archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/termsrv/notify/ctxmon.c

629 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*******************************************************************************
  2. *
  3. * CTXMON.C
  4. *
  5. * This module contains code to monitor user processes
  6. *
  7. * Copyright Microsoft, 1997
  8. *
  9. * Author:
  10. *
  11. *
  12. *******************************************************************************/
  13. #include "precomp.h"
  14. #pragma hdrstop
  15. #include <ntexapi.h>
  16. #include "winreg.h"
  18. /*=============================================================================
  19. == Local Defines
  20. =============================================================================*/
  22. #define BUFFER_SIZE 32*1024
  23. #define MAXNAME 18
  26. BOOL IsSystemLUID(HANDLE ProcessId);
  27. //
  28. // This table contains common NT system programs
  29. //
  30. DWORD dwNumberofSysProcs = 0;
  31. LPTSTR *SysProcTable;
  33. typedef struct {
  34. HANDLE hProcess;
  35. HANDLE TerminateEvent;
  36. //HWND hwndNotify;
  37. HANDLE Thread;
  38. } USER_PROCESS_MONITOR, * PUSER_PROCESS_MONITOR;
  41. /*=============================================================================
  42. == Internal Procedures
  43. =============================================================================*/
  45. HANDLE OpenUserProcessHandle();
  46. BOOLEAN IsSystemProcess( PSYSTEM_PROCESS_INFORMATION);
  48. /*=============================================================================
  49. == External Procedures
  50. =============================================================================*/
  52. VOID LookupSidUser( PSID pSid, PWCHAR pUserName, PULONG pcbUserName );
  54. HANDLE
  55. ImpersonateUser(
  56. HANDLE UserToken,
  57. HANDLE ThreadHandle
  58. );
  60. BOOL
  61. StopImpersonating(
  62. HANDLE ThreadHandle
  63. );
  66. BOOL CreateSystemProcList ()
  67. {
  68. DWORD dwIndex;
  69. DWORD dwLongestProcName = 0;
  70. DWORD dwSize = 0;
  71. HKEY hKeySysProcs = NULL;
  72. DWORD iValueIndex = 0;
  73. LONG lResult;
  75. const LPCTSTR SYS_PROC_KEY = TEXT("SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\SysProcs");
  77. // to start with.
  78. SysProcTable = NULL;
  79. dwNumberofSysProcs = 0;
  82. lResult = RegOpenKeyEx(
  83. HKEY_LOCAL_MACHINE, // handle of open key
  84. SYS_PROC_KEY, // address of name of subkey to open
  85. 0 , // reserved
  86. KEY_READ, // security access mask
  87. &hKeySysProcs // address of handle of open key
  88. );
  90. if (lResult != ERROR_SUCCESS)
  91. {
  92. return FALSE;
  93. }
  95. lResult = RegQueryInfoKey(
  96. hKeySysProcs, // handle to key
  97. NULL, // class buffer
  98. NULL, // size of class buffer
  99. NULL, // reserved
  100. NULL, // number of subkeys
  101. NULL, // longest subkey name
  102. NULL, // longest class string
  103. &dwNumberofSysProcs, // number of value entries
  104. &dwLongestProcName, // longest value name
  105. NULL, // longest value data
  106. NULL, // descriptor length
  107. NULL // last write time
  108. );
  110. if (lResult != ERROR_SUCCESS || dwNumberofSysProcs == 0)
  111. {
  112. dwNumberofSysProcs = 0;
  113. RegCloseKey(hKeySysProcs);
  114. return FALSE;
  115. }
  118. dwLongestProcName += 1; // provision for the terminating null
  119. SysProcTable = LocalAlloc(LPTR, sizeof(LPTSTR) * dwNumberofSysProcs);
  120. if (!SysProcTable)
  121. {
  122. SysProcTable = NULL;
  123. dwNumberofSysProcs = 0;
  124. RegCloseKey(hKeySysProcs);
  125. return FALSE;
  126. }
  128. for (dwIndex = 0; dwIndex < dwNumberofSysProcs; dwIndex++)
  129. {
  130. SysProcTable[dwIndex] = (LPTSTR) LocalAlloc(LPTR, dwLongestProcName * sizeof(TCHAR));
  132. if (SysProcTable[dwIndex] == NULL)
  133. {
  134. //
  135. // if we failed to alloc bail out.
