//****************************************************************************/ // winsta.c // // TermSrv session and session stack related code. // // Copyright (C) 1997-2000 Microsoft Corporation /****************************************************************************/ #include "precomp.h" #pragma hdrstop #include "icaevent.h" #include "tsappcmp.h" // for TermsrvAppInstallMode #include #include "sessdir.h" #include #include #include #include "conntfy.h" #include "tsremdsk.h" #include #include #include #include "tssec.h" // // Autoreconnect security headers // #include #include // performance flags #include "tsperf.h" // DoS attack Filters #include "filters.h" #ifndef MAX_WORD #define MAX_WORD 0xffff #endif // // SIGN_BYPASS_OPTION #define should be removed before WIN64 SHIPS!!!!! // #ifdef _WIN64 #define SIGN_BYPASS_OPTION #endif /* * Local defines */ #define SETUP_REG_PATH L"\\Registry\\Machine\\System\\Setup" #define REG_WINDOWS_KEY TEXT("SOFTWARE\\Microsoft\\Windows\\CurrentVersion") #define MAXIMUM_WAIT_WINSTATIONS ((MAXIMUM_WAIT_OBJECTS >> 1) - 1) #define MAX_STRING_BYTES 512 #define MAX_ALLOWED_PASSWORD_LEN 126 BOOL gbFirtsConnectionThread = TRUE; WINSTATIONCONFIG2 gConsoleConfig; WCHAR g_DigProductId[CLIENT_PRODUCT_ID_LENGTH]; RECONNECT_INFO ConsoleReconnectInfo; ULONG gLogoffTimeout = 90; /*90 seconds default value for logoff timeout*/ /* * Globals to support load balancing. Since this is queried frequently we can't * afford to lock the winstation list and count them up. Note that they are * modified only when we have the WinStationListLock to avoid mutual exclusion * issues. */ ULONG WinStationTotalCount = 0; ULONG WinStationDiscCount = 0; LOAD_BALANCING_METRICS gLB; BOOL g_fGetLocalIP = FALSE; /* * External procedures defined */ VOID StartAllWinStations(HKEY); NTSTATUS QueueWinStationCreate( PWINSTATIONNAME ); NTSTATUS WinStationCreateWorker(PWINSTATIONNAME pWinStationName, PULONG pLogonId, BOOLEAN fStartWinStation ); VOID WinStationTerminate( PWINSTATION ); VOID WinStationDeleteWorker( PWINSTATION ); NTSTATUS WinStationDoDisconnect( PWINSTATION, PRECONNECT_INFO, BOOLEAN ); NTSTATUS WinStationDoReconnect( PWINSTATION, PRECONNECT_INFO ); BOOL CopyReconnectInfo(PWINSTATION, PRECONNECT_INFO); VOID CleanupReconnect( PRECONNECT_INFO ); NTSTATUS WinStationExceptionFilter( PWSTR, PEXCEPTION_POINTERS ); NTSTATUS IcaWinStationNameFromLogonId( ULONG, PWINSTATIONNAME ); VOID WriteErrorLogEntry( IN NTSTATUS NtStatusCode, IN PVOID pRawData, IN ULONG RawDataLength ); NTSTATUS CheckIdleWinstation(VOID); BOOL IsKernelDebuggerAttached(); /* * Internal procedures defined */ NTSTATUS WinStationTerminateThread( PVOID ); NTSTATUS WinStationIdleControlThread( PVOID ); NTSTATUS WinStationConnectThread( ULONG ); NTSTATUS WinStationTransferThread( PVOID ); NTSTATUS ConnectSmWinStationApiPort( VOID ); NTSTATUS IcaRegWinStationEnumerate( PULONG, PWINSTATIONNAME, PULONG ); NTSTATUS WinStationStart( PWINSTATION ); NTSTATUS StartWinStationDeviceAndStack(PWINSTATION pWinStation); NTSTATUS WinStationCreateComplete(PWINSTATION pWinStation); BOOL WinStationTerminateProcesses( PWINSTATION, ULONG *pNumTerminated ); VOID WinStationDeleteProc( PREFLOCK ); VOID WinStationZombieProc( PREFLOCK ); NTSTATUS SetRefLockDeleteProc( PREFLOCK, PREFLOCKDELETEPROCEDURE ); VOID WsxBrokenConnection( PWINSTATION ); NTSTATUS TerminateProcessAndWait( HANDLE, HANDLE, ULONG ); VOID ResetAutoReconnectInfo( PWINSTATION ); ULONG WinStationShutdownReset( PVOID ); ULONG WinStationLogoff( PVOID ); NTSTATUS DoForWinStationGroup( PULONG, ULONG, LPTHREAD_START_ROUTINE ); NTSTATUS LogoffWinStation( PWINSTATION, ULONG ); PWINSTATION FindIdleWinStation( VOID ); ULONG CountWinStationType( PWINSTATIONNAME pListenName, BOOLEAN bActiveOnly, BOOLEAN bLockHeld); NTSTATUS _CloseEndpoint( IN PWINSTATIONCONFIG2 pWinStationConfig, IN PVOID pEndpoint, IN ULONG EndpointLength, IN PWINSTATION pWinStation, IN BOOLEAN bNeedStack ); NTSTATUS _VerifyStackModules(PWINSTATION); NTSTATUS _ImpersonateClient(HANDLE, HANDLE *); WinstationRegUnLoadKey(HKEY hKey, LPWSTR lpSubKey); ULONG WinstationCountUserSessions(PSID, ULONG); BOOLEAN WinStationCheckConsoleSession(VOID); NTSTATUS WinStationWinerrorToNtStatus(ULONG ulWinError); VOID WinStationSetMaxOustandingConnections(); VOID ReadDoSParametersFromRegistry( HKEY hKeyTermSrv ); NTSTATUS GetProductIdFromRegistry( WCHAR* DigProductId, DWORD dwSize ); /* * External procedures used */ NTSTATUS WinStationInitRPC( VOID ); NTSTATUS WinStationInitLPC( VOID ); RPC_STATUS RegisterRPCInterface( BOOL bReregister ); NTSTATUS WinStationStopAllShadows( PWINSTATION ); VOID NotifySystemEvent( ULONG ); NTSTATUS SendWinStationCommand( PWINSTATION, PWINSTATION_APIMSG, ULONG ); NTSTATUS RpcCheckClientAccess( PWINSTATION, ACCESS_MASK, BOOLEAN ); NTSTATUS WinStationSecurityInit( VOID ); VOID DisconnectTimeout( ULONG LogonId ); PWSEXTENSION FindWinStationExtensionDll( PWSTR, ULONG ); PSECURITY_DESCRIPTOR WinStationGetSecurityDescriptor( PWINSTATION pWinStation ); VOID WinStationFreeSecurityDescriptor( PWINSTATION pWinStation ); NTSTATUS WinStationInheritSecurityDescriptor( PVOID pSecurityDescriptor, PWINSTATION pTargetWinStation ); NTSTATUS ReadWinStationSecurityDescriptor( PWINSTATION pWinStation ); NTSTATUS WinStationKeepAlive(); NTSTATUS WinStationReadRegistryWorker(); void PostErrorValueEvent( unsigned EventCode, DWORD ErrVal); BOOL Filter_AddOutstandingConnection( IN HANDLE pContext, IN PVOID pEndpoint, IN ULONG EndpointLength, OUT PBYTE pin_addr, OUT PUINT puAddrSize, OUT BOOLEAN *pbBlocked ); BOOL Filter_RemoveOutstandingConnection( IN PBYTE pin_addr, IN UINT uAddrSize ); RTL_GENERIC_COMPARE_RESULTS NTAPI Filter_CompareConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance ); RTL_GENERIC_COMPARE_RESULTS NTAPI Filter_CompareFailedConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance ); PVOID Filter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize ); PVOID Filter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize ); VOID Filter_FreeConnectionEntry ( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID Buffer ); BOOL FindFirstListeningWinStationName( PWINSTATIONNAMEW pListenName, PWINSTATIONCONFIG2 pConfig ); typedef struct _TRANSFER_INFO { ULONG LogonId; PVOID pEndpoint; ULONG EndpointLength; } TRANSFER_INFO, *PTRANSFER_INFO; VOID AuditEvent( PWINSTATION pWinstation, ULONG EventId ); VOID AuditShutdownEvent(VOID); NTSTATUS IsZeroterminateStringW( PWCHAR pwString, DWORD dwLength ); // //From regapi.dll // BOOLEAN RegIsTimeZoneRedirectionEnabled(); /* * Local variables */ RTL_CRITICAL_SECTION WinStationListLock; RTL_CRITICAL_SECTION WinStationListenersLock; RTL_CRITICAL_SECTION WinStationStartCsrLock; RTL_CRITICAL_SECTION TimerCritSec; RTL_CRITICAL_SECTION WinStationZombieLock; RTL_CRITICAL_SECTION UserProfileLock; RTL_CRITICAL_SECTION ConsoleLock; RTL_RESOURCE WinStationSecurityLock; // This synchronization counter prevents WinStationIdleControlThread from // Trying to create a console session when there is not one. There are two // Situations where we do no want it to create such session: // - At initialization time before we create session Zero which is the initial // console session. // - During reconnect in the window were we just disconnected the console session // (so there is no console session) but we know we are we going to reconnect // an other session to the console. ULONG gConsoleCreationDisable = 1; LIST_ENTRY WinStationListHead; // protected by WinStationListLock LIST_ENTRY SystemEventHead; // protected by WinStationListLock LIST_ENTRY ZombieListHead; ULONG LogonId; LARGE_INTEGER TimeoutZero; HANDLE WinStationEvent = NULL; HANDLE WinStationIdleControlEvent = NULL; HANDLE ConsoleLogoffEvent = NULL; HANDLE g_hMachineGPEvent=NULL; static HANDLE WinStationApiPort = NULL; BOOLEAN StopOnDown = FALSE; HANDLE hTrace = NULL; //BOOLEAN ShutdownTerminateNoWait = FALSE; ULONG ShutDownFromSessionID = 0; // IdleWinStationPoolCount made 0 -- change necessiated by DoS attack prevention logic added to TS ULONG IdleWinStationPoolCount = 0; ULONG_PTR gMinPerSessionPageCommitMB = 20; #define REG_MIN_PERSESSION_PAGECOMMIT L"MinPerSessionPageCommit" PVOID glpAddress; ULONG_PTR gMinPerSessionPageCommit; typedef struct _TS_OUTSTANDINGCONNECTION { ULONGLONG blockUntilTime; ULONG NumOutStandingConnect; UINT uAddrSize; BYTE addr[16]; struct _TS_OUTSTANDINGCONNECTION *pNext; } TS_OUTSTANDINGCONNECTION, *PTS_OUTSTANDINGCONNECTION; PTS_OUTSTANDINGCONNECTION g_pBlockedConnections = NULL; // Table used to keep track of Outstanding connections (DoS) RTL_GENERIC_TABLE gOutStandingConnections; RTL_CRITICAL_SECTION FilterLock; ULONG MaxOutStandingConnect; ULONG NumOutStandingConnect; ULONG MaxSingleOutStandingConnect; // maximum number of outstanding connections from a single IP ULONG DelayConnectionTime = 30*1000; // // DoS // If a bad IP (attacker) has 'MaxFailedConnect' # of failed Pre Auth in 'TimeLimitForFailedConnections' ms, block the IP for 'DoSBlockTime' ms // ULONG MaxFailedConnect; // max number of PreAuth failed connections from a single IP ULONG DoSBlockTime; // Block IP for this much time, if they fail PreAuth simulate 5 mins block for now ULONG TimeLimitForFailedConnections; ULONG CleanupTimeout; // Timeout to fire a routine to cleanup our Bad IP addr table for DoS SYSTEMTIME LastLoggedDelayConnection; ULONGLONG LastLoggedBlockedConnection = 0; BOOLEAN gbNeverLoggedDelayConnection = TRUE; HANDLE hConnectEvent; BOOLEAN gbWinSockInitialized = FALSE; /* * Global data */ extern BOOL g_fAppCompat; extern BOOL g_SafeBootWithNetwork; RTL_CRITICAL_SECTION g_AuthzCritSection; extern HANDLE gReadyEventHandle; extern BOOLEAN RegDenyTSConnectionsPolicy(); //extern BOOLEAN IsPreAuthEnabled(POLICY_TS_MACHINE *p ); extern DWORD WaitForTSConnectionsPolicyChanges( BOOLEAN bWaitForAccept, HANDLE hEvent ); extern void InitializeConsoleClientData( PWINSTATIONCLIENTW pWC ); // defines in REGAPI extern BOOLEAN RegGetMachinePolicyEx( BOOLEAN forcePolicyRead, FILETIME *pTime , PPOLICY_TS_MACHINE pPolicy ); extern BOOLEAN RegIsMachineInHelpMode(); // Global TermSrv counter values DWORD g_TermSrvTotalSessions; DWORD g_TermSrvDiscSessions; DWORD g_TermSrvReconSessions; DWORD g_TermSrvSuccTotalLogons; DWORD g_TermSrvSuccRemoteLogons; DWORD