 0, &LBInfo, sizeof(LBInfo), &ReturnLength);
// On non-success, we'll have FALSE for all of our entries, on
// success valid values. So, save off the cluster info into the
// WinStation struct now.
pTargetWinStation->bClientSupportsRedirection = LBInfo.bClientSupportsRedirection; pTargetWinStation->bRequestedSessionIDFieldValid = LBInfo.bRequestedSessionIDFieldValid; pTargetWinStation->bClientRequireServerAddr = LBInfo.bClientRequireServerAddr; pTargetWinStation->RequestedSessionID = LBInfo.RequestedSessionID;
/*
* Attempt to license the client. Failure is fatal, do not let the * connection continue. */
LCAssignPolicy(pTargetWinStation);
Status = LCProcessConnectionProtocol(pTargetWinStation);
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: LCProcessConnectionProtocol, LogonId=%d, Status=0x%x\n", pTargetWinStation->LogonId, Status));
// The stack was locked from successful IcaStackConnectionAccept(),
// unlock it now.
IcaStackUnlock(pTargetWinStation->hStack); }
/*
* Now relock the target WinStation */ rc = RelockWinStation(pTargetWinStation);
/*
* If the connection accept was not successful, * then we have no choice but to close the connection endpoint * and go back and wait for another connection. */ if (!NT_SUCCESS(Status) || !rc) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Connection attempt failed, Status [%lx], rc [%lx]\n", Status, rc)); goto badconnect; }
/*
* Initialize client data */ pTargetWinStation->Client.ClientSessionId = LOGONID_NONE; ZeroMemory( pTargetWinStation->Client.clientDigProductId, sizeof( pTargetWinStation->Client.clientDigProductId )); pTargetWinStation->Client.PerformanceFlags = TS_PERF_DISABLE_NOTHING;
// Reset the client ActiveInputLocale info
pTargetWinStation->Client.ActiveInputLocale = 0;
if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxIcaStackIoControl ) { (void) pTargetWinStation->pWsx->pWsxIcaStackIoControl( pTargetWinStation->pWsxContext, pTargetWinStation->hIca, pTargetWinStation->hStack, IOCTL_ICA_STACK_QUERY_CLIENT, NULL, 0, &pTargetWinStation->Client, sizeof(pTargetWinStation->Client), &ReturnLength ); }
//
// Clear helpassistant specific bits to indicate we still not sure
// login user is a help assistant
//
pTargetWinStation->StateFlags &= ~WSF_ST_HELPSESSION_FLAGS; bSessionIsHelpSession = TSIsSessionHelpSession( pTargetWinStation, &bValidRAConnect );
/*
* We have to start this new WinStation. * Before doing so, lets see if GP or WMI requires us to pre-authenticate this client connection * No Pre Auth if this is a RA Session */
// Note : g_PreAuthenticateClient is hard-coded to FALSE now -- we will call IsPreAuthEnabled later on when Preauth feature is included
// So the block below will not be entered for now
// g_PreAuthenticateClient = IsPreAuthEnabled( &g_MachinePolicy );
if ( (bSessionIsHelpSession == FALSE) && g_PreAuthenticateClient ) {
pExtendedClientCredentials pPreAuthenticationCredentials = NULL; ULONG BytesGot ;
pPreAuthenticationCredentials = MemAlloc( sizeof(ExtendedClientCredentials) ); if ( pPreAuthenticationCredentials == NULL ) { Status = STATUS_NO_MEMORY; goto badconnect; } RtlZeroMemory(pPreAuthenticationCredentials,sizeof(ExtendedClientCredentials));
// Try WsxEscape first to get long credentials
if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxEscape ) {
Status = pTargetWinStation->pWsx->pWsxEscape( pTargetWinStation->pWsxContext, GET_LONG_USERNAME, NULL, 0, pPreAuthenticationCredentials, sizeof(ExtendedClientCredentials), &BytesGot) ;
} else if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxIcaStackIoControl ) {
// We must never be here for RDP client as we support WsxEscape
RtlCopyMemory(pPreAuthenticationCredentials->Domain, pTargetWinStation->Client.Domain, sizeof(pTargetWinStation->Client.Domain)); RtlCopyMemory(pPreAuthenticationCredentials->UserName, pTargetWinStation->Client.UserName, sizeof(pTargetWinStation->Client.UserName)); RtlCopyMemory(pPreAuthenticationCredentials->Password, pTargetWinStation->Client.Password, sizeof(pTargetWinStation->Client.Password)); } if (!NT_SUCCESS(Status)) { // WsxEscape for GET_LONG_USERNAME failed
RtlSecureZeroMemory(pPreAuthenticationCredentials->Password, sizeof(pPreAuthenticationCredentials->Password)); MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; goto badconnect; } else { HANDLE hToken; BOOL Result;
// If the UserName is a UPN name, then explicitly set the Domain name to NULL
if ( wcschr(pPreAuthenticationCredentials->UserName, '@') != NULL ) { pPreAuthenticationCredentials->Domain[0] = L'\0'; }
// If the password is bigger than max allowed password len, make it NULL
if (wcslen(pPreAuthenticationCredentials->Password) > MAX_ALLOWED_PASSWORD_LEN) { pPreAuthenticationCredentials->Password[0] = L'\0'; }
Result = LogonUser( pPreAuthenticationCredentials->UserName, pPreAuthenticationCredentials->Domain, pPreAuthenticationCredentials->Password, LOGON32_LOGON_INTERACTIVE, // Logon Type
LOGON32_PROVIDER_WINNT50, // Logon Provider
&hToken // Token that represents the account
); RtlSecureZeroMemory(pPreAuthenticationCredentials->Password, sizeof(pPreAuthenticationCredentials->Password)); /*
* check for account restriction which indicates a blank password * on the account that is correct though - allow this thru on console */
if ( (!Result) && (GetLastError() == ERROR_ACCOUNT_RESTRICTION) ) { Result = TRUE; }
if( !Result) { BOOL bSuccessfulAdded = TRUE ;
if (g_BlackListPolicy) { bSuccessfulAdded = Filter_AddFailedConnection( in_addr, uAddrSize ); }
MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; goto badconnect; }
// LogonUser Successful !
/*
* Close the token handle since we only needed to determine * if the account and password is still valid. */ CloseHandle( hToken ); MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; }
} // if (bPreAuthenticateClient)
//Since we don't need the password anymore, clean it up
RtlSecureZeroMemory(pTargetWinStation->Client.Password, sizeof(pTargetWinStation->Client.Password));
// Start the WinStation now if its not already started
if ( (pTargetWinStation->InitialCommandProcess == NULL) && (pTargetWinStation->WindowsSubSysProcess == NULL) ) { Status = WinStationStart( pTargetWinStation ) ; if (Status != STATUS_SUCCESS) { // Starting the winstation failed - close connection endpoint and go and wait for another connection
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: TransferConnectionToIdleWinStation: WinstationStart Failed : Connection attempt failed, Status [%lx]\n",Status )); goto badconnect; }
Status = WinStationCreateComplete( pTargetWinStation) ; if (Status != STATUS_SUCCESS) { // WinstationCreateComplete failed - close connection endpoint and go and wait for another connection
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: TransferConnectionToIdleWinStation: WinstationCreateComplete Failed : Connection attempt failed, Status [%lx]\n",Status )); goto badconnect;
} }
ASSERT( pTargetWinStation->LogonId != -1 );
pTargetWinStation->Flags &= ~WSF_IDLEBUSY;
// From this point on, it is ok to Queue the WinStation for Reset in case of error
bQueueForReset = TRUE;
/*
* The connection accept was successful, save the * new endpoint in the target WinStation, copy the config * parameters to the target WinStation, and reset the WSF_IDLE flag. */ pTargetWinStation->pEndpoint = pEndpoint; pTargetWinStation->EndpointLength = EndpointLength; if ( pListenWinStation ) pTargetWinStation->Config = pListenWinStation->Config; pTargetWinStation->Flags &= ~WSF_IDLE;
/*
* Copy real name of Single-Instance transports */ if ( pConfig->Pd[0].Create.PdFlag & PD_SINGLE_INST ) { RtlCopyMemory( pTargetWinStation->WinStationName, pTargetWinStation->ListenName, sizeof(pTargetWinStation->WinStationName) ); /*
* Otherwise, build dynamic name from Listen name and target LogonId. */ } else { int CopyCount; WINSTATIONNAME TempName;
// swprintf( TempName, L"#%d", pTargetWinStation->LogonId );
ASSERT(pTargetWinStation->LogonId > 0 && pTargetWinStation->LogonId < 65536); swprintf( TempName, L"#%d", pTargetWinStation->SessionSerialNumber );
CopyCount = min( wcslen( pTargetWinStation->ListenName ), sizeof( pTargetWinStation->WinStationName ) / sizeof( pTargetWinStation->WinStationName[0] ) - wcslen( TempName ) - 1 ); wcsncpy( pTargetWinStation->WinStationName, pTargetWinStation->ListenName, CopyCount ); wcscpy( &pTargetWinStation->WinStationName[CopyCount], TempName ); }
/*
* Inherit the security descriptor from the listen WINSTATION to the * connected WINSTATION. */ if ( pListenWinStation ) { RtlAcquireResourceShared(&WinStationSecurityLock, TRUE); Status = WinStationInheritSecurityDescriptor( pListenWinStation->pSecurityDescriptor, pTargetWinStation ); RtlReleaseResource(&WinStationSecurityLock); if (Status != STATUS_SUCCESS) { // badconnect free pEndpoint, WinStationTerminate() will try to free this
// end point again causing double free.
pTargetWinStation->pEndpoint = NULL; goto badconnect; } } else { ReadWinStationSecurityDescriptor( pTargetWinStation ); } //
// For non-experience-aware clients give as close an experience
// as win2k.
//
if (pTargetWinStation->Client.PerformanceFlags & TS_PERF_DEFAULT_NONPERFCLIENT_SETTING) { pTargetWinStation->Client.PerformanceFlags = TS_PERF_DISABLE_MENUANIMATIONS | TS_PERF_DISABLE_THEMING | TS_PERF_DISABLE_CURSOR_SHADOW; }
if ( pTargetWinStation->Config.Config.User.fWallPaperDisabled ) { pTargetWinStation->Client.PerformanceFlags |= TS_PERF_DISABLE_WALLPAPER; }
if ( pTargetWinStation->Config.Config.User.fCursorBlinkDisabled ) { pTargetWinStation->Client.PerformanceFlags |= TS_PERF_DISABLE_CURSORSETTINGS; } //
// If TS policy denies connection, only way to comes to
// here is policy allow help, reject connection if logon
// user is not salem help assistant.
//
if( TRUE == bSessionIsHelpSession ) { //
// If invalid ticket or policy deny help, we immediately disconnect
//
if( FALSE == bValidRAConnect || FALSE == bPolicyAllowHelp ) { // Invalid ticket, disconnect immediately
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Invalid RA login\n")); goto invalid_ra_connection; } } else if( !pListenWinStation && pStackAddress ) { //
// Reverse Connect, parameter passed in pListenWinStation = NULL
// and pStackAddress is not NULL, for normal connection,
// pListenWinStation is not NULL but pStackAddress is NULL
//
//
// Handle non-RA Reverse connection, Whistler revert connection
// only allow RA login.
//
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Not/invalid Help Assistant logon\n")); goto invalid_ra_connection; }
//
// Connecting client must be either non-RA or valid RA connection.
//
//
// Handle Safeboot with networking and TS deny non-RA connection,
// safeboot with networking only allow RA connection.
//
// Disconnect client on following
//
// 1) Safeboot with networking if not RA connect.
// 2) Reverse connection if not RA connect.
// 3) TS not accepting connection via policy setting if not RA connect.
// 4) Not allowing help if RA connect.
// 5) Invalid RA connection if RA connect.
// 6) if Home edition and not RA commection
//
if( g_SafeBootWithNetwork || g_fDenyTSConnectionsPolicy || g_bPersonalWks) { if( FALSE == bSessionIsHelpSession ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Policy or safeboot denied connection\n"));
goto invalid_ra_connection; } }
//
// Only log Salem event for reverse connection
//
if( !pListenWinStation && pStackAddress ) { ASSERT( TRUE == bSessionIsHelpSession ); TSLogSalemReverseConnection(pTargetWinStation, pStackAddress); }
/*
* Set the connect event to wake up the target WinStation. */ if (pTargetWinStation->ConnectEvent != NULL) { NtSetEvent( pTargetWinStation->ConnectEvent, NULL ); }
/*
* Release target WinStation */
if( pListenWinStation ) {
if (bSuccessAdded) { // If we could add this IP address to the per IP list then remember it.
PREMEMBERED_CLIENT_ADDRESS pAddress; if ((uAddrSize != 0) && (pAddress = (PREMEMBERED_CLIENT_ADDRESS) MemAlloc( sizeof(REMEMBERED_CLIENT_ADDRESS) + uAddrSize -1 ))!= NULL ) { pAddress->length = uAddrSize; RtlCopyMemory( &pAddress->addr[0] , in_addr,uAddrSize ); pTargetWinStation->pRememberedAddress = pAddress;
// at this point we have a valid remote address. We'll cache this address.
pTargetWinStation->pLastClientAddress = ( PREMEMBERED_CLIENT_ADDRESS )MemAlloc( sizeof( REMEMBERED_CLIENT_ADDRESS ) + uAddrSize - 1 );
if( pTargetWinStation->pLastClientAddress != NULL ) { RtlCopyMemory( &pTargetWinStation->pLastClientAddress->addr[0] , &pTargetWinStation->pRememberedAddress->addr[0] , uAddrSize );
pTargetWinStation->pLastClientAddress->length = uAddrSize;
}
} else { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } }
} } else{ // We could not add this IP address to the pr IP list
if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } }
}
ReleaseWinStation( pTargetWinStation );
/*
* If necessary, create another idle WinStation to replace the one being connected */ NtSetEvent(WinStationIdleControlEvent, NULL);
return STATUS_SUCCESS;
/*=============================================================================
== Error returns=============================================================================*/ invalid_ra_connection:
// badconnect free pEndpoint, WinStationTerminate() will try to free this
// end point again causing double free.
pTargetWinStation->pEndpoint = NULL; StatusCallback = STATUS_CTX_WINSTATION_ACCESS_DENIED;
/*
* Error during ConnectionAccept */badconnect: /*
* Clear the Listen name */ if (pTargetWinStation) { RtlZeroMemory( pTargetWinStation->ListenName, sizeof(pTargetWinStation->ListenName) ); /*
* Call WinStation rundown function before killing the stack */ if (pTargetWinStation->pWsxContext) { if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxWinStationRundown ) { pTargetWinStation->pWsx->pWsxWinStationRundown( pTargetWinStation->pWsxContext ); } pTargetWinStation->pWsxContext = NULL; } pTargetWinStation->pWsx = NULL; }
/*
* Release system resources. This happens in two phases: * * a.) The connection endpoint - since endpoints are not reference counted * care must be taken to destroy the endpoint with the stack in which it * was loaded. In the event it was not loaded, we create a temporary * stack to do the dirty work. * * b.) The Winstation inself - if we had to create an idle winstation to * handle this connection, it is destroyed. Otherwise we just return * it back to the idle pool. * */releaseresources: /*
* If we created a target WinStation, then use its stack to close the * endpoint since the stack may have a reference to it. */ TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Closing Endpoint [0x%p], winsta = 0x%p, Accepted = %ld\n", pEndpoint, pTargetWinStation, ConnectionAccepted));
if ((pTargetWinStation != NULL) && (ConnectionAccepted)) { Status = _CloseEndpoint( pConfig, pEndpoint, EndpointLength, pTargetWinStation, FALSE ); // Use the stack which already has
// the endpoint loaded
}
/*
* Otherwise, we failed before we got the endpoint loaded so close the * endpoint using a temporary stack. */ else if ( pListenWinStation ) { // note that:
// 1. if pListenWinStation is NULL then pEndpoint is NULL, so nothing to close;
// 2. use the config of pListenWinStation in case pConfig is not set yet.
Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack
}
if ( pEndpoint ) MemFree( pEndpoint );
pEndpoint = NULL;
/*
* Return the winstation if we got that far in the protocol sequence */ if (pTargetWinStation != NULL) { /*
* If we created a WinStation above because there were no IDLE * WinStations available, then we will now have an extra IDLE * WinStation. In this case, reset the current IDLE WinStation. */ if ( CreatedIdle ) { // clear this so it doesn't get selected as idle when unlocked
pTargetWinStation->Flags &= ~WSF_IDLE; if ( bQueueForReset == TRUE ) { QueueWinStationReset( pTargetWinStation->LogonId ); ReleaseWinStation( pTargetWinStation ); } else { if ( !(pTargetWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { pTargetWinStation->Flags |= WSF_DELETE; WinStationTerminate( pTargetWinStation ); pTargetWinStation->State = State_Down; //PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status);
WinStationDeleteWorker(pTargetWinStation); } else { ReleaseWinStation(pTargetWinStation); } } } /*
* Else return this WinStation to the idle pool after cleaning up the * stack. */ else {
//
// The licensing context needs to be freed and recreated to
// ensure it is cleaned up properly.
//
LCDestroyContext(pTargetWinStation);
Status = LCCreateContext(pTargetWinStation);
if (NT_SUCCESS(Status)) { Status = IcaStackClose( pTargetWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pTargetWinStation->hStack = NULL; Status = IcaStackOpen( pTargetWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pTargetWinStation, &pTargetWinStation->hStack ); }
if (NT_SUCCESS(Status)) { pTargetWinStation->Flags |= WSF_IDLE; pTargetWinStation->Flags &= ~WSF_IDLEBUSY; RtlZeroMemory(pTargetWinStation->WinStationName, sizeof(pTargetWinStation->WinStationName)); pTargetWinStation->State = State_Idle; NotifySystemEvent( WEVENT_STATECHANGE ); ReleaseWinStation( pTargetWinStation ); } else { pTargetWinStation->Flags &= ~WSF_IDLE; QueueWinStationReset( pTargetWinStation->LogonId); ReleaseWinStation( pTargetWinStation ); } } }
if ( pListenWinStation ) {
if (bSuccessAdded) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } }
}
// If error is due to call back, return meaningful error
// code.
if( STATUS_SUCCESS != StatusCallback ) { return StatusCallback; }
return -1 /*STATUS_CTX_UNACCEPTED_CONNECTION*/;}
/*******************************************************************************
* ConnectSmWinStationApiPort * * Open a connection to the WinStationApiPort. This will be used * to queue requests to the Api Request thread instead of processing * them in line. ******************************************************************************/NTSTATUS ConnectSmWinStationApiPort(){ UNICODE_STRING PortName; SECURITY_QUALITY_OF_SERVICE DynamicQos; WINSTATIONAPI_CONNECT_INFO info; ULONG ConnectInfoLength; NTSTATUS Status;
/*
* Set up the security quality of service parameters to use over the * port. Use the most efficient (least overhead) - which is dynamic * rather than static tracking. */ DynamicQos.ImpersonationLevel = SecurityImpersonation; DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; DynamicQos.EffectiveOnly = TRUE;
RtlInitUnicodeString( &PortName, L"\\SmSsWinStationApiPort" );
// Fill in the ConnectInfo structure with our access request mask
info.Version = CITRIX_WINSTATIONAPI_VERSION; info.RequestedAccess = 0; ConnectInfoLength = sizeof(WINSTATIONAPI_CONNECT_INFO);
Status = NtConnectPort( &WinStationApiPort, &PortName, &DynamicQos, NULL, NULL, NULL, // Max message length [select default]
(PVOID)&info, &ConnectInfoLength );
if ( !NT_SUCCESS( Status ) ) { // Look at the returned INFO to see why if desired
if ( ConnectInfoLength == sizeof(WINSTATIONAPI_CONNECT_INFO) ) { DBGPRINT(( "TERMSRV: Sm connect failed, Reason 0x%x\n", info.AcceptStatus)); } DBGPRINT(( "TERMSRV: Connect to SM failed %lx\n", Status )); }
return Status;}
/*******************************************************************************
* QueueWinStationCreate * * Send a create message to the WinStationApiPort. * * ENTRY: * pWinStationName (input) * Pointer to WinStationName to be created ******************************************************************************/NTSTATUS QueueWinStationCreate(PWINSTATIONNAME pWinStationName){ WINSTATION_APIMSG msg; NTSTATUS Status;
TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationCreate: %S\n", pWinStationName ));
/*
* Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type
msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationCreate; msg.WaitForReply = FALSE; if ( pWinStationName ) { RtlCopyMemory( msg.u.Create.WinStationName, pWinStationName, sizeof(msg.u.Create.WinStationName) ); } else { RtlZeroMemory( msg.u.Create.WinStationName, sizeof(msg.u.Create.WinStationName) ); }
/*
* Send create message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) );
return Status;}
/*******************************************************************************
* QueueWinStationReset * * Send a reset message to the WinStationApiPort. * * ENTRY: * LogonId (input) * LogonId of WinStationName to reset ******************************************************************************/NTSTATUS QueueWinStationReset(ULONG LogonId){
WINSTATION_APIMSG msg; NTSTATUS Status;
TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationReset: %u\n", LogonId ));
/*
* Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type
msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationReset; msg.WaitForReply = FALSE; msg.u.Reset.LogonId = LogonId;
/*
* Send reset message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) );
return( Status );}
/*******************************************************************************
* QueueWinStationDisconnect * * Send a disconnect message to the WinStationApiPort. * * ENTRY: * LogonId (input) * LogonId of WinStationName to disconnect ******************************************************************************/NTSTATUS QueueWinStationDisconnect(ULONG LogonId){ WINSTATION_APIMSG msg; NTSTATUS Status;
TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationDisconnect: %u\n", LogonId ));
/*
* Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type
msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationDisconnect; msg.WaitForReply = FALSE; msg.u.Reset.LogonId = LogonId;
/*
* Send disconnect message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) );
return( Status );}
/*******************************************************************************
* IcaRegWinStationEnumerate * * Enumerate all WinStations configured in the registry. * * ENTRY: * pWinStationCount (input/output) * count of WinStation names to return, on return the number of * WinStation names actually returned in name buffer * pWinStationName (output) * pointer to buffer to return WinStation names * pByteCount (input/output) * size of WinStation name buffer, on return the number of * bytes actually returned in the name buffer ******************************************************************************/NTSTATUS IcaRegWinStationEnumerate( PULONG pWinStationCount, PWINSTATIONNAME pWinStationName, PULONG pByteCount){ NTSTATUS Status; OBJECT_ATTRIBUTES ObjectAttributes; WCHAR PathBuffer[ 260 ]; UNICODE_STRING KeyPath; HANDLE Handle; ULONG i; ULONG Count;
wcscpy( PathBuffer, REG_NTAPI_CONTROL_TSERVER L"\\" REG_WINSTATIONS ); RtlInitUnicodeString( &KeyPath, PathBuffer );
InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL );
Status = NtOpenKey( &Handle, GENERIC_READ, &ObjectAttributes ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: NtOpenKey failed, rc=%x\n", Status )); return( Status ); }
Count = pWinStationName ? min( *pByteCount / sizeof(WINSTATIONNAME), *pWinStationCount ) : (ULONG) -1; *pWinStationCount = *pByteCount = 0; for ( i = 0; i < Count; i++ ) { WINSTATIONNAME WinStationName; UNICODE_STRING WinStationString;
WinStationString.Length = 0; WinStationString.MaximumLength = sizeof(WinStationName); WinStationString.Buffer = WinStationName; Status = RtlpNtEnumerateSubKey( Handle, &WinStationString, i, NULL ); if ( !NT_SUCCESS( Status ) ) { if ( Status != STATUS_NO_MORE_ENTRIES ) { DBGPRINT(( "TERMSRV: RtlpNtEnumerateSubKey failed, rc=%x\n", Status )); } break; } if ( pWinStationName ) { RtlCopyMemory( pWinStationName, WinStationName, WinStationString.Length ); pWinStationName[WinStationString.Length>>1] = UNICODE_NULL; (char*)pWinStationName += sizeof(WINSTATIONNAME); } (*pWinStationCount)++; *pByteCount += sizeof(WINSTATIONNAME); }
NtClose( Handle );
return STATUS_SUCCESS;}
/*******************************************************************************
* WinStationCreateWorker * * Worker routine to create/start a WinStation. * * ENTRY: * pWinStationName (input) (optional) * Pointer to WinStationName to be created * pLogonId (output) * location to return LogonId of new WinStation * fStartWinStation (input) * Tells if we need to Start the winstation after creating it * * NOTE: If a WinStation name is specified, then this will become the * "listening" WinStation for the specified name. * If a WinStation name is not specified, then this will become * part of the free pool of idle/disconnected WinStations. ******************************************************************************/NTSTATUS WinStationCreateWorker( PWINSTATIONNAME pWinStationName, PULONG pLogonId, BOOLEAN fStartWinStation ) { BOOL fConsole; PWINSTATION pWinStation = NULL; PWINSTATION pCurWinStation; NTSTATUS Status; UNICODE_STRING WinStationString; ULONG ReturnLength; /*
* If system shutdown is in progress, then don't allow create */ if ( ShutdownInProgress ) { Status = STATUS_ACCESS_DENIED; goto shutdown; }
if (pWinStationName == NULL) { fConsole = FALSE; } else { fConsole = (_wcsicmp(pWinStationName, L"Console") == 0); }
/*
* If not the Console, then verify the WinStation name is defined * in the registry and that it is enabled. */ if ( pWinStationName && !fConsole ) { Status = CheckWinStationEnable( pWinStationName ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(( "TERMSRV: WinStation '%ws' is disabled\n", pWinStationName )); goto disabled; } }
/*
* Allocate and initialize WinStation struct */ if ( (pWinStation = MemAlloc( sizeof(WINSTATION) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pWinStation, sizeof(WINSTATION) ); pWinStation->Starting = TRUE; pWinStation->NeverConnected = TRUE; pWinStation->State = State_Init; pWinStation->pNewNotificationCredentials = NULL; pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE; pWinStation->LastReconnectType = NeverReconnected; pWinStation->fDisallowAutoReconnect = FALSE; pWinStation->fSmartCardLogon = FALSE; pWinStation->fSDRedirectedSmartCardLogon = FALSE; memset( pWinStation->ExecSrvSystemPipe, 0, EXECSRVPIPENAMELEN*sizeof(WCHAR) );
// Create the Session Initialized event which will be set when Winlogon calls after creating a Desktop
pWinStation->SessionInitializedEvent = CreateEvent(NULL, TRUE, // Manual Reset
FALSE, // Initial State is non signaled
NULL);
if (pWinStation->SessionInitializedEvent == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto nomem; }
InitializeListHead( &pWinStation->ShadowHead ); InitializeListHead( &pWinStation->Win32CommandHead );
// Create the licensing context
Status = LCCreateContext(pWinStation); if ( !NT_SUCCESS( Status ) ) goto nolicensecontext;
// Create and lock winstation mutex
Status = InitRefLock( &pWinStation->Lock, WinStationDeleteProc ); if ( !NT_SUCCESS( Status ) ) goto nolock;
/*
* If a WinStation name was specified, see if it already exists * (on return, WinStationListLock will be locked). */ if ( pWinStationName ) { if ( pCurWinStation = FindWinStationByName( pWinStationName, TRUE ) ) { ReleaseWinStation( pCurWinStation ); LEAVECRIT( &WinStationListLock ); Status = STATUS_CTX_WINSTATION_NAME_COLLISION; goto alreadyexists; }
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Creating WinStation %ws\n", pWinStationName )); LEAVECRIT( &WinStationListLock ); wcscpy( pWinStation->WinStationName, pWinStationName );
/*
* If not the console, then this will become a "listen" WinStation */ if ( !fConsole ) {
pWinStation->Flags |= WSF_LISTEN;
//
// Listener winstations always get LogonId above 65536 and are
// assigned by Terminal Server. LogonId's for sessions are
// generated by mm in the range 0-65535
//
pWinStation->LogonId = LogonId++; ASSERT(pWinStation->LogonId >= 65536);
} else {
//
// Console always get 0
//
pWinStation->LogonId = 0; pWinStation->fOwnsConsoleTerminal = TRUE;
}
/*
* No WinStation name was specified. * This will be an idle WinStation waiting for a connection. */ } else { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Creating IDLE WinStation\n" )); pWinStation->Flags |= WSF_IDLE; pWinStation->LogonId = -1; // MM will asssign session IDs