  136. //
  138. while (dwIndex)
  139. {
  140. LocalFree(SysProcTable[dwIndex-1]);
  141. dwIndex--;
  142. }
  144. LocalFree(SysProcTable);
  145. SysProcTable = NULL;
  146. dwNumberofSysProcs = 0;
  147. RegCloseKey(hKeySysProcs);
  150. return FALSE;
  151. }
  153. }
  155. iValueIndex = 0;
  156. while (iValueIndex < dwNumberofSysProcs)
  157. {
  158. dwSize = dwLongestProcName;
  159. lResult = RegEnumValue(
  160. hKeySysProcs, // handle of key to query
  161. iValueIndex, // index of value to query
  162. SysProcTable[iValueIndex], // address of buffer for value string
  163. &dwSize, // address for size of value buffer
  164. 0, // reserved
  165. NULL, // address of buffer for type code
  166. NULL, // address of buffer for value data
  167. NULL // address for size of data buffer
  168. );
  170. if (lResult != ERROR_SUCCESS)
  171. {
  172. lstrcpy(SysProcTable[iValueIndex], TEXT("")); // this is an invalid entry.
  174. if (lResult == ERROR_NO_MORE_ITEMS)
  175. break;
  176. }
  178. iValueIndex++;
  179. }
  182. return TRUE;
  183. }
  185. void DestroySystemprocList ()
  186. {
  187. DWORD dwIndex;
  188. if (SysProcTable)
  189. {
  190. for (dwIndex = 0; dwIndex < dwNumberofSysProcs; dwIndex++)
  191. {
  192. if (SysProcTable[dwIndex])
  193. {
  194. LocalFree(SysProcTable[dwIndex]);
  195. }
  197. }
  199. LocalFree(SysProcTable);
  200. SysProcTable = NULL;
  201. dwNumberofSysProcs = 0;
  202. }
  203. }
  205. /***************************************************************************\
  206. * FUNCTION: UserProcessMonitorThread
  207. *
  208. * Thread monitoring user processes. It intiates a LOGOFF when there
  209. * are no more user processes.
  210. *
  211. *
  212. \***************************************************************************/
  214. DWORD UserProcessMonitorThread(
  215. LPVOID lpThreadParameter
  216. )
  217. {
  218. PUSER_PROCESS_MONITOR pMonitor = (PUSER_PROCESS_MONITOR)lpThreadParameter;
  219. HANDLE ImpersonationHandle;
  220. DWORD WaitResult;
  221. HANDLE WaitHandle;
  222. HKEY hKey;
  223. DWORD dwVal = 0;
  226. //This value should be per user
  227. if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\Control\\WOW", 0,
  228. KEY_WRITE, &hKey) == ERROR_SUCCESS) {
  230. //
  231. // Set the SharedWowTimeout to zero so that WOW exits as soon as all the 16 bit
  232. // processes are gone
  233. //
  234. RegSetValueEx (hKey, L"SharedWowTimeout", 0, REG_DWORD, (LPBYTE)&dwVal,
  235. sizeof(DWORD));
  237. RegCloseKey(hKey);
  239. }
  241. if (!CreateSystemProcList ())
  242. DebugLog((DEB_ERROR, "ERROR, CreateSystemProcList failed.\n", GetLastError()));
  244. for (;;) {
  245. if ( !(pMonitor->hProcess = OpenUserProcessHandle()) ) {
  247. break;
  249. }
  251. // Wait for process to exit or terminate event to be signaled
  252. WaitResult = WaitForMultipleObjects( 2, &pMonitor->hProcess,
  253. FALSE, (DWORD)-1 );
  255. if ( WaitResult == 1 ) { // if terminate event was signaled