g_TermSrvSuccLocalLogons; DWORD g_TermSrvSuccSession0Logons; // Global system SID PSID gSystemSid = NULL; PSID gAdminSid = NULL; PSID gAnonymousSid = NULL; BOOLEAN g_fDenyTSConnectionsPolicy = 0; POLICY_TS_MACHINE g_MachinePolicy; /****************************************************************************/ // IsEmbedded // // Service-load-time initialization. /****************************************************************************/ BOOL IsEmbedded() { static int fResult = -1; if(fResult == -1) { OSVERSIONINFOEX ovix; BOOL b; fResult = 0; ovix.dwOSVersionInfoSize = sizeof(ovix); b = GetVersionEx((LPOSVERSIONINFO) &ovix); ASSERT(b); if(b && (ovix.wSuiteMask & VER_SUITE_EMBEDDEDNT)) { fResult = 1; } } return (fResult == 1); } /****************************************************************************/ // InitTermSrv // // Service-load-time initialization. /****************************************************************************/ NTSTATUS InitTermSrv(HKEY hKeyTermSrv) { NTSTATUS Status; DWORD dwLen; DWORD dwType; ULONG szBuffer[MAX_PATH/sizeof(ULONG)]; FILETIME policyTime; WSADATA wsaData; #define MAX_DEFAULT_CONNECTIONS 50 #define MAX_CONNECT_LOW_THRESHOLD 5 #define MAX_SINGLE_CONNECT_THRESHOLD_DIFF 5 #define MAX_DEFAULT_CONNECTIONS_PRO 3 #define MAX_DEFAULT_SINGLE_CONNECTIONS_PRO 2 ASSERT(hKeyTermSrv != NULL); g_TermSrvTotalSessions = 0; g_TermSrvDiscSessions = 0; g_TermSrvReconSessions = 0; g_TermSrvSuccTotalLogons = 0; g_TermSrvSuccRemoteLogons = 0; g_TermSrvSuccLocalLogons = 0; g_TermSrvSuccSession0Logons = 0; // Set default value for maximum simultaneous connection attempts WinStationSetMaxOustandingConnections(); NumOutStandingConnect = 0; hConnectEvent = NULL; ShutdownInProgress = FALSE; //ShutdownTerminateNoWait = FALSE; ShutDownFromSessionID = 0; // don't bother saving the policy time, the thread that waits for policy update will save it's own copy at the // cost of running the 1st time around. Alternatively, I need to use another global var for the policy update value. RegGetMachinePolicyEx( TRUE, &policyTime, &g_MachinePolicy ); // see if keep alive is required, then IOCTL it to TermDD WinStationKeepAlive(); Status = RtlInitializeCriticalSection( &FilterLock ); ASSERT( NT_SUCCESS( Status )); if (!NT_SUCCESS(Status)) { goto badFilterLock; } // Table to keep track of OutStanding Sessions RtlInitializeGenericTable( &gOutStandingConnections, Filter_CompareConnectionEntry, Filter_AllocateConnectionEntry, Filter_FreeConnectionEntry, NULL ); // // Following code is for PreAuthenticating client + DoS attack - commented out for now // #if 0 // Lock to serialize access to list of sessions which failed PreAuthentication (DoS attack) Status = RtlInitializeCriticalSection( &DoSLock ); if (!NT_SUCCESS(Status)) { goto badFilterLock; } // Table to keep track of sessions which failed PreAuthentication RtlInitializeGenericTable( &gFailedConnections, Filter_CompareFailedConnectionEntry, Filter_AllocateConnectionEntry, Filter_FreeConnectionEntry, NULL ); #endif Status = RtlInitializeCriticalSection( &ConsoleLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badConsoleLock; } Status = RtlInitializeCriticalSection( &UserProfileLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badUserProfileLock; } Status = RtlInitializeCriticalSection( &WinStationListLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinstationListLock; } if (gbListenerOff) { Status = RtlInitializeCriticalSection( &WinStationListenersLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinStationListenersLock; } } Status = RtlInitializeCriticalSection( &WinStationZombieLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badWinStationZombieLock; } Status = RtlInitializeCriticalSection( &TimerCritSec ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badTimerCritsec; } Status = RtlInitializeCriticalSection( &g_AuthzCritSection ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badAuthzCritSection; } InitializeListHead( &WinStationListHead ); InitializeListHead( &SystemEventHead ); InitializeListHead( &ZombieListHead ); Status = InitializeConsoleNotification (); if (!NT_SUCCESS(Status)) { goto badinitStartCsrLock; } Status = RtlInitializeCriticalSection( &WinStationStartCsrLock ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badinitStartCsrLock; } Status = LCInitialize( g_bPersonalTS ? LC_INIT_LIMITED : LC_INIT_ALL, g_fAppCompat ); if (!NT_SUCCESS(Status)) { goto badLcInit; } // // Listener winstations always get LogonId above 65536 and are // assigned by Terminal Server. LogonId's for sessions are // generated by mm in the range 0-65535 // LogonId = MAX_WORD + 1; TimeoutZero = RtlConvertLongToLargeInteger( 0 ); Status = NtCreateEvent( &WinStationEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE ); Status = NtCreateEvent( &WinStationIdleControlEvent, EVENT_ALL_ACCESS, NULL, SynchronizationEvent, FALSE ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badEvent; } Status = NtCreateEvent( &ConsoleLogoffEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, TRUE ); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badEvent; } /* * Initialize WinStation security */ RtlAcquireResourceExclusive(&WinStationSecurityLock, TRUE); Status = WinStationSecurityInit(); RtlReleaseResource(&WinStationSecurityLock); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badInitSecurity; } Status = WinStationInitLPC(); ASSERT( NT_SUCCESS( Status ) ); if (!NT_SUCCESS(Status)) { goto badInitLPC; } // // Read the registry to determine if maximum outstanding connections // policy is turned on and the value for it // // // Get MaxOutstandingCon string value // dwLen = sizeof(MaxOutStandingConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_OUTSTD_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxOutStandingConnect = *(PULONG)szBuffer; } } dwLen = sizeof(MaxSingleOutStandingConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_SINGLE_OUTSTD_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxSingleOutStandingConnect = *(PULONG)szBuffer; } } //ReadDoSParametersFromRegistry(hKeyTermSrv); dwLen = sizeof(gLogoffTimeout); if (RegQueryValueEx(hKeyTermSrv, LOGOFF_TIMEOUT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { gLogoffTimeout = *(PULONG)szBuffer; } // // Read the logoff timeout value. This timeout is used by termsrv to force terminate // winlogon, if winlogon does not complete logoff after ExitWindows message was sent to him // // // set max number of outstanding connection from single IP // if ( MaxOutStandingConnect < MAX_SINGLE_CONNECT_THRESHOLD_DIFF*5) { MaxSingleOutStandingConnect = MaxOutStandingConnect - 1; } else { MaxSingleOutStandingConnect = MaxOutStandingConnect - MAX_SINGLE_CONNECT_THRESHOLD_DIFF; } // // Create the connect Event // if (MaxOutStandingConnect != 0) { hConnectEvent = CreateEvent(NULL, TRUE, FALSE, NULL); if (hConnectEvent == NULL) { MaxOutStandingConnect = 0; } } // // Initialize winsock // // Ask for Winsock version 2.2. if (WSAStartup(MAKEWORD(2, 2), &wsaData) == 0) { gbWinSockInitialized = TRUE; } // // Initialize the Cleanup Timer used to cleanup the Bad IP addr for DoS attacks // Just create the timer, do not start it now - it will be started when there is a entry in the table // Not used now but may be turned on at a later state // Status = IcaTimerCreate( 0, &hCleanupTimer ); return(Status); /* * Clean up on failure. Clean up is not implemented for * all cases of failure. However most of it will be done implicitly * by the exit from termsrv process. Failure at this point means anyway * there will be no multi-user feature. */ badInitLPC: // Cleanup code not implemented badInitSecurity: badEvent: if (WinStationEvent != NULL) NtClose(WinStationEvent); if (WinStationIdleControlEvent != NULL) NtClose(WinStationIdleControlEvent); if (ConsoleLogoffEvent != NULL) NtClose(ConsoleLogoffEvent); badLcInit: RtlDeleteCriticalSection( &WinStationStartCsrLock ); badinitStartCsrLock: RtlDeleteCriticalSection( &TimerCritSec ); badTimerCritsec: badWinStationZombieLock: if (gbListenerOff) { RtlDeleteCriticalSection( &WinStationListenersLock ); } badWinStationListenersLock: RtlDeleteCriticalSection( &WinStationListLock ); badWinstationListLock: RtlDeleteCriticalSection( &UserProfileLock ); badUserProfileLock: RtlDeleteCriticalSection( &ConsoleLock ); badAuthzCritSection: RtlDeleteCriticalSection( &g_AuthzCritSection ); badConsoleLock: RtlDeleteCriticalSection( &FilterLock ); badFilterLock: return Status; } /******************************************************************************* * * GroupPOlicyChangeStartSalem() * * This routine is called by timer to start Salem. * * Entry: * None, not using any input parameter, refer to WAITORTIMERCALLBACK * for function declaration. * * *******************************************************************************/ VOID CALLBACK GroupPOlicyChangeStartSalem( PVOID lParm, BOOLEAN TimerOrWait ) { // Policy might change during wait, check if policy still allow // to get help from local machine, if so, startup Salem. if( TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode() ) { TSStartupSalem(); } return; } /******************************************************************************* * * GroupPolicyNotifyThread * Entry: * nothing * * *******************************************************************************/ DWORD GroupPolicyNotifyThread(DWORD notUsed ) { DWORD dwError; BOOL rc; HANDLE hEvent; BOOLEAN bWaitForAccept; BOOLEAN bSystemStartup; HANDLE hStartupSalemTimer = NULL; HANDLE hStartupSalemTimerQueue = NULL; BOOL bTimerStatus; static FILETIME timeOfLastPolicyRead = { 0 , 0 } ; rc = RegisterGPNotification( g_hMachineGPEvent, TRUE); if (rc) { hEvent = g_hMachineGPEvent; } else { // TS can still run with the default set of config data, besides // if there were any machine group policy data, TS got them on the // last reboot cycle. // hEvent = NULL; } hStartupSalemTimerQueue = CreateTimerQueue(); if( NULL == hStartupSalemTimerQueue ) { // non-critical, we just can't startup Salem to punch firewall or // ICS port. DBGPRINT(("TERMSRV: Error %d in CreateTimerQueue\n", GetLastError())); } // // At the beginning the listeners are not started. // So wait (or test) for the connections to be accepted. // bWaitForAccept = TRUE; bSystemStartup = TRUE; // // Query and set the global flag before entering any wait. // g_fDenyTSConnectionsPolicy = RegDenyTSConnectionsPolicy(); while (TRUE) { dwError = WaitForTSConnectionsPolicyChanges( bWaitForAccept, hEvent ); if( hStartupSalemTimerQueue && (dwError == WAIT_OBJECT_0 || dwError == WAIT_OBJECT_0 + 1) ) { // refer to WaitForTSConnectionsPolicyChanges() for return code. if( hStartupSalemTimer != NULL ) { // Delete the timer-queue timer and wait for callback to complete DeleteTimerQueueTimer( hStartupSalemTimerQueue, hStartupSalemTimer, INVALID_HANDLE_VALUE ); hStartupSalemTimer = NULL; } // // Delay startup Salem, user might change mind or policy might change especially // domain policy. // bTimerStatus = CreateTimerQueueTimer( &hStartupSalemTimer, hStartupSalemTimerQueue, GroupPOlicyChangeStartSalem, NULL, DELAY_STARTUP_SALEM_TIME, 0, WT_EXECUTEONLYONCE ); if( FALSE == bTimerStatus ) { // non-critical, we just can't startup Salem to punch firewall or // ICS port. DBGPRINT(("TERMSRV: Error %d in CreateTimerQueueTimer\n", GetLastError())); } } // // Both GP changes and reg changes can affect this one. // g_fDenyTSConnectionsPolicy = RegDenyTSConnectionsPolicy(); if (dwError == WAIT_OBJECT_0) { // // A change in the TS connections policy has occurred. // if (bWaitForAccept) { // are the connections really accepted? if (!