}
/*
* Initialize WinStation configuration data */#ifdef NO_CONSOLE_REGISTRY
if ( pWinStation->LogonId ) {#endif
/*
* Read winstation configuration data from registry */ if ( pWinStationName ) { Status = RegWinStationQueryEx( SERVERNAME_CURRENT, &g_MachinePolicy, pWinStationName, &pWinStation->Config, sizeof(WINSTATIONCONFIG2), &ReturnLength, TRUE ); if ( !NT_SUCCESS(Status) ) { goto badregdata; }
if (pWinStation->Config.Wd.WdFlag & WDF_TSHARE) { pWinStation->Client.ProtocolType = PROTOCOL_RDP; } else if (pWinStation->Config.Wd.WdFlag & WDF_ICA) { pWinStation->Client.ProtocolType = PROTOCOL_ICA; } else { pWinStation->Client.ProtocolType = PROTOCOL_CONSOLE; }
/*
* Save console config for console sessions. */
if (pWinStation->LogonId == 0) { gConsoleConfig = pWinStation->Config;
// initalize client data, since there isn't any real rdp client sending anythhing to us
InitializeConsoleClientData( & pWinStation->Client );
} }#ifdef NO_CONSOLE_REGISTRY
} else {
/*
* Hand craft the console configuration data */ PWDCONFIG pWdConfig = &pWinStation->Config.Wd; PPDCONFIGW pPdConfig = &pWinStation->Config.Pd[0];
wcscpy( pWdConfig->WdName, L"Console" ); pWdConfig->WdFlag = WDF_NOT_IN_LIST; wcscpy( pPdConfig->Create.PdName, L"Console" ); pPdConfig->Create.PdClass = PdConsole; pPdConfig->Create.PdFlag = PD_USE_WD | PD_RELIABLE | PD_FRAME | PD_CONNECTION | PD_CONSOLE;
RegQueryOEMId( (PBYTE) &pWinStation->Config.Config.OEMId, sizeof(pWinStation->Config.Config.OEMId) );
}#endif
/*
* Allocate LogonId and insert in WinStation list */ ENTERCRIT( &WinStationListLock ); InsertTailList( &WinStationListHead, &pWinStation->Links ); LEAVECRIT( &WinStationListLock );
if (pWinStation->LogonId == 0 || g_bPersonalTS) { // Create a named event for console session so that winmm can check if we
// are remoting audio on the console itself. Use a global event is for
// fast check
{ BYTE bSA[SECURITY_DESCRIPTOR_MIN_LENGTH]; PSECURITY_DESCRIPTOR pSD = &bSA; SECURITY_ATTRIBUTES SA; EXPLICIT_ACCESS ea[2]; SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY siaNT = SECURITY_NT_AUTHORITY; PSID pSidWorld; PSID pSidNT; PACL pNewDAcl; DWORD dwres;
if ( AllocateAndInitializeSid( &siaWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSidWorld)) { if ( AllocateAndInitializeSid( &siaNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSidNT)) { ZeroMemory(ea, sizeof(ea)); ea[0].grfAccessPermissions = SYNCHRONIZE; ea[0].grfAccessMode = GRANT_ACCESS; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.ptstrName = (LPTSTR)pSidWorld; ea[1].grfAccessPermissions = GENERIC_ALL; ea[1].grfAccessMode = GRANT_ACCESS; ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[1].Trustee.ptstrName = (LPTSTR)pSidNT;
dwres = SetEntriesInAcl(2, ea, NULL, &pNewDAcl ); if ( ERROR_SUCCESS == dwres ) { if (InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) { if (SetSecurityDescriptorDacl(pSD, TRUE, pNewDAcl, FALSE )) { SA.nLength = sizeof( SA ); SA.lpSecurityDescriptor = pSD; SA.bInheritHandle = FALSE; pWinStation->hWinmmConsoleAudioEvent = CreateEvent( &SA, TRUE, FALSE, L"Global\\WinMMConsoleAudioEvent"); if ( pWinStation->LogonId == 0 ) { pWinStation->hRDPAudioDisabledEvent = CreateEvent( &SA, TRUE, FALSE, L"Global\\RDPAudioDisabledEvent"); } else { pWinStation->hRDPAudioDisabledEvent = NULL; } } } LocalFree( pNewDAcl ); } LocalFree( pSidNT ); } LocalFree( pSidWorld ); } } } else { pWinStation->hWinmmConsoleAudioEvent = NULL; pWinStation->hRDPAudioDisabledEvent = NULL; }
/*
* Start the WinStation's primary device and stack */
Status = StartWinStationDeviceAndStack( pWinStation ) ;
/*
* Ignore errors from console, otherwise keep going */ if ( ( pWinStation->LogonId ) && ( Status != STATUS_SUCCESS ) ) { goto starterror; }
/*
* Start the WinStation - do this only for the Listener and Console Sessions or if last param is TRUE * For idle winstations, we start the Csr and Winlogon later on when Transferring connection */
if (( pWinStation->Flags & WSF_LISTEN ) || (pWinStation->LogonId == 0) || (fStartWinStation)) {
Status = WinStationStart( pWinStation );
/*
* Ignore errors from console, otherwise keep going */ if ( ( pWinStation->LogonId ) && ( Status != STATUS_SUCCESS ) ) goto starterror;
Status = WinStationCreateComplete( pWinStation ) ;
if (Status != STATUS_SUCCESS) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: WinstationCreateComplete Failed : Connection attempt failed, Status [%lx]\n",Status )); goto starterror; } }
/*
* Return LogonId to caller * At this point LogonId is really -1 for idle sessions because we delay the starting of Csr and winlogon */ if ( pLogonId ) *pLogonId = pWinStation->LogonId;
pWinStation->Starting = FALSE;
/*
* Release WinStation now */ ReleaseWinStation( pWinStation );
return( STATUS_SUCCESS );
/*=============================================================================
== Error returns=============================================================================*/
/*
* WinStationStart returned error * WinStation kernel object could not be created */starterror: if ( !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { if ( StopOnDown ) DbgBreakPoint(); pWinStation->Flags |= WSF_DELETE; WinStationTerminate( pWinStation ); pWinStation->State = State_Down; PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status); WinStationDeleteWorker(pWinStation); } else { ReleaseWinStation( pWinStation ); }
return Status;
/*
* Error reading registry data */badregdata:
/*
* WinStation name already exists */alreadyexists: NtClose( pWinStation->Lock.Mutex );
/*
* Could not create WinStation lock */nolock: LCDestroyContext(pWinStation);
/*
* Could not allocate licensing context */nolicensecontext:
/*
* Close the session initialization event if created successfully. */ if (pWinStation->SessionInitializedEvent) { CloseHandle(pWinStation->SessionInitializedEvent); pWinStation->SessionInitializedEvent = NULL; }
/*
* Could not allocate WinStation */nomem: PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status);
if (pWinStation) { MemFree(pWinStation); }
/*
* WinStation is disabled * System shutdown is in progress */disabled:shutdown:
return Status;}
/*******************************************************************************
* StartWinStationDeviceAndStack * Open the primary Device and primary Stack of the WinStation. * * ENTRY: * pWinStation (input) * Pointer to WinStation to start ******************************************************************************/
NTSTATUS StartWinStationDeviceAndStack(PWINSTATION pWinStation){ NTSTATUS Status = STATUS_SUCCESS; ICA_TRACE Trace;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: StartWinStationDeviceAndStack, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId ));
/*
* If its a WSF_LISTEN WinStation, see if a specific ACL has * been set for it. * * This ACL will be inherited by WinStations that are * connected to from this thread. * * If not specific ACL has been set, the system default * will be used. */
if (( pWinStation->Flags & WSF_LISTEN ) || (pWinStation->LogonId == 0)){
ReadWinStationSecurityDescriptor( pWinStation ); }
/*
* Open an instance of the TermDD device driver */ Status = IcaOpen( &pWinStation->hIca ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV StartWinStationDeviceAndStack : IcaOpen: Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto done; }
/*
* Open a stack instance */ Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack);
if ( !NT_SUCCESS( Status ) ) { IcaClose( pWinStation->hIca ); pWinStation->hIca = NULL; DBGPRINT(( "TERMSRV StartWinStationDeviceAndStack : IcaStackOpen: Error 0x%x from IcaStackOpen, last error %d\n", Status, GetLastError() )); goto done; }
/*
* Enable trace */ RtlZeroMemory( &Trace , sizeof( ICA_TRACE ) ); InitializeTrace( pWinStation, FALSE, &Trace );
done: TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: StartWinStationDeviceAndStack, Status = 0x%x\n", Status));
return Status; }
/*******************************************************************************
* WinStationStart * * Start a WinStation. This involves reading the * execute list from the registry, loading the WinStation * subsystems, and starting the initial program. * * ENTRY: * pWinStation (input) * Pointer to WinStation to start ******************************************************************************/NTSTATUS WinStationStart(PWINSTATION pWinStation){ OBJECT_ATTRIBUTES ObjA; LARGE_INTEGER Timeout; NTSTATUS Status; UNICODE_STRING InitialCommand; PUNICODE_STRING pInitialCommand; PWCHAR pExecuteBuffer = NULL; ULONG CommandSize; PWCHAR pszCsrStartEvent = NULL; PWCHAR pszReconEvent = NULL; UNICODE_STRING EventName;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationStart, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId ));
// allocate memory
pExecuteBuffer = MemAlloc( MAX_STRING_BYTES * sizeof(WCHAR) ); if (pExecuteBuffer == NULL) { Status = STATUS_NO_MEMORY; goto done; }
pszCsrStartEvent = MemAlloc( MAX_PATH * sizeof(WCHAR) ); if (pszCsrStartEvent == NULL) { Status = STATUS_NO_MEMORY; goto done; }
pszReconEvent = MemAlloc( MAX_PATH * sizeof(WCHAR) ); if (pszReconEvent == NULL) { Status = STATUS_NO_MEMORY; goto done; }
/*
* If this is a "listening" WinStation, then we don't load the * subsystems and initial command. Instead we create a service * thread to wait for new connections and service them. */ if ( pWinStation->Flags & WSF_LISTEN ) { DWORD ThreadId;
pWinStation->hConnectThread = CreateThread( NULL, 0, // use Default stack size of the svchost process
(LPTHREAD_START_ROUTINE)WinStationConnectThread, LongToPtr( pWinStation->LogonId ), 0, &ThreadId );
pWinStation->CreateStatus = STATUS_SUCCESS; Status = pWinStation->CreateStatus; pWinStation->NeverConnected = FALSE; pWinStation->State = State_Listen; NotifySystemEvent( WEVENT_STATECHANGE );
/*
* Load subsystems and initial command * * Session Manager starts the console itself, but returns the * process ID's. For all others, this actually starts CSR * and winlogon. */ } else { /*
* Create event we will wait on below */ if ( pWinStation->LogonId ) {
InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL ); Status = NtCreateEvent( &pWinStation->CreateEvent, EVENT_ALL_ACCESS, &ObjA, NotificationEvent, FALSE ); if ( !NT_SUCCESS( Status ) ) goto done; }
UnlockWinStation( pWinStation );
/*
* Check debugging options */ Status = RegWinStationQueryValueW( SERVERNAME_CURRENT, pWinStation->WinStationName, L"Execute", pExecuteBuffer, MAX_STRING_BYTES * sizeof(WCHAR), &CommandSize );
if ( !Status && CommandSize ) { RtlInitUnicodeString( &InitialCommand, pExecuteBuffer ); pInitialCommand = &InitialCommand; } else { pInitialCommand = NULL; }
/*
* For now only do one winstation start at a time. This is because of * WinStation space problems. The Session manager maps it's self into * the WinStation space of the CSR it wants to start so the CSR inherits * the space. That means only one CSR can be started at a time. */ ENTERCRIT( &WinStationStartCsrLock ); //Terminal Service needs to skip Memory check in Embedded images
//when the TS service starts
//bug #246972
if(!IsEmbedded()) { /*
* Make sure we have enough resources to start a new session */
Status = NtAllocateVirtualMemory( NtCurrentProcess(), &glpAddress, 0, &gMinPerSessionPageCommit, MEM_COMMIT, PAGE_READWRITE );
if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: NtAllocateVirtualMemory failed with Status %lx for Size %lx(MB)\n",Status,gMinPerSessionPageCommitMB)); LEAVECRIT( &WinStationStartCsrLock ); goto done; } else {
Status = NtFreeVirtualMemory( NtCurrentProcess(), &glpAddress, &gMinPerSessionPageCommit, MEM_DECOMMIT ); if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: NtFreeVirtualMemory failed with Status %lx \n",Status)); ASSERT(NT_SUCCESS(Status)); } } }
Status = SmStartCsr( IcaSmApiPort, &pWinStation->LogonId, pInitialCommand, (PULONG_PTR)&pWinStation->InitialCommandProcessId, (PULONG_PTR)&pWinStation->WindowsSubSysProcessId );
LEAVECRIT( &WinStationStartCsrLock );
if ( !RelockWinStation( pWinStation ) ) Status = STATUS_CTX_CLOSE_PENDING;
if ( Status != STATUS_SUCCESS) { DBGPRINT(("TERMSRV: SmStartCsr failed\n")); goto done; }
/*
* Close handle to initial command process, if already opened */ if ( pWinStation->InitialCommandProcess ) { NtClose( pWinStation->InitialCommandProcess ); pWinStation->InitialCommandProcess = NULL; }
/*
* Open handle to initial command process */ pWinStation->InitialCommandProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)(pWinStation->InitialCommandProcessId) );
if ( pWinStation->InitialCommandProcess == NULL ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Logon %d cannot open Initial command process\n", pWinStation->LogonId)); Status = STATUS_ACCESS_DENIED; goto done; }
/*
* Open handle to WIN32 subsystem process */ pWinStation->WindowsSubSysProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)(pWinStation->WindowsSubSysProcessId) );
if ( pWinStation->WindowsSubSysProcess == NULL ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Logon %d cannot open windows subsystem process\n", pWinStation->LogonId)); Status = STATUS_ACCESS_DENIED; goto done; }
//
// Terminal Server calls into Session Manager to create a new Hydra session.
// The session manager creates and resume a new session and returns to Terminal
// server the session id of the new session. There is a race condition where
// CSR can resume and call into terminal server before terminal server can
// store the session id in its internal structure. To prevent this CSR will
// wait here on a named event which will be set by Terminal server once it
// gets the sessionid for the newly created session
// Create CsrStartEvent
//
if ( NT_SUCCESS( Status ) && pWinStation->LogonId ) {
wsprintf(pszCsrStartEvent, L"\\Sessions\\%d\\BaseNamedObjects\\CsrStartEvent",pWinStation->LogonId); RtlInitUnicodeString( &EventName,pszCsrStartEvent); InitializeObjectAttributes( &ObjA, &EventName, OBJ_OPENIF, NULL, NULL );
Status = NtCreateEvent( &(pWinStation->CsrStartEventHandle), EVENT_ALL_ACCESS, &ObjA, NotificationEvent, FALSE );
if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("TERMSRV: NtCreateEvent (%ws) failed (%lx)\n",pszCsrStartEvent, Status)); ASSERT(FALSE); pWinStation->CsrStartEventHandle = NULL; goto done; }
//
// Now that we have the sessionId(LogonId), set the CsrStartEvent so
// CSR can connect to TerminalServer
//
NtSetEvent(pWinStation->CsrStartEventHandle, NULL); }
{ //
// Create ReconnectReadyEvent
//
if ( pWinStation->LogonId == 0 ) { wsprintf(pszReconEvent, L"\\BaseNamedObjects\\ReconEvent"); } else { wsprintf(pszReconEvent, L"\\Sessions\\%d\\BaseNamedObjects\\ReconEvent",pWinStation->LogonId); } RtlInitUnicodeString( &EventName,pszReconEvent); InitializeObjectAttributes( &ObjA, &EventName, OBJ_OPENIF, NULL, NULL );
Status = NtCreateEvent( &(pWinStation->hReconnectReadyEvent), EVENT_ALL_ACCESS, &ObjA, NotificationEvent, TRUE );
if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("TERMSRV: NtCreateEvent (%ws) failed (%lx)\n",pszReconEvent, Status)); ASSERT(FALSE); pWinStation->hReconnectReadyEvent = NULL; goto done; }
}
/*
* For console, create is always successful - but do we need to * crank up the stack for the console session? */ if ( pWinStation->LogonId == 0 ) { pWinStation->CreateStatus = STATUS_SUCCESS; Status = pWinStation->CreateStatus; pWinStation->NeverConnected = FALSE; pWinStation->State = State_Connected;
/*
* Wait for create event to be triggered and get create status */ } else { Timeout = RtlEnlargedIntegerMultiply( 30000, -10000 ); UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( pWinStation->CreateEvent, FALSE, &Timeout ); if ( !RelockWinStation( pWinStation ) ) Status = STATUS_CTX_CLOSE_PENDING; if ( Status == STATUS_SUCCESS ) Status = pWinStation->CreateStatus;
NtClose( pWinStation->CreateEvent ); pWinStation->CreateEvent = NULL; } }
done: if (pExecuteBuffer != NULL) { MemFree(pExecuteBuffer); pExecuteBuffer = NULL; }
if (pszCsrStartEvent != NULL) { MemFree(pszCsrStartEvent); pszCsrStartEvent = NULL; }
if (pszReconEvent != NULL) { MemFree(pszReconEvent); pszReconEvent = NULL; }
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationStart Subsys PID=%d InitialProg PID=%d, Status=0x%x\n", pWinStation->WindowsSubSysProcessId, pWinStation->InitialCommandProcessId, Status ));
return Status;}
NTSTATUS WinStationCreateComplete(PWINSTATION pWinStation){
NTSTATUS Status = STATUS_SUCCESS;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCreateComplete, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId ));
// Increment the total number of sessions created since TermSrv started.
// we don't count the console and listener sessions
if (pWinStation->LogonId > 0 && pWinStation->LogonId < 65536) { pWinStation->SessionSerialNumber = (ULONG) InterlockedIncrement(&g_TermSrvTotalSessions); }
if (!(pWinStation->Flags & WSF_LISTEN)) { Status = InitializeSessionNotification(pWinStation); if ( !NT_SUCCESS( Status ) ) { goto done; } }
/*
* Set WinStationEvent to indicate another WinStation has been created */ ENTERCRIT( &WinStationListLock ); NtSetEvent( WinStationEvent, NULL ); // Keep track of total session count for Load Balancing Indicator but
// don't count listen winstations
if (!(pWinStation->Flags & WSF_LISTEN)) WinStationTotalCount++;
LEAVECRIT( &WinStationListLock );
/*
* Notify clients of WinStation create */
NotifySystemEvent( WEVENT_CREATE );
done :
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCreateComplete, %S (LogonId=%d) Status = 0x%x \n", pWinStation->WinStationName, pWinStation->LogonId, Status ));
return Status ;}
/*******************************************************************************
* WinStationRenameWorker * * Worker routine to rename a WinStation. * * ENTRY: * pWinStationNameOld (input) * Pointer to old WinStationName * pWinStationNameNew (input) * Pointer to new WinStationName ******************************************************************************/NTSTATUS WinStationRenameWorker( PWINSTATIONNAME pWinStationNameOld, ULONG NameOldSize, PWINSTATIONNAME pWinStationNameNew, ULONG NameNewSize){ PWINSTATION pWinStation; PLIST_ENTRY Head, Next; NTSTATUS Status; ULONG ulNewNameLength;
/*
* Ensure new WinStation name is non-zero length */
//
// The new WinStationName is allocated by the RPC server stub and the
// size is sent over by the client (this is part of the existing interface.
// Therefore, it is sufficient to assert for the pWinStationNameNew to be
// non-null AND the New size to be non-zero. If it asserts, this is a serious
// problem with the rpc stub that should never happen in a released build.
//
// The old WinStationName also poses a problem. It is assumed in the code
// that follows that the old WinStationName is NULL terminated. The RPC
// interface does not say that. Which means the call to FindWinStation by
// name can potentially AV.
if (!( (pWinStationNameNew != 0 ) && (NameNewSize != 0 ) && !IsBadWritePtr( pWinStationNameNew, NameNewSize ) ) ) {
return( STATUS_CTX_WINSTATION_NAME_INVALID ); }
if (!( (pWinStationNameOld != 0 ) && (NameOldSize != 0 ) && !IsBadReadPtr( pWinStationNameOld, NameOldSize ) && !IsBadWritePtr( pWinStationNameOld, NameOldSize))) {
return( STATUS_CTX_WINSTATION_NAME_INVALID ); }
/*
* Find and lock the WinStation * (Note that we hold the WinStationList lock while changing the name.) */ // We will add a NULL Terminator to the end of the old winstation name
pWinStationNameOld[ NameOldSize - 1 ] = 0; pWinStationNameNew[ NameNewSize - 1 ] = 0;
/*
* Ensure new WinStation name is non-zero length and not too long */ ulNewNameLength = wcslen( pWinStationNameNew ); if ( ( ulNewNameLength == 0 ) || ( ulNewNameLength > WINSTATIONNAME_LENGTH ) ) return( STATUS_CTX_WINSTATION_NAME_INVALID );
pWinStation = FindWinStationByName( pWinStationNameOld, TRUE );
if ( pWinStation == NULL ) { LEAVECRIT( &WinStationListLock ); return( STATUS_CTX_WINSTATION_NOT_FOUND ); }
/*
* Verify that client has DELETE access */ Status = RpcCheckClientAccess( pWinStation, DELETE, FALSE ); if ( !NT_SUCCESS( Status ) ) { LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation ); return( Status ); }
/*
* Now search the WinStation list to see if the new WinStation name * is already used. If so then this is an error. */ Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { PWINSTATION pWinStationTemp;
pWinStationTemp = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !_wcsicmp( pWinStationTemp->WinStationName, pWinStationNameNew ) ) { LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation ); return( STATUS_CTX_WINSTATION_NAME_COLLISION ); } }
/*
* Free the old name and set the new one, then release * the WinStationList lock and the WinStation mutex. */ wcsncpy( pWinStation->WinStationName, pWinStationNameNew, WINSTATIONNAME_LENGTH ); pWinStation->WinStationName[ WINSTATIONNAME_LENGTH ] = 0;
LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation );
/*
* Notify clients of WinStation rename */ NotifySystemEvent( WEVENT_RENAME );
return STATUS_SUCCESS;}
/*******************************************************************************
* WinStationTerminate * * Terminate a WinStation. This involves causing the WinStation initial * program to logoff, terminating the initial program, and terminating * all subsystems. * * ENTRY: * pWinStation (input) * Pointer to WinStation to terminate ******************************************************************************/VOID WinStationTerminate(PWINSTATION pWinStation){ WINSTATION_APIMSG msg; LARGE_INTEGER Timeout; NTSTATUS Status = 0; BOOL AllExited = FALSE; BOOL bDoDisconnectFailed = FALSE; int i, iLoop;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationTerminate, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId ));
//
// Release filtered address
//
/*
if (pWinStation->pRememberedAddress != NULL) { Filter_RemoveOutstandingConnection( &pWinStation->pRememberedAddress->addr[0], pWinStation->pRememberedAddress->length ); MemFree(pWinStation->pRememberedAddress); pWinStation->pRememberedAddress = NULL; if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } }
} */
if (pWinStation->fOwnsConsoleTerminal) { CopyReconnectInfo(pWinStation, &ConsoleReconnectInfo);
}
/*
* If not already set, mark the WinStation as terminating. * This prevents our WinStation Terminate thread from waiting on * the initial program or Win32 subsystem processes. */ ENTERCRIT( &WinStationListLock ); if ( !pWinStation->Terminating ) { pWinStation->Terminating = TRUE; NtSetEvent( WinStationEvent, NULL ); }
if (!(pWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE)) { pWinStation->StateFlags |= WSF_ST_WINSTATIONTERMINATE; } else { DBGPRINT(("Termsrv: WinstationTerminate: Session %ld has already been terminated \n",pWinStation->LogonId)); LEAVECRIT( &WinStationListLock );
return; } LEAVECRIT( &WinStationListLock );
/*
* If WinStation is idle waiting for a connection, signal connect event * - this will return an error back to winlogon */ if ( pWinStation->ConnectEvent ) { NtSetEvent( pWinStation->ConnectEvent, NULL ); }
/*
* Stop any shadowing for this WinStation */ WinStationStopAllShadows( pWinStation );
/*
* Tell Win32 to disconnect. * This puts up the disconnected desktop among other things. */ if ( ( pWinStation->WinStationName[0] ) && ( !pWinStation->NeverConnected ) && ( !(pWinStation->Flags & WSF_LISTEN) ) && ( !(pWinStation->Flags & WSF_DISCONNECT) ) && ( !(pWinStation->StateFlags & WSF_ST_IN_DISCONNECT )) && ( (pWinStation->StateFlags & WSF_ST_CONNECTED_TO_CSRSS) ) ) {
msg.ApiNumber = SMWinStationDoDisconnect; msg.u.DoDisconnect.ConsoleShadowFlag = FALSE;
/*
* Insignia really wants the video driver to be notified before * the transport is closed. */ pWinStation->StateFlags |= WSF_ST_IN_DISCONNECT;
Status = SendWinStationCommand( pWinStation, &msg, 600 );
if (!NT_SUCCESS(Status)) { bDoDisconnectFailed = TRUE; }else { /*
* Tell csrss to notify winlogon for the disconnect. */
msg.ApiNumber = SMWinStationNotify; msg.WaitForReply = FALSE; msg.u.DoNotify.NotifyEvent = WinStation_Notify_Disconnect; Status = SendWinStationCommand( pWinStation, &msg, 0 );
pWinStation->StateFlags &= ~WSF_ST_CONNECTED_TO_CSRSS;
} }
/*
* In case, the winstation termination is called without logoff notification, we will have to * carry out the post logoff licensing. */ if (pWinStation->StateFlags & WSF_ST_LICENSING) { (VOID)LCProcessConnectionLogoff(pWinStation); pWinStation->StateFlags &= ~WSF_ST_LICENSING; }
/*
* Free Timers */ if ( pWinStation->fIdleTimer ) { IcaTimerClose( pWinStation->hIdleTimer ); pWinStation->fIdleTimer = FALSE; } if ( pWinStation->fLogonTimer ) { IcaTimerClose( pWinStation->hLogonTimer ); pWinStation->fLogonTimer = FALSE; } if ( pWinStation->fDisconnectTimer ) { IcaTimerClose( pWinStation->hDisconnectTimer ); pWinStation->fDisconnectTimer = FALSE; }
/*
* Free events */ if ((pWinStation->LogonId == 0 || g_bPersonalTS)) { if ( pWinStation->hWinmmConsoleAudioEvent) { CloseHandle(pWinStation->hWinmmConsoleAudioEvent); } if ( pWinStation->hRDPAudioDisabledEvent) { CloseHandle(pWinStation->hRDPAudioDisabledEvent); } }
/*
* Notify clients of WinStation delete * * This mimics what happened in 1.6, but the state of the winstation hasn't changed * yet and it's still in the list, so it's not "deleted". Maybe we should add * a State_Exiting. Right now, it's marked down when it loses the LPC connection * with the CSR. Later, it's removed from the list and another WEVENT_DELETE is sent. */ NotifySystemEvent( WEVENT_DELETE ); if (!(pWinStation->Flags & WSF_LISTEN)) { UnlockWinStation(pWinStation); RemoveSessionNotification( pWinStation->LogonId, pWinStation->SessionSerialNumber );
/*
* WinStationDeleteWorker, deletes the lock, which is always called after WinStationTerminate. * therefore we should always succeed in Relock here. */ RTL_VERIFY(RelockWinStation(pWinStation)); }
/*
* Terminate ICA stack */
if ( pWinStation->hStack && (!bDoDisconnectFailed) ) { /*
* Close the connection endpoint, if any */ if ( pWinStation->pEndpoint ) {
/*
* First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation );
IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; }
IcaStackTerminate( pWinStation->hStack );
} else{ pWinStation->StateFlags |= WSF_ST_DELAYED_STACK_TERMINATE; }
/*
* Flush the Win32 command queue. * If the Win32 command list is not empty, then loop through each * entry on the list and unlink it and trigger the wait event. */ while ( !IsListEmpty( &pWinStation->Win32CommandHead ) ) { PLIST_ENTRY Head; PCOMMAND_ENTRY pCommand;
Head = pWinStation->Win32CommandHead.Flink; pCommand = CONTAINING_RECORD( Head, COMMAND_ENTRY, Links ); RemoveEntryList( &pCommand->Links ); if ( !pCommand->pMsg->WaitForReply ) { ASSERT( pCommand->Event == NULL ); MemFree( pCommand ); } else { pCommand->Links.Flink = NULL; pCommand->pMsg->ReturnedStatus = STATUS_CTX_WINSTATION_BUSY; NtSetEvent( pCommand->Event, NULL ); } }
//
// close CsrStartEvent
//
if (pWinStation->CsrStartEventHandle != NULL) { NtClose(pWinStation->CsrStartEventHandle); }
//
// close hReconnectReadyEvent
//
if (pWinStation->hReconnectReadyEvent != NULL) { NtClose(pWinStation->hReconnectReadyEvent); }
/*
* Force initial program to exit if it hasn't already */ if ( pWinStation->InitialCommandProcess ) { DWORD WaitStatus;
/*
* If initial program has already exited, then we can skip this */ WaitStatus = WaitForSingleObject( pWinStation->InitialCommandProcess, 0 ); if ( WaitStatus != 0 ) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Terminating initial command, LogonId=%d\n", pWinStation->LogonId ));
//
// if we are asked to terminate winstation that initiated the shutdown
// there is no point in sending SMWinStationExitWindows to this window, as its
// winlogons main thread is already busy waiting for this (RpcWinStationShutdownSystem) lpc
//.