  256. CloseHandle( pMonitor->hProcess );
  257. DestroySystemprocList ();
  259. return(0);
  260. }
  261. }
  263. DestroySystemprocList ();
  266. //
  267. // Initiate logoff
  268. //
  270. ImpersonationHandle = ImpersonateUser(g_UserToken , NULL );
  272. if( ImpersonationHandle ) {
  273. ExitWindowsEx(EWX_LOGOFF, 0);
  274. StopImpersonating(ImpersonationHandle);
  275. }
  277. WaitForSingleObject( pMonitor->TerminateEvent, (DWORD)-1 );
  279. return(0);
  280. }
  283. /***************************************************************************\
  284. * FUNCTION: StartUserProcessMonitor
  285. *
  286. * PURPOSE: Creates a thread to monitor user processes
  287. *
  288. \***************************************************************************/
  290. LPVOID
  291. StartUserProcessMonitor(
  292. //HWND hwndNotify
  293. )
  294. {
  295. PUSER_PROCESS_MONITOR pMonitor;
  296. DWORD ThreadId;
  298. pMonitor = LocalAlloc(LPTR, sizeof(USER_PROCESS_MONITOR));
  299. if (pMonitor == NULL) {
  300. return(NULL);
  301. }
  303. //
  304. // Initialize monitor fields
  305. //
  307. //pMonitor->hwndNotify = hwndNotify;
  308. pMonitor->TerminateEvent = CreateEvent( NULL, TRUE, FALSE, NULL );
  310. //
  311. // Create the monitor thread
  312. //
  314. pMonitor->Thread = CreateThread(
  315. NULL, // Use default ACL
  316. 0, // Same stack size
  317. UserProcessMonitorThread, // Start address
  318. (LPVOID)pMonitor, // Parameter
  319. 0, // Creation flags
  320. &ThreadId // Get the id back here
  321. );
  322. if (pMonitor->Thread == NULL) {
  323. DebugLog((DEB_ERROR, "Failed to create monitor thread, error = %d", GetLastError()));
  324. LocalFree(pMonitor);
  325. return(NULL);
  326. }
  328. return((LPVOID)pMonitor);
  329. }
  333. VOID
  334. DeleteUserProcessMonitor(
  335. LPVOID Parameter
  336. )
  337. {
  338. PUSER_PROCESS_MONITOR pMonitor = (PUSER_PROCESS_MONITOR)Parameter;
  339. BOOL Result;
  342. if (!pMonitor)
  343. return;
  345. // Set the terminate event for this monitor
  346. // and wait for the monitor thread to exit
  347. SetEvent( pMonitor->TerminateEvent );
  348. if ( WaitForSingleObject( pMonitor->Thread, 5000 ) == WAIT_TIMEOUT )
  349. (VOID)TerminateThread(pMonitor->Thread, ERROR_SUCCESS);
  351. //
  352. // Close our handle to the monitor thread
  353. //
  355. Result = CloseHandle(pMonitor->Thread);
  356. if (!Result) {
  357. DebugLog((DEB_ERROR, "DeleteUserProcessMonitor: failed to close monitor thread, error = %d\n", GetLastError()));
  358. }
  360. //
  361. // Delete monitor object
  362. //
  364. CloseHandle(pMonitor->TerminateEvent);
  365. LocalFree(pMonitor);
  366. }
  369. HANDLE
  370. OpenUserProcessHandle()
  371. {
  372. HANDLE ProcessHandle = NULL; // handle to notify process
  373. int rc;
  374. //WCHAR UserName[USERNAME_LENGTH];
  375. ULONG SessionId;
  376. //PSID pUserSid;
  377. PSYSTEM_PROCESS_INFORMATION ProcessInfo;
  378. SYSTEM_SESSION_PROCESS_INFORMATION SessionProcessInfo;