(g_fDenyTSConnectionsPolicy && !(TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode()))) { // Start the listeners. if ( bSystemStartup ) { // the first time, start all listeners StartStopListeners(NULL, TRUE); } else { // after the first time, use this function to start // listeners only as needed. WinStationReadRegistryWorker(); } // Switch to a wait for denied connections. bWaitForAccept = FALSE; bSystemStartup = FALSE; } } else { // are the connections really denied? if (g_fDenyTSConnectionsPolicy && !(TSIsMachinePolicyAllowHelp() && RegIsMachineInHelpMode())) { // Stop the listeners. StartStopListeners(NULL, FALSE); // Switch to a wait for accepted connections. bWaitForAccept = TRUE; } } } else if (dwError == WAIT_OBJECT_0 + 1) { // // We got notified that the GP has changed. // if ( RegGetMachinePolicyEx( FALSE, & timeOfLastPolicyRead, &g_MachinePolicy ) ) { // there has been a change, go ahead with the actual updates WinStationReadRegistryWorker(); // Also update the session directory settings if on an app // server. if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { UpdateSessionDirectory(0); } RegisterRPCInterface( TRUE ); } } else { // should we not do something else? Sleep( 5000 ); continue; } } if (rc) { UnregisterGPNotification(g_hMachineGPEvent); } if( hStartupSalemTimerQueue ) { if( hStartupSalemTimer != NULL ) { // Delete the timer-queue timer and wait for callback to complete DeleteTimerQueueTimer( hStartupSalemTimerQueue, hStartupSalemTimer, INVALID_HANDLE_VALUE ); } DeleteTimerQueueEx( hStartupSalemTimerQueue, NULL ); } return 0; } /******************************************************************************* * * StartAllWinStations * * Get list of configured WinStations from the registry, * start the Console, and then start all remaining WinStations. * * ENTRY: * nothing * * EXIT: * nothing * ******************************************************************************/ void StartAllWinStations(HKEY hKeyTermSrv) { OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING KeyPath; HANDLE KeyHandle; UNICODE_STRING ValueName; #define VALUE_BUFFER_SIZE (sizeof(KEY_VALUE_PARTIAL_INFORMATION) + 256 * sizeof(WCHAR)) CHAR ValueBuffer[VALUE_BUFFER_SIZE]; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo; ULONG ValueLength; DWORD ThreadId; NTSTATUS Status; DWORD ValueType; DWORD ValueSize; #define AUTOSTARTTIME 600000 ASSERT(hKeyTermSrv != NULL); /* * Initialize the number of idle winstations and gMinPerSessionPageCommitMB, * if this value is in the registry. */ ValueSize = sizeof(IdleWinStationPoolCount); Status = RegQueryValueEx(hKeyTermSrv, REG_CITRIX_IDLEWINSTATIONPOOLCOUNT, NULL, &ValueType, (LPBYTE) &ValueBuffer, &ValueSize ); if ( Status == ERROR_SUCCESS ) { IdleWinStationPoolCount = *(PULONG)ValueBuffer; } // IdleWinStationPoolCount made 0 -- change necessiated by DoS attack prevention logic added to TS // Also Idle WinStations are not very useful anymore because CSR and Winlogon is started much later than before // So set it to Zero here, irrespective of what its value is in the Registry IdleWinStationPoolCount = 0; //get the product id from registry for use in detecting shadow loop GetProductIdFromRegistry( g_DigProductId, sizeof( g_DigProductId ) ); //Terminal Service needs to skip Memory check in Embedded images //when the TS service starts //bug #246972 if(!IsEmbedded()) { ValueSize = sizeof(gMinPerSessionPageCommitMB); Status = RegQueryValueEx(hKeyTermSrv, REG_MIN_PERSESSION_PAGECOMMIT, NULL, &ValueType, (LPBYTE) &ValueBuffer, &ValueSize ); if ( Status == ERROR_SUCCESS ) { gMinPerSessionPageCommitMB = *(PULONG)ValueBuffer; } gMinPerSessionPageCommit = gMinPerSessionPageCommitMB * 1024 * 1024; Status = NtAllocateVirtualMemory( NtCurrentProcess(), &glpAddress, 0, &gMinPerSessionPageCommit, MEM_RESERVE, PAGE_READWRITE ); ASSERT( NT_SUCCESS( Status ) ); } /* * Open connection to our WinStationApiPort. This will be used to * queue requests to our API thread instead of doing them inline. */ Status = ConnectSmWinStationApiPort(); ASSERT( NT_SUCCESS( Status ) ); /* * Create Console WinStation first */ Status = WinStationCreateWorker( L"Console", NULL, TRUE ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("INIT: Failed to create Console WinStation, status=0x%08x\n", Status)); } else { /* * From now on,WinStationIdleControlThread can create console sessions if needed */ InterlockedDecrement(&gConsoleCreationDisable); } /* * Open the Setup key and look for the valuename "SystemSetupInProgress". * If found and it has a value of TRUE (non-zero), then setup is in * progress and we skip starting WinStations other than the Console. */ RtlInitUnicodeString( &KeyPath, SETUP_REG_PATH ); InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &KeyHandle, GENERIC_READ, &ObjectAttributes ); if ( NT_SUCCESS( Status ) ) { RtlInitUnicodeString( &ValueName, L"SystemSetupInProgress" ); KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer; Status = NtQueryValueKey( KeyHandle, &ValueName, KeyValuePartialInformation, (PVOID)KeyValueInfo, VALUE_BUFFER_SIZE, &ValueLength ); NtClose( KeyHandle ); if ( NT_SUCCESS( Status ) ) { ASSERT( ValueLength < VALUE_BUFFER_SIZE ); if ( KeyValueInfo->Type == REG_DWORD && KeyValueInfo->DataLength == sizeof(ULONG) && *(PULONG)(KeyValueInfo->Data) != 0 ) { return; } } } /* * Start a policy notfiy thread. * */ { HANDLE hGroupPolicyNotifyThread; DWORD dwID; g_hMachineGPEvent = CreateEvent (NULL, FALSE, FALSE, TEXT("TermSrv: machine GP event")); if (g_hMachineGPEvent) { hGroupPolicyNotifyThread = CreateThread ( NULL, 0, (LPTHREAD_START_ROUTINE) GroupPolicyNotifyThread, 0, 0, &dwID); if ( hGroupPolicyNotifyThread ) { NtClose( hGroupPolicyNotifyThread ); } } } /* * If necessary, create the thread in charge of the regulation of the idle sessions */ { HANDLE hIdleControlThread = CreateThread( NULL, 0, // use Default stack size of the svchost process (LPTHREAD_START_ROUTINE)WinStationIdleControlThread, NULL, THREAD_SET_INFORMATION, &ThreadId ); if (hIdleControlThread) { NtClose(hIdleControlThread); } } /* * Finally, create the terminate thread */ { HANDLE hTerminateThread = CreateThread( NULL, 0, // use Default stack size of the svchost process (LPTHREAD_START_ROUTINE)WinStationTerminateThread, NULL, THREAD_SET_INFORMATION, &ThreadId ); if ( hTerminateThread ) NtClose( hTerminateThread ); } } /******************************************************************************* * * StartStopListeners * * Get list of configured WinStations from the registry, * and start the WinStations. * * ENTRY: * bStart * if TRUE start the listeners. * if FALSE stop the listeners if no connections related to them exist * anymore. However we do this only on PRO and PER as on a server we * don't mind keeping the listeners. * * EXIT: * nothing * ******************************************************************************/ BOOL StartStopListeners(LPWSTR WinStationName, BOOLEAN bStart) { ULONG i; ULONG WinStationCount, ByteCount; PWINSTATIONNAME pBuffer; PWINSTATIONNAME pWinStationName; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status; BOOL bReturn = FALSE; if (bStart) { /* * Get list of WinStations from registry */ pBuffer = NULL; WinStationCount = 0; Status = IcaRegWinStationEnumerate( &WinStationCount, NULL, &ByteCount ); if ( NT_SUCCESS(Status) ) { pBuffer = pWinStationName = MemAlloc( ByteCount ); WinStationCount = (ULONG) -1; if (pBuffer) { IcaRegWinStationEnumerate( &WinStationCount, pWinStationName, &ByteCount ); } } /* * Now create all remaining WinStations defined in registry * Note that every 4th WinStation we do the WinStationCreate inline * instead of queueing it. This is so we don't create an excess * number of API threads right off the bat. */ if ( pBuffer ) { for ( i = 0; i < WinStationCount; i++ ) { if ( _wcsicmp( pWinStationName, L"Console" ) ) { if ( i % 4 ) QueueWinStationCreate( pWinStationName ); else { // Don't queue more than 4 at a time (void) WinStationCreateWorker( pWinStationName, NULL, TRUE ); } } (char *)pWinStationName += sizeof(WINSTATIONNAME); } MemFree( pBuffer ); } bReturn = TRUE; } else { if ( !gbListenerOff ) { return FALSE; } ENTERCRIT( &WinStationListenersLock ); // Test if TS connections are denied or not in case we are called from a // terminate or a disconnect. if ( g_fDenyTSConnectionsPolicy && // Performance, we only want to check if policy enable help when connection is denied (!TSIsMachineInHelpMode() || !TSIsMachinePolicyAllowHelp()) ) { ULONG ulLogonId; if( WinStationName ) { // note that this function doesn't handle renamed listeners WinStationCount = CountWinStationType( WinStationName, TRUE, FALSE ); if ( WinStationCount == 0 ) { pWinStation = FindWinStationByName( WinStationName, FALSE ); if ( pWinStation ) { ulLogonId = pWinStation->LogonId; ReleaseWinStation( pWinStation ); // reset it and don't recreate it WinStationResetWorker( ulLogonId, TRUE, FALSE, FALSE ); } } } else { // terminate all listeners searchagain: Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); // // Only check listening winstations // if ( (pWinStation->Flags & WSF_LISTEN) && !