if (!ShutDownFromSessionID || ShutDownFromSessionID != pWinStation->LogonId) { /*
* Tell the WinStation to logoff */ msg.ApiNumber = SMWinStationExitWindows; msg.u.ExitWindows.Flags = EWX_LOGOFF | EWX_FORCE; Status = SendWinStationCommand( pWinStation, &msg, 10 ); if ( NT_SUCCESS( Status ) && ( pWinStation->InitialCommandProcess != NULL ) ) { ULONG i;
if ( ShutDownFromSessionID ) Timeout = RtlEnlargedIntegerMultiply( 1, -10000 ); else Timeout = RtlEnlargedIntegerMultiply( 2000, -10000 );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Waiting for InitialCommand (ID=0x%x) to exit\n", pWinStation->InitialCommandProcessId ));
for ( i = 0; i < gLogoffTimeout; i++ ) { HANDLE CommandHandle = pWinStation->InitialCommandProcess;
UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( CommandHandle, FALSE, &Timeout ); RelockWinStation( pWinStation ); if ( Status == STATUS_SUCCESS ) break;
TRACE((hTrace,TC_ICASRV,TT_API1, "." ));
}
TRACE((hTrace,TC_ICASRV,TT_API1, "\nTERMSRV: Wait for InitialCommand to exit, Status=0x%x\n", Status )); } } else { // we are not going to have to terminate winlogon for the session that initiated shutdown.
Status = STATUS_UNSUCCESSFUL; }
/*
* If unable to connect to the WinStation, then we must use * the brute force method - just terminate the initial command. */ if ( ( Status != STATUS_SUCCESS ) && ( pWinStation->InitialCommandProcess != NULL ) ) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Waiting for InitialCommand to terminate\n" ));
Status = TerminateProcessAndWait( pWinStation->InitialCommandProcessId, pWinStation->InitialCommandProcess, 120 ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(( "TERMSRV: InitialCommand failed to terminate, Status=%x\n", Status ));
/*
* We can fail terminating initial process if it is waiting * for a user validation in the Hard Error popup. In this case it is * Ok to proceceed as sending SMWinStationTerminate message bellow * will trigger Win32k cleanup code that will dismiss the popup. */ ASSERT(pWinStation->WindowsSubSysProcess); } } } }
/*
* Now check to see if there are any remaining processes in * the system other than CSRSS with this SessionId. If so, terminate them now. */
for (i = 0 ; i < 45; i++) {
ULONG NumTerminated = 0; AllExited = WinStationTerminateProcesses( pWinStation, &NumTerminated );
/*
* If we found any processes other than CSRSS that had to be terminated, we * have to re-enumerate all the process and make sure that no new processes * in this session were created in the windows between the call to NtQuerySystemInformation * and terminating all the found processes. If we only find CSRSS we don't have to * re-enumerate since CSRSS does not create any processes. */ if (AllExited && (NumTerminated == 0)) { break; }
/*
* This is a hack to give enough time to processess to terminate */ Sleep(2*1000); }
if (pWinStation->WindowsSubSysProcess) { /*
* Send terminate message to this subsystem */ msg.ApiNumber = SMWinStationTerminate; /*
* We used to not wait for this. However, if the reverse LPC is * hung, the CSR is not going to exit anyway and we don't want * to silently forget about the WinStation. (It takes up memory.) * * Also, if we kill the thread prematurely W32 is never going to exit. */ Status = SendWinStationCommand( pWinStation, &msg, -1 );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Call to SMWinStationTerminate returned Status=0x%x\n", Status));
if ((Status != STATUS_SUCCESS) && (Status != STATUS_CTX_CLOSE_PENDING) ) { SetRefLockDeleteProc(&pWinStation->Lock, WinStationZombieProc); }
/*
* Now check to see if there are any remaining processes in * the system other than CSRSS with this SessionId. If so, terminate them now. */
for (i = 0 ; i < 45; i++) {
ULONG NumTerminated = 0; AllExited = WinStationTerminateProcesses( pWinStation, &NumTerminated );
/*
* If we found any processes other than CSRSS that had to be terminated, we * have to re-enumerate all the process and make sure that no new processes * in this session were created in the windows between the call to NtQuerySystemInformation * and terminating all the found processes. If we only find CSRSS we don't have to * re-enumerate since CSRSS does not create any processes. */ if (AllExited && (NumTerminated == 0)) { break; }
/*
* This is a hack to give enough time to processess to terminate */ Sleep(2*1000); }
/*
* Force the windows subsystem to exit. Only terminate CSRSS it all other processes * have terminated */ if ( AllExited ) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: All process exited in Session %d\n",pWinStation->LogonId ));
/*
* Wait for the subsystem to exit */ if ( NT_SUCCESS(Status) || ( Status == STATUS_CTX_WINSTATION_BUSY ) || (Status == STATUS_CTX_CLOSE_PENDING ) ) {
ASSERT(!(pWinStation->Flags & WSF_LISTEN));// ENTERCRIT( &WinStationStartCsrLock );
// Status = SmStopCsr( IcaSmApiPort,
// pWinStation->LogonId );
// LEAVECRIT( &WinStationStartCsrLock );
// DBGPRINT(( "TERMSRV: SmStopCsr on CSRSS for Session=%d returned Status=%x\n",
// pWinStation->LogonId, Status ));
//
// ASSERT(NT_SUCCESS(Status));
// if (!NT_SUCCESS(Status)) {
// DBGPRINT(( "TERMSRV: SmStopCsr Failed for Session=%d returned Status=%x\n",
// pWinStation->LogonId, Status ));
// DbgBreakPoint();
//}
} } else {
DBGPRINT(("TERMSRV: Did not terminate all the session processes\n")); SetRefLockDeleteProc(&pWinStation->Lock, WinStationZombieProc);
// DbgBreakPoint();
} }
}
/*******************************************************************************
* WinStationTerminateProcesses * * Terminate all processes executing on the specified WinStation ******************************************************************************/BOOL WinStationTerminateProcesses( PWINSTATION pWinStation, ULONG *pNumTerminated){ PCHAR pBuffer; ULONG ByteCount; NTSTATUS Status; PSYSTEM_PROCESS_INFORMATION ProcessInfo; UNICODE_STRING CsrssName; UNICODE_STRING NtsdName; BOOL retval = TRUE; WCHAR ProcessName[MAX_PATH]; SYSTEM_SESSION_PROCESS_INFORMATION SessionProcessInfo; ULONG retlen = 0;
ByteCount = 32 * 1024;
*pNumTerminated = 0;
SessionProcessInfo.SessionId = pWinStation->LogonId; for ( ; ; ) { if ( (pBuffer = MemAlloc( ByteCount )) == NULL ) return (FALSE);
SessionProcessInfo.Buffer = pBuffer; SessionProcessInfo.SizeOfBuf = ByteCount;
/*
* get process info */
Status = NtQuerySystemInformation( SystemSessionProcessInformation, &SessionProcessInfo, sizeof(SessionProcessInfo), &retlen );
if ( NT_SUCCESS( Status ) ) break;
/*
* Make sure buffer is big enough */ MemFree( pBuffer ); if ( Status != STATUS_INFO_LENGTH_MISMATCH ) return (FALSE); ByteCount *= 2; }
if (retlen == 0) { MemFree(pBuffer); return TRUE; }
RtlInitUnicodeString(&CsrssName,L"CSRSS");
ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer; for ( ; ; ) { HANDLE ProcessHandle; CLIENT_ID ClientId; OBJECT_ATTRIBUTES ObjA;
if (RtlPrefixUnicodeString(&CsrssName,&(ProcessInfo->ImageName),TRUE)) { if (ProcessInfo->NextEntryOffset == 0) break; ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((ULONG_PTR)ProcessInfo + ProcessInfo->NextEntryOffset); continue; }
RtlInitUnicodeString(&NtsdName,L"ntsd"); if (! RtlPrefixUnicodeString(&NtsdName,&(ProcessInfo->ImageName),TRUE) ) { // If we found any process other than CSRSS and ntsd.exe, bump the
// the count
(*pNumTerminated) += 1; }
/*
* Found a process with a matching LogonId. * Attempt to open the process and terminate it. */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateProcesses, found processid 0x%x for LogonId %d\n", ProcessInfo->UniqueProcessId, ProcessInfo->SessionId )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Process Name %ws for LogonId %d\n", ProcessInfo->ImageName.Buffer, ProcessInfo->SessionId ));
ClientId.UniqueThread = 0; ClientId.UniqueProcess = (HANDLE)ProcessInfo->UniqueProcessId;
InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL ); Status = NtOpenProcess( &ProcessHandle, PROCESS_ALL_ACCESS, &ObjA, &ClientId ); if (!NT_SUCCESS(Status)) { DBGPRINT(("TERMSRV: Unable to open processid 0x%x, status=0x%x\n", ProcessInfo->UniqueProcessId, Status )); retval = FALSE; } else { Status = TerminateProcessAndWait( ProcessInfo->UniqueProcessId, ProcessHandle, 60 ); NtClose( ProcessHandle ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(("TERMSRV: Unable to terminate processid 0x%x, status=0x%x\n", ProcessInfo->UniqueProcessId, Status ));
retval = FALSE; } }
if ( ProcessInfo->NextEntryOffset == 0 ) break; ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((ULONG_PTR)ProcessInfo + ProcessInfo->NextEntryOffset); }
/*
* free buffer */ MemFree( pBuffer );
return retval;}
/*******************************************************************************
* WinStationDeleteWorker * * Delete a WinStation. ******************************************************************************/VOID WinStationDeleteWorker(PWINSTATION pWinStation){ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationDeleteWorker, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId ));
/*
* If this is the last reference, then * Initial program and all subsystems should be terminated by now. */ ENTERCRIT( &WinStationListLock ); ASSERT( (pWinStation->Links.Flink != NULL) && (pWinStation->Links.Blink != NULL)); RemoveEntryList( &pWinStation->Links );#if DBG
pWinStation->Links.Flink = pWinStation->Links.Blink = NULL;#endif
// Keep track of total session count for Load Balancing Indicator but don't
// track listen winstations
if (!(pWinStation->Flags & WSF_LISTEN)) WinStationTotalCount--;
// If we're resetting a disconnected session then adjust LB counter
if (pWinStation->State == State_Disconnected) { WinStationDiscCount--; }
LEAVECRIT( &WinStationListLock );
/*
* Unlock WinStation and delete it */ DeleteRefLock( &pWinStation->Lock );
/*
* Notify clients of deletion */ NotifySystemEvent( WEVENT_DELETE );}
/*******************************************************************************
* WinStationDeleteProc * * Delete the WinStation containing the specified RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock of WinStation to delete ******************************************************************************/VOID WinStationDeleteProc(PREFLOCK pLock){ PWINSTATION pWinStation; ICA_TRACE IcaTrace; NTSTATUS Status = STATUS_SUCCESS;
/*
* See if we need to wakeup IdleControlThread to maintain Console session */
if ((USER_SHARED_DATA->ActiveConsoleId == -1) && (gConsoleCreationDisable == 0) ) { NtSetEvent(WinStationIdleControlEvent, NULL); }
/*
* Get a pointer to the containing WinStation */ pWinStation = CONTAINING_RECORD( pLock, WINSTATION, Lock );
/*
* Release filtered address */
if (pWinStation->pRememberedAddress != NULL) { Filter_RemoveOutstandingConnection( &pWinStation->pRememberedAddress->addr[0], pWinStation->pRememberedAddress->length ); MemFree(pWinStation->pRememberedAddress); pWinStation->pRememberedAddress = NULL; if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } }
}
/*
* Release last remote ip address */
if( pWinStation->pLastClientAddress != NULL ) { MemFree( pWinStation->pLastClientAddress ); pWinStation->pLastClientAddress = NULL; }
/*
* If this hasn't yet been cleaned up do it now. */ if (pWinStation->ConnectEvent) { NtClose( pWinStation->ConnectEvent ); pWinStation->ConnectEvent = NULL; } if (pWinStation->CreateEvent) { NtClose( pWinStation->CreateEvent ); pWinStation->CreateEvent = NULL; }
if (pWinStation->SessionInitializedEvent) { CloseHandle(pWinStation->SessionInitializedEvent); pWinStation->SessionInitializedEvent = NULL; }
/*
* In the case where we timed out disconnecting the session we had * to delay the stack unload till here to avoid situation where Win32k * Display driver believe the session is still connected while the WD * is already unloaded. */ if ( pWinStation->hStack && (pWinStation->StateFlags & WSF_ST_DELAYED_STACK_TERMINATE) ) { pWinStation->StateFlags &= ~WSF_ST_DELAYED_STACK_TERMINATE;
/*
* Close the connection endpoint, if any */ if ( pWinStation->pEndpoint ) { /*
* First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation );
IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; }
IcaStackTerminate( pWinStation->hStack ); } /* close cdm */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmDisconnect ) { pWinStation->pWsx->pWsxCdmDisconnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); }
/*
* Call WinStation rundown function before killing the stack */ if ( pWinStation->pWsxContext ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; }
/*
* Close ICA stack and device handles */ if ( pWinStation->hStack ) { IcaStackClose( pWinStation->hStack ); pWinStation->hStack = NULL; }
if ( pWinStation->hIca ) { /* close trace */ memset( &IcaTrace, 0, sizeof(IcaTrace) ); (void) IcaIoControl( pWinStation->hIca, IOCTL_ICA_SET_TRACE, &IcaTrace, sizeof(IcaTrace), NULL, 0, NULL );
/* close handle */ IcaClose( pWinStation->hIca ); pWinStation->hIca = NULL; }
/*
* Close various ICA channel handles */ if ( pWinStation->hIcaBeepChannel ) { (void) IcaChannelClose( pWinStation->hIcaBeepChannel ); pWinStation->hIcaBeepChannel = NULL; }
if ( pWinStation->hIcaThinwireChannel ) { (void) IcaChannelClose( pWinStation->hIcaThinwireChannel ); pWinStation->hIcaThinwireChannel = NULL; }
if ( pWinStation->hConnectThread ) { NtClose( pWinStation->hConnectThread ); pWinStation->hConnectThread = NULL; }
/*
* Free security structures */ WinStationFreeSecurityDescriptor( pWinStation );
if ( pWinStation->pUserSid ) { pWinStation->pProfileSid = pWinStation->pUserSid; pWinStation->pUserSid = NULL; }
if (pWinStation->pProfileSid) { WinstationUnloadProfile(pWinStation); MemFree( pWinStation->pProfileSid ); pWinStation->pProfileSid = NULL; }
/*
* Cleanup UserToken */ if ( pWinStation->UserToken ) { NtClose( pWinStation->UserToken ); pWinStation->UserToken = NULL; }
if (pWinStation->LogonId > 0) { ENTERCRIT( &WinStationStartCsrLock ); Status = SmStopCsr( IcaSmApiPort, pWinStation->LogonId ); LEAVECRIT( &WinStationStartCsrLock ); } // Clean up the New Client Credentials struct for Long UserName
if (pWinStation->pNewClientCredentials != NULL) { MemFree(pWinStation->pNewClientCredentials); pWinStation->pNewClientCredentials = NULL; }
// Clean up the updated Notification Credentials
if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; }
/*
* Close the handles to the initial command process and sub-system process here. */ if (pWinStation->WindowsSubSysProcess) { NtClose( pWinStation->WindowsSubSysProcess ); pWinStation->WindowsSubSysProcess = NULL; }
// Close the InitialCommandProcess
if (pWinStation->InitialCommandProcess) { NtClose( pWinStation->InitialCommandProcess ); pWinStation->InitialCommandProcess = NULL; }
/*
* Cleanup licensing context */ LCDestroyContext(pWinStation);
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: SmStopCsr on CSRSS for Session=%d returned Status=%x\n", pWinStation->LogonId, Status )); ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: SmStopCsr Failed for Session=%d returned Status=%x\n", pWinStation->LogonId, Status )); // DbgBreakPoint();
ENTERCRIT( &WinStationZombieLock ); InsertTailList( &ZombieListHead, &pWinStation->Links ); LEAVECRIT( &WinStationZombieLock ); return; }
/*
* Zero WinStation name buffer */ RtlZeroMemory( pWinStation->WinStationName, sizeof(pWinStation->WinStationName) );
MemFree( pWinStation );}
/*******************************************************************************
* WinStationZombieProc * * Puts WinStation containing the specified RefLock in the zombie list. * * ENTRY: * pLock (input) * Pointer to RefLock of WinStation to delete ******************************************************************************/VOID WinStationZombieProc(PREFLOCK pLock){ PWINSTATION pWinStation;
pWinStation = CONTAINING_RECORD( pLock, WINSTATION, Lock ); ENTERCRIT( &WinStationZombieLock ); InsertTailList( &ZombieListHead, &pWinStation->Links ); LEAVECRIT( &WinStationZombieLock );}
/*******************************************************************************
* CopyReconnectInfo * * * ENTRY: ******************************************************************************/BOOL CopyReconnectInfo(PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo){ NTSTATUS Status;
RtlZeroMemory( pReconnectInfo, sizeof(*pReconnectInfo) );
/*
* Save WinStation name and configuration data. */ RtlCopyMemory( pReconnectInfo->WinStationName, pWinStation->WinStationName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( pReconnectInfo->ListenName, pWinStation->ListenName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( pReconnectInfo->ProtocolName, pWinStation->ProtocolName, sizeof(pWinStation->ProtocolName) ); RtlCopyMemory( pReconnectInfo->DisplayDriverName, pWinStation->DisplayDriverName, sizeof(pWinStation->DisplayDriverName) ); pReconnectInfo->Config = pWinStation->Config; pReconnectInfo->Client = pWinStation->Client;
/*
* Open a new TS connection to temporarily attach the stack to. */ Status = IcaOpen( &pReconnectInfo->hIca ); if (Status != STATUS_SUCCESS ) { return FALSE; }
Status = IcaStackDisconnect( pWinStation->hStack, pReconnectInfo->hIca, NULL ); if ( !NT_SUCCESS( Status ) ){ IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL; return FALSE; }
/*
* Save stack and endpoint data */ pReconnectInfo->hStack = pWinStation->hStack; pReconnectInfo->pEndpoint = pWinStation->pEndpoint; pReconnectInfo->EndpointLength = pWinStation->EndpointLength;
/*
* Indicate no stack or connection endpoint for this WinStation */ pWinStation->hStack = NULL; pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0;
/*
* Reopen a stack for this WinStation */ Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack );
/*
* Save the licensing stuff to move to other winstation */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxDuplicateContext ) { pReconnectInfo->pWsx = pWinStation->pWsx; pWinStation->pWsx->pWsxDuplicateContext( pWinStation->pWsxContext, &pReconnectInfo->pWsxContext ); }
/*
* Copy console owner info */ pReconnectInfo->fOwnsConsoleTerminal = pWinStation->fOwnsConsoleTerminal;
/*
* Copy the notification Credentials to move to other winstation */ if (pWinStation->pNewNotificationCredentials) { pReconnectInfo->pNotificationCredentials = pWinStation->pNewNotificationCredentials; } else { pReconnectInfo->pNotificationCredentials = NULL; }
/*
* Copy the remote client ip address to move to the other winstation */
if( pReconnectInfo->pRememberedAddress != NULL ) { MemFree( pReconnectInfo->pRememberedAddress ); pReconnectInfo->pRememberedAddress = NULL; }
if( pWinStation->pLastClientAddress != NULL ) { pReconnectInfo->pRememberedAddress = ( PREMEMBERED_CLIENT_ADDRESS )MemAlloc( sizeof( REMEMBERED_CLIENT_ADDRESS ) + pWinStation->pLastClientAddress->length - 1);
if( pReconnectInfo->pRememberedAddress != NULL ) { RtlCopyMemory( &pReconnectInfo->pRememberedAddress->addr[0] , &pWinStation->pLastClientAddress->addr[0] , pWinStation->pLastClientAddress->length );
pReconnectInfo->pRememberedAddress->length = pWinStation->pLastClientAddress->length; } } return TRUE;
}
/*******************************************************************************
* WinStationDoDisconnect * * Send disconnect message to a WinStation and optionally close connection * * ENTRY: * pWinStation (input) * Pointer to WinStation to disconnect * pReconnectInfo (input) OPTIONAL * Pointer to RECONNECT_INFO buffer * If NULL, this is a terminate disconnect. * * EXIT: * STATUS_SUCCESS - if successful * STATUS_CTX_WINSTATION_BUSY - if session is already disconnected, or busy ******************************************************************************/NTSTATUS WinStationDoDisconnect( PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo, BOOLEAN bSyncNotify){ WINSTATION_APIMSG DisconnectMsg; NTSTATUS Status; ULONG ulTimeout; BOOLEAN fOwnsConsoleTerminal = pWinStation->fOwnsConsoleTerminal; FILETIME DiscTime; DWORD SessionID; BOOLEAN bInformSessionDirectory = FALSE; TS_AUTORECONNECTINFO SCAutoReconnectInfo; ULONG BytesGot; BOOLEAN noTimeOutForConsoleOrSession0;
// We need to prevent from WinStationDoDisconnect being called twice
if ( pWinStation->State == State_Disconnected || pWinStation->StateFlags & WSF_ST_IN_DISCONNECT) { // The session is already disconnected.
// BUBUG a specific error code STATUS_CTX_SESSION_DICONNECTED would be better.
return (STATUS_CTX_WINSTATION_BUSY); } pWinStation->StateFlags |= WSF_ST_IN_DISCONNECT;
// console session or session0 behave like the physical console, they are special, no time out.
noTimeOutForConsoleOrSession0 = ( pWinStation->LogonId == 0 ) || (pWinStation->LogonId == (USER_SHARED_DATA->ActiveConsoleId) );
if (! noTimeOutForConsoleOrSession0 ) { /*
* Start disconnect timer if enabled */ if ( ulTimeout = pWinStation->Config.Config.User.MaxDisconnectionTime ) { if ( !pWinStation->fDisconnectTimer ) { Status = IcaTimerCreate( 0, &pWinStation->hDisconnectTimer ); if ( NT_SUCCESS( Status ) ) pWinStation->fDisconnectTimer = TRUE; else DBGPRINT(("xxxWinStationDisconnect - failed to create timer \n")); } if ( pWinStation->fDisconnectTimer ) IcaTimerStart( pWinStation->hDisconnectTimer, DisconnectTimeout, LongToPtr( pWinStation->LogonId ), ulTimeout ); } }
/*
* Stop any shadowing for this WinStation */ WinStationStopAllShadows( pWinStation );
/*
* Tell Win32k about the disconnect */ if (pWinStation->StateFlags & WSF_ST_CONNECTED_TO_CSRSS) { DisconnectMsg.ApiNumber = SMWinStationDoDisconnect; DisconnectMsg.u.DoDisconnect.ConsoleShadowFlag = FALSE;
Status = SendWinStationCommand( pWinStation, &DisconnectMsg, 600 ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR DoDisconnect failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); goto badwin32disconnect; } else {
ULONG WaitTime = 0;
/*
* Tell csrss to notify winlogon for the disconnect. */ if (pWinStation->UserName[0] != L'\0') { DisconnectMsg.WaitForReply = TRUE; WaitTime = 10; } else { DisconnectMsg.WaitForReply = FALSE; } DisconnectMsg.ApiNumber = SMWinStationNotify; if (bSyncNotify) { DisconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_SyncDisconnect; } else { DisconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_Disconnect; } Status = SendWinStationCommand( pWinStation, &DisconnectMsg, WaitTime );
pWinStation->StateFlags &= ~WSF_ST_CONNECTED_TO_CSRSS; pWinStation->fOwnsConsoleTerminal = FALSE; } }
/*
* close cdm */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmDisconnect ) { pWinStation->pWsx->pWsxCdmDisconnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); }
/*
* If a reconnect info struct has been specified, then this is NOT * a terminate disconnect. Save the current WinStation name, * WinStation and client configuration info, and license data. * Also disconnect the current stack and save the stack handle * and connection endpoint data. */ if ( pReconnectInfo || fOwnsConsoleTerminal) {
if ((pReconnectInfo == NULL) && fOwnsConsoleTerminal) { pReconnectInfo = &ConsoleReconnectInfo; if (ConsoleReconnectInfo.hIca) { CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); } }
if (!CopyReconnectInfo(pWinStation, pReconnectInfo)) { Status = STATUS_UNSUCCESSFUL; goto badstackopen;
} /*
* Copy console owner info */ pReconnectInfo->fOwnsConsoleTerminal = fOwnsConsoleTerminal;
/*
* This is a terminate disconnect. * If there is a connection endpoint, then close it now. */ } else if (pWinStation->pEndpoint ) {
/*
* First grab any autoreconnect info state and save it * in the winstation */
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - grabbing SC autoreconnect from stack\n"));
if (pWinStation->pWsx && pWinStation->pWsx->pWsxEscape) { Status = pWinStation->pWsx->pWsxEscape( pWinStation->pWsxContext, GET_SC_AUTORECONNECT_INFO, NULL, 0, &SCAutoReconnectInfo, sizeof(SCAutoReconnectInfo), &BytesGot);
if (NT_SUCCESS(Status)) {
//
// Valid the length of the SC info and save it into the winstation
// this will be used later on. We need to grab the info now
// before the stack handle is closed as we won't be able to IOCTL
// down to the stack at autoreconnect time.
//
if (SCAutoReconnectInfo.cbAutoReconnectInfo == sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - got SC ARC from stack\n"));
pWinStation->AutoReconnectInfo.Valid = TRUE; memcpy(&pWinStation->AutoReconnectInfo.ArcRandomBits, &SCAutoReconnectInfo.AutoReconnectInfo, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)); } else { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: Disconnecting - got invalid len SC ARC from stack\n")); ResetAutoReconnectInfo(pWinStation); } } else {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - did not get SC ARC from stack\n")); ResetAutoReconnectInfo(pWinStation); } }
/*
* First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation );
if (pWinStation->hStack != NULL) { Status = IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); ASSERT( NT_SUCCESS(Status) ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: StackConnectionClose failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); } }
MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0;
/*
* Close the stack and reopen it. * What we really need is a function to unload the stack drivers * but leave the stack handle open. */
if (pWinStation->hStack != NULL) { Status = IcaStackClose( pWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pWinStation->hStack = NULL; }
Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack );
/*
* Since this is a terminate disconnect, clear all client * license data and indicate it no longer holds a license. */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxClearContext ) { pWinStation->pWsx->pWsxClearContext( pWinStation->pWsxContext ); } /*
* Session 0, we want to get rid of any protocol extension so that next remote * connection could happen with a different protocol. */ if (pWinStation->LogonId == 0 ) { if ( pWinStation->pWsxContext ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; } pWinStation->pWsx = NULL; pWinStation->Client.ProtocolType = PROTOCOL_CONSOLE; } }
/*
* Cancel timers */ if ( pWinStation->fIdleTimer ) { pWinStation->fIdleTimer = FALSE; IcaTimerClose( pWinStation->hIdleTimer ); } if ( pWinStation->fLogonTimer ) { pWinStation->fLogonTimer = FALSE; IcaTimerClose( pWinStation->hLogonTimer ); }
// Send Audit Information only for actual disconnects
if (pWinStation->UserName && (wcslen(pWinStation->UserName) > 0)) { AuditEvent( pWinStation, SE_AUDITID_SESSION_DISCONNECTED ); }
// before we change state to disconnect, we want to give repopulating thread
// enough time to pick up winstation/report to SD, then this thread
// can notify SD to change state to disconnect.
// wait here before we ENTERCRIT() because repopulate thread
// also doing the same sequence.
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { SessDirWaitForRepopulate(); }
{ ENTERCRIT( &WinStationListLock ); (VOID) NtQuerySystemTime( &pWinStation->DisconnectTime );
if ((pWinStation->State == State_Active) || (pWinStation->State == State_Shadow)) { // If the session was active or in a shadow state and is being
// disconnected...
//
// Copy off the session ID and disconnection FileTime for the
// session directory call below. We do not want to hold locks when
// calling the directory interface.
memcpy(&DiscTime, &pWinStation->DisconnectTime, sizeof(DiscTime)); SessionID = pWinStation->LogonId;
// Set flag that we need to notify the session directory.
bInformSessionDirectory = TRUE; }
pWinStation->State = State_Disconnected; RtlZeroMemory( pWinStation->WinStationName, sizeof(pWinStation->WinStationName) ); RtlZeroMemory( pWinStation->ListenName, sizeof(pWinStation->ListenName) );
// Keep track of disconnected session count for Load Balancing
// Indicator.
WinStationDiscCount++;
LEAVECRIT( &WinStationListLock );
NotifySystemEvent( WEVENT_DISCONNECT | WEVENT_STATECHANGE ); }
// Call the session directory to inform of the disconnection.
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && bInformSessionDirectory) SessDirNotifyDisconnection(SessionID, DiscTime);
TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoDisconnect, rc=0x0\n" ));
Status = NotifyDisconnect(pWinStation, fOwnsConsoleTerminal); if ( !NT_SUCCESS(Status) ) { DBGPRINT(("NotifyConsoleDisconnect failed, SessionId = %d, Status = " "%d", pWinStation->LogonId, Status)); } pWinStation->StateFlags &= ~WSF_ST_IN_DISCONNECT;
return STATUS_SUCCESS;
/*=============================================================================
== Error returns=============================================================================*/
badstackopen:badwin32disconnect: TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoDisconnect, rc=0x%x\n", Status )); pWinStation->StateFlags &= ~WSF_ST_IN_DISCONNECT; return Status;}
/*******************************************************************************
* ImperonateClient * * Giving a client primary, make the calling thread impersonate the client * * ENTRY: * ClientToken (input) * A client primary token * pImpersonationToken (output) * Pointer to an impersonation token ******************************************************************************/NTSTATUS _ImpersonateClient(HANDLE ClientToken, HANDLE *pImpersonationToken){ SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; OBJECT_ATTRIBUTES ObjA; NTSTATUS Status;
//
// ClientToken is a primary token - create an impersonation token
// version of it so we can set it on our thread
//
InitializeObjectAttributes( &ObjA, NULL, 0L, NULL, NULL );
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation; SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; SecurityQualityOfService.EffectiveOnly = FALSE;
ObjA.SecurityQualityOfService = &SecurityQualityOfService;
Status = NtDuplicateToken( ClientToken, TOKEN_IMPERSONATE, &ObjA, FALSE, TokenImpersonation, pImpersonationToken ); if ( !NT_SUCCESS( Status ) ) { TRACE( ( hTrace, TC_ICASRV, TT_ERROR, "ImpersonateClient: cannot get impersonation token: 0x%x\n", Status ) ); return( Status ); }
//
// Impersonate the client
//
Status = NtSetInformationThread( NtCurrentThread(), ThreadImpersonationToken, ( PVOID )pImpersonationToken, ( ULONG )sizeof( HANDLE ) ); if ( !NT_SUCCESS( Status ) ) { TRACE( ( hTrace, TC_ICASRV, TT_ERROR, "ImpersonateClient: cannot impersonate client: 0x%x\n", Status ) ); }
return Status;}
/*******************************************************************************
* WinStationDoReconnect * * Send connect Api message to a WinStation. * * ENTRY: * pWinStation (input) * Pointer to WinStation to connect * pReconnectInfo (input) * Pointer to RECONNECT_INFO buffer ******************************************************************************/NTSTATUS WinStationDoReconnect( PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo){ WINSTATION_APIMSG ReconnectMsg; NTSTATUS Status; BOOLEAN fDisableCdm; BOOLEAN fDisableCpm; BOOLEAN fDisableLPT; BOOLEAN fDisableCcm; BOOLEAN fDisableClip; SHADOWCLASS Shadow; NTSTATUS TempStatus; PWINSTATIONCONFIG2 pCurConfig = NULL; PWINSTATIONCLIENT pCurClient = NULL;
// WinStation should not currently be connected
ASSERT( pWinStation->pEndpoint == NULL );
// Mark that Reconnect is still pending for this winstation
pWinStation->fReconnectPending = TRUE;
// Check if we r going to reconnect a session to the Console - this Flag is used in SendWinStationCommand
pWinStation->fReconnectingToConsole = pReconnectInfo->fOwnsConsoleTerminal ;
// Save the shadow state
Shadow = pWinStation->Config.Config.User.Shadow;
//
// Allocate and initialize CurConfig struct
//
if ( (pCurConfig = MemAlloc( sizeof(WINSTATIONCONFIG2) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pCurConfig, sizeof(WINSTATIONCONFIG2) );
//
// Allocate and initialize CurClient struct
//
if ( (pCurClient = MemAlloc( sizeof(WINSTATIONCLIENT) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pCurClient, sizeof(WINSTATIONCLIENT) );
//
// Config info has to be set prior to calling CSRSS. CSRSS notifies winlogon
// which in turn sends reconnect messages to notification dlls. We query
// protocol info from termsrv notification dll which is stored in config
// data
//
*pCurConfig = pWinStation->Config; pWinStation->Config = pReconnectInfo->Config;
*pCurClient = pWinStation->Client; pWinStation->Client = pReconnectInfo->Client;
if ((pWinStation->LogonId == 0) && (pWinStation->UserName[0] == L'\0')) { ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = TRUE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_PreReconnect; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 60 ); }
/*
* Unconditionally, we will send the PreReconnectDesktopSwitch event. */ ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = TRUE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_PreReconnectDesktopSwitch; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 60 );
/*
* Close the current stack and reconnect the saved stack to this WinStation */ if (pWinStation->hStack != NULL) { IcaStackClose( pWinStation->hStack ); pWinStation->hStack = NULL; }
Status = IcaStackReconnect( pReconnectInfo->hStack, pWinStation->hIca, pWinStation, pWinStation->LogonId ); if ( !NT_SUCCESS( Status ) ){ pWinStation->Config = *pCurConfig; pWinStation->Client = *pCurClient; goto badstackreconnect; }
/*
* Save stack and endpoint data */ pWinStation->hStack = pReconnectInfo->hStack; pWinStation->pEndpoint = pReconnectInfo->pEndpoint; pWinStation->EndpointLength = pReconnectInfo->EndpointLength;
/*
* Save the notification Credentials in the new winstation */ if (pReconnectInfo->pNotificationCredentials) {
if (pWinStation->pNewNotificationCredentials == NULL) { pWinStation->pNewNotificationCredentials = MemAlloc(sizeof(CLIENTNOTIFICATIONCREDENTIALS)); if (pWinStation->pNewNotificationCredentials == NULL) { Status = STATUS_NO_MEMORY ; goto nomem ; } }
RtlCopyMemory( pWinStation->pNewNotificationCredentials->Domain, pReconnectInfo->pNotificationCredentials->Domain, sizeof(pReconnectInfo->pNotificationCredentials->Domain) );
RtlCopyMemory( pWinStation->pNewNotificationCredentials->UserName, pReconnectInfo->pNotificationCredentials->UserName, sizeof(pReconnectInfo->pNotificationCredentials->UserName) );
} else { pWinStation->pNewNotificationCredentials = NULL; }
pReconnectInfo->hStack = NULL; pReconnectInfo->pEndpoint = NULL; pReconnectInfo->EndpointLength = 0; pReconnectInfo->pNotificationCredentials = NULL;
/*
* Copy remote ip to winstation */
if( pWinStation->pLastClientAddress != NULL ) { MemFree( pWinStation->pLastClientAddress ); pWinStation->pLastClientAddress = NULL; }
if( pReconnectInfo->pRememberedAddress != NULL ) { pWinStation->pLastClientAddress = pReconnectInfo->pRememberedAddress; pReconnectInfo->pRememberedAddress = NULL; }
/*
* Tell Win32k about the reconnect */ ReconnectMsg.ApiNumber = SMWinStationDoReconnect; ReconnectMsg.u.DoReconnect.fMouse = (BOOLEAN)pReconnectInfo->Client.fMouse; ReconnectMsg.u.DoReconnect.fClientDoubleClickSupport = (BOOLEAN)pReconnectInfo->Client.fDoubleClickDetect; ReconnectMsg.u.DoReconnect.fEnableWindowsKey = (BOOLEAN)pReconnectInfo->Client.fEnableWindowsKey; RtlCopyMemory( ReconnectMsg.u.DoReconnect.WinStationName, pReconnectInfo->WinStationName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.AudioDriverName, pReconnectInfo->Client.AudioDriverName, sizeof( ReconnectMsg.u.DoReconnect.AudioDriverName ) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.DisplayDriverName, pReconnectInfo->DisplayDriverName, sizeof( ReconnectMsg.u.DoReconnect.DisplayDriverName ) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.ProtocolName, pReconnectInfo->ProtocolName, sizeof( ReconnectMsg.u.DoReconnect.ProtocolName ) );
/*
* Set the display resolution information in the message for reconnection */ ReconnectMsg.u.DoReconnect.HRes = pReconnectInfo->Client.HRes; ReconnectMsg.u.DoReconnect.VRes = pReconnectInfo->Client.VRes; ReconnectMsg.u.DoReconnect.ProtocolType = pReconnectInfo->Client.ProtocolType; ReconnectMsg.u.DoReconnect.fDynamicReconnect = (BOOLEAN)(pWinStation->Config.Wd.WdFlag & WDF_DYNAMIC_RECONNECT );
/*
* Translate the color to the format excpected in winsrv */ switch (pReconnectInfo->Client.ColorDepth) { case 1: ReconnectMsg.u.DoReconnect.ColorDepth=4 ; // 16 colors
break; case 2: ReconnectMsg.u.DoReconnect.ColorDepth=8 ; // 256
break; case 4: ReconnectMsg.u.DoReconnect.ColorDepth= 16;// 64K
break; case 8: ReconnectMsg.u.DoReconnect.ColorDepth= 24;// 16M
break;#define DC_HICOLOR
#ifdef DC_HICOLOR
case 16: ReconnectMsg.u.DoReconnect.ColorDepth= 15;// 32K
break;#endif
default: ReconnectMsg.u.DoReconnect.ColorDepth=8 ; break; }
ReconnectMsg.u.DoReconnect.KeyboardType = pWinStation->Client.KeyboardType; ReconnectMsg.u.DoReconnect.KeyboardSubType = pWinStation->Client.KeyboardSubType; ReconnectMsg.u.DoReconnect.KeyboardFunctionKey = pWinStation->Client.KeyboardFunctionKey;
if (pWinStation->LogonId == 0 || g_bPersonalTS) { if (pWinStation->hWinmmConsoleAudioEvent) { if (pWinStation->Client.fRemoteConsoleAudio) { // set the remoting audio on console flag
SetEvent(pWinStation->hWinmmConsoleAudioEvent);
} else { // don't set the remoting audio on console flag
ResetEvent(pWinStation->hWinmmConsoleAudioEvent); } } if ( pWinStation->hRDPAudioDisabledEvent ) { if ( pWinStation->Config.Config.User.fDisableCam ) { SetEvent( pWinStation->hRDPAudioDisabledEvent ); } else { ResetEvent( pWinStation->hRDPAudioDisabledEvent ); } } }
if (WaitForSingleObject(pWinStation->hReconnectReadyEvent, 45*1000) != WAIT_OBJECT_0) { DbgPrint("Wait Failed for hReconnectReadyEvent for Session %d\n", pWinStation->LogonId); SetEvent(pWinStation->hReconnectReadyEvent); }
Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 600 ); if ( !NT_SUCCESS(Status) ) {
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR DoReconnect failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); pWinStation->Config = *pCurConfig; pWinStation->Client = *pCurClient; goto badreconnect; } else { pWinStation->StateFlags |= WSF_ST_CONNECTED_TO_CSRSS; }
//
// Update protocol and display driver names.
//
RtlCopyMemory( pWinStation->ProtocolName, pReconnectInfo->ProtocolName, sizeof(pWinStation->ProtocolName) ); RtlCopyMemory( pWinStation->DisplayDriverName, pReconnectInfo->DisplayDriverName, sizeof(pWinStation->DisplayDriverName) ); /*
* Copy console owner info */ pWinStation->fOwnsConsoleTerminal = pReconnectInfo->fOwnsConsoleTerminal;
//
// Set session time zone information.
//
if(pWinStation->LogonId != 0 && !pWinStation->fOwnsConsoleTerminal && RegIsTimeZoneRedirectionEnabled()) { WINSTATION_APIMSG TimezoneMsg;
memset( &TimezoneMsg, 0, sizeof(TimezoneMsg) ); TimezoneMsg.ApiNumber = SMWinStationSetTimeZone; memcpy(&(TimezoneMsg.u.SetTimeZone.TimeZone),&(pReconnectInfo->Client.ClientTimeZone), sizeof(TS_TIME_ZONE_INFORMATION)); SendWinStationCommand( pWinStation, &TimezoneMsg, 600 ); } /*
* Close temporary ICA connection that was opened for the reconnect */ IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL;
/*
* Move all of the licensing stuff to the new WinStation */
/*
* we may not have pWsx if the ReconnectInfo is from a session * that was connected to the local console */ if ( pReconnectInfo->pWsxContext ) { if ( pWinStation->pWsx == NULL ) { //
// This means that we are reconnecting remotely to a session
// that comes from the console. So create a new extension.
//
pWinStation->pWsx = FindWinStationExtensionDll( pWinStation->Config.Wd.WsxDLL, pWinStation->Config.Wd.WdFlag );
//
// Initialize winstation extension context structure
//
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationInitialize ) { Status = pWinStation->pWsx->pWsxWinStationInitialize( &pWinStation->pWsxContext);
if (!NT_SUCCESS(Status)) { pWinStation->pWsx = NULL; } }
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationReInitialize ) { WSX_INFO WsxInfo;
WsxInfo.Version = WSX_INFO_VERSION_1; WsxInfo.hIca = pWinStation->hIca; WsxInfo.hStack = pWinStation->hStack; WsxInfo.SessionId = pWinStation->LogonId; WsxInfo.pDomain = pWinStation->Domain; WsxInfo.pUserName = pWinStation->UserName;
Status = pWinStation->pWsx->pWsxWinStationReInitialize( pWinStation->pWsxContext, &WsxInfo );
if (!NT_SUCCESS(Status)) { pWinStation->pWsx = NULL; } } }
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCopyContext ) { pWinStation->pWsx->pWsxCopyContext( pWinStation->pWsxContext, pReconnectInfo->pWsxContext ); } if ( pReconnectInfo->pWsx && pReconnectInfo->pWsx->pWsxWinStationRundown ) { pReconnectInfo->pWsx->pWsxWinStationRundown( pReconnectInfo->pWsxContext ); } pReconnectInfo->pWsxContext = NULL;
} else { // pReconnectInfo->pWsxContext == NULL
//
// This means that we are reconnecting to the console.
//
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { //
// Reconnecting a remote session to the console.
// Delete the extension.
//
pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; pWinStation->pWsx = NULL;
//
// In the case where both are NULL, we are reconnecting
// to the console a session that comes from the console.
//
}
//
// Anytime we change state, we need to make sure session directory
// does not pick up wrong state.
// We need this because Repopulate release the lock before calling
// SD so there might be small timing that we might send this reconnect
// first because repopulate come back.
//
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { SessDirWaitForRepopulate(); }
RtlEnterCriticalSection( &WinStationListLock ); if (pWinStation->UserName[0] != (WCHAR) 0) { pWinStation->State = State_Active; } else { pWinStation->State = State_Connected; } RtlCopyMemory( pWinStation->WinStationName, pReconnectInfo->WinStationName, sizeof(WINSTATIONNAME) );
/*
* Copy the original listen name for instance checking. */ RtlCopyMemory( pWinStation->ListenName, pReconnectInfo->ListenName, sizeof(WINSTATIONNAME) );
// Keep track of disconnected session count for Load Balancing Indicator
WinStationDiscCount--;
RtlLeaveCriticalSection( &WinStationListLock );
/*
* Disable virtual channel flags are from the transport setup. * Do not overwrite them. */ fDisableCdm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCdm; fDisableCpm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCpm; fDisableLPT = (BOOLEAN) pWinStation->Config.Config.User.fDisableLPT; fDisableCcm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCcm; fDisableClip = (BOOLEAN) pWinStation->Config.Config.User.fDisableClip;
pWinStation->Config = pReconnectInfo->Config;
pWinStation->Config.Config.User.fDisableCdm = fDisableCdm; pWinStation->Config.Config.User.fDisableCpm = fDisableCpm; pWinStation->Config.Config.User.fDisableLPT = fDisableLPT; pWinStation->Config.Config.User.fDisableCcm = fDisableCcm; pWinStation->Config.Config.User.fDisableClip = fDisableClip; pWinStation->Config.Config.User.Shadow = Shadow;
/*
* Disable virtual channels if needed. */ VirtualChannelSecurity( pWinStation ); /*
* Notify the CDM channel of reconnection. */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmConnect ) { (VOID) pWinStation->pWsx->pWsxCdmConnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); }
/*
* Reset any autoreconnect information prior to reconnection * as it is stale. New information will be generated by the stack * when login completes. */ ResetAutoReconnectInfo(pWinStation);
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxLogonNotify ) {
PWCHAR pUserNameToSend, pDomainToSend ; // Use the New notification credentials sent from Gina for the call below if they are available
if (pWinStation->pNewNotificationCredentials) { pUserNameToSend = pWinStation->pNewNotificationCredentials->UserName; pDomainToSend = pWinStation->pNewNotificationCredentials->Domain; } else { pUserNameToSend = pWinStation->UserName; pDomainToSend = pWinStation->Domain ; }
Status = pWinStation->pWsx->pWsxLogonNotify( pWinStation->pWsxContext, pWinStation->LogonId, NULL, pDomainToSend, pUserNameToSend );
if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; }
if(!NT_SUCCESS(Status)) { TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect: LogonNotify rc=0x%x\n", Status )); } }
NotifySystemEvent( WEVENT_CONNECT | WEVENT_STATECHANGE );
/*
* Cleanup any allocated buffers. * The endpoint buffer was transfered to the WinStation above. */ pReconnectInfo->pEndpoint = NULL; pReconnectInfo->EndpointLength = 0;
/*
* Set connect time and stop disconnect timer */ NtQuerySystemTime(&pWinStation->ConnectTime); if (pWinStation->fDisconnectTimer) { pWinStation->fDisconnectTimer = FALSE; IcaTimerClose( pWinStation->hDisconnectTimer ); }
/*
* Start logon timers */ StartLogonTimers(pWinStation);
// Notify the session directory of the reconnection.
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { TSSD_ReconnectSessionInfo ReconnInfo;
ReconnInfo.SessionID = pWinStation->LogonId; ReconnInfo.TSProtocol = pWinStation->Client.ProtocolType; ReconnInfo.ResolutionWidth = pWinStation->Client.HRes; ReconnInfo.ResolutionHeight = pWinStation->Client.VRes; ReconnInfo.ColorDepth = pWinStation->Client.ColorDepth; SessDirNotifyReconnection(pWinStation, &ReconnInfo); }
TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect, rc=0x0\n" )); AuditEvent( pWinStation, SE_AUDITID_SESSION_RECONNECTED );
/*
* Tell csrss to notify winlogon for the reconnect then notify any process * that registred for notification. */
ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = FALSE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_Reconnect; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 0 );
Status = NotifyConnect(pWinStation, pWinStation->fOwnsConsoleTerminal); if ( !NT_SUCCESS(Status) ) { DBGPRINT(("NotifyConsoleConnect failed, SessionId = %d, Status = %d", pWinStation->LogonId, Status)); }
// Free up allocated Memory
if (pCurConfig != NULL) { MemFree( pCurConfig ); pCurConfig = NULL; } if (pCurClient != NULL) { MemFree( pCurClient ); pCurClient = NULL; }
if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; }
// Since the winstation has reconnected, we can allow further autoreconnects
pWinStation->fDisallowAutoReconnect = FALSE;
// Reset ReconnectPending Flag
pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE;
return STATUS_SUCCESS;
/*=============================================================================
== Error returns=============================================================================*/
/*
* Failure from Win32 reconnect call. * Disconnect the stack again, and indicate the WinStation * does not have a stack or endpoint connection. */badreconnect: TempStatus = IcaStackDisconnect( pWinStation->hStack, pReconnectInfo->hIca, NULL ); //ASSERT( NT_SUCCESS( TempStatus ) );
pReconnectInfo->hStack = pWinStation->hStack; pReconnectInfo->pEndpoint = pWinStation->pEndpoint; pReconnectInfo->EndpointLength = pWinStation->EndpointLength; pWinStation->hStack = NULL; pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0;
badstackreconnect: TempStatus = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); //ASSERT( NT_SUCCESS( TempStatus ) ); // don't know how to handle any error here
nomem: // Free up allocated Memory
if (pCurConfig != NULL) { MemFree( pCurConfig ); pCurConfig = NULL; } if (pCurClient != NULL) { MemFree( pCurClient ); pCurClient = NULL; }
if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; }
TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect, rc=0x%x\n", Status ));
// Reset ReconnectPending Flag
pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE;
return( Status );}
/*******************************************************************************
* WsxBrokenConnection * * Send broken connection notification to the WinStation extension DLL ******************************************************************************/VOID WsxBrokenConnection(PWINSTATION pWinStation){ /*
* Only send notification if there is a reason */ if ( pWinStation->BrokenReason ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxBrokenConnection ) { ICA_BROKEN_CONNECTION Broken;
Broken.Reason = pWinStation->BrokenReason; Broken.Source = pWinStation->BrokenSource; pWinStation->pWsx->pWsxBrokenConnection( pWinStation->pWsxContext, pWinStation->hStack, &Broken ); }
/*
* Clear these once we have tried to send them */ pWinStation->BrokenReason = 0; pWinStation->BrokenSource = 0; }}
/*******************************************************************************
* CleanupReconnect * * Cleanup the specified RECONNECT_INFO structure * * ENTRY: * pReconnectInfo (input) * Pointer to RECONNECT_INFO buffer ******************************************************************************/VOID CleanupReconnect(PRECONNECT_INFO pReconnectInfo){ NTSTATUS Status;
/*
* If there is a connection endpoint, then close it now. * When done, we also free the endpoint structure. */ if ( (pReconnectInfo->pEndpoint != NULL) && (pReconnectInfo->hStack != NULL)) { Status = IcaStackConnectionClose( pReconnectInfo->hStack, &pReconnectInfo->Config, pReconnectInfo->pEndpoint, pReconnectInfo->EndpointLength );
ASSERT( Status == STATUS_SUCCESS ); MemFree( pReconnectInfo->pEndpoint ); pReconnectInfo->pEndpoint = NULL; }
if ( pReconnectInfo->pWsxContext ) { if ( pReconnectInfo->pWsx && pReconnectInfo->pWsx->pWsxWinStationRundown ) { pReconnectInfo->pWsx->pWsxWinStationRundown( pReconnectInfo->pWsxContext ); } pReconnectInfo->pWsxContext = NULL; }
if ( pReconnectInfo->hStack ) { IcaStackClose( pReconnectInfo->hStack ); pReconnectInfo->hStack = NULL; }
if ( pReconnectInfo->hIca ) { IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL; }
if( pReconnectInfo->pRememberedAddress != NULL ) { MemFree( pReconnectInfo->pRememberedAddress ); pReconnectInfo->pRememberedAddress = NULL; }}
NTSTATUS _CloseEndpoint( IN PWINSTATIONCONFIG2 pWinStationConfig, IN PVOID pEndpoint, IN ULONG EndpointLength, IN PWINSTATION pWinStation, IN BOOLEAN bNeedStack){ HANDLE hIca; HANDLE hStack; NTSTATUS Status;
/*
* Open a stack handle that we can use to close the specified endpoint. */
TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: _CloseEndpoint [%p] on %s stack\n", pEndpoint, bNeedStack ? "Temporary" : "Primary"));
if (bNeedStack) { Status = IcaOpen( &hIca ); if ( NT_SUCCESS( Status ) ) { Status = IcaStackOpen( hIca, Stack_Primary, NULL, NULL, &hStack ); if ( NT_SUCCESS( Status ) ) { Status = IcaStackConnectionClose( hStack, pWinStationConfig, pEndpoint, EndpointLength ); IcaStackClose( hStack ); } IcaClose( hIca ); } }
else { Status = IcaStackConnectionClose( pWinStation->hStack, pWinStationConfig, pEndpoint, EndpointLength ); } if ( !NT_SUCCESS( Status ) ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: _CloseEndpoint failed [%s], Status=%x\n", bNeedStack ? "Temporary" : "Primary", Status )); }
return Status;}
/*******************************************************************************
* WinStationExceptionFilter * * Handle exception from a WinStation thread * * ENTRY: * pExceptionInfo (input) * pointer to EXCEPTION_POINTERS struct * * EXIT: * EXCEPTION_EXECUTE_HANDLER -- always ******************************************************************************/NTSTATUS WinStationExceptionFilter( PWSTR OutputString, PEXCEPTION_POINTERS pexi){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; MUTANT_BASIC_INFORMATION MutexInfo; NTSTATUS Status;
DbgPrint( "TERMSRV: %S\n", OutputString ); DbgPrint( "TERMSRV: ExceptionRecord=%p ContextRecord=%p\n", pexi->ExceptionRecord, pexi->ContextRecord ); DbgPrint( "TERMSRV: Exception code=%08x, flags=%08x, addr=%p, IP=%p\n", pexi->ExceptionRecord->ExceptionCode, pexi->ExceptionRecord->ExceptionFlags, pexi->ExceptionRecord->ExceptionAddress, CONTEXT_TO_PROGRAM_COUNTER(pexi->ContextRecord) );#ifdef i386
DbgPrint( "TERMSRV: esp=%p ebp=%p\n", pexi->ContextRecord->Esp, pexi->ContextRecord->Ebp );#endif
DbgBreakPoint();
/*
* Lock the global WinStation critsec if we don't already own it */ if ( NtCurrentTeb()->ClientId.UniqueThread != WinStationListLock.OwningThread ) ENTERCRIT( &WinStationListLock );
/*
* Search the WinStation list to see if we had any locked */ Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); Status = NtQueryMutant( pWinStation->Lock.Mutex, MutantBasicInformation, &MutexInfo, sizeof(MutexInfo), NULL ); if ( NT_SUCCESS( Status ) && MutexInfo.OwnedByCaller ) { ReleaseWinStation( pWinStation ); break; // OK to quit now, we should never lock more than one
} }
LEAVECRIT( &WinStationListLock );
return EXCEPTION_EXECUTE_HANDLER;}
/*******************************************************************************
* GetProcessLogonId * * Get LogonId for a process * * ENTRY: * ProcessHandle (input) * handle of process to get LogonId for * pLogonId (output) * location to return LogonId of process ******************************************************************************/NTSTATUS GetProcessLogonId(HANDLE Process, PULONG pLogonId){ NTSTATUS Status; PROCESS_SESSION_INFORMATION ProcessInfo;
/*
* Get the LogonId for the process */ *pLogonId = 0; Status = NtQueryInformationProcess( Process, ProcessSessionInformation, &ProcessInfo, sizeof( ProcessInfo ), NULL ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: GetProcessLogonId, Process=%x, Status=%x\n", Process, Status )); return( Status ); }
*pLogonId = ProcessInfo.SessionId; return Status;}
/*******************************************************************************
* SetProcessLogonId * * Set LogonId for a process * * ENTRY: * ProcessHandle (input) * handle of process to set LogonId for * LogonId (output) * LogonId to set for process ******************************************************************************/NTSTATUS SetProcessLogonId(HANDLE Process, ULONG LogonId){ NTSTATUS Status; PROCESS_SESSION_INFORMATION ProcessInfo;
/*
* Set the LogonId for the process */ ProcessInfo.SessionId = LogonId; Status = NtSetInformationProcess( Process, ProcessSessionInformation, &ProcessInfo, sizeof( ProcessInfo ) ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: SetProcessLogonId, Process=%x, Status=%x\n", Process, Status )); return Status; }
return Status;}
/*******************************************************************************
* FindWinStationById * * Find and lock a WinStation given its LogonId * * ENTRY: * LogonId (input) * LogonId of WinStation to find * LockList (input) * BOOLEAN indicating whether WinStationListLock should be * left locked on return * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/PWINSTATION FindWinStationById(ULONG LogonId, BOOLEAN LockList){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for a WinStation with the given logonid. */searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->LogonId == LogonId ) { uCount++;
/*
* Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; }#if DBG
#else
break;#endif
} }
ASSERT((uCount <= 1) || (LogonId== -1) );
/*
* If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock );
if (pFoundWinStation == NULL) { TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: FindWinStationById: %d (not found)\n", LogonId )); }
return pFoundWinStation;}
BOOLFindFirstListeningWinStationName( PWINSTATIONNAMEW pListenName, PWINSTATIONCONFIG2 pConfig ){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; BOOL bFound = FALSE;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
searchagain: /*
* Search the list for a WinStation with the given name. */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->Flags & WSF_LISTEN && pWinStation->Client.ProtocolType == PROTOCOL_RDP) {
// try to lock winstation.
if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain;
CopyMemory( pConfig, &(pWinStation->Config), sizeof(WINSTATIONCONFIG2) ); lstrcpy( pListenName, pWinStation->WinStationName ); ReleaseWinStation( pWinStation ); bFound = TRUE; } }
LEAVECRIT( &WinStationListLock );
TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindFirstListeningWinStationName: %ws\n", (bFound) ? pListenName : L"Not Found" ));
return bFound;}
/*******************************************************************************
* FindWinStationByName * * Find and lock a WinStation given its Name * * ENTRY: * WinStationName (input) * Name of WinStation to find * LockList (input) * BOOLEAN indicating whether WinStationListLock should be * left locked on return * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/PWINSTATION FindWinStationByName(LPWSTR WinStationName, BOOLEAN LockList){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for a WinStation with the given name. */searchagain: for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !_wcsicmp( pWinStation->WinStationName, WinStationName ) ) {
/*
* Now try to lock the WinStation. If this succeeds, * then ensure it still has the name we're searching for. */ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; if ( _wcsicmp( pWinStation->WinStationName, WinStationName ) ) { ReleaseWinStation( pWinStation ); goto searchagain; }
/*
* If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock );
TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindWinStationByName: %S, LogonId %u\n", WinStationName, pWinStation->LogonId )); return( pWinStation ); } }
/*
* If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock );
TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindWinStationByName: %S, (not found)\n", WinStationName )); return NULL;}
/*******************************************************************************
* FindIdleWinStation * * Find and lock an idle WinStation * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/PWINSTATION FindIdleWinStation(){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; BOOLEAN bFirstTime = TRUE;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for an idle WinStation */searchagain: for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( (pWinStation->Flags & WSF_IDLE) && !(pWinStation->Flags & WSF_IDLEBUSY) && !pWinStation->Starting ) {
/*
* Now try to lock the WinStation. If this succeeds, * then ensure it is still marked as idle. */ if ( !LockRefLock( &pWinStation->Lock ) ) { goto searchagain; } if ( !(pWinStation->Flags & WSF_IDLE) || (pWinStation->Flags & WSF_IDLEBUSY) || pWinStation->Starting ) { ReleaseWinStation( pWinStation ); goto searchagain; }
LEAVECRIT( &WinStationListLock ); return( pWinStation ); } }
LEAVECRIT( &WinStationListLock );
TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: FindIdleWinStation: (none found)\n" )); return NULL;}
/*******************************************************************************
* CountWinStationType * * Count the number of matching Winstation Listen Names * * ENTRY: * Listen Name * * bActiveOnly if TRUE, count only active WinStations * * EXIT: * Number ******************************************************************************/ULONG CountWinStationType( PWINSTATIONNAME pListenName, BOOLEAN bActiveOnly, BOOLEAN bLockHeld){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG Count = 0;
Head = &WinStationListHead;
if ( !bLockHeld ) { ENTERCRIT( &WinStationListLock ); }
/*
* Search the list for an idle WinStation */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !wcscmp( pWinStation->ListenName, pListenName ) ) { if ( !bActiveOnly ) Count++; else if ( pWinStation->State == State_Active || pWinStation->State == State_Shadow ) Count++; } }
if ( !bLockHeld ) { LEAVECRIT( &WinStationListLock ); }
TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: CountWinstationType %d\n", Count )); return Count;}
/*******************************************************************************
* IncrementReference * * Increments refcount on a WinStation given a pointer * * NOTE: * WinStationListLock must be locked on entry and will be locked on return. * * ENTRY: * pWinStation (input) * Pointer to WinStation to lock * ******************************************************************************/void IncrementReference(PWINSTATION pWinStation){ /*
* increment the ref count on winstation. */
InterlockedIncrement( &pWinStation->Lock.RefCount );}
/*******************************************************************************
* InitRefLock * * Initialize a RefLock and lock it. * * ENTRY: * pLock (input) * Pointer to RefLock to init * pDeleteProcedure (input) * Pointer to delete procedure for object ******************************************************************************/NTSTATUS InitRefLock(PREFLOCK pLock, PREFLOCKDELETEPROCEDURE pDeleteProcedure){ NTSTATUS Status;
// Create and lock winstation mutex
Status = NtCreateMutant( &pLock->Mutex, MUTANT_ALL_ACCESS, NULL, TRUE ); if ( !NT_SUCCESS( Status ) ) return( Status );
pLock->RefCount = 1; pLock->Invalid = FALSE; pLock->pDeleteProcedure = pDeleteProcedure;
return STATUS_SUCCESS;}
/*******************************************************************************
* SetRefLockDeleteProc * * Cahnge a RefLock DeleteProc. * * ENTRY: * pLock (input) * Pointer to RefLock to init * pDeleteProcedure (input) * Pointer to delete procedure for object ******************************************************************************/NTSTATUS SetRefLockDeleteProc( PREFLOCK pLock, PREFLOCKDELETEPROCEDURE pDeleteProcedure){ pLock->pDeleteProcedure = pDeleteProcedure; return STATUS_SUCCESS;}
/*******************************************************************************
* LockRefLock * * Increment the reference count for a RefLock and lock it. * * NOTE: * WinStationListLock must be locked on entry and will be locked on return. * * ENTRY: * pLock (input) * Pointer to RefLock to lock * * EXIT: * TRUE - if object was locked successfully * FALSE - otherwise ******************************************************************************/BOOLEAN LockRefLock(PREFLOCK pLock){ /*
* Increment reference count for this RefLock. */ InterlockedIncrement( &pLock->RefCount );
/*
* If mutex cannot be locked without blocking, * then unlock the WinStation list lock, wait for the mutex, * and relock the WinStation list lock. */ if ( NtWaitForSingleObject( pLock->Mutex, FALSE, &TimeoutZero ) != STATUS_SUCCESS ) { LEAVECRIT( &WinStationListLock ); NtWaitForSingleObject( pLock->Mutex, FALSE, NULL ); ENTERCRIT( &WinStationListLock );
/*
* If the object is marked as invalid, it was removed while * we waited for the lock. Release our lock and return FALSE, * indicating we were unable to lock it. */ if ( pLock->Invalid ) { /*
* Release the winstationlist lock because the Winstation * migth go away as a result of releasing its lock, */ LEAVECRIT( &WinStationListLock ); ReleaseRefLock( pLock ); ENTERCRIT( &WinStationListLock ); return FALSE; } }
return TRUE;}
/*******************************************************************************
* RelockRefLock * * Relock a RefLock which has been unlocked but still has a reference. * * NOTE: * Object must have been previously unlocked by calling UnlockRefLock. * * EXIT: * TRUE - if object is still valid * FALSE - if object was marked invalid while unlocked ******************************************************************************/BOOLEAN RelockRefLock(PREFLOCK pLock){ /*
* Lock the mutex */ NtWaitForSingleObject( pLock->Mutex, FALSE, NULL );
/*
* If the object is marked as invalid, * it was removed while it was unlocked so we return FALSE. */ return !pLock->Invalid;}
/*******************************************************************************
* UnlockRefLock * * Unlock a RefLock but keep a reference to it (don't decrement * the reference count). Caller must use RelockWinRefLock * to relock the object. * * ENTRY: * pLock (input) * Pointer to RefLock to unlock ******************************************************************************/VOID UnlockRefLock(PREFLOCK pLock){ NtReleaseMutant(pLock->Mutex, NULL);}
/*******************************************************************************
* ReleaseRefLock * * Unlock and dereference a RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock to release ******************************************************************************/VOID ReleaseRefLock(PREFLOCK pLock){ ASSERT( pLock->RefCount > 0 );
/*
* If object has been marked invalid and we are the * last reference, then finish deleting it now. */ if ( pLock->Invalid ) { ULONG RefCount;
RefCount = InterlockedDecrement( &pLock->RefCount ); NtReleaseMutant( pLock->Mutex, NULL ); if ( RefCount == 0 ) { NtClose( pLock->Mutex ); (*pLock->pDeleteProcedure)( pLock ); }
} else { InterlockedDecrement( &pLock->RefCount ); NtReleaseMutant( pLock->Mutex, NULL ); }}
/*******************************************************************************
* DeleteRefLock * * Unlock, dereference, and delete a RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock to delete ******************************************************************************/VOID DeleteRefLock(PREFLOCK pLock){ ASSERT( pLock->RefCount > 0 );
/*
* If we are the last reference, then delete the object now */ if ( InterlockedDecrement( &pLock->RefCount ) == 0 ) { NtReleaseMutant( pLock->Mutex, NULL ); NtClose( pLock->Mutex ); (*pLock->pDeleteProcedure)( pLock );
/*
* Otherwise, just mark the object invalid */ } else { pLock->Invalid = TRUE; NtReleaseMutant( pLock->Mutex, NULL ); }}
BOOLEAN IsWinStationLockedByCaller(PWINSTATION pWinStation){ MUTANT_BASIC_INFORMATION MutantInfo; NTSTATUS Status;
Status = NtQueryMutant( pWinStation->Lock.Mutex, MutantBasicInformation, &MutantInfo, sizeof(MutantInfo), NULL ); if ( NT_SUCCESS( Status ) ) return MutantInfo.OwnedByCaller;
return FALSE;}
/*******************************************************************************
* WinStationEnumerateWorker * * Enumerate the WinStation list and return LogonIds and WinStation * names to the caller. * * NOTE: * This version only returns one entry at a time. There is no guarantee * across calls that the list will not change, causing the users Index * to miss an entry or get the same entry twice. * * ENTRY: * pEntries (input/output) * Pointer to number of entries to return/number actually returned * pWin (output) * Pointer to buffer to return entries * pByteCount (input/output) * Pointer to size of buffer/length of data returned in buffer * pIndex (input/output) * Pointer to WinStation index to return/next index ******************************************************************************/NTSTATUS WinStationEnumerateWorker( PULONG pEntries, PLOGONID pWin, PULONG pByteCount, PULONG pIndex){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG WinStationIndex; ULONG MaxEntries, MaxByteCount; NTSTATUS Status; NTSTATUS Error = STATUS_NO_MORE_ENTRIES;
WinStationIndex = 0; MaxEntries = *pEntries; MaxByteCount = *pByteCount; *pEntries = 0; *pByteCount = 0; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
if ( *pEntries >= MaxEntries || *pByteCount + sizeof(LOGONID) > MaxByteCount ) { break; }
pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
//
// If Session has not yet been fully Started, skip this session during Enumeration
//
if (pWinStation->LogonId == -1) { continue; }
if ( *pIndex == WinStationIndex ) { (*pIndex)++; // set Index to next entry
/*
* Verify that client has QUERY access before * returning it in the enumerate list. * (Note that RpcCheckClientAccess only references the WinStation * to get the LogonId, so it is safe to call this routine without * locking the WinStation since we hold the WinStationListLock * which prevents the WinStation from being deleted.) */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( NT_SUCCESS( Status ) ) { Error = STATUS_SUCCESS;
/*
* It's possible that the LPC client can go away while we * are processing this call. Its also possible that another * server thread handles the LPC_PORT_CLOSED message and closes * the port, which deletes the view memory, which is what * pWin points to. In this case the pWin references below * will trap. We catch this and just break out of the loop. */ try { pWin->LogonId = pWinStation->LogonId; if ( pWinStation->Terminating ) pWin->State = State_Down; else pWin->State = pWinStation->State; wcscpy( pWin->WinStationName, pWinStation->WinStationName ); } except( EXCEPTION_EXECUTE_HANDLER ) { break; } pWin++; (*pEntries)++; *pByteCount += sizeof(LOGONID); } } WinStationIndex++; }
LEAVECRIT( &WinStationListLock ); return Error;}
/*******************************************************************************
* LogonIdFromWinStationNameWorker * * Return the LogonId for a given WinStation name. * * ENTRY: * WinStationName (input) * name of WinStation to query * pLogonId (output) * Pointer to location to return LogonId ******************************************************************************/NTSTATUS LogonIdFromWinStationNameWorker( PWINSTATIONNAME WinStationName, ULONG NameSize, PULONG pLogonId){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status; UINT uiLength;
// make sure we don't go beyond the end of one of the two strings
// (and work around bug #229753 : NameSize is in bytes, not a characters count)
if (NameSize > sizeof(WINSTATIONNAME)) { uiLength = sizeof(WINSTATIONNAME)/sizeof(WCHAR); } else { uiLength = NameSize/sizeof(WCHAR); }
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
if ( !_wcsnicmp( pWinStation->WinStationName, WinStationName, uiLength ) ) {
/*
* If client doesn't have QUERY access, return NOT_FOUND error */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( !NT_SUCCESS( Status ) ) break; *pLogonId = pWinStation->LogonId; LEAVECRIT( &WinStationListLock ); return( STATUS_SUCCESS ); } }
LEAVECRIT( &WinStationListLock ); return STATUS_CTX_WINSTATION_NOT_FOUND;}
/*******************************************************************************
* IcaWinStationNameFromLogonId * * Return the WinStation name for a given LogonId. * * ENTRY: * LogonId (output) * LogonId to query * pWinStationName (input) * pointer to location to return WinStation name ******************************************************************************/NTSTATUS IcaWinStationNameFromLogonId( ULONG LogonId, PWINSTATIONNAME pWinStationName){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
if ( pWinStation->LogonId == LogonId ) { /*
* If client doesn't have QUERY access, return NOT_FOUND error */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( !NT_SUCCESS( Status ) ) break; wcscpy( pWinStationName, pWinStation->WinStationName ); LEAVECRIT( &WinStationListLock ); return( STATUS_SUCCESS ); } }
LEAVECRIT( &WinStationListLock ); return STATUS_CTX_WINSTATION_NOT_FOUND;}
NTSTATUS TerminateProcessAndWait( HANDLE ProcessId, HANDLE Process, ULONG Seconds){ NTSTATUS Status; ULONG mSecs; LARGE_INTEGER Timeout;
/*
* Try to terminate the process */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateProcessAndWait, process=0x%x, ", ProcessId ));
Status = NtTerminateProcess( Process, STATUS_SUCCESS ); if ( !NT_SUCCESS( Status ) && Status != STATUS_PROCESS_IS_TERMINATING ) { DBGPRINT(("Terminate=0x%x\n", Status )); return( Status ); } TRACE((hTrace,TC_ICASRV,TT_API1, "Terminate=0x%x, ", Status ));
/*
* Wait for the process to die */ mSecs = Seconds * 1000; Timeout = RtlEnlargedIntegerMultiply( mSecs, -10000 ); Status = NtWaitForSingleObject( Process, FALSE, &Timeout );
TRACE((hTrace,TC_ICASRV,TT_API1, "Wait=0x%x\n", Status ));
return Status;}
/*****************************************************************************
* ShutdownLogoff * * Worker function to handle logoff notify of WinStations when * the system is being shutdown. * * It is built from the code in WinStationReset * * ENTRY: * Client LogonId (input) * LogonId of the client Winstation doing the shutdown. This is so * that he does not get reset. * Flags (input) * The shutdown flags. ****************************************************************************/NTSTATUS ShutdownLogoff(ULONG ClientLogonId, ULONG Flags){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation, pConsole = NULL; PULONG Tmp; PULONG Ids = NULL; ULONG IdCount = 0; ULONG IdAllocCount = 0; NTSTATUS Status = STATUS_SUCCESS;
TRACE((hTrace,TC_ICASRV,TT_API1, "ShutdownLogoff: Called from WinStation %d Flags %x\n", ClientLogonId, Flags ));
/*
* Loop through all the WinStations getting the LogonId's * of active Winstations */ Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
//
// take a reference on the console
//
if ( pWinStation->fOwnsConsoleTerminal ) { if (!pConsole) { IncrementReference( pWinStation ); pConsole = pWinStation; } }
//
// just skip :
// - the caller's session
// - the console (because winsrv!W32WinStationExitWindows would fail for the console)
// - the listener
//
if ( ( pWinStation->LogonId == ClientLogonId ) || ( pWinStation->LogonId == 0) || ( pWinStation->Flags & WSF_LISTEN ) ) { // Skip this one, or it's a listen
continue; }
if ( IdCount >= IdAllocCount ) { // Reallocate the array
IdAllocCount += 16; Tmp = RtlAllocateHeap( RtlProcessHeap(), 0, IdAllocCount * sizeof(ULONG) ); if ( Tmp == NULL ) { Status = STATUS_NO_MEMORY; if ( Ids ) RtlFreeHeap( RtlProcessHeap(), 0, Ids ); IdCount = 0; break; } if ( Ids ) { RtlCopyMemory( Tmp, Ids, IdCount*sizeof(ULONG) ); RtlFreeHeap( RtlProcessHeap(), 0, Ids ); } Ids = Tmp; } // Copy the LogonId into our array
Ids[IdCount++] = pWinStation->LogonId; }
//
// We are protected by new winstations starting up by the shutdown
// global flags.
//
// The actual WinStation reset routine will validate that the LogonId
// is still valid
//
LEAVECRIT( &WinStationListLock );
//
// see if the console is being shadowed
//
if ( pConsole ) { RelockWinStation( pConsole ); WinStationStopAllShadows( pConsole ); ReleaseWinStation( pConsole ); }
if (IdCount !=0) { //
// Ids[] holds the LogonId's of valid Winstations, IdCount is the number
//
/*
* Now do the actual logout and/or reset of the WinStations. */ if (Flags & WSD_LOGOFF) { Status = DoForWinStationGroup( Ids, IdCount, (LPTHREAD_START_ROUTINE) WinStationLogoff); }
if (Flags & WSD_SHUTDOWN) { Status = DoForWinStationGroup( Ids, IdCount, (LPTHREAD_START_ROUTINE) WinStationShutdownReset); } }
return Status;}
/*****************************************************************************
* DoForWinStationGroup * * Executes a function for each WinStation in the group. * The group is passed as an array of LogonId's. * * ENTRY: * Ids (input) * Array of LogonId's of WinStations to reset * * IdCount (input) * Count of LogonId's in array * * ThreadProc (input) * The thread routine executed for each WinStation. ****************************************************************************/NTSTATUS DoForWinStationGroup( PULONG Ids, ULONG IdCount, LPTHREAD_START_ROUTINE ThreadProc){ ULONG Index; NTSTATUS Status; LARGE_INTEGER Timeout; PHANDLE ThreadHandles = NULL;
ThreadHandles = RtlAllocateHeap( RtlProcessHeap(), 0, IdCount * sizeof(HANDLE) ); if( ThreadHandles == NULL ) { return( STATUS_NO_MEMORY ); }
/*
* Wait a max of 60 seconds for thread to exit */ Timeout = RtlEnlargedIntegerMultiply( 60000, -10000 );
for( Index=0; Index < IdCount; Index++ ) {
//
// Here we create a thread to run the actual reset function.
// Since we are holding the lists crit sect, the threads will
// wait until we are done, then wake up when we release it
//
DWORD ThreadId;
ThreadHandles[Index] = CreateThread( NULL, 0, // use Default stack size of the svchost process
ThreadProc, LongToPtr( Ids[Index] ), // LogonId
THREAD_SET_INFORMATION, &ThreadId ); if ( !ThreadHandles[Index] ) { ThreadHandles[Index] = (HANDLE)(-1); TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Shutdown: Could not create thread for WinStation %d Shutdown\n", Ids[Index])); } }
//
// Now wait for the threads to exit. Each will reset their
// WinStation and be signal by the kernel when the thread is
// exited.
//
for (Index=0; Index < IdCount; Index++) { if ( ThreadHandles[Index] != (HANDLE)(-1) ) { Status = NtWaitForSingleObject( ThreadHandles[Index], FALSE, // Not alertable
&Timeout );
if( Status == STATUS_TIMEOUT ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: DoForWinStationGroup: Timeout Waiting for Thread\n")); } else if (!NT_SUCCESS( Status ) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: DoForWinStationGroup: Error waiting for Thread Status 0x%x\n", Status)); } NtClose( ThreadHandles[Index] ); } }
/* makarp:free the ThreadHandles. // #182609 */ RtlFreeHeap( RtlProcessHeap(), 0, ThreadHandles );
return STATUS_SUCCESS;}
/*****************************************************************************
* WinStationShutdownReset * * Reset a WinStation due to a system shutdown. Does not re-create * it. * * ENTRY: * ThreadArg (input) * WinStation logonId ****************************************************************************/ULONG WinStationShutdownReset(PVOID ThreadArg){ ULONG LogonId = (ULONG)(INT_PTR)ThreadArg; PWINSTATION pWinStation; NTSTATUS Status; ULONG ulIndex; BOOL bConnectDisconnectPending = TRUE;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: ShutdownReset, LogonId=%d\n", LogonId ));
/*
* Find and lock the WinStation struct for the specified LogonId */ pWinStation = FindWinStationById( LogonId, FALSE ); if ( pWinStation == NULL ) { Status = STATUS_CTX_WINSTATION_NOT_FOUND; goto done; }
/*
* Console is a special case since it only logs off */ if ( LogonId == 0 ) { Status = LogoffWinStation( pWinStation, (EWX_FORCE | EWX_LOGOFF) ); ReleaseWinStation( pWinStation ); goto done; }
/*
* Mark the winstation as being deleted. * If a reset/delete operation is already in progress * on this winstation, then don't proceed with the delete. * Also if there is a Connect/disconnect pending, give it * a chance to complete. */ for (ulIndex=0; ulIndex < WINSTATION_WAIT_COMPLETE_RETRIES; ulIndex++) {
if ( pWinStation->Flags & (WSF_RESET | WSF_DELETE) ) { ReleaseWinStation( pWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; goto done; }
if ( pWinStation->Flags & (WSF_CONNECT | WSF_DISCONNECT) ) { LARGE_INTEGER Timeout; Timeout = RtlEnlargedIntegerMultiply( WINSTATION_WAIT_COMPLETE_DURATION, -10000 ); UnlockWinStation( pWinStation ); NtDelayExecution( FALSE, &Timeout ); if ( !RelockWinStation( pWinStation ) ) { ReleaseWinStation( pWinStation ); Status = STATUS_SUCCESS; goto done; } } else { bConnectDisconnectPending = FALSE; break; } }
if ( bConnectDisconnectPending ) { ReleaseWinStation( pWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; goto done; }
pWinStation->Flags |= WSF_DELETE;
/*
* If no broken reason/source have been set, then set them here. */ if ( pWinStation->BrokenReason == 0 ) { pWinStation->BrokenReason = Broken_Terminate; pWinStation->BrokenSource = BrokenSource_Server; }
/*
* Make sure this WinStation is ready to delete */ WinStationTerminate( pWinStation );
/*
* Call the WinStationDelete worker */ WinStationDeleteWorker( pWinStation ); Status = STATUS_SUCCESS;
done: TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: ShutdownReset, Status=0x%x\n", Status )); ExitThread( 0 ); return Status;}
/*****************************************************************************
* WinStationLogoff * * Logoff the WinStation via ExitWindows. * * ENTRY: * ThreadArg (input) * WinStation logonId ****************************************************************************/ULONG WinStationLogoff(PVOID ThreadArg){ ULONG LogonId = (ULONG)(INT_PTR)ThreadArg; PWINSTATION pWinStation; NTSTATUS Status; LARGE_INTEGER Timeout;
/*
* Wait a maximum of 1 min for the session to logoff */ Timeout = RtlEnlargedIntegerMultiply( 60000, -10000 );
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationLogoff, LogonId=%d\n", LogonId ));
/*
* Find and lock the WinStation struct for the specified LogonId */ pWinStation = FindWinStationById( LogonId, FALSE ); if ( pWinStation == NULL ) { Status = STATUS_CTX_WINSTATION_NOT_FOUND; } else { Status = LogoffWinStation( pWinStation, EWX_LOGOFF);
if (ShutdownInProgress && NT_SUCCESS(Status) && ((pWinStation->State == State_Active) || (pWinStation->State == State_Disconnected))) {
UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( pWinStation->InitialCommandProcess, FALSE, &Timeout ); RelockWinStation( pWinStation ); }
ReleaseWinStation( pWinStation ); }
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationLogoff, Status=0x%x\n", Status )); ExitThread( 0 ); return Status;}
/*******************************************************************************
* ResetGroupByListener * * Resets all active winstations on the supplied listen name. * * ENTRY: * pListenName (input) * Type of Winstation (e.g. tcp, ipx) ******************************************************************************/VOID ResetGroupByListener(PWINSTATIONNAME pListenName){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for all active WinStation with the given ListenName. */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (!wcscmp(pWinStation->ListenName, pListenName) && (!(pWinStation->Flags & (WSF_RESET | WSF_LISTEN)))) { QueueWinStationReset(pWinStation->LogonId); } }
LEAVECRIT( &WinStationListLock );}
NTSTATUS LogoffWinStation(PWINSTATION pWinStation, ULONG ExitWindowsFlags){ WINSTATION_APIMSG msg; NTSTATUS Status = 0;
/*
* Tell the WinStation to logoff */ msg.ApiNumber = SMWinStationExitWindows; msg.u.ExitWindows.Flags = ExitWindowsFlags; Status = SendWinStationCommand( pWinStation, &msg, 0 ); return Status;}
/*****************************************************************************
* * This section of the file contains the impementation of the digital * certification mechanism for the Stack and WinStation Extension DLLs. This * code is not in a separate file so that external symbols are not visible. * All routines are declared static. * ****************************************************************************/
//
// For security reasons, the TRACE statements in the following routine are
// normally not included. If you want to include them, uncomment the
// SIGN_DEBUG_WINSTA #define below.
//
// #define SIGN_DEBUG_WINSTA
#include <wincrypt.h>
#include <imagehlp.h>
#include <stddef.h>
#include "../../tscert/inc/pubblob.h" // needed by certvfy.inc
#include "../../tscert/inc/certvfy.inc" // VerifyFile()
//
// The following are initialized by VfyInit.
//
static RTL_CRITICAL_SECTION VfyLock;static WCHAR szSystemDir[ MAX_PATH + 1 ];static WCHAR szDriverDir[ MAX_PATH + 1 ];
/*******************************************************************************
* ReportStackLoadFailure * * Send a StackFailed message to the WinStationApiPort. * * ENTRY: * Module (input) * Name of Module to Log Error Against ******************************************************************************/static NTSTATUS ReportStackLoadFailure(PWCHAR Module){ HANDLE h; extern WCHAR gpszServiceName[];
h = RegisterEventSource(NULL, gpszServiceName); if (h != NULL) { if (!ReportEventW(h, // event log handle
EVENTLOG_ERROR_TYPE, // event type
0, // category zero
EVENT_BAD_STACK_MODULE,// event identifier
NULL, // no user security identifier
1, // one substitution string
0, // no data
&Module, // pointer to string array
NULL) // pointer to data
) { DBGPRINT(("ReportEvent Failed %ld. Event ID=%lx module=%ws\n",GetLastError(), EVENT_BAD_STACK_MODULE, Module)); }
DeregisterEventSource(h); } else { DBGPRINT(("Cannot RegisterEvent Source %ld Event ID=%lx module=%ws\n",GetLastError(), EVENT_BAD_STACK_MODULE, Module)); }
return STATUS_SUCCESS;}
/******************************************************************************
* _VerifyStackModules * Verifies the integrity of the stack modules and the authenticity * of the digital signature. * * ENTRY: * pWinStation (input) * Pointer to a Listen Winstation. * * EXIT: * STATUS_SUCCESS - no error * STATUS_UNSUCCESSFUL - DLL integrity check, authenticity check failed * or registry stucture invalid *****************************************************************************/static NTSTATUS _VerifyStackModules(IN PWINSTATION pWinStation){ PWCHAR pszModulePath = NULL; NTSTATUS Status = STATUS_SUCCESS; DWORD KeyIndex; DWORD Error;#ifdef SIGN_BYPASS_OPTION
HKEY hKey;#endif SIGN_BYPASS_OPTION
HKEY hVidKey; HKEY hVidDriverKey; UNICODE_STRING KeyPath; UNICODE_STRING ValueName; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE hServiceKey; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo; ULONG ValueLength;#define VALUE_BUFFER_SZ (sizeof(KEY_VALUE_PARTIAL_INFORMATION) + \
256 * sizeof( WCHAR)) PCHAR pValueBuffer = NULL; INT Entries; DWORD dwByteCount; PPDNAME pPdNames, p; INT i; DLLNAME WdDLL;
#ifdef SIGN_BYPASS_OPTION
//
// Check if Verification is to be bypassed
//
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, REG_CONTROL_TSERVER L"\\BypassVerification", 0, KEY_READ, &hKey ) == ERROR_SUCCESS ) { RegCloseKey( hKey ); Status = STATUS_SUCCESS; goto exit; }
#endif //SIGN_BYPASS_OPTION
#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "System Dir: %ws\n", szSystemDir ));#endif // SIGN_DEBUG_WINSTA
// allocate memory
pszModulePath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ) ; if (pszModulePath == NULL) { Status = STATUS_NO_MEMORY; goto exit; }
pValueBuffer = MemAlloc( VALUE_BUFFER_SZ ); if (pValueBuffer == NULL) { Status = STATUS_NO_MEMORY; goto exit; }
//
// Verify the WSX DLL if defined
//
if ( pWinStation->Config.Wd.WsxDLL[0] != L'\0' ) { wcscpy( pszModulePath, szSystemDir ); wcscat( pszModulePath, pWinStation->Config.Wd.WsxDLL ); wcscat( pszModulePath, L".DLL" );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "==> WSX Path: %ws\n", pszModulePath ));#endif // SIGN_DEBUG_WINSTA
if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } } //
// Verify the WD
//
wcscpy( WdDLL, pWinStation->Config.Wd.WdDLL ); wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, WdDLL ); wcscat( pszModulePath, L".SYS" );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "==> WD Path: %ws\n", pszModulePath ));#endif // SIGN_DEBUG_WINSTA
if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } //
// Verify the TD which is in Pd[0]. Always defined for Listen Stack.
//
wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, pWinStation->Config.Pd[0].Create.PdDLL ); wcscat( pszModulePath, L".SYS" );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "==> WD Path: %ws\n", pszModulePath ));#endif // SIGN_DEBUG_WINSTA
if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } //
// Enumerate the PDs for this WD and verify all the PDs.
// Can't depend on Pd[i] for this since optional PDs won't
// be present during Listen.
//
Entries = -1; dwByteCount = 0; i = 0; Error = RegPdEnumerate( NULL, WdDLL, FALSE, &i, &Entries, NULL, &dwByteCount );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "RegPdEnumerate 1 complete., Entries %d, Error %d\n", Entries, Error ));#endif // SIGN_DEBUG_WINSTA
if ( Error != ERROR_NO_MORE_ITEMS && Error != ERROR_CANTOPEN ) { Status = STATUS_UNSUCCESSFUL; goto exit; } //
// T.Share doesn't have PDs, so check if none
//
if ( Entries ) { dwByteCount = sizeof(PDNAME) * Entries; pPdNames = MemAlloc( dwByteCount ); if ( !pPdNames ) { Status = STATUS_UNSUCCESSFUL; goto exit; } i = 0; Error = RegPdEnumerate( NULL, WdDLL, FALSE, &i, &Entries, pPdNames, &dwByteCount ); if ( Error != ERROR_SUCCESS ) {
/* makarp #182610 */ MemFree( pPdNames );
Status = STATUS_UNSUCCESSFUL; goto exit; } //
// Open up the Registry entry for each named PD and pull out the value
// of the PdDLL. This is the name of the DLL to verify.
//
for ( i = 0, p = pPdNames; i < Entries; i++, (char*)p += sizeof(PDNAME) ) { HKEY hPdKey; PWCHAR pszPdDLL = NULL; PWCHAR pszRegPath = NULL; DWORD dwLen; DWORD dwType;
// allocate memory
pszPdDLL = MemAlloc( (MAX_PATH+1) * sizeof(WCHAR) ); if (pszPdDLL == NULL) { MemFree( pPdNames ); Status = STATUS_NO_MEMORY; goto exit; }
pszRegPath = MemAlloc( (MAX_PATH+1) * sizeof(WCHAR) ); if (pszRegPath == NULL) { MemFree( pszPdDLL ); MemFree( pPdNames ); Status = STATUS_NO_MEMORY; goto exit; } //
// Build up the Registry Path to open the PD's key
//
wcscpy( pszRegPath, WD_REG_NAME ); wcscat( pszRegPath, L"\\" ); wcscat( pszRegPath, WdDLL ); wcscat( pszRegPath, PD_REG_NAME L"\\" ); wcscat( pszRegPath, p );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "PdKeyPath: %ws\n", pszRegPath ));#endif // SIGN_DEBUG_WINSTA
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, pszRegPath, 0, KEY_READ, &hPdKey ) != ERROR_SUCCESS ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath ); Status = STATUS_UNSUCCESSFUL; goto exit; } //
// Get the name of the Pd DLL.
//
dwLen = (MAX_PATH + 1) * sizeof(WCHAR) ; if ( RegQueryValueEx( hPdKey, WIN_PDDLL, NULL, &dwType, (PCHAR) pszPdDLL, &dwLen ) != ERROR_SUCCESS ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath );
// makarp:182610
RegCloseKey(hPdKey);
Status = STATUS_UNSUCCESSFUL; goto exit; }
// makarp:182610
RegCloseKey(hPdKey);
//
// Build path to DLL and attempt verification
//
wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, pszPdDLL ); wcscat( pszModulePath, L".SYS" );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "==> PD Path: %ws\n", pszModulePath ));#endif // SIGN_DEBUG_WINSTA
if ( !VerifyFile( pszModulePath, &VfyLock ) && GetLastError() != ERROR_CANTOPEN ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath ); ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } MemFree( pszPdDLL ); MemFree( pszRegPath ); } MemFree( pPdNames ); }
//
// for all keys under HKLM\System\CCS\Control\Terminal Server\VIDEO
// open the subkey \Device\Video0 and use that value as
// a string to open
// \REGISTRY\Machine\System\CCS\Services\vdtw30\Device0
// DLL name is in Value "Installed Display Drivers"
//
// Open registry (LOCAL_MACHINE\System\CCS\Control\Terminal Server\VIDEO)
//
// NOTE: All video driver DLLs are verified since there isn't any simple
// method to determine which one is used for this stack.
//
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, VIDEO_REG_NAME, 0, KEY_ENUMERATE_SUB_KEYS, &hVidKey ) != ERROR_SUCCESS ) { Status = STATUS_UNSUCCESSFUL; goto exit; }
for ( KeyIndex = 0 ;; KeyIndex++ ) { // For all VIDEO subkeys
PWCHAR pszVidDriverName = NULL; PWCHAR pszRegPath = NULL; PWCHAR pszDeviceKey = NULL; PWCHAR pszServiceKey = NULL; DWORD dwLen; DWORD dwType;
// allocate memory
pszVidDriverName = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszVidDriverName == NULL) { Status = STATUS_NO_MEMORY; goto exit; }
pszRegPath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszRegPath == NULL) { MemFree(pszVidDriverName); Status = STATUS_NO_MEMORY; goto exit; }
pszDeviceKey = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszDeviceKey == NULL) { MemFree(pszVidDriverName); MemFree(pszRegPath); Status = STATUS_NO_MEMORY; goto exit; }
pszServiceKey = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszServiceKey == NULL) { MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); Status = STATUS_NO_MEMORY; goto exit; }
//
// Get name of VIDEO driver subkey. If end of subkeys, exit loop.
//
if ((Error = RegEnumKey( hVidKey, KeyIndex, pszVidDriverName, MAX_PATH+1))!= ERROR_SUCCESS ){ MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey);
break; // exit for loop
}
//
// Build up the Registry Path to open the VgaCompatible Value
//
wcscpy( pszRegPath, VIDEO_REG_NAME L"\\" ); wcscat( pszRegPath, pszVidDriverName );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "VidDriverKeyPath: %ws\n", pszRegPath ));#endif // SIGN_DEBUG_WINSTA
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, pszRegPath, 0, KEY_READ, &hVidDriverKey ) != ERROR_SUCCESS ) { Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; }
//
// Don't like to use constant strings, but this is the way
// WINSRV does it...
//
dwLen = (MAX_PATH + 1) * sizeof(WCHAR) ;
if ( RegQueryValueEx( hVidDriverKey, L"VgaCompatible", NULL, &dwType, (PCHAR) pszDeviceKey, &dwLen ) != ERROR_SUCCESS ) { RegCloseKey( hVidDriverKey ); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; }#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "DeviceKey: %ws\n", pszDeviceKey ));#endif // SIGN_DEBUG_WINSTA
dwLen = (MAX_PATH + 1) * sizeof(WCHAR); if ( RegQueryValueEx( hVidDriverKey, pszDeviceKey, NULL, &dwType, (PCHAR) pszServiceKey, &dwLen ) != ERROR_SUCCESS ) { RegCloseKey( hVidDriverKey ); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } RegCloseKey( hVidDriverKey );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "ServiceKey: %ws\n", pszServiceKey ));#endif // SIGN_DEBUG_WINSTA
RtlInitUnicodeString( &KeyPath, pszServiceKey ); InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); //
// Must use NT Registry APIs since the ServiceKey key name from
// the registry is in the form used by these APIs.
//
Status = NtOpenKey( &hServiceKey, GENERIC_READ, &ObjectAttributes ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: NtOpenKey failed, rc=%x\n", Status )); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; }
//
// Don't like to use constant strings, but this is the way
// WINSRV does it...
//
RtlInitUnicodeString( &ValueName, L"InstalledDisplayDrivers" ); KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)pValueBuffer; Status = NtQueryValueKey( hServiceKey, &ValueName, KeyValuePartialInformation, (PVOID)KeyValueInfo, VALUE_BUFFER_SZ, &ValueLength ); NtClose( hServiceKey ); if ( !NT_SUCCESS( Status ) ) { Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; }
wcscpy( pszModulePath, szSystemDir ); wcscat( pszModulePath, (PWCHAR)&KeyValueInfo->Data ); wcscat( pszModulePath, L".DLL" );#ifdef SIGN_DEBUG_WINSTA
TRACE((hTrace,TC_ICASRV,TT_API1, "==> VidDriverDLLPath: %ws\n", pszModulePath ));#endif // SIGN_DEBUG_WINSTA
if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; }
MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey);
} // for all VIDEO subkeys
closevidkey: RegCloseKey( hVidKey );
exit: if (pszModulePath != NULL) { MemFree(pszModulePath); pszModulePath = NULL; } if (pValueBuffer != NULL) { MemFree(pValueBuffer); pValueBuffer = NULL; } return Status;}
/*******************************************************************************
* VfyInit * Sets up environment for Stack DLL verification. ******************************************************************************/NTSTATUS VfyInit(){ GetSystemDirectory( szSystemDir, sizeof( szSystemDir )/ sizeof(WCHAR)); wcscat( szSystemDir, L"\\" ); wcscpy( szDriverDir, szSystemDir ); wcscat( szDriverDir, L"Drivers\\" );
return RtlInitializeCriticalSection(&VfyLock);}
VOID WinstationUnloadProfile(PWINSTATION pWinStation){#if 0
NTSTATUS NtStatus; UNICODE_STRING UnicodeString; BOOL bResult;
// if this is not the last session for this user, then we do nothing.
if (WinstationCountUserSessions(pWinStation->pProfileSid, pWinStation->LogonId) != 0) { return; }
// Get the user hive name from user Sid.
NtStatus = RtlConvertSidToUnicodeString( &UnicodeString, pWinStation->pProfileSid, (BOOLEAN)TRUE ); if (!NT_SUCCESS(NtStatus)) { DBGPRINT(("TERMSRV: WinstationUnloadProfile couldn't convert Sid to string. \n")); return; }
// Unload the user's hive.
bResult = WinstationRegUnLoadKey(HKEY_USERS, UnicodeString.Buffer); if (!bResult) { DBGPRINT(("TERMSRV: WinstationUnloadProfile failed. \n")); }
// free allocated string.
RtlFreeUnicodeString(&UnicodeString);#endif
}
BOOL WinstationRegUnLoadKey(HKEY hKey, LPWSTR lpSubKey){ BOOL bResult = TRUE; LONG error; NTSTATUS Status; BOOLEAN WasEnabled;
ENTERCRIT(&UserProfileLock); //
// Enable the restore privilege
//
Status = RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, TRUE, FALSE, &WasEnabled);
if (NT_SUCCESS(Status)) {
error = RegUnLoadKey(hKey, lpSubKey);
if ( error != ERROR_SUCCESS) { DBGPRINT(("TERMSRV: WinstationRegUnLoadKey RegUnLoadKey failed. \n")); bResult = FALSE; }
//
// Restore the privilege to its previous state
//
Status = RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, WasEnabled, FALSE, &WasEnabled); } else { DBGPRINT(("TERMSRV: WinstationRegUnLoadKey adjust privilege failed. \n")); bResult = FALSE; }
LEAVECRIT(&UserProfileLock); return bResult;}
ULONG WinstationCountUserSessions(PSID pUserSid, ULONG CurrentLogonId){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG Count = 0; PSID pSid;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
// Search the list for WinStations with a matching ListenName
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (pWinStation->LogonId == CurrentLogonId) { continue; } if (pWinStation->pUserSid != NULL) { pSid = pWinStation->pUserSid; } else { pSid = pWinStation->pProfileSid; } if ( (pSid != NULL) && RtlEqualSid( pSid, pUserSid ) ) { Count++; } }
LEAVECRIT( &WinStationListLock ); return Count;}
PWINSTATION FindConsoleSession(){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for a WinStation with the Console Session. */searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->fOwnsConsoleTerminal) { uCount++;
/*
* Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; }#if DBG
#else
break;#endif
} }
ASSERT((uCount <= 1));
/*
* If the WinStationList lock should not be held, then release it now. */ LEAVECRIT( &WinStationListLock );
return pFoundWinStation;}
PWINSTATION FindIdleSessionZero(){ PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount;
Head = &WinStationListHead; ENTERCRIT( &WinStationListLock );
/*
* Search the list for a WinStation with the Console Session. */searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (pWinStation->LogonId == 0) { uCount++;
/*
* Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; }#if DBG
#else
break;#endif
} }
ASSERT((uCount <= 1));
/*
* If the WinStationList lock should not be held, then release it now. */ LEAVECRIT( &WinStationListLock );
if (pFoundWinStation != NULL) { if ((pFoundWinStation->State == State_Disconnected) && (!pFoundWinStation->Flags) && (pFoundWinStation->UserName[0] == L'\0') ) { return pFoundWinStation; } else { ReleaseWinStation(pFoundWinStation); } } return NULL;}
BOOLEAN WinStationCheckConsoleSession(VOID){ PWINSTATION pWinStation; NTSTATUS Status;
// Check if there already is a console session
pWinStation = FindConsoleSession(); if (pWinStation != NULL) { ReleaseWinStation(pWinStation); return TRUE; } else { if (gConsoleCreationDisable > 0) { return FALSE; } }
//
// See if we can use a disconnected session zero that is not in use
//
if (ConsoleReconnectInfo.hStack != NULL) { pWinStation = FindIdleSessionZero();
if (gConsoleCreationDisable > 0) { if (pWinStation != NULL) { ReleaseWinStation(pWinStation); } return FALSE; }
if (pWinStation != NULL) {
NTSTATUS Status;
pWinStation->Flags |= WSF_CONNECT; Status = WinStationDoReconnect(pWinStation, &ConsoleReconnectInfo); pWinStation->Flags &= ~WSF_CONNECT;
ReleaseWinStation(pWinStation);
if (NT_SUCCESS(Status)) { RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); return TRUE; }else{ CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); } }
}
// We nead to create a new session to connect to the Console
pWinStation = FindIdleWinStation(); if (pWinStation == NULL) { WinStationCreateWorker( NULL, NULL, TRUE); pWinStation = FindIdleWinStation(); if (pWinStation == NULL) { return FALSE; } }
// It is possible that we may have found a idle winstation which is not yet started
// We shud Start the Winstation now in that case
// To check this, check the Subsystem/Initial program is non null
if ( (pWinStation->InitialCommandProcess == NULL) && (pWinStation->WindowsSubSysProcess == NULL) ) {
// Protect this WinStation with WSF_IDLEBUSY flag because we want to use it (WinStationStart unlocks the winstation)
pWinStation->Flags |= WSF_IDLEBUSY;
Status = WinStationStart( pWinStation ) ; if (Status != STATUS_SUCCESS) { // Starting the winstation failed - close connection endpoint and go and wait for another connection
pWinStation->Flags &= ~WSF_IDLEBUSY; goto StartError; } pWinStation->Flags &= ~WSF_IDLEBUSY;
Status = WinStationCreateComplete( pWinStation) ; if (Status != STATUS_SUCCESS) { // WinstationCreateComplete failed - close connection endpoint and go and wait for another connection
goto StartError; } }
if (gConsoleCreationDisable > 0) { ReleaseWinStation(pWinStation); return FALSE; }
// Set the session as owning the Console and wakeup the WaitForConnectWorker
// Actually there is more to do than that and I will need to process LLS licensing here.
pWinStation->fOwnsConsoleTerminal = TRUE; pWinStation->State = State_ConnectQuery; pWinStation->Flags &= ~WSF_IDLE; wcscpy(pWinStation->WinStationName, L"Console");
CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); NtSetEvent( pWinStation->ConnectEvent, NULL ); ReleaseWinStation(pWinStation);
// If necessary, create another idle WinStation to replace the one being connected
NtSetEvent(WinStationIdleControlEvent, NULL);
return TRUE;
StartError:
if ( !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { pWinStation->Flags |= WSF_DELETE; WinStationTerminate( pWinStation ); pWinStation->State = State_Down; //PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status);
WinStationDeleteWorker(pWinStation); } else { ReleaseWinStation(pWinStation); }
return FALSE;}
/******************************************************************************
* Tells win32k to load the console shadow mirroring driver * * ENTRY: * pWinStation (input) * Pointer to the console Winstation. * pClientConfig (input) * Pointer to the configuration of the shadow client. * * EXIT: * STATUS_SUCCESS - no error * STATUS_xxx - error *****************************************************************************/NTSTATUS ConsoleShadowStart( IN PWINSTATION pWinStation, IN PWINSTATIONCONFIG2 pClientConfig, IN PVOID pModuleData, IN ULONG ModuleDataLength){ NTSTATUS Status; WINSTATION_APIMSG WMsg; ULONG ReturnLength;
TRACE((hTrace, TC_ICASRV, TT_API1, "CONSOLE REMOTING: LOAD DD\n"));
Status = NtCreateEvent( &pWinStation->ShadowDisplayChangeEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE ); if ( !NT_SUCCESS( Status) ) { goto badevent; }
Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->ShadowDisplayChangeEvent, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hDisplayChangeEvent, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto badevent; }
/*
* Read Wd, Cd and Pd configuration data from registry */ Status = RegConsoleShadowQuery( SERVERNAME_CURRENT, pWinStation->WinStationName, pClientConfig->Wd.WdPrefix, &pWinStation->Config, sizeof(WINSTATIONCONFIG2), &ReturnLength ); if ( !NT_SUCCESS(Status) ) { goto badconfig; }
/*
* Build the Console Stack. * We need this special stack for the Console Shadow. */ Status = IcaOpen( &pWinStation->hIca ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badopen; }
Status = IcaStackOpen( pWinStation->hIca, Stack_Console, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badstackopen; }
DBGPRINT(("WinStationStart: pushing stack for console...\n"));
/*
* Load and initialize the WinStation extensions */ pWinStation->pWsx = FindWinStationExtensionDll( pWinStation->Config.Wd.WsxDLL, pWinStation->Config.Wd.WdFlag ); if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationInitialize ) { Status = pWinStation->pWsx->pWsxWinStationInitialize( &pWinStation->pWsxContext ); }
if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badextension; }
/*
* Load the stack */ Status = IcaPushConsoleStack( (HANDLE)(pWinStation->hStack), pWinStation->WinStationName, &pWinStation->Config, pModuleData, ModuleDataLength);
if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badpushstack; }
DBGPRINT(("WinStationStart: pushed stack for console\n"));
/*
* This code is based on that in WaitForConnectWorker (see wait.c) */ if ( !(pWinStation->pWsx) || !(pWinStation->pWsx->pWsxInitializeClientData) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, No pWsxInitializeClientData\n" )); Status = STATUS_CTX_SHADOW_INVALID; goto done; }
pWinStation->State = State_Idle;
/*
* Open the beep channel (if not already) and duplicate it. * This is one channel that both CSR and ICASRV have open. */ Status = IcaChannelOpen( pWinStation->hIca, Channel_Beep, NULL, &pWinStation->hIcaBeepChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, IcaChannelOpen 0x%x\n", pWinStation->LogonId, Status )); goto done; }
Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->hIcaBeepChannel, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hIcaBeepChannel, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Open the thinwire channel (if not already) and duplicate it. * This is one channel that both CSR and ICASRV have open. */ Status = IcaChannelOpen( pWinStation->hIca, Channel_Virtual, VIRTUAL_THINWIRE, &pWinStation->hIcaThinwireChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, IcaChannelOpen 0x%x\n", pWinStation->LogonId, Status )); goto done; }
Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->hIcaThinwireChannel, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hIcaThinwireChannel, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
Status = IcaChannelIoControl( pWinStation->hIcaThinwireChannel, IOCTL_ICA_CHANNEL_ENABLE_SHADOW, NULL, 0, NULL, 0, NULL ); ASSERT( NT_SUCCESS( Status ) );
/*
* Video channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Video, NULL, &WMsg.u.DoConnect.hIcaVideoChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Keyboard channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Keyboard, NULL, &WMsg.u.DoConnect.hIcaKeyboardChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Mouse channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Mouse, NULL, &WMsg.u.DoConnect.hIcaMouseChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Command channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Command, NULL, &WMsg.u.DoConnect.hIcaCommandChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Secure any virtual channels */ VirtualChannelSecurity( pWinStation );
/*
* Get the client data */ Status = pWinStation->pWsx->pWsxInitializeClientData( pWinStation->pWsxContext, pWinStation->hStack, pWinStation->hIca, pWinStation->hIcaThinwireChannel, pWinStation->VideoModuleName, sizeof(pWinStation->VideoModuleName), &pWinStation->Config.Config.User, &pWinStation->Client.HRes, &pWinStation->Client.VRes, &pWinStation->Client.ColorDepth, &WMsg.u.DoConnect ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, InitializeClientData failed 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* Store WinStation name in connect msg */ RtlCopyMemory( WMsg.u.DoConnect.WinStationName, pWinStation->WinStationName, sizeof(WINSTATIONNAME) );
/*
* Save screen resolution, and color depth */ WMsg.u.DoConnect.HRes = pWinStation->Client.HRes; WMsg.u.DoConnect.VRes = pWinStation->Client.VRes;
/*
* Translate the color to the format excpected in winsrv */
switch(pWinStation->Client.ColorDepth){ case 1: WMsg.u.DoConnect.ColorDepth=4 ; // 16 colors
break; case 2: WMsg.u.DoConnect.ColorDepth=8 ; // 256
break; case 4: WMsg.u.DoConnect.ColorDepth= 16;// 64K
break; case 8: WMsg.u.DoConnect.ColorDepth= 24;// 16M
break;#define DC_HICOLOR
#ifdef DC_HICOLOR
case 16: WMsg.u.DoConnect.ColorDepth= 15;// 32K
break;#endif
default: WMsg.u.DoConnect.ColorDepth=8 ; break; }
/*
* Tell Win32 about the connection */ WMsg.ApiNumber = SMWinStationDoConnect; WMsg.u.DoConnect.ConsoleShadowFlag = TRUE;
Status = SendWinStationCommand( pWinStation, &WMsg, 60 );
TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: SMWinStationDoConnect %d Status=0x%x\n", pWinStation->LogonId, Status));
if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, SendWinStationCommand failed 0x%x\n", pWinStation->LogonId, Status )); goto done; }
/*
* This flag is important: without it, WinStationDoDisconnect won't let * Win32k know about the disconnection, so it can't unload the chained DD. */ pWinStation->StateFlags |= WSF_ST_CONNECTED_TO_CSRSS;
/*
* Set connect time */ NtQuerySystemTime( &pWinStation->ConnectTime );
/*
* no need for logon timers here - we don't want to * stop the console session! */
TRACE((hTrace, TC_ICASRV, TT_API1, "CONSOLE REMOTING: LOADED DD\n")); pWinStation->State = State_Active;
return Status;
/*
* Error paths: */done: // to undo the push stack, does the IcaStackClose below suffice?
pWinStation->State = State_Active;
badpushstack: if (pWinStation->pWsxContext) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; }
badextension: pWinStation->pWsx = NULL;
IcaStackClose( pWinStation->hStack );
badstackopen: IcaClose( pWinStation->hIca );
badopen: pWinStation->Config = gConsoleConfig;
badconfig: NtClose(pWinStation->ShadowDisplayChangeEvent); pWinStation->ShadowDisplayChangeEvent = NULL;
badevent: return Status;}
/******************************************************************************
* Tells win32k to unload the console shadow mirroring driver * * ENTRY: * pWinStation (input) * Pointer to the console Winstation. * * EXIT: * STATUS_SUCCESS - no error * STATUS_xxx - error *****************************************************************************/NTSTATUS ConsoleShadowStop(PWINSTATION pWinStation){ WINSTATION_APIMSG ConsoleShadowStopMsg; NTSTATUS Status;
/*
* Tell Win32k to unload the chained DD */ ConsoleShadowStopMsg.ApiNumber = SMWinStationDoDisconnect; ConsoleShadowStopMsg.u.DoDisconnect.ConsoleShadowFlag = TRUE; Status = SendWinStationCommand( pWinStation, &ConsoleShadowStopMsg, 600 ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR ConsoleShadowStop failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); }
/*
* No matter what happened, everything must be undone. */ if (pWinStation->pWsxContext) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; }
pWinStation->pWsx = NULL;
IcaStackClose( pWinStation->hStack );
IcaClose( pWinStation->hIca );
/*
* Close various ICA channel handles */ if ( pWinStation->hIcaBeepChannel ) { (void) IcaChannelClose( pWinStation->hIcaBeepChannel ); pWinStation->hIcaBeepChannel = NULL; }
if ( pWinStation->hIcaThinwireChannel ) { (void) IcaChannelClose( pWinStation->hIcaThinwireChannel ); pWinStation->hIcaThinwireChannel = NULL; }
/*
* Restore console config. */ pWinStation->Config = gConsoleConfig;
NtClose(pWinStation->ShadowDisplayChangeEvent); pWinStation->ShadowDisplayChangeEvent = NULL;
return Status;}
ULONG CodePairs[] = {
// Very general NT Status
STATUS_SUCCESS, NO_ERROR, STATUS_NO_MEMORY, ERROR_NOT_ENOUGH_MEMORY, STATUS_ACCESS_DENIED, ERROR_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES, ERROR_NO_SYSTEM_RESOURCES, STATUS_BUFFER_TOO_SMALL, ERROR_INSUFFICIENT_BUFFER, STATUS_OBJECT_NAME_NOT_FOUND, ERROR_FILE_NOT_FOUND, STATUS_NOT_SUPPORTED, ERROR_NOT_SUPPORTED, // RPC specific Status
RPC_NT_SERVER_UNAVAILABLE, RPC_S_SERVER_UNAVAILABLE, RPC_NT_INVALID_STRING_BINDING, RPC_S_INVALID_STRING_BINDING, RPC_NT_WRONG_KIND_OF_BINDING, RPC_S_WRONG_KIND_OF_BINDING, RPC_NT_PROTSEQ_NOT_SUPPORTED, RPC_S_PROTSEQ_NOT_SUPPORTED, RPC_NT_INVALID_RPC_PROTSEQ, RPC_S_INVALID_RPC_PROTSEQ, RPC_NT_INVALID_STRING_UUID, RPC_S_INVALID_STRING_UUID, RPC_NT_INVALID_ENDPOINT_FORMAT, RPC_S_INVALID_ENDPOINT_FORMAT, RPC_NT_INVALID_NET_ADDR, RPC_S_INVALID_NET_ADDR, RPC_NT_NO_ENDPOINT_FOUND, RPC_S_NO_ENDPOINT_FOUND, RPC_NT_INVALID_TIMEOUT, RPC_S_INVALID_TIMEOUT, RPC_NT_OBJECT_NOT_FOUND, RPC_S_OBJECT_NOT_FOUND, RPC_NT_ALREADY_REGISTERED, RPC_S_ALREADY_REGISTERED, RPC_NT_TYPE_ALREADY_REGISTERED, RPC_S_TYPE_ALREADY_REGISTERED, RPC_NT_ALREADY_LISTENING, RPC_S_ALREADY_LISTENING, RPC_NT_NO_PROTSEQS_REGISTERED, RPC_S_NO_PROTSEQS_REGISTERED, RPC_NT_NOT_LISTENING, RPC_S_NOT_LISTENING, RPC_NT_UNKNOWN_MGR_TYPE, RPC_S_UNKNOWN_MGR_TYPE, RPC_NT_UNKNOWN_IF, RPC_S_UNKNOWN_IF, RPC_NT_NO_BINDINGS, RPC_S_NO_BINDINGS, RPC_NT_NO_MORE_BINDINGS, RPC_S_NO_MORE_BINDINGS, RPC_NT_NO_PROTSEQS, RPC_S_NO_PROTSEQS, RPC_NT_CANT_CREATE_ENDPOINT, RPC_S_CANT_CREATE_ENDPOINT, RPC_NT_OUT_OF_RESOURCES, RPC_S_OUT_OF_RESOURCES, RPC_NT_SERVER_TOO_BUSY, RPC_S_SERVER_TOO_BUSY, RPC_NT_INVALID_NETWORK_OPTIONS, RPC_S_INVALID_NETWORK_OPTIONS, RPC_NT_NO_CALL_ACTIVE, RPC_S_NO_CALL_ACTIVE, RPC_NT_CALL_FAILED, RPC_S_CALL_FAILED, RPC_NT_CALL_FAILED_DNE, RPC_S_CALL_FAILED_DNE, RPC_NT_PROTOCOL_ERROR, RPC_S_PROTOCOL_ERROR, RPC_NT_UNSUPPORTED_TRANS_SYN, RPC_S_UNSUPPORTED_TRANS_SYN, RPC_NT_UNSUPPORTED_TYPE, RPC_S_UNSUPPORTED_TYPE, RPC_NT_INVALID_TAG, RPC_S_INVALID_TAG, RPC_NT_INVALID_BOUND, RPC_S_INVALID_BOUND, RPC_NT_NO_ENTRY_NAME, RPC_S_NO_ENTRY_NAME, RPC_NT_INVALID_NAME_SYNTAX, RPC_S_INVALID_NAME_SYNTAX, RPC_NT_UNSUPPORTED_NAME_SYNTAX, RPC_S_UNSUPPORTED_NAME_SYNTAX, RPC_NT_UUID_NO_ADDRESS, RPC_S_UUID_NO_ADDRESS, RPC_NT_DUPLICATE_ENDPOINT, RPC_S_DUPLICATE_ENDPOINT, RPC_NT_UNKNOWN_AUTHN_TYPE, RPC_S_UNKNOWN_AUTHN_TYPE, RPC_NT_MAX_CALLS_TOO_SMALL, RPC_S_MAX_CALLS_TOO_SMALL, RPC_NT_STRING_TOO_LONG, RPC_S_STRING_TOO_LONG, RPC_NT_PROTSEQ_NOT_FOUND, RPC_S_PROTSEQ_NOT_FOUND, RPC_NT_PROCNUM_OUT_OF_RANGE, RPC_S_PROCNUM_OUT_OF_RANGE, RPC_NT_BINDING_HAS_NO_AUTH, RPC_S_BINDING_HAS_NO_AUTH, RPC_NT_UNKNOWN_AUTHN_SERVICE, RPC_S_UNKNOWN_AUTHN_SERVICE, RPC_NT_UNKNOWN_AUTHN_LEVEL, RPC_S_UNKNOWN_AUTHN_LEVEL, RPC_NT_INVALID_AUTH_IDENTITY, RPC_S_INVALID_AUTH_IDENTITY, RPC_NT_UNKNOWN_AUTHZ_SERVICE, RPC_S_UNKNOWN_AUTHZ_SERVICE, RPC_NT_NOTHING_TO_EXPORT, RPC_S_NOTHING_TO_EXPORT, RPC_NT_INCOMPLETE_NAME, RPC_S_INCOMPLETE_NAME, RPC_NT_INVALID_VERS_OPTION, RPC_S_INVALID_VERS_OPTION, RPC_NT_NO_MORE_MEMBERS, RPC_S_NO_MORE_MEMBERS, RPC_NT_NOT_ALL_OBJS_UNEXPORTED, RPC_S_NOT_ALL_OBJS_UNEXPORTED, RPC_NT_INTERFACE_NOT_FOUND, RPC_S_INTERFACE_NOT_FOUND, RPC_NT_ENTRY_ALREADY_EXISTS, RPC_S_ENTRY_ALREADY_EXISTS, RPC_NT_ENTRY_NOT_FOUND, RPC_S_ENTRY_NOT_FOUND, RPC_NT_NAME_SERVICE_UNAVAILABLE, RPC_S_NAME_SERVICE_UNAVAILABLE, RPC_NT_INVALID_NAF_ID, RPC_S_INVALID_NAF_ID, RPC_NT_CANNOT_SUPPORT, RPC_S_CANNOT_SUPPORT, RPC_NT_NO_CONTEXT_AVAILABLE, RPC_S_NO_CONTEXT_AVAILABLE, RPC_NT_INTERNAL_ERROR, RPC_S_INTERNAL_ERROR, RPC_NT_ZERO_DIVIDE, RPC_S_ZERO_DIVIDE, RPC_NT_ADDRESS_ERROR, RPC_S_ADDRESS_ERROR, RPC_NT_FP_DIV_ZERO, RPC_S_FP_DIV_ZERO, RPC_NT_FP_UNDERFLOW, RPC_S_FP_UNDERFLOW, RPC_NT_FP_OVERFLOW, RPC_S_FP_OVERFLOW, RPC_NT_NO_MORE_ENTRIES, RPC_X_NO_MORE_ENTRIES, RPC_NT_SS_CHAR_TRANS_OPEN_FAIL, RPC_X_SS_CHAR_TRANS_OPEN_FAIL, RPC_NT_SS_CHAR_TRANS_SHORT_FILE, RPC_X_SS_CHAR_TRANS_SHORT_FILE, RPC_NT_SS_CONTEXT_MISMATCH, ERROR_INVALID_HANDLE, RPC_NT_SS_CONTEXT_DAMAGED, RPC_X_SS_CONTEXT_DAMAGED, RPC_NT_SS_HANDLES_MISMATCH, RPC_X_SS_HANDLES_MISMATCH, RPC_NT_SS_CANNOT_GET_CALL_HANDLE, RPC_X_SS_CANNOT_GET_CALL_HANDLE, RPC_NT_NULL_REF_POINTER, RPC_X_NULL_REF_POINTER, RPC_NT_ENUM_VALUE_OUT_OF_RANGE, RPC_X_ENUM_VALUE_OUT_OF_RANGE, RPC_NT_BYTE_COUNT_TOO_SMALL, RPC_X_BYTE_COUNT_TOO_SMALL, RPC_NT_BAD_STUB_DATA, RPC_X_BAD_STUB_DATA, RPC_NT_INVALID_OBJECT, RPC_S_INVALID_OBJECT, RPC_NT_GROUP_MEMBER_NOT_FOUND, RPC_S_GROUP_MEMBER_NOT_FOUND, RPC_NT_NO_INTERFACES, RPC_S_NO_INTERFACES, RPC_NT_CALL_CANCELLED, RPC_S_CALL_CANCELLED, RPC_NT_BINDING_INCOMPLETE, RPC_S_BINDING_INCOMPLETE, RPC_NT_COMM_FAILURE, RPC_S_COMM_FAILURE, RPC_NT_UNSUPPORTED_AUTHN_LEVEL, RPC_S_UNSUPPORTED_AUTHN_LEVEL, RPC_NT_NO_PRINC_NAME, RPC_S_NO_PRINC_NAME, RPC_NT_NOT_RPC_ERROR, RPC_S_NOT_RPC_ERROR, RPC_NT_UUID_LOCAL_ONLY, RPC_S_UUID_LOCAL_ONLY, RPC_NT_SEC_PKG_ERROR, RPC_S_SEC_PKG_ERROR, RPC_NT_NOT_CANCELLED, RPC_S_NOT_CANCELLED, RPC_NT_INVALID_ES_ACTION, RPC_X_INVALID_ES_ACTION, RPC_NT_WRONG_ES_VERSION, RPC_X_WRONG_ES_VERSION, RPC_NT_WRONG_STUB_VERSION, RPC_X_WRONG_STUB_VERSION, RPC_NT_INVALID_PIPE_OBJECT, RPC_X_INVALID_PIPE_OBJECT, RPC_NT_WRONG_PIPE_VERSION, RPC_X_WRONG_PIPE_VERSION, RPC_NT_SEND_INCOMPLETE, RPC_S_SEND_INCOMPLETE, RPC_NT_INVALID_ASYNC_HANDLE, RPC_S_INVALID_ASYNC_HANDLE, RPC_NT_INVALID_ASYNC_CALL, RPC_S_INVALID_ASYNC_CALL, RPC_NT_PIPE_CLOSED, RPC_X_PIPE_CLOSED, RPC_NT_PIPE_EMPTY, RPC_X_PIPE_EMPTY, RPC_NT_PIPE_DISCIPLINE_ERROR, RPC_X_PIPE_DISCIPLINE_ERROR,
// Terminal Server Specific Status.
STATUS_CTX_CLOSE_PENDING, ERROR_CTX_CLOSE_PENDING, STATUS_CTX_NO_OUTBUF, ERROR_CTX_NO_OUTBUF, STATUS_CTX_MODEM_INF_NOT_FOUND, ERROR_CTX_MODEM_INF_NOT_FOUND, STATUS_CTX_INVALID_MODEMNAME, ERROR_CTX_INVALID_MODEMNAME, STATUS_CTX_RESPONSE_ERROR, ERROR_CTX_MODEM_RESPONSE_ERROR, STATUS_CTX_MODEM_RESPONSE_TIMEOUT, ERROR_CTX_MODEM_RESPONSE_TIMEOUT, STATUS_CTX_MODEM_RESPONSE_NO_CARRIER, ERROR_CTX_MODEM_RESPONSE_NO_CARRIER, STATUS_CTX_MODEM_RESPONSE_NO_DIALTONE, ERROR_CTX_MODEM_RESPONSE_NO_DIALTONE, STATUS_CTX_MODEM_RESPONSE_BUSY, ERROR_CTX_MODEM_RESPONSE_BUSY, STATUS_CTX_MODEM_RESPONSE_VOICE, ERROR_CTX_MODEM_RESPONSE_VOICE, STATUS_CTX_TD_ERROR, ERROR_CTX_TD_ERROR, STATUS_LPC_REPLY_LOST, ERROR_CONNECTION_ABORTED, STATUS_CTX_WINSTATION_NAME_INVALID, ERROR_CTX_WINSTATION_NAME_INVALID, STATUS_CTX_WINSTATION_NOT_FOUND, ERROR_CTX_WINSTATION_NOT_FOUND, STATUS_CTX_WINSTATION_NAME_COLLISION, ERROR_CTX_WINSTATION_ALREADY_EXISTS, STATUS_CTX_WINSTATION_BUSY, ERROR_CTX_WINSTATION_BUSY, STATUS_CTX_GRAPHICS_INVALID, ERROR_CTX_GRAPHICS_INVALID, STATUS_CTX_BAD_VIDEO_MODE, ERROR_CTX_BAD_VIDEO_MODE, STATUS_CTX_NOT_CONSOLE, ERROR_CTX_NOT_CONSOLE, STATUS_CTX_CLIENT_QUERY_TIMEOUT, ERROR_CTX_CLIENT_QUERY_TIMEOUT, STATUS_CTX_CONSOLE_DISCONNECT, ERROR_CTX_CONSOLE_DISCONNECT, STATUS_CTX_CONSOLE_CONNECT, ERROR_CTX_CONSOLE_CONNECT, STATUS_CTX_SHADOW_DENIED, ERROR_CTX_SHADOW_DENIED, STATUS_CTX_SHADOW_INVALID, ERROR_CTX_SHADOW_INVALID, STATUS_CTX_SHADOW_DISABLED, ERROR_CTX_SHADOW_DISABLED, STATUS_CTX_WINSTATION_ACCESS_DENIED, ERROR_CTX_WINSTATION_ACCESS_DENIED, STATUS_CTX_INVALID_PD, ERROR_CTX_INVALID_PD, STATUS_CTX_PD_NOT_FOUND, ERROR_CTX_PD_NOT_FOUND, STATUS_CTX_INVALID_WD, ERROR_CTX_INVALID_WD, STATUS_CTX_WD_NOT_FOUND, ERROR_CTX_WD_NOT_FOUND, STATUS_CTX_CLIENT_LICENSE_IN_USE, ERROR_CTX_CLIENT_LICENSE_IN_USE, STATUS_CTX_CLIENT_LICENSE_NOT_SET, ERROR_CTX_CLIENT_LICENSE_NOT_SET, STATUS_CTX_LICENSE_NOT_AVAILABLE, ERROR_CTX_LICENSE_NOT_AVAILABLE, STATUS_CTX_LICENSE_CLIENT_INVALID, ERROR_CTX_LICENSE_CLIENT_INVALID, STATUS_CTX_LICENSE_EXPIRED, ERROR_CTX_LICENSE_EXPIRED,
};
/*
* WinStationWinerrorToNtStatus * Translate a Windows error code into an NTSTATUS code. */
NTSTATUSWinStationWinerrorToNtStatus(ULONG ulWinError){ ULONG ulIndex;
for (ulIndex = 0 ; ulIndex < sizeof(CodePairs)/sizeof(CodePairs[0]) ; ulIndex+=2) { if (CodePairs[ ulIndex+1 ] == ulWinError ) { return (NTSTATUS) CodePairs[ ulIndex]; } } return STATUS_UNSUCCESSFUL;}
/*
* WinStationSetMaxOustandingConnections() set the default values * for the maximum number of outstanding connection connections. * Reads the registry configuration for it if it exists. */
VOIDWinStationSetMaxOustandingConnections(){ SYSTEM_BASIC_INFORMATION BasicInfo; HKEY hKey; NTSTATUS Status; BOOL bLargeMachine = FALSE;
// Initialize date of last delayed connection that was logged into
// event log. In order not to flood event log with what may not be a DOS
// attack but just a normal regulation action, delayed connection are not
// logged more than once in 24h.
GetSystemTime(&LastLoggedDelayConnection);
// Init the default values for maximum outstanding connection and
// Maximumn outstanding connections from single IP address. For
// Non server platforms these are fixed values.
if (!gbServer) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS_PRO; MaxSingleOutStandingConnect = MAX_DEFAULT_SINGLE_CONNECTIONS_PRO; } else { // Determine if this Machine has over 512Mb of memory
// In order to set defaults Values (registry settings overide this anyway).
// Default value are not changed for machines over 512 Mb : Session regulation
// is trigered if we have 50 outstanding connection and we will wait 30 seconds
// before acception new connections. For machines with less than 512 Mb, regulation
// needs to be stronger : it is trigered at lower number of outstanding connections and we will
// wait 70 seconds before accepting new connections.
MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS;
Status = NtQuerySystemInformation( SystemBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL );
if (NT_SUCCESS(Status)) { if (BasicInfo.PageSize > 1024*1024) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS; DelayConnectionTime = 30*1000;
}else{ ULONG ulPagesPerMeg = 1024*1024/BasicInfo.PageSize; ULONG ulMemSizeInMegabytes = (ULONG)BasicInfo.NumberOfPhysicalPages/ulPagesPerMeg ;
if (ulMemSizeInMegabytes >= 512) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS; DelayConnectionTime = 70*1000; } else if (ulMemSizeInMegabytes >= 256) { MaxOutStandingConnect = 15; DelayConnectionTime = 70*1000;
} else if (ulMemSizeInMegabytes >= 128) { MaxOutStandingConnect = 10; DelayConnectionTime = 70*1000; } else { MaxOutStandingConnect = 5; DelayConnectionTime = 70*1000; } } }
//
// set max number of outstanding connection from single IP
//
if ( MaxOutStandingConnect < MAX_SINGLE_CONNECT_THRESHOLD_DIFF*5) { MaxSingleOutStandingConnect = MaxOutStandingConnect - 1; } else { MaxSingleOutStandingConnect = MaxOutStandingConnect - MAX_SINGLE_CONNECT_THRESHOLD_DIFF; } }
}
/*
* Make sure we can Preallocate an Idle session before allowing console disconnect. * */
NTSTATUSCheckIdleWinstation(){ PWINSTATION pWinStation; NTSTATUS Status; pWinStation = FindIdleWinStation();
if ( pWinStation == NULL ) {
/*
* Create another idle WinStation */ Status = WinStationCreateWorker( NULL, NULL, TRUE ); if ( NT_SUCCESS( Status ) ) { pWinStation = FindIdleWinStation(); if ( pWinStation == NULL ) { return STATUS_INSUFFICIENT_RESOURCES; } } else { return STATUS_INSUFFICIENT_RESOURCES; }
}
ReleaseWinStation(pWinStation); return STATUS_SUCCESS;}
NTSTATUSInitializeWinStationSecurityLock( VOID ){ NTSTATUS Status ;
try { RtlInitializeResource( &WinStationSecurityLock ); Status = STATUS_SUCCESS ; } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); }
return Status;}
//gets the product id from the registry
NTSTATUS GetProductIdFromRegistry( WCHAR* DigProductId, DWORD dwSize ){ HKEY hKey = NULL; NTSTATUS status = STATUS_UNSUCCESSFUL; ZeroMemory( DigProductId, dwSize ); if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, REG_WINDOWS_KEY, 0, KEY_READ, &hKey) == ERROR_SUCCESS ) { DWORD dwType = REG_SZ; if( RegQueryValueEx( hKey, L"ProductId", NULL, &dwType, (LPBYTE)DigProductId, &dwSize ) == ERROR_SUCCESS ) status = STATUS_SUCCESS; }
if (hKey) RegCloseKey( hKey );
return status;}
//
// Gets the remote IP address of the connections
// and supports statistics of how many outstanding connections
// are there for this client, if the number of outstanding connections
// reaches MaxSingleOutStandingConnections, *pbBlocked is returned FALSE
// the functions returns TRUE on success
//
// Paramters:
// pContext
// pEndpoint - handle of this connection
// EndpointLength - td layer needs the length
// pin_addr - returns remote IP address
// pbBlocked - returns TRUE if the connection has to be blocked, because of excessive number of
// outstanding connections
//
BOOLFilter_AddOutstandingConnection( IN HANDLE pContext, IN PVOID pEndpoint, IN ULONG EndpointLength, OUT PBYTE pin_addr, OUT PUINT puAddrSize, OUT BOOLEAN *pbBlocked ){ BOOL rv = FALSE; PTS_OUTSTANDINGCONNECTION pIter, pPrev; TS_OUTSTANDINGCONNECTION key; struct sockaddr_in6 addr6; ULONG AddrBytesReturned; NTSTATUS Status; PVOID paddr; BOOL bLocked = FALSE; PVOID bSucc; BOOLEAN bNewElement; ULONGLONG currentTime;
*pbBlocked = FALSE;
Status = IcaStackIoControl( pContext, IOCTL_TS_STACK_QUERY_REMOTEADDRESS, pEndpoint, EndpointLength, &addr6, sizeof( addr6 ), &AddrBytesReturned ); if ( !NT_SUCCESS( Status )) { goto exitpt; }
if ( AF_INET == addr6.sin6_family ) { key.uAddrSize = 4; paddr = &(((struct sockaddr_in *)&addr6)->sin_addr.s_addr); } else if ( AF_INET6 == addr6.sin6_family ) { key.uAddrSize = 16; paddr = &(addr6.sin6_addr); } else { ASSERT( 0 ); } ASSERT ( *puAddrSize >= key.uAddrSize );
RtlCopyMemory( pin_addr, paddr, key.uAddrSize ); *puAddrSize = key.uAddrSize;
ENTERCRIT( &FilterLock ); bLocked = TRUE;
//
// Check first in the outstanding connections
//
RtlCopyMemory( key.addr, paddr, key.uAddrSize ); pIter = RtlLookupElementGenericTable( &gOutStandingConnections, &key );
if ( NULL == pIter ) {
//
// check in the blocked connections list
//
pPrev = NULL; pIter = g_pBlockedConnections; while ( NULL != pIter ) { if ( key.uAddrSize == pIter->uAddrSize && key.uAddrSize == RtlCompareMemory( pIter->addr, paddr, key.uAddrSize )) { break; } pPrev = pIter; pIter = pIter->pNext; }
if ( NULL != pIter ) { pIter->NumOutStandingConnect ++; //
// already blocked, check for exparation time
//
GetSystemTimeAsFileTime( (LPFILETIME)¤tTime ); if ( currentTime > pIter->blockUntilTime ) { //
// unblock, remove from list
//
pIter->blockUntilTime = 0; if ( NULL != pPrev ) { pPrev->pNext = pIter->pNext; } else { g_pBlockedConnections = pIter->pNext; }
bSucc = RtlInsertElementGenericTable( &gOutStandingConnections, pIter, sizeof( *pIter ), &bNewElement ); if ( !bSucc ) { MemFree( pIter ); goto exitpt; } ASSERT( bNewElement ); MemFree( pIter );
} else { *pbBlocked = TRUE; }
} else { //
// this will be a new connection
//
key.NumOutStandingConnect = 1;
bSucc = RtlInsertElementGenericTable( &gOutStandingConnections, &key, sizeof( key ), &bNewElement ); if ( !bSucc ) { goto exitpt; } ASSERT( bNewElement ); } } else {
pIter->NumOutStandingConnect ++; //
// Check if we need to block this connection
//
if ( pIter->NumOutStandingConnect > MaxSingleOutStandingConnect ) { *pbBlocked = TRUE; key.NumOutStandingConnect = pIter->NumOutStandingConnect;
GetSystemTimeAsFileTime( (LPFILETIME)¤tTime ); // DelayConnectionTime is in ms
// currentTime is in 100s ns
key.blockUntilTime = currentTime + ((ULONGLONG)10000) * ((ULONGLONG)DelayConnectionTime);
RtlDeleteElementGenericTable( &gOutStandingConnections, &key );
//
// add to the blocked connections
//
pIter = MemAlloc( sizeof( *pIter )); if ( NULL == pIter ) { goto exitpt; }
RtlCopyMemory( pIter, &key, sizeof( *pIter )); pIter->pNext = g_pBlockedConnections; g_pBlockedConnections = pIter;
//
// log at most one event on every 15 minutes
//
if ( LastLoggedBlockedConnection + ((ULONGLONG)10000) * (15 * 60 * 1000) < currentTime ) { LastLoggedBlockedConnection = currentTime; WriteErrorLogEntry( EVENT_TOO_MANY_CONNECTIONS, &key.addr, key.uAddrSize ); } }
}
rv = TRUE;
exitpt:
if ( bLocked ) { LEAVECRIT( &FilterLock ); }
return rv;}
//
// Removes outstanding connections added in AddOutStandingConnection
//
BOOLFilter_RemoveOutstandingConnection( IN PBYTE paddr, IN UINT uAddrSize ){ PTS_OUTSTANDINGCONNECTION pIter, pPrev, pNext; TS_OUTSTANDINGCONNECTION key; ULONGLONG currentTime; NTSTATUS Status; ULONG AddrBytesReturned;#if DBG
BOOL bFound = FALSE;#endif
pPrev = NULL; GetSystemTimeAsFileTime( (LPFILETIME)¤tTime );
key.uAddrSize = uAddrSize; RtlCopyMemory( key.addr, paddr, uAddrSize );
ENTERCRIT( &FilterLock );
pIter = RtlLookupElementGenericTable( &gOutStandingConnections, &key ); if ( NULL != pIter ) {#if DBG
bFound = TRUE;#endif
pIter->NumOutStandingConnect--;
//
// cleanup connections w/o reference
//
if ( 0 == pIter->NumOutStandingConnect ) { RtlDeleteElementGenericTable( &gOutStandingConnections, &key ); }
}
//
// work through the blocked list
//
pIter = g_pBlockedConnections;
while( pIter ) { if ( uAddrSize == pIter->uAddrSize && uAddrSize == RtlCompareMemory( pIter->addr, paddr, uAddrSize )) { ASSERT( 0 != pIter->NumOutStandingConnect ); pIter->NumOutStandingConnect--;#if DBG
ASSERT( !bFound ); bFound = TRUE;#endif
}
//
// cleanup all connections w/o references
//
if ( 0 == pIter->NumOutStandingConnect && currentTime > pIter->blockUntilTime ) { if ( NULL == pPrev ) { g_pBlockedConnections = pIter->pNext; } else { pPrev->pNext = pIter->pNext; } //
// remove item and advance to the next
//
pNext = pIter->pNext; MemFree( pIter ); pIter = pNext; } else { //
// advance to the next item
//
pPrev = pIter; pIter = pIter->pNext; }
}
ASSERT( bFound );
/*
* Decrement the number of outstanding connections. * If connections drop back to max value, set the connect event. */#if DBG
//
// ensure proper cleanup
//
bFound = ( 0 == gOutStandingConnections.NumberGenericTableElements ); for( pIter = g_pBlockedConnections; pIter; pIter = pIter->pNext ) { bFound = bFound & ( 0 == pIter->NumOutStandingConnect ); }
#endif
LEAVECRIT( &FilterLock );
return TRUE;}
/*****************************************************************************
* * Filter_CompareConnectionEntry * * Generic table support.Compare two connection entries * * ****************************************************************************/
RTL_GENERIC_COMPARE_RESULTSNTAPIFilter_CompareConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance){ PTS_OUTSTANDINGCONNECTION pFirst, pSecond; INT rc;
pFirst = (PTS_OUTSTANDINGCONNECTION)FirstInstance; pSecond = (PTS_OUTSTANDINGCONNECTION)SecondInstance;
if ( pFirst->uAddrSize < pSecond->uAddrSize ) { return GenericLessThan; } else if ( pFirst->uAddrSize > pSecond->uAddrSize ) { return GenericGreaterThan; }
rc = memcmp( pFirst->addr, pSecond->addr, pFirst->uAddrSize ); return ( rc < 0 )?GenericLessThan: ( rc > 0 )?GenericGreaterThan: GenericEqual;}
/*****************************************************************************
* * Filter_AllocateConnectionEntry * * Generic table support. Allocates a new table entry * * ****************************************************************************/
PVOIDFilter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize ){ return MemAlloc( ByteSize );}
/*****************************************************************************
* * Filter_FreeConnectionEntry * * Generic table support. frees a new table entry * * ****************************************************************************/
VOIDFilter_FreeConnectionEntry ( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID Buffer ){ MemFree( Buffer );}
VOIDFilter_DestroyList( VOID ){ PTS_OUTSTANDINGCONNECTION p; TS_OUTSTANDINGCONNECTION con;
while ( NULL != g_pBlockedConnections ) { p = g_pBlockedConnections->pNext; MemFree( g_pBlockedConnections ); g_pBlockedConnections = p; }
while (p = RtlEnumerateGenericTable( &gOutStandingConnections, TRUE)) { RtlCopyMemory( &con, p, sizeof( con )); RtlDeleteElementGenericTable( &gOutStandingConnections, &con); }}
//
// ComputeHMACVerifier
// Compute the HMAC verifier from the random
// and the cookie
//
BOOLComputeHMACVerifier( PBYTE pCookie, //IN - the shared secret
LONG cbCookieLen, //IN - the shared secret len
PBYTE pRandom, //IN - the session random
LONG cbRandomLen, //IN - the session random len
PBYTE pVerifier, //OUT- the verifier
LONG cbVerifierLen //IN - the verifier buffer length
){ HMACMD5_CTX hmacctx; BOOL fRet = FALSE;
ASSERT(cbVerifierLen >= MD5DIGESTLEN);
if (!(pCookie && cbCookieLen && pRandom && cbRandomLen && pVerifier && cbVerifierLen)) { goto bail_out; }
HMACMD5Init(&hmacctx, pCookie, cbCookieLen);
HMACMD5Update(&hmacctx, pRandom, cbRandomLen); HMACMD5Final(&hmacctx, pVerifier);
fRet = TRUE;
bail_out: return fRet;}
//
// Extract the session to reconnect to from the ARC info
// also do the necessary security checks
//
// Params:
// pClientArcInfo - autoreconnect information from the client
//
// Returns:
// If all security checks pass and pArc is valid then winstation
// to reconnect to is returned. Else NULL
//
// NOTE: WinStation returned is left LOCKED.
//
PWINSTATIONGetWinStationFromArcInfo( PBYTE pClientRandom, LONG cbClientRandomLen, PTS_AUTORECONNECTINFO pClientArcInfo ){ NTSTATUS Status = STATUS_UNSUCCESSFUL; PWINSTATION pWinStation = NULL; PWINSTATION pFoundWinStation = NULL; ARC_CS_PRIVATE_PACKET UNALIGNED* pCSArcInfo = NULL; BYTE arcSCclientBlob[ARC_SC_SECURITY_TOKEN_LEN]; BYTE hmacVerifier[ARC_CS_SECURITY_TOKEN_LEN]; PBYTE pServerArcBits = NULL; ULONG BytesGot = 0; TS_AUTORECONNECTINFO SCAutoReconnectInfo;
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStation GetWinStationFromArcInfo pRandom:%p len:%d\n", pClientRandom, cbClientRandomLen));
if (!pClientArcInfo) { goto error; }
pCSArcInfo = (ARC_CS_PRIVATE_PACKET UNALIGNED*)pClientArcInfo->AutoReconnectInfo;
if (!pCSArcInfo->cbLen || pCSArcInfo->cbLen < sizeof(ARC_CS_PRIVATE_PACKET)) {
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: GetWinStationFromArcInfo ARC length invalid bailing out\n")); goto error; }
memset(arcSCclientBlob, 0, sizeof(arcSCclientBlob)); pWinStation = FindWinStationById(pCSArcInfo->LogonId, FALSE); if (pWinStation) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: GetWinStationFromArcInfo found arc winstation: %d\n", pCSArcInfo->LogonId)); //
// Do security checks to ensure this is the same winstation
// that was connected to the client
//
//
// First obtain the last autoreconnect blob sent to the client
// since we do an inline cookie update in rdpwd
//
if (pWinStation->AutoReconnectInfo.Valid) { pServerArcBits = pWinStation->AutoReconnectInfo.ArcRandomBits;
Status = STATUS_SUCCESS; } else { if (pWinStation->pWsx && pWinStation->pWsx->pWsxEscape) {
if (pWinStation->Terminating || pWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE || !pWinStation->WinStationName[0]) {
TRACE((hTrace,TC_ICASRV,TT_ERROR, "GetWinStationFromArcInfo skipping escape" "to closed stack disconnected %d\n", LogonId));
Status = STATUS_ACCESS_DENIED; goto error; }
Status = pWinStation->pWsx->pWsxEscape( pWinStation->pWsxContext, GET_SC_AUTORECONNECT_INFO, NULL, 0, &SCAutoReconnectInfo, sizeof(SCAutoReconnectInfo), &BytesGot);
if (NT_SUCCESS(Status)) { ASSERT(SCAutoReconnectInfo.cbAutoReconnectInfo == ARC_SC_SECURITY_TOKEN_LEN); }
pServerArcBits = SCAutoReconnectInfo.AutoReconnectInfo; } } } else { Status = STATUS_ACCESS_DENIED; }
if (NT_SUCCESS(Status)) {
//
// Ensure we got the correct length for the server->client
// data
//
ASSERT(pServerArcBits);
//
// Get random
//
if (ComputeHMACVerifier(pServerArcBits, ARC_SC_SECURITY_TOKEN_LEN, pClientRandom, cbClientRandomLen, (PBYTE)hmacVerifier, sizeof(hmacVerifier))) {
//
// Check that the verifier matches that sent by the client
//
if (!memcmp(hmacVerifier, pCSArcInfo->SecurityVerifier, sizeof(pCSArcInfo->SecurityVerifier))) {
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStation ARC info matches - will autoreconnect\n"));
} else {
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: autoreconnect verifier does not match targid:%d!!!\n", pWinStation->LogonId));
//
// Reset the autoreconnect info
//
pWinStation->AutoReconnectInfo.Valid = FALSE; memset(pWinStation->AutoReconnectInfo.ArcRandomBits, 0, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits));
//
// Log an event
//
PostErrorValueEvent(EVENT_AUTORECONNECT_AUTHENTICATION_FAILED, Status);
//
// Mark that no winstation target was found
//
goto error; } } pFoundWinStation = pWinStation; }
error: if ((NULL == pFoundWinStation) && pWinStation) { ReleaseWinStation(pWinStation); pWinStation = NULL; }
return pFoundWinStation;}
//
// Extract the session to reconnect to from the ARC info
// also do the necessary security checks
//
// Params:
// pWinStation - winstation to reset autoreconnect info for
//
VOIDResetAutoReconnectInfo( PWINSTATION pWinStation){ pWinStation->AutoReconnectInfo.Valid = FALSE; memset(pWinStation->AutoReconnectInfo.ArcRandomBits, 0, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits));}
/*****************************************************************************
* * Filter_CompareConnectionEntry * * Generic table support.Compare two connection entries * * ****************************************************************************/
RTL_GENERIC_COMPARE_RESULTSNTAPIFilter_CompareFailedConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance){ PTS_FAILEDCONNECTION pFirst, pSecond; INT rc;
pFirst = (PTS_FAILEDCONNECTION)FirstInstance; pSecond = (PTS_FAILEDCONNECTION)SecondInstance;
if ( pFirst->uAddrSize < pSecond->uAddrSize ) { return GenericLessThan; } else if ( pFirst->uAddrSize > pSecond->uAddrSize ) { return GenericGreaterThan; }
rc = memcmp( pFirst->addr, pSecond->addr, pFirst->uAddrSize ); return ( rc < 0 )?GenericLessThan: ( rc > 0 )?GenericGreaterThan: GenericEqual;}
VOID ReadDoSParametersFromRegistry( HKEY hKeyTermSrv ){ DWORD dwLen; DWORD dwType; ULONG TimeLimitForFailedConnectionsMins, DoSBlockTimeMins; ULONG szBuffer[MAX_PATH/sizeof(ULONG)];
// Set Default values if Reg values are not set
MaxFailedConnect = 5; DoSBlockTime = 5 * 60 * 1000; TimeLimitForFailedConnections = 2 * 60 * 1000; g_BlackListPolicy = TRUE;
//
// Get DoS parameters from Registry
//
dwLen = sizeof(MaxFailedConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_FAILED_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxFailedConnect = *(PULONG)szBuffer; } }
// Note - for the next 2 parameters, whatever is present in the registry is in minutes
// So convert it into milliseconds after reading
dwLen = sizeof(TimeLimitForFailedConnectionsMins); if (RegQueryValueEx(hKeyTermSrv, TIME_LIMIT_FAILED_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { TimeLimitForFailedConnectionsMins = *(PULONG)szBuffer; TimeLimitForFailedConnections = TimeLimitForFailedConnectionsMins * 60 * 1000; } }
dwLen = sizeof(DoSBlockTimeMins); if (RegQueryValueEx(hKeyTermSrv, DOS_BLOCK_TIME, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { DoSBlockTimeMins = *(PULONG)szBuffer; DoSBlockTime = DoSBlockTimeMins * 60 * 1000; } }
// Table Cleanup time is twice the time within which a IP has to make "n" bad connections to get blocked
// This should be in milliseconds
CleanupTimeout = 2 * TimeLimitForFailedConnections;
dwLen = sizeof(g_BlackListPolicy); if (RegQueryValueEx(hKeyTermSrv, BLACK_LIST_POLICY, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { g_BlackListPolicy = *(PULONG)szBuffer; } }
}
/*******************************************************************************
* IsConfigValid * * Check the validity of the Winstation Config struct. * It's used for now for the machine-to-machine shadow as input from the * shadower's machine should not be trusted and should be checked. * * ENTRY: * IN pConfig - Winstation config struct to be checked * * EXIT: * STATUS_SUCCESS - if the struct can be used * Other status - the check failed ******************************************************************************/NTSTATUS IsConfigValid(PWINSTATIONCONFIG2 pConfig){ ULONG i; NTSTATUS Status; PWCHAR pszModulePath = NULL;
// Verify that each member of the config is valid
//WINSTATIONCREATEW Create;
// ULONG fEnableWinStation : 1;
// ULONG MaxInstanceCount;
//PDCONFIGW Pd[ MAX_PDCONFIG ];
// PDCONFIG2W Create;
// PDNAMEW PdName; // descriptive name of PD
// SDCLASS SdClass; // type of PD
// DLLNAMEW PdDLL; // name of PD dll
// ULONG PdFlag; // PD flags
// ULONG OutBufLength; // optimal output buffer length
// ULONG OutBufCount; // optimal number of output buffers
// ULONG OutBufDelay; // write delay in msecs
// ULONG InteractiveDelay; // write delay during active input
// ULONG PortNumber; // network listen port number
// ULONG KeepAliveTimeout; // network watchdog frequence
// PDPARAMSW Params;
// SDCLASS SdClass;
// NETWORKCONFIGW Network;
// LONG LanAdapter;
// DEVICENAMEW NetworkName;
// ULONG Flags;
// ASYNCCONFIGW Async;
// DEVICENAMEW DeviceName;
// MODEMNAMEW ModemName;
// ULONG BaudRate;
// ULONG Parity;
// ULONG StopBits;
// ULONG ByteSize;
// ULONG fEnableDsrSensitivity: 1;
// ULONG fConnectionDriver: 1;
// FLOWCONTROLCONFIG FlowControl;
// CONNECTCONFIG Connect;
// NASICONFIGW Nasi;
// NASISPECIFICNAMEW SpecificName;
// NASIUSERNAMEW UserName;
// NASIPASSWORDW PassWord;
// NASISESIONNAMEW SessionName;
// NASIFILESERVERW FileServer;
// BOOLEAN GlobalSession;
// OEMTDCONFIGW OemTd;
// LONG Adapter;
// DEVICENAMEW DeviceName;
// ULONG Flags;
// allocate the path string to verify dlls and drivers
pszModulePath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszModulePath == NULL) { Status = STATUS_NO_MEMORY; goto done; }
if ((lstrlen(szDriverDir) + DLLNAME_LENGTH + 4 > MAX_PATH) || (lstrlen(szSystemDir) + DLLNAME_LENGTH + 4 > MAX_PATH)) { Status = STATUS_UNSUCCESSFUL; goto done; }
for (i=0; i < MAX_PDCONFIG; i++) {
PPDCONFIG pPdConfig;
pPdConfig = &(pConfig->Pd[i]);
if (pPdConfig->Create.SdClass == SdNone) break;
Status = IsZeroterminateStringW(pPdConfig->Create.PdName, PDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
Status = IsZeroterminateStringW(pPdConfig->Create.PdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
lstrcpyn(pszModulePath, szDriverDir, MAX_PATH+1); lstrcat(pszModulePath, pPdConfig->Create.PdDLL); lstrcat(pszModulePath, L".SYS");
if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; }
switch(pPdConfig->Params.SdClass) {
case SdNetwork: Status = IsZeroterminateStringW(pPdConfig->Params.Network.NetworkName, DEVICENAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; break;
case SdAsync: // needed ?
Status = IsZeroterminateStringW(pPdConfig->Params.Async.DeviceName, DEVICENAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
Status = IsZeroterminateStringW(pPdConfig->Params.Async.ModemName, MODEMNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; break;
case SdNasi: // needed ?
break;
case SdOemTransport: // needed ?
break;
default: break; } }
//WDCONFIGW Wd;
// WDNAMEW WdName;
// DLLNAMEW WdDLL;
// DLLNAMEW WsxDLL;
// ULONG WdFlag;
// ULONG WdInputBufferLength;
// DLLNAMEW CfgDLL;
// WDPREFIXW WdPrefix;
Status = IsZeroterminateStringW(pConfig->Wd.WdName, WDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
Status = IsZeroterminateStringW(pConfig->Wd.WdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
// Verify the Wd
lstrcpyn(pszModulePath, szDriverDir, MAX_PATH+1); lstrcat(pszModulePath, pConfig->Wd.WdDLL); lstrcat(pszModulePath, L".SYS");
if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; }
Status = IsZeroterminateStringW(pConfig->Wd.WsxDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
// Verify the Wsx if defined
if ( pConfig->Wd.WsxDLL[0] != L'\0' ) {
lstrcpyn(pszModulePath, szSystemDir, MAX_PATH+1); lstrcat(pszModulePath, pConfig->Wd.WsxDLL); lstrcat(pszModulePath, L".DLL");
if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; } }
Status = IsZeroterminateStringW(pConfig->Wd.CfgDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
Status = IsZeroterminateStringW(pConfig->Wd.WdPrefix, WDPREFIX_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
//CDCONFIGW Cd;
// CDCLASS CdClass;
// CDNAMEW CdName;
// DLLNAMEW CdDLL;
// ULONG CdFlag;
//
Status = IsZeroterminateStringW(pConfig->Cd.CdName, CDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
Status = IsZeroterminateStringW(pConfig->Cd.CdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
//WINSTATIONCONFIGW Config;
// WCHAR Comment[ WINSTATIONCOMMENT_LENGTH + 1 ];
// USERCONFIGW User;
// char OEMId[4]; // WinFrame Server OEM Id
//
Status = IsZeroterminateStringW(pConfig->Config.Comment, WINSTATIONCOMMENT_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done;
done: if (pszModulePath) MemFree(pszModulePath);
return Status;
}
|