  379. PSYSTEM_THREAD_INFORMATION ThreadInfo;
  380. PBYTE pBuffer;
  381. ULONG ByteCount;
  382. NTSTATUS status;
  383. ULONG MaxLen;
  384. ULONG TotalOffset;
  385. BOOL RetryIfNoneFound;
  386. ULONG retlen = 0;
  388. ByteCount = BUFFER_SIZE;
  390. Retry:
  391. RetryIfNoneFound = FALSE;
  393. SessionProcessInfo.SessionId = g_SessionId;
  395. for(;;) {
  397. if ( (pBuffer = LocalAlloc(LPTR, ByteCount )) == NULL ) {
  398. return(NULL);
  399. }
  401. SessionProcessInfo.Buffer = pBuffer;
  402. SessionProcessInfo.SizeOfBuf = ByteCount;
  404. /*
  405. * get process info
  406. */
  407. status = NtQuerySystemInformation(
  408. SystemSessionProcessInformation,
  409. &SessionProcessInfo,
  410. sizeof(SessionProcessInfo),
  411. &retlen );
  413. if ( NT_SUCCESS(status) )
  414. break;
  416. /*
  417. * Make sure buffer is big enough
  418. */
  419. if ( status != STATUS_INFO_LENGTH_MISMATCH ) {
  420. LocalFree ( pBuffer );
  421. return(NULL);
  422. }
  424. LocalFree( pBuffer );
  425. ByteCount *= 2;
  426. }
  428. if (retlen == 0) {
  429. LocalFree(pBuffer);
  430. return NULL;
  431. }
  433. /*
  434. * Loop through all processes. Find first process running on this station
  435. */
  436. ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
  437. TotalOffset = 0;
  438. rc = 0;
  440. for(;;) {
  442. ThreadInfo = (PSYSTEM_THREAD_INFORMATION)(ProcessInfo + 1);
  444. // SessionId = ProcessInfo->SessionId;
  446. // if (SessionId == g_SessionId) {
  448. /*
  449. * Get the User name for the SID of the process.
  450. */
  451. MaxLen = USERNAME_LENGTH;
  453. //LookupSidUser( pUserSid, UserName, &MaxLen);
  455. ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE,
  456. (DWORD)(UINT_PTR)ProcessInfo->UniqueProcessId);
  458. //
  459. // OpenProcess may fail for System processes like csrss.exe if we do not have enough privilege
  460. // In that case, we just skip that process because we r not worried about System processes anyway
  461. //
  462. if (!ProcessHandle && (GetLastError() == ERROR_ACCESS_DENIED) ) {
  463. goto NextProcess;
  464. }
  466. if ( ProcessHandle && !IsSystemLUID(ProcessHandle) && !IsSystemProcess( ProcessInfo) &&
  467. (ThreadInfo->ThreadState != 4) ) {
  468. //
  469. // Open the process for the monitor thread.
  470. //
  473. break;
  474. }
  476. if (ProcessHandle) {
  477. CloseHandle(ProcessHandle);
  478. ProcessHandle = NULL;
  479. } else {
  481. //
  482. // When OpenProcess fails, it means the process is already
  483. // gone. This can happen if the list is sufficiently long.
  484. // If for example the process was userinit.exe, it may have
  485. // spawned progman and exited by the time we see the entry
  486. // for userinit. But, since this is a snapshot of the list
  487. // of processes, progman may not be in this snapshot. So,
  488. // if we don't find any processes in this list, we have to
  489. // get another snapshot to avoid prematurely logging off the
  490. // user.
  491. //
  492. RetryIfNoneFound = TRUE;
  494. }
  496. // }
  498. NextProcess:
  499. if( ProcessInfo->NextEntryOffset == 0 ) {
  500. break;
  501. }
  502. TotalOffset += ProcessInfo->NextEntryOffset;
  503. ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pBuffer[TotalOffset];
  504. }
  506. LocalFree( pBuffer );
  508. if (!ProcessHandle && RetryIfNoneFound) {
  509. Sleep(4000);
  510. goto Retry;
  511. }
  513. return(ProcessHandle);
  514. }
  519. BOOL IsSystemLUID(HANDLE ProcessId)
  520. {
  521. HANDLE TokenHandle;
  522. UCHAR TokenInformation[ sizeof( TOKEN_STATISTICS ) ];
  523. ULONG ReturnLength;
  524. LUID CurrentLUID = { 0, 0 };
  525. LUID SystemLUID = SYSTEM_LUID;
  526. NTSTATUS Status;
  529. Status = NtOpenProcessToken( ProcessId,
  530. TOKEN_QUERY,
  531. &TokenHandle );
  532. if ( !NT_SUCCESS( Status ) )
  533. return(TRUE);
  535. NtQueryInformationToken( TokenHandle, TokenStatistics, &TokenInformation,
  536. sizeof(TokenInformation), &ReturnLength );
  537. NtClose( TokenHandle );
  539. RtlCopyLuid(&CurrentLUID,
  540. &(((PTOKEN_STATISTICS)TokenInformation)->AuthenticationId));
  543. if (RtlEqualLuid(&CurrentLUID, &SystemLUID)) {
  544. return(TRUE);
  545. } else {
  546. return(FALSE );
  547. }
  548. }
  551. /******************************************************************************
  552. *
  553. * IsSystemProcess
  554. *
  555. * Return whether the given process described by SYSTEM_PROCESS_INFORMATION
  556. * is an NT "system" process, and not a user program.
  557. *
  558. * ENTRY:
  559. * pProcessInfo (input)
  560. * Pointer to an NT SYSTEM_PROCESS_INFORMATION structure for a single
  561. * process.
  562. * EXIT:
  563. * TRUE if this is an NT system process; FALSE if a general user process.
  564. *
  565. *****************************************************************************/
  567. BOOLEAN
  568. IsSystemProcess( PSYSTEM_PROCESS_INFORMATION pSysProcessInfo)
  569. {
  570. DWORD dwIndex;
  571. WCHAR *WellKnownSysProcTable[] = {
  572. L"csrss.exe",
  573. L"smss.exe",
  574. L"screg.exe",
  575. L"lsass.exe",
  576. L"spoolss.exe",
  577. L"EventLog.exe",
  578. L"netdde.exe",
  579. L"clipsrv.exe",
  580. L"lmsvcs.exe",
  581. L"MsgSvc.exe",
  582. L"winlogon.exe",
  583. L"NETSTRS.EXE",
  584. L"nddeagnt.exe",
  585. L"os2srv.exe",
  586. L"wfshell.exe",
  587. L"win.com",
  588. L"rdpclip.exe",
  589. L"conime.exe",
  590. L"proquota.exe",
  591. L"imepadsv.exe",
  592. L"ctfmon.exe",
  593. NULL
  594. };
  597. if (dwNumberofSysProcs == 0)
  598. {
  599. /*
  600. * we failed to read the sys processes from registry. so lets fall back to our well known proc list.
  601. */
  602. for( dwIndex=0; WellKnownSysProcTable[dwIndex]; dwIndex++) {
  603. if ( !_wcsnicmp( pSysProcessInfo->ImageName.Buffer,
  604. WellKnownSysProcTable[dwIndex],
  605. pSysProcessInfo->ImageName.Length) ) {
  606. return(TRUE);
  607. }
  608. }
  611. }
  612. else
  613. {
  614. /*
  615. * Compare its image name against some well known system image names.
  616. */
  617. for( dwIndex=0; dwIndex < dwNumberofSysProcs; dwIndex++) {
  618. if ( !_wcsnicmp( pSysProcessInfo->ImageName.Buffer,
  619. SysProcTable[dwIndex],
  620. pSysProcessInfo->ImageName.Length) ) {
  621. return(TRUE);
  622. }
  623. }
  624. }
  625. return(FALSE);
  627. } /* IsSystemProcess() */