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { ulLogonId = pWinStation->LogonId; // note that this function doesn't handle renamed listeners WinStationCount = CountWinStationType( pWinStation->WinStationName, TRUE, TRUE ); if ( WinStationCount == 0 ) { LEAVECRIT( &WinStationListLock ); // reset it and don't recreate it WinStationResetWorker( ulLogonId, TRUE, FALSE, FALSE ); goto searchagain; } } } LEAVECRIT( &WinStationListLock ); } bReturn = TRUE; } LEAVECRIT( &WinStationListenersLock ); } return bReturn; } /******************************************************************************* * WinStationIdleControlThread * * This routine will control the number of idle sessions. ******************************************************************************/ NTSTATUS WinStationIdleControlThread(PVOID Parameter) { ULONG i; NTSTATUS Status = STATUS_SUCCESS; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG IdleCount = 0; ULONG j; LARGE_INTEGER Timeout; PLARGE_INTEGER pTimeout; ULONG ulSleepDuration; ULONG ulRetries = 0; ulSleepDuration = 60*1000; // 1 minute pTimeout = NULL; /* * Now create the pool of idle WinStations waiting for a connection. * we need to wait for termsrv to be fully up, otherwise Winlogon will * fail its RPC call to termsrv (WaitForConnectWorker). */ if (gReadyEventHandle != NULL) { WaitForSingleObject(gReadyEventHandle, (DWORD)-1); } for ( i = 0; i < IdleWinStationPoolCount; i++ ) { (void) WinStationCreateWorker( NULL, NULL, FALSE ); } Timeout = RtlEnlargedIntegerMultiply( ulSleepDuration, -10000); if (WinStationIdleControlEvent != NULL) { while (TRUE) { Status = NtWaitForSingleObject(WinStationIdleControlEvent,FALSE, pTimeout); if ( !NT_SUCCESS(Status) && (Status != STATUS_TIMEOUT)) { Sleep(1000); // don't eat too much CPU continue; } pTimeout = &Timeout; /* * See if we need to create a console session * If if we fail creating a console session, we'll set a timeout so that we will * retry . */ ENTERCRIT( &ConsoleLock ); if (gConsoleCreationDisable == 0) { if (WinStationCheckConsoleSession()) { pTimeout = NULL; } } LEAVECRIT( &ConsoleLock ); /* * Now count the number of IDLE WinStations and ensure there * are enough available. */ if (IdleWinStationPoolCount != 0) { ENTERCRIT( &WinStationListLock ); IdleCount = 0; Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->Flags & WSF_IDLE ) IdleCount++; } LEAVECRIT( &WinStationListLock ); for ( j = IdleCount; j < IdleWinStationPoolCount; j++ ) { WinStationCreateWorker( NULL, NULL, FALSE ); } } } } return STATUS_SUCCESS; } #if _MSC_FULL_VER >= 13008827 #pragma warning(push) #pragma warning(disable:4715) // Not all control paths return (due to infinite loop) #endif /******************************************************************************* * WinStationTerminateThread * * This routine will wait for WinStation processes to terminate, * and will then reset the corresponding WinStation. ******************************************************************************/ NTSTATUS WinStationTerminateThread(PVOID Parameter) { LONG ThreadIndex = (LONG)(INT_PTR)Parameter; LONG WinStationIndex; PLIST_ENTRY Head, Next; PWINSTATION pWinStation; LONG EventCount; LONG EventIndex, i; int WaitCount; int HandleCount; int HandleArraySize = 0; PHANDLE pHandleArray = NULL; PULONG pIdArray = NULL; ULONG ThreadsNeeded; ULONG ThreadsRunning = 1; ULONG j; NTSTATUS Status; LARGE_INTEGER Timeout; PLARGE_INTEGER pTimeout; ULONG ulSleepDuration; HANDLE DupHandle; /* * We need some timer values for the diferent cases of failure in * the thread's loop: * - If we fail creating a new WinstationterminateThread, * then we will do a WaitFormulpipleObjects with a timer instead of a wait without * time out. This will give a new chance to create the thread when timout is over. * if we fail allocating a new buffer to extend handle array, we will wait a timeout * duration before we retry. */ ulSleepDuration = 3*60*1000; Timeout = RtlEnlargedIntegerMultiply( ulSleepDuration, -10000); /* * Loop forever waiting for WinStation processes to terminate */ for ( ; ; ) { /* * Determine number of WinStations */ pTimeout = NULL; WaitCount = 0; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) WaitCount++; /* * If there are more than the maximum number of objects that * can be specified to NtWaitForMultipleObjects, then determine * if we must start up additional thread(s). */ if ( WaitCount > MAXIMUM_WAIT_WINSTATIONS ) { ThreadsNeeded = (WaitCount + MAXIMUM_WAIT_WINSTATIONS - 1) / MAXIMUM_WAIT_WINSTATIONS; WaitCount = MAXIMUM_WAIT_WINSTATIONS; if ( ThreadIndex == 0 && ThreadsNeeded > ThreadsRunning ) { LEAVECRIT( &WinStationListLock ); for ( j = ThreadsRunning; j < ThreadsNeeded; j++ ) { DWORD ThreadId; HANDLE Handle; Handle = CreateThread( NULL, 0, // use Default stack size of the svchost process (LPTHREAD_START_ROUTINE) WinStationTerminateThread, ULongToPtr( j * MAXIMUM_WAIT_WINSTATIONS ), THREAD_SET_INFORMATION, &ThreadId ); if ( !Handle ) { pTimeout = &Timeout; break; } // makarp: 182597 - close handle to the thread. CloseHandle(Handle); ThreadsRunning++; } ENTERCRIT( &WinStationListLock ); } } /* * If we need a larger handle array, then release the * WinStationList lock, allocate the new handle array, * and go start the loop again. */ HandleCount = (WaitCount << 1) + 1; ASSERT( HandleCount < MAXIMUM_WAIT_OBJECTS ); if ( HandleCount > HandleArraySize || HandleCount < HandleArraySize - 10 ) { LEAVECRIT( &WinStationListLock ); if ( pHandleArray ){ MemFree( pHandleArray ); } pHandleArray = MemAlloc( HandleCount * sizeof(HANDLE) ); if ( pIdArray ) { MemFree( pIdArray ); } pIdArray = MemAlloc( HandleCount * sizeof(ULONG) ); /* makarp: check for allocation failures #182597 */ if (!pIdArray || !pHandleArray) { if (pIdArray) { MemFree(pIdArray); pIdArray = NULL; } if (pHandleArray){ MemFree(pHandleArray); pHandleArray = NULL; } HandleArraySize = 0; Sleep(ulSleepDuration); continue; } HandleArraySize = HandleCount; continue; } /* * Build list of handles to wait on */ EventCount = 0; pIdArray[EventCount] = 0; pHandleArray[EventCount++] = WinStationEvent; WinStationIndex = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { if ( WinStationIndex++ < ThreadIndex ) continue; pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !pWinStation->LogonId ) // no waiting on console continue; if ( pWinStation->Starting ) continue; if (pWinStation->Terminating) { continue; } /* * Do not use handles to subsystem and initial command. These handles may get closed in Winstation * Terminate routine and there is no easy way to synchronize this with Terminate routine using those * handles. So, duplicated those handles. * * NOTE: If the duplication of the handles fails below, the winstation remains unmonitored. */ // Duplicate the subsystem process handle. DupHandle = NULL; if ( pWinStation->WindowsSubSysProcess ) { Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->WindowsSubSysProcess, NtCurrentProcess(), &DupHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(Status)) { pIdArray[EventCount] = pWinStation->LogonId; pHandleArray[EventCount++] = DupHandle; } } // Duplicate the initial command process handle. DupHandle = NULL; if ( pWinStation->InitialCommandProcess ) { Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->InitialCommandProcess, NtCurrentProcess(), &DupHandle, 0, 0, DUPLICATE_SAME_ACCESS ); if (NT_SUCCESS(Status)) { pIdArray[EventCount] = pWinStation->LogonId; pHandleArray[EventCount++] = DupHandle; } } if ( WinStationIndex - ThreadIndex >= WaitCount ) break; } /* * Reset WinStationEvent and release the WinStationList lock */ NtResetEvent( WinStationEvent, NULL ); LEAVECRIT( &WinStationListLock ); /* * Wait for WinStationEvent to trigger (meaning that the * WinStationList has changed), or for one of the existing * Win32 subsystems or initial commands to terminate. */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateThread, Waiting for initial command exit (ArraySize=%d)\n", EventCount )); Status = NtWaitForMultipleObjects( EventCount, pHandleArray, WaitAny, FALSE, pTimeout ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateThread, WaitForMultipleObjects, rc=%x\n", Status )); /* * Cleanup the handles array immediately. Close the duplicated handles. Just make sure we are closing a valid handle. * Do not close the handle[0]. It's WinstationEvent handle. */ for ( i = 1; i < EventCount; i++) { if (pHandleArray[i]) { NtClose(pHandleArray[i]); pHandleArray[i] = NULL; } } if ( !NT_SUCCESS(Status) || Status >= EventCount ) { //WinStationVerifyHandles(); continue; } /* * If WinStationEvent triggered, then just go recompute handle list */ if ( (EventIndex = Status) == STATUS_WAIT_0 ) continue; /* * Find the WinStation for the process that terminated and * mark it as terminating. This prevents us from waiting * on that WinStation's processes next time through the loop. * (NOTE: The 'Terminating' field is protected by the global * WinStationListLock instead of the WinStation mutex.) */ Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->LogonId == pIdArray[EventIndex] ) { pWinStation->Terminating = TRUE; break; } } LEAVECRIT( &WinStationListLock ); /* * Wake up the WinStationIdleControlThread */ NtSetEvent(WinStationIdleControlEvent, NULL); /* * If there are multiple terminate threads, cause the other * threads to wakeup in order to recompute their wait lists. */ NtSetEvent( WinStationEvent, NULL ); /* * One of the initial command processes has terminated, * queue a request to reset the WinStation. */ QueueWinStationReset( pIdArray[EventIndex]); } // make the compiler happy return STATUS_SUCCESS; } #if _MSC_FULL_VER >= 13008827 #pragma warning(pop) #endif /******************************************************************************* * InvalidateTerminateWaitList * * Wakes up WinStationTerminateThread to force it to reinitialize its * wait list. Used when we detect that the initial process was ntsd, * and we change the initial process to WinLogon. * * ENTRY: * The WinStationListLock must not be held. ******************************************************************************/ VOID InvalidateTerminateWaitList(void) { ENTERCRIT( &WinStationListLock ); NtSetEvent( WinStationEvent, NULL ); LEAVECRIT( &WinStationListLock ); } /******************************************************************************* * WinStationConnectThread * * This routine will wait for and process incoming connections * for a specified WinStation. ******************************************************************************/ NTSTATUS WinStationConnectThread(ULONG Parameter) { typedef struct _TRANSFERTHREAD { LIST_ENTRY Entry; HANDLE hThread; } TRANSFERTHREAD, *PTRANSFERTHREAD; LIST_ENTRY TransferThreadList; PTRANSFERTHREAD pTransferThread; PLIST_ENTRY Next; PWINSTATION pListenWinStation; PVOID pEndpoint = NULL; ULONG EndpointLength; ULONG WinStationCount; ULONG TransferThreadCount; BOOLEAN rc; BOOLEAN bConnectSuccess = FALSE; BOOLEAN bTerminate = FALSE; NTSTATUS Status; SYSTEMTIME currentSystemTime; #define MODULE_SIZE 1024 #define _WAIT_ERROR_LIMIT 10 ULONG WaitErrorLimit = _WAIT_ERROR_LIMIT; // # of consecutive errors allowed /* * Initialize list of transfer threads */ InitializeListHead( &TransferThreadList ); /* * Find and lock the WinStation */ pListenWinStation = FindWinStationById( Parameter, FALSE ); if ( pListenWinStation == NULL ) { return( STATUS_ACCESS_DENIED ); } /* * Ensure only authorized Session Driver and Video Driver stack * modules will be loaded as a result of this connection thread. * * If any module fails verification, mark the WinStation in the * DOWN state and exit WITHOUT error. * * NOTE: * The silent exit is very much intentional so as not to aid in * a third party's attempt to circumvent this security measure. */ Status = _VerifyStackModules( pListenWinStation ); if ( Status != STATUS_SUCCESS ) { pListenWinStation->State = State_Down; ReleaseWinStation( pListenWinStation ); return( STATUS_SUCCESS ); } /* * Indicate we got this far successfully. */ pListenWinStation->CreateStatus = STATUS_SUCCESS; /* * Load the WinStation extension dll for this WinStation. * Note that we don't save the result in pListenWinStation->pWsx * since we don't want to make callouts to it for the * listen WinStation. */ (VOID) FindWinStationExtensionDll( pListenWinStation->Config.Wd.WsxDLL, pListenWinStation->Config.Wd.WdFlag ); /* * Do not start accepting client connections before termsrv is totaly UP */ if (gReadyEventHandle != NULL) { WaitForSingleObject(gReadyEventHandle, (DWORD)-1); } /* * for perf reason termsrv startup is delayed. We the need to also delay * accepting connections so that if a console logon hapened before termsrv * was up, we get the delayed logon notification before we accept a * client connection. */ if (gbFirtsConnectionThread) { Sleep(5*1000); gbFirtsConnectionThread = FALSE; } // Get the local IP address enabled for rdp for Session Directory Use if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && !g_fGetLocalIP) { ULONG LocalIPAddress, LocalIPAddressLength; struct sockaddr_in6 addr6; Status = IcaStackQueryLocalAddress( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, (PVOID)&addr6, sizeof(addr6), &LocalIPAddressLength ); if( NT_SUCCESS(Status) ) { g_fGetLocalIP = TRUE; if( AF_INET == addr6.sin6_family ) { struct sockaddr_in* pAddr = (struct sockaddr_in *)&addr6; LocalIPAddress = pAddr->sin_addr.s_addr; } else { // Support of IPV6 is for next release. ; } if (g_LocalIPAddress != LocalIPAddress) { g_LocalIPAddress = LocalIPAddress; UpdateSessionDirectory(0); } } } /* * Loop waiting for connection requests and passing them off * to an idle WinStation. */ for ( ; ; ) { /* * Abort retries if this listener has been terminated */ if ( pListenWinStation->Terminating ) { break; } /* * Allocate an endpoint buffer */ pEndpoint = MemAlloc( MODULE_SIZE ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; // Sleep for 30 seconds and try again. Listener thread should not exit // simply just in low memory condition UnlockWinStation(pListenWinStation); Sleep(30000); if (!RelockWinStation(pListenWinStation)) break; continue; } /* * Unlock listen WinStation while we wait for a connection */ UnlockWinStation( pListenWinStation ); /* * Check if # outstanding connections reaches max value * If so, wait for the event when the connection # drops * below the max. There is a timeout value of 30 seconds * for the wait */ if (hConnectEvent != NULL) { if (NumOutStandingConnect > MaxOutStandingConnect) { DWORD rc; // Event log we have exceeded max outstanding connections. but not more than // once in a day. GetSystemTime(¤tSystemTime); if ( currentSystemTime.wYear != LastLoggedDelayConnection.wYear || currentSystemTime.wMonth != LastLoggedDelayConnection.wMonth || currentSystemTime.wDay != LastLoggedDelayConnection.wDay || gbNeverLoggedDelayConnection ) { gbNeverLoggedDelayConnection = FALSE; LastLoggedDelayConnection = currentSystemTime; WriteErrorLogEntry(EVENT_TOO_MANY_CONNECTIONS, pListenWinStation->WinStationName, sizeof(pListenWinStation->WinStationName)); } // manual reset the ConnectEvent before wait ResetEvent(hConnectEvent); rc = WAIT_TIMEOUT; // wait for Connect Event for 30 secs while (rc == WAIT_TIMEOUT) { rc = WaitForSingleObject(hConnectEvent, DelayConnectionTime); if (NumOutStandingConnect <= MaxOutStandingConnect) { break; } if (rc == WAIT_TIMEOUT) { KdPrint(("TermSrv: Reached 30 secs timeout\n")); } else { KdPrint(("TermSrv: WaitForSingleObject return status=%x\n", rc)); } } } } /* * Wait for connection */ Status = IcaStackConnectionWait( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, pEndpoint, MODULE_SIZE, &EndpointLength ); if ( Status == STATUS_BUFFER_TOO_SMALL ) { MemFree( pEndpoint ); pEndpoint = MemAlloc( EndpointLength ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; // Sleep for 30 seconds and try again. Listener thread should not exit // simply just in low memory condition Sleep(30000); if (!RelockWinStation( pListenWinStation )) break; continue; } Status = IcaStackConnectionWait( pListenWinStation->hStack, pListenWinStation->WinStationName, &pListenWinStation->Config, NULL, pEndpoint, EndpointLength, &EndpointLength ); } /* * If ConnectionWait was not successful, * check to see if the consecutive error limit has been reached. */ if ( !NT_SUCCESS( Status ) ) { MemFree( pEndpoint ); pEndpoint = NULL; if (Status == STATUS_SHARING_VIOLATION && _wcsicmp(pListenWinStation->Config.Pd[0].Create.PdName, L"tcp") == 0) { /* * This status means that our port is opened by some other process. * Lets log an event about this. */ static BOOL bPortTakenEventlogged = FALSE; if (!bPortTakenEventlogged) { PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, WSAEADDRINUSE); bPortTakenEventlogged = TRUE; } } /* * If status is DEVICE_DOES_NOT_EXIST, then we want to wait before retrying * otherwise, this prioritary thread will take all the CPU trying 10 times * lo load the listener stack. Such an error takes time to be fixed (either * changing the NIC or going into tscc to have the NIC GUID table updated. */ if ((Status == STATUS_DEVICE_DOES_NOT_EXIST) || (!bConnectSuccess) || (Status == STATUS_INVALID_ADDRESS_COMPONENT) ) { Sleep(30000); } if ( WaitErrorLimit--) { if (!RelockWinStation( pListenWinStation )) break; /* * If we have had a successful connection, * then skip the stack close/reopen since this would * terminate any existing connections. */ if ( !bConnectSuccess ) { /* * What we really need is a function to unload the * stack drivers but leave the stack handle open. */ Status = IcaStackClose( pListenWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pListenWinStation->hStack = NULL; Status = IcaStackOpen( pListenWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pListenWinStation, &pListenWinStation->hStack ); if ( !NT_SUCCESS( Status ) ) { pListenWinStation->State = State_Down; break; } } continue; } else { // Sleep for 30 seconds and try again. Listener thread should not exit Sleep(30000); if (!RelockWinStation( pListenWinStation )) break; // Reset the error count WaitErrorLimit = _WAIT_ERROR_LIMIT; continue; } } else { bConnectSuccess = TRUE; WaitErrorLimit = _WAIT_ERROR_LIMIT; } /* * Check for Shutdown and MaxInstance */ rc = RelockWinStation( pListenWinStation ); if ( !rc ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; break; } /* * Reject all connections if a shutdown is in progress */ if ( ShutdownInProgress ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; continue; } /* * Reject all connections if user or the Group-Policy has disabled accepting connections */ if ( g_fDenyTSConnectionsPolicy ) { // // Performance, we only want to check if policy enable help when connection is denied // if( !TSIsMachineInHelpMode() || !TSIsMachinePolicyAllowHelp() ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; if ( gbListenerOff ) { // // if there are no more connections associated // to this listener, then terminate it. // // note that this function doesn't handle renamed listeners WinStationCount = CountWinStationType( pListenWinStation->WinStationName, TRUE, FALSE ); if ( WinStationCount == 0 ) { bTerminate = TRUE; break; } } Sleep( 5000 ); // sleep for 5 seconds, defense against // denial of service attacks. continue; } } /* * Check to see how many transfer threads we have active. * If more than the MaxInstance count, we won't start any more. */ TransferThreadCount = 0; Next = TransferThreadList.Flink; while ( Next != &TransferThreadList ) { pTransferThread = CONTAINING_RECORD( Next, TRANSFERTHREAD, Entry ); Next = Next->Flink; /* * If thread is still active, bump the thread count */ if ( WaitForSingleObject( pTransferThread->hThread, 0 ) != 0 ) { TransferThreadCount++; /* * Thread has exited, so close the thread handle and free memory */ } else { RemoveEntryList( &pTransferThread->Entry ); CloseHandle( pTransferThread->hThread ); MemFree( pTransferThread ); } } /* * If this is not a single-instance connection * and there is a MaxInstance count specified, * then check whether the MaxInstance limit will be exceeded. */ if ( !(pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST) && pListenWinStation->Config.Create.MaxInstanceCount != (ULONG)-1 ) { ULONG Count; /* * Count number of currently active WinStations */ WinStationCount = CountWinStationType( pListenWinStation->WinStationName, FALSE, FALSE ); /* * Get larger of WinStation and TransferThread count */ Count = max( WinStationCount, TransferThreadCount ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Count %d\n", Count )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: MaxInstanceCount %d\n", pListenWinStation->Config.Create.MaxInstanceCount )); if ( pListenWinStation->Config.Create.MaxInstanceCount <= Count ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; continue; } } UnlockWinStation( pListenWinStation ); /* * Increment the counter of pending connections. */ InterlockedIncrement( &NumOutStandingConnect ); /* * If this is a single instance connection, * then handle the transfer of the connection endpoint to * an idle WinStation directly. */ if ( pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST ) { Status = TransferConnectionToIdleWinStation( pListenWinStation, pEndpoint, EndpointLength, NULL ); pEndpoint = NULL; /* * If the transfer was successful, then for a single instance * connection, we must now exit the wait for connect loop. */ if ( NT_SUCCESS( Status ) ) { RelockWinStation( pListenWinStation ); break; } else { bConnectSuccess = FALSE; } /* * For non-single instance WinStations, let the worker thread * handle the connection handoff so this thread can go back * and listen for another connection immediately. */ } else { PTRANSFER_INFO pInfo; DWORD ThreadId; HANDLE hTransferThread; BOOLEAN bTransferThreadCreated = FALSE; pInfo = MemAlloc( sizeof(*pInfo) ); pTransferThread = MemAlloc( sizeof(*pTransferThread) ); if (pInfo && pTransferThread) { pInfo->LogonId = pListenWinStation->LogonId; pInfo->pEndpoint = pEndpoint; pInfo->EndpointLength = EndpointLength; pTransferThread->hThread = CreateThread( NULL, 0, // use Default stack size of the svchost process (LPTHREAD_START_ROUTINE)WinStationTransferThread, (PVOID)pInfo, 0, &ThreadId ); if ( pTransferThread->hThread ) { bTransferThreadCreated = TRUE; InsertTailList( &TransferThreadList, &pTransferThread->Entry ); } } if (!bTransferThreadCreated) { if (pInfo) { MemFree( pInfo ); } if (pTransferThread) { MemFree( pTransferThread ); } TransferConnectionToIdleWinStation( pListenWinStation, pEndpoint, EndpointLength, NULL ); } pEndpoint = NULL; } /* * Relock the listen WinStation */ if (!RelockWinStation( pListenWinStation ) ) break; } // for - wait for connection /* * Clean up the transfer thread list. * (There's no need to wait for them to exit.) */ Next = TransferThreadList.Flink; while ( Next != &TransferThreadList ) { pTransferThread = CONTAINING_RECORD( Next, TRANSFERTHREAD, Entry ); Next = Next->Flink; RemoveEntryList( &pTransferThread->Entry ); CloseHandle( pTransferThread->hThread ); MemFree( pTransferThread ); } /* * If after exiting the connect loop above, the WinStation is marked down, * then write the error status to the event log. */ if ( pListenWinStation->State == State_Down ) { ReleaseWinStation( pListenWinStation ); if ( Status != STATUS_CTX_CLOSE_PENDING ) { PostErrorValueEvent(EVENT_TS_LISTNER_WINSTATION_ISDOWN, Status); } } else { /* * If not a single-instance transport release the WinStation; * otherwise, delete the listener WinStation. */ if (!(pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST) && !bTerminate) { ReleaseWinStation( pListenWinStation ); } else { /* * Mark the listen winstation as being deleted. * If a reset/delete operation is already in progress * on this winstation, then don't proceed with the delete. */ if ( pListenWinStation->Flags & (WSF_RESET | WSF_DELETE) ) { ReleaseWinStation( pListenWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; } else { pListenWinStation->Flags |= WSF_DELETE; /* * Make sure this WinStation is ready to delete */ WinStationTerminate( pListenWinStation ); /* * Call the WinStationDelete worker */ WinStationDeleteWorker( pListenWinStation ); } } } return Status; } /******************************************************************************* * WinStationTransferThread ******************************************************************************/ NTSTATUS WinStationTransferThread(PVOID Parameter) { PTRANSFER_INFO pInfo; PWINSTATION pListenWinStation; NTSTATUS Status; /* * Find and lock the listen WinStation * (We MUST do this so that it doesn't get deleted while * we are attempting to transfer the new connection.) */ pInfo = (PTRANSFER_INFO)Parameter; pListenWinStation = FindWinStationById( pInfo->LogonId, FALSE ); if ( pListenWinStation == NULL ) { MemFree( pInfo ); if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } return( STATUS_ACCESS_DENIED ); } /* * Unlock the listen WinStation but hold a reference to it. */ UnlockWinStation( pListenWinStation ); /* * Transfer the connection to an idle WinStation */ Status = TransferConnectionToIdleWinStation( pListenWinStation, pInfo->pEndpoint, pInfo->EndpointLength, NULL ); /* * Relock and release the listen WinStation */ RelockWinStation( pListenWinStation ); ReleaseWinStation( pListenWinStation ); MemFree(pInfo); return Status; } NTSTATUS TransferConnectionToIdleWinStation( PWINSTATION pListenWinStation, PVOID pEndpoint, ULONG EndpointLength, PICA_STACK_ADDRESS pStackAddress) { PWINSTATION pTargetWinStation = NULL; ULONG ReturnLength; BOOLEAN rc; BOOLEAN CreatedIdle = FALSE; BOOLEAN ConnectionAccepted = FALSE; NTSTATUS Status; ICA_TRACE Trace; LS_STATUS_CODE LlsStatus; NT_LS_DATA LsData; BOOLEAN bBlockThis; PWCHAR pListenName; PWINSTATIONCONFIG2 pConfig; BOOL bPolicyAllowHelp; BYTE in_addr[16]; UINT uAddrSize, index; BOOL bSuccessAdded = FALSE; WINSTATIONNAME szDefaultConfigWinstationName; BOOL bCanCallout; // error code we need to pass back to client NTSTATUS StatusCallback = STATUS_SUCCESS; // Flag to detemine if session is a RA login BOOL bSessionIsHelpSession; BOOL bValidRAConnect; // Flag to determine if we can Queue the winstation for Reset - used in Error paths BOOL bQueueForReset = FALSE; BOOL bBlocked = FALSE; // // Check AllowGetHelp policy is enabled and salem has pending help session // bPolicyAllowHelp = TSIsMachinePolicyAllowHelp() & TSIsMachineInHelpMode(); if( g_fDenyTSConnectionsPolicy && !bPolicyAllowHelp ) { // // Close the connection if TS policy deny connection and // help is disabled. // TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Denying TS connection due to GP\n")); if ( pListenWinStation && pEndpoint ) { Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree(pEndpoint); pEndpoint = NULL; if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; } // // check for rejected connections // This includes many pending Sessions as well as sessions failing PreAuthentication // if( pListenWinStation ) { uAddrSize = sizeof( in_addr ); bSuccessAdded = Filter_AddOutstandingConnection( pListenWinStation->hStack, pEndpoint, EndpointLength, in_addr, &uAddrSize, &bBlockThis ); // // connection blocked, close and exit // if ( bBlockThis ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Excessive number of pending connections\n")); if ( bSuccessAdded ) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; } // Look to see if this connection is to be blocked because of repeated Failure of PreAuthentication // No PreAuthentication for now - this code will be needed later when we add PreAuthentication feature #if 0 ENTERCRIT( &DoSLock ); bBlocked = Filter_CheckIfBlocked( in_addr, uAddrSize ) ; LEAVECRIT( &DoSLock ); if (bBlocked) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Excessive number of connections which failed PreAuthentication. \n")); if ( bSuccessAdded ) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack MemFree( pEndpoint ); pEndpoint = NULL; if( InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } return STATUS_CTX_WINSTATION_ACCESS_DENIED; } #endif } else { // Make sure variable bBlockThis = FALSE; bSuccessAdded = FALSE; } // // /* * Now find an idle WinStation to transfer this connection to. * If there is not one available, then we attempt to create one. * if this also fails, then we have no choice but to close * the connection endpoint and wait again. */ pTargetWinStation = FindIdleWinStation(); if ( pTargetWinStation == NULL ) { /* * Create another idle WinStation but do not start it as yet */ Status = WinStationCreateWorker( NULL, NULL, FALSE ); if ( NT_SUCCESS( Status ) ) CreatedIdle = TRUE; pTargetWinStation = FindIdleWinStation(); if ( pTargetWinStation == NULL ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Could not get an idle WinStation!\n")); goto releaseresources; } } ASSERT( pTargetWinStation->Flags & WSF_IDLE ); ASSERT( pTargetWinStation->WinStationName[0] == UNICODE_NULL ); if ( pListenWinStation ) { pConfig = &(pListenWinStation->Config); pListenName = pListenWinStation->WinStationName; } else { // // For Whistler, callback is only for Salem, we can pick // configuration from any listening winstation as // 1) All we need is HelpAssistant logon/shadow right, which // is already in default. // 2) No listening winstation, system is either no pending help // or not allow to get help, so we need to bail out. // 3) Additional check at the bottom to make sure login // from callback is HelpAssistant only. // // If we going support this for the general case, we need // to take a default configuration, make connection and issue // a new IOCTL call into tdtcp.sys to determine NIC card/IP address // that establish connection and from there, map to right winstation // configuration. // // Setup initial callback configuration, this is only // heruristic, we will reset the configuration after // determine which NIC is used to connect to TS client // bCanCallout = FindFirstListeningWinStationName( szDefaultConfigWinstationName, &pTargetWinStation->Config ); if( FALSE == bCanCallout ) { // If no listening thread, connection is not active, don't allow // callback Status = STATUS_ACCESS_DENIED; // It's ok to go to releaseresources even if pConfig is not set // because in this case pListenWinStation and pEndpoint are NULL. goto releaseresources; } pListenName = szDefaultConfigWinstationName; pConfig = &(pTargetWinStation->Config); } /* * Check for MaxInstance */ if ( !(pConfig->Pd[0].Create.PdFlag & PD_SINGLE_INST) ) { ULONG Count; Count = CountWinStationType( pListenName, FALSE, FALSE ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Count %d\n", Count )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: MaxInstanceCount %d\n", pConfig->Create.MaxInstanceCount)); if ( pConfig->Create.MaxInstanceCount <= Count ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Exceeded maximum instance count [%ld >= %ld]\n", Count, pConfig->Create.MaxInstanceCount)); goto releaseresources; } } /* * Copy the listen name to the target WinStation. * This is done to enable tracing on the new stack. * * Also, this is done BEFORE the connection accept so that if the * listen WinStation is reset before the accept completes, the * target WinStation will also be reset. */ RtlCopyMemory( pTargetWinStation->ListenName, pListenName, sizeof(pTargetWinStation->ListenName) ); /* * Enable trace */ RtlZeroMemory( &Trace , sizeof( ICA_TRACE ) ); InitializeTrace( pTargetWinStation, FALSE, &Trace ); /* * Hook extensions for this target */ pTargetWinStation->pWsx = FindWinStationExtensionDll( pConfig->Wd.WsxDLL, pConfig->Wd.WdFlag ); /* * Initialize winstation extension context structure */ if (pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxWinStationInitialize) { Status = pTargetWinStation->pWsx->pWsxWinStationInitialize( &pTargetWinStation->pWsxContext); if (Status != STATUS_SUCCESS) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: WsxWinStationInitialize failed [%lx]\n", Status)); goto badconnect; } } /* * Terminate Listen stack of single-instance transports now, so that * the underlying CancelIo doesn't disturb the Accept stack. */ // this one can prevent from generalizing efficiently the transfer function if (pListenWinStation && (pListenWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST)) { IcaStackTerminate(pListenWinStation->hStack); } /* * Change state to ConnectQuery while we try to accept the connection */ pTargetWinStation->State = State_ConnectQuery; NotifySystemEvent(WEVENT_STATECHANGE); /* * Since the ConnectionAccept may take a while, we have to unlock * the target WinStation before the call. However, we set the * WSF_IDLEBUSY flag so that the WinStation does not appear idle. */ pTargetWinStation->Flags |= WSF_IDLEBUSY; UnlockWinStation( pTargetWinStation ); if ( !pListenWinStation && pStackAddress) { // must have extension DLL loaded if( !pTargetWinStation->pWsx || !pTargetWinStation->pWsx->pWsxIcaStackIoControl ) { Status = STATUS_UNSUCCESSFUL; goto badconnect; } // // Allocate an endpoint buffer // EndpointLength = MODULE_SIZE; pEndpoint = MemAlloc( MODULE_SIZE ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; goto badconnect; } Status = IcaStackConnectionRequest( pTargetWinStation->hStack, pTargetWinStation->ListenName, pConfig, pStackAddress, pEndpoint, EndpointLength, &ReturnLength ); if ( Status == STATUS_BUFFER_TOO_SMALL ) { MemFree( pEndpoint ); pEndpoint = MemAlloc( ReturnLength ); if ( !pEndpoint ) { Status = STATUS_NO_MEMORY; goto badconnect; } EndpointLength = ReturnLength; Status = IcaStackConnectionRequest( pTargetWinStation->hStack, pTargetWinStation->ListenName, pConfig, pStackAddress, pEndpoint, EndpointLength, &ReturnLength ); } if ( !NT_SUCCESS(Status) ) { // special error code to pass back to client StatusCallback = Status; goto badconnect; } } /* * Now accept the connection for the target WinStation * using the new endpoint. */ Status = IcaStackConnectionAccept(pTargetWinStation->hIca, pTargetWinStation->hStack, pListenName, pConfig, pEndpoint, EndpointLength, NULL, 0, &Trace); ConnectionAccepted = (Status == STATUS_SUCCESS); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: IcaStackConnectionAccept, Status=0x%x\n", Status)); if (NT_SUCCESS(Status)) { // In post-logon SD work, quering load balancing info has been moved // to WinStationNotifyLogonWorker // while this part of getting load balancing info is still here // because we rely on it to connect to the console TS_LOAD_BALANCE_INFO LBInfo; ULONG ReturnLength; // Get the client load balance capability info. // Note we use _IcaStackIoControl() instead of IcaStackIoControl() or // WsxIcaStackIoControl() since we still have the stack lock. memset(&LBInfo, 0, sizeof(LBInfo)); Status = _IcaStackIoControl(pTargetWinStation->hStack, IOCTL_TS_STACK_QUERY_LOAD_BALANCE_INFO, NULL, 0, &LBInfo, sizeof(LBInfo), &ReturnLength); // On non-success, we'll have FALSE for all of our entries, on // success valid values. So, save off the cluster info into the // WinStation struct now. pTargetWinStation->bClientSupportsRedirection = LBInfo.bClientSupportsRedirection; pTargetWinStation->bRequestedSessionIDFieldValid = LBInfo.bRequestedSessionIDFieldValid; pTargetWinStation->bClientRequireServerAddr = LBInfo.bClientRequireServerAddr; pTargetWinStation->RequestedSessionID = LBInfo.RequestedSessionID; /* * Attempt to license the client. Failure is fatal, do not let the * connection continue. */ LCAssignPolicy(pTargetWinStation); Status = LCProcessConnectionProtocol(pTargetWinStation); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: LCProcessConnectionProtocol, LogonId=%d, Status=0x%x\n", pTargetWinStation->LogonId, Status)); // The stack was locked from successful IcaStackConnectionAccept(), // unlock it now. IcaStackUnlock(pTargetWinStation->hStack); } /* * Now relock the target WinStation */ rc = RelockWinStation(pTargetWinStation); /* * If the connection accept was not successful, * then we have no choice but to close the connection endpoint * and go back and wait for another connection. */ if (!NT_SUCCESS(Status) || !rc) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Connection attempt failed, Status [%lx], rc [%lx]\n", Status, rc)); goto badconnect; } /* * Initialize client data */ pTargetWinStation->Client.ClientSessionId = LOGONID_NONE; ZeroMemory( pTargetWinStation->Client.clientDigProductId, sizeof( pTargetWinStation->Client.clientDigProductId )); pTargetWinStation->Client.PerformanceFlags = TS_PERF_DISABLE_NOTHING; // Reset the client ActiveInputLocale info pTargetWinStation->Client.ActiveInputLocale = 0; if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxIcaStackIoControl ) { (void) pTargetWinStation->pWsx->pWsxIcaStackIoControl( pTargetWinStation->pWsxContext, pTargetWinStation->hIca, pTargetWinStation->hStack, IOCTL_ICA_STACK_QUERY_CLIENT, NULL, 0, &pTargetWinStation->Client, sizeof(pTargetWinStation->Client), &ReturnLength ); } // // Clear helpassistant specific bits to indicate we still not sure // login user is a help assistant // pTargetWinStation->StateFlags &= ~WSF_ST_HELPSESSION_FLAGS; bSessionIsHelpSession = TSIsSessionHelpSession( pTargetWinStation, &bValidRAConnect ); /* * We have to start this new WinStation. * Before doing so, lets see if GP or WMI requires us to pre-authenticate this client connection * No Pre Auth if this is a RA Session */ // Note : g_PreAuthenticateClient is hard-coded to FALSE now -- we will call IsPreAuthEnabled later on when Preauth feature is included // So the block below will not be entered for now // g_PreAuthenticateClient = IsPreAuthEnabled( &g_MachinePolicy ); if ( (bSessionIsHelpSession == FALSE) && g_PreAuthenticateClient ) { pExtendedClientCredentials pPreAuthenticationCredentials = NULL; ULONG BytesGot ; pPreAuthenticationCredentials = MemAlloc( sizeof(ExtendedClientCredentials) ); if ( pPreAuthenticationCredentials == NULL ) { Status = STATUS_NO_MEMORY; goto badconnect; } RtlZeroMemory(pPreAuthenticationCredentials,sizeof(ExtendedClientCredentials)); // Try WsxEscape first to get long credentials if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxEscape ) { Status = pTargetWinStation->pWsx->pWsxEscape( pTargetWinStation->pWsxContext, GET_LONG_USERNAME, NULL, 0, pPreAuthenticationCredentials, sizeof(ExtendedClientCredentials), &BytesGot) ; } else if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxIcaStackIoControl ) { // We must never be here for RDP client as we support WsxEscape RtlCopyMemory(pPreAuthenticationCredentials->Domain, pTargetWinStation->Client.Domain, sizeof(pTargetWinStation->Client.Domain)); RtlCopyMemory(pPreAuthenticationCredentials->UserName, pTargetWinStation->Client.UserName, sizeof(pTargetWinStation->Client.UserName)); RtlCopyMemory(pPreAuthenticationCredentials->Password, pTargetWinStation->Client.Password, sizeof(pTargetWinStation->Client.Password)); } if (!NT_SUCCESS(Status)) { // WsxEscape for GET_LONG_USERNAME failed RtlSecureZeroMemory(pPreAuthenticationCredentials->Password, sizeof(pPreAuthenticationCredentials->Password)); MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; goto badconnect; } else { HANDLE hToken; BOOL Result; // If the UserName is a UPN name, then explicitly set the Domain name to NULL if ( wcschr(pPreAuthenticationCredentials->UserName, '@') != NULL ) { pPreAuthenticationCredentials->Domain[0] = L'\0'; } // If the password is bigger than max allowed password len, make it NULL if (wcslen(pPreAuthenticationCredentials->Password) > MAX_ALLOWED_PASSWORD_LEN) { pPreAuthenticationCredentials->Password[0] = L'\0'; } Result = LogonUser( pPreAuthenticationCredentials->UserName, pPreAuthenticationCredentials->Domain, pPreAuthenticationCredentials->Password, LOGON32_LOGON_INTERACTIVE, // Logon Type LOGON32_PROVIDER_WINNT50, // Logon Provider &hToken // Token that represents the account ); RtlSecureZeroMemory(pPreAuthenticationCredentials->Password, sizeof(pPreAuthenticationCredentials->Password)); /* * check for account restriction which indicates a blank password * on the account that is correct though - allow this thru on console */ if ( (!Result) && (GetLastError() == ERROR_ACCOUNT_RESTRICTION) ) { Result = TRUE; } if( !Result) { BOOL bSuccessfulAdded = TRUE ; if (g_BlackListPolicy) { bSuccessfulAdded = Filter_AddFailedConnection( in_addr, uAddrSize ); } MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; goto badconnect; } // LogonUser Successful ! /* * Close the token handle since we only needed to determine * if the account and password is still valid. */ CloseHandle( hToken ); MemFree(pPreAuthenticationCredentials); pPreAuthenticationCredentials = NULL; } } // if (bPreAuthenticateClient) //Since we don't need the password anymore, clean it up RtlSecureZeroMemory(pTargetWinStation->Client.Password, sizeof(pTargetWinStation->Client.Password)); // Start the WinStation now if its not already started if ( (pTargetWinStation->InitialCommandProcess == NULL) && (pTargetWinStation->WindowsSubSysProcess == NULL) ) { Status = WinStationStart( pTargetWinStation ) ; if (Status != STATUS_SUCCESS) { // Starting the winstation failed - close connection endpoint and go and wait for another connection TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: TransferConnectionToIdleWinStation: WinstationStart Failed : Connection attempt failed, Status [%lx]\n",Status )); goto badconnect; } Status = WinStationCreateComplete( pTargetWinStation) ; if (Status != STATUS_SUCCESS) { // WinstationCreateComplete failed - close connection endpoint and go and wait for another connection TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: TransferConnectionToIdleWinStation: WinstationCreateComplete Failed : Connection attempt failed, Status [%lx]\n",Status )); goto badconnect; } } ASSERT( pTargetWinStation->LogonId != -1 ); pTargetWinStation->Flags &= ~WSF_IDLEBUSY; // From this point on, it is ok to Queue the WinStation for Reset in case of error bQueueForReset = TRUE; /* * The connection accept was successful, save the * new endpoint in the target WinStation, copy the config * parameters to the target WinStation, and reset the WSF_IDLE flag. */ pTargetWinStation->pEndpoint = pEndpoint; pTargetWinStation->EndpointLength = EndpointLength; if ( pListenWinStation ) pTargetWinStation->Config = pListenWinStation->Config; pTargetWinStation->Flags &= ~WSF_IDLE; /* * Copy real name of Single-Instance transports */ if ( pConfig->Pd[0].Create.PdFlag & PD_SINGLE_INST ) { RtlCopyMemory( pTargetWinStation->WinStationName, pTargetWinStation->ListenName, sizeof(pTargetWinStation->WinStationName) ); /* * Otherwise, build dynamic name from Listen name and target LogonId. */ } else { int CopyCount; WINSTATIONNAME TempName; // swprintf( TempName, L"#%d", pTargetWinStation->LogonId ); ASSERT(pTargetWinStation->LogonId > 0 && pTargetWinStation->LogonId < 65536); swprintf( TempName, L"#%d", pTargetWinStation->SessionSerialNumber ); CopyCount = min( wcslen( pTargetWinStation->ListenName ), sizeof( pTargetWinStation->WinStationName ) / sizeof( pTargetWinStation->WinStationName[0] ) - wcslen( TempName ) - 1 ); wcsncpy( pTargetWinStation->WinStationName, pTargetWinStation->ListenName, CopyCount ); wcscpy( &pTargetWinStation->WinStationName[CopyCount], TempName ); } /* * Inherit the security descriptor from the listen WINSTATION to the * connected WINSTATION. */ if ( pListenWinStation ) { RtlAcquireResourceShared(&WinStationSecurityLock, TRUE); Status = WinStationInheritSecurityDescriptor( pListenWinStation->pSecurityDescriptor, pTargetWinStation ); RtlReleaseResource(&WinStationSecurityLock); if (Status != STATUS_SUCCESS) { // badconnect free pEndpoint, WinStationTerminate() will try to free this // end point again causing double free. pTargetWinStation->pEndpoint = NULL; goto badconnect; } } else { ReadWinStationSecurityDescriptor( pTargetWinStation ); } // // For non-experience-aware clients give as close an experience // as win2k. // if (pTargetWinStation->Client.PerformanceFlags & TS_PERF_DEFAULT_NONPERFCLIENT_SETTING) { pTargetWinStation->Client.PerformanceFlags = TS_PERF_DISABLE_MENUANIMATIONS | TS_PERF_DISABLE_THEMING | TS_PERF_DISABLE_CURSOR_SHADOW; } if ( pTargetWinStation->Config.Config.User.fWallPaperDisabled ) { pTargetWinStation->Client.PerformanceFlags |= TS_PERF_DISABLE_WALLPAPER; } if ( pTargetWinStation->Config.Config.User.fCursorBlinkDisabled ) { pTargetWinStation->Client.PerformanceFlags |= TS_PERF_DISABLE_CURSORSETTINGS; } // // If TS policy denies connection, only way to comes to // here is policy allow help, reject connection if logon // user is not salem help assistant. // if( TRUE == bSessionIsHelpSession ) { // // If invalid ticket or policy deny help, we immediately disconnect // if( FALSE == bValidRAConnect || FALSE == bPolicyAllowHelp ) { // Invalid ticket, disconnect immediately TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Invalid RA login\n")); goto invalid_ra_connection; } } else if( !pListenWinStation && pStackAddress ) { // // Reverse Connect, parameter passed in pListenWinStation = NULL // and pStackAddress is not NULL, for normal connection, // pListenWinStation is not NULL but pStackAddress is NULL // // // Handle non-RA Reverse connection, Whistler revert connection // only allow RA login. // TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Not/invalid Help Assistant logon\n")); goto invalid_ra_connection; } // // Connecting client must be either non-RA or valid RA connection. // // // Handle Safeboot with networking and TS deny non-RA connection, // safeboot with networking only allow RA connection. // // Disconnect client on following // // 1) Safeboot with networking if not RA connect. // 2) Reverse connection if not RA connect. // 3) TS not accepting connection via policy setting if not RA connect. // 4) Not allowing help if RA connect. // 5) Invalid RA connection if RA connect. // 6) if Home edition and not RA commection // if( g_SafeBootWithNetwork || g_fDenyTSConnectionsPolicy || g_bPersonalWks) { if( FALSE == bSessionIsHelpSession ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Policy or safeboot denied connection\n")); goto invalid_ra_connection; } } // // Only log Salem event for reverse connection // if( !pListenWinStation && pStackAddress ) { ASSERT( TRUE == bSessionIsHelpSession ); TSLogSalemReverseConnection(pTargetWinStation, pStackAddress); } /* * Set the connect event to wake up the target WinStation. */ if (pTargetWinStation->ConnectEvent != NULL) { NtSetEvent( pTargetWinStation->ConnectEvent, NULL ); } /* * Release target WinStation */ if( pListenWinStation ) { if (bSuccessAdded) { // If we could add this IP address to the per IP list then remember it. PREMEMBERED_CLIENT_ADDRESS pAddress; if ((uAddrSize != 0) && (pAddress = (PREMEMBERED_CLIENT_ADDRESS) MemAlloc( sizeof(REMEMBERED_CLIENT_ADDRESS) + uAddrSize -1 ))!= NULL ) { pAddress->length = uAddrSize; RtlCopyMemory( &pAddress->addr[0] , in_addr,uAddrSize ); pTargetWinStation->pRememberedAddress = pAddress; // at this point we have a valid remote address. We'll cache this address. pTargetWinStation->pLastClientAddress = ( PREMEMBERED_CLIENT_ADDRESS )MemAlloc( sizeof( REMEMBERED_CLIENT_ADDRESS ) + uAddrSize - 1 ); if( pTargetWinStation->pLastClientAddress != NULL ) { RtlCopyMemory( &pTargetWinStation->pLastClientAddress->addr[0] , &pTargetWinStation->pRememberedAddress->addr[0] , uAddrSize ); pTargetWinStation->pLastClientAddress->length = uAddrSize; } } else { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } } else{ // We could not add this IP address to the pr IP list if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } } ReleaseWinStation( pTargetWinStation ); /* * If necessary, create another idle WinStation to replace the one being connected */ NtSetEvent(WinStationIdleControlEvent, NULL); return STATUS_SUCCESS; /*============================================================================= == Error returns =============================================================================*/ invalid_ra_connection: // badconnect free pEndpoint, WinStationTerminate() will try to free this // end point again causing double free. pTargetWinStation->pEndpoint = NULL; StatusCallback = STATUS_CTX_WINSTATION_ACCESS_DENIED; /* * Error during ConnectionAccept */ badconnect: /* * Clear the Listen name */ if (pTargetWinStation) { RtlZeroMemory( pTargetWinStation->ListenName, sizeof(pTargetWinStation->ListenName) ); /* * Call WinStation rundown function before killing the stack */ if (pTargetWinStation->pWsxContext) { if ( pTargetWinStation->pWsx && pTargetWinStation->pWsx->pWsxWinStationRundown ) { pTargetWinStation->pWsx->pWsxWinStationRundown( pTargetWinStation->pWsxContext ); } pTargetWinStation->pWsxContext = NULL; } pTargetWinStation->pWsx = NULL; } /* * Release system resources. This happens in two phases: * * a.) The connection endpoint - since endpoints are not reference counted * care must be taken to destroy the endpoint with the stack in which it * was loaded. In the event it was not loaded, we create a temporary * stack to do the dirty work. * * b.) The Winstation inself - if we had to create an idle winstation to * handle this connection, it is destroyed. Otherwise we just return * it back to the idle pool. * */ releaseresources: /* * If we created a target WinStation, then use its stack to close the * endpoint since the stack may have a reference to it. */ TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: Closing Endpoint [0x%p], winsta = 0x%p, Accepted = %ld\n", pEndpoint, pTargetWinStation, ConnectionAccepted)); if ((pTargetWinStation != NULL) && (ConnectionAccepted)) { Status = _CloseEndpoint( pConfig, pEndpoint, EndpointLength, pTargetWinStation, FALSE ); // Use the stack which already has // the endpoint loaded } /* * Otherwise, we failed before we got the endpoint loaded so close the * endpoint using a temporary stack. */ else if ( pListenWinStation ) { // note that: // 1. if pListenWinStation is NULL then pEndpoint is NULL, so nothing to close; // 2. use the config of pListenWinStation in case pConfig is not set yet. Status = _CloseEndpoint( &pListenWinStation->Config, pEndpoint, EndpointLength, pListenWinStation, TRUE ); // Use a temporary stack } if ( pEndpoint ) MemFree( pEndpoint ); pEndpoint = NULL; /* * Return the winstation if we got that far in the protocol sequence */ if (pTargetWinStation != NULL) { /* * If we created a WinStation above because there were no IDLE * WinStations available, then we will now have an extra IDLE * WinStation. In this case, reset the current IDLE WinStation. */ if ( CreatedIdle ) { // clear this so it doesn't get selected as idle when unlocked pTargetWinStation->Flags &= ~WSF_IDLE; if ( bQueueForReset == TRUE ) { QueueWinStationReset( pTargetWinStation->LogonId ); ReleaseWinStation( pTargetWinStation ); } else { if ( !(pTargetWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { pTargetWinStation->Flags |= WSF_DELETE; WinStationTerminate( pTargetWinStation ); pTargetWinStation->State = State_Down; //PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status); WinStationDeleteWorker(pTargetWinStation); } else { ReleaseWinStation(pTargetWinStation); } } } /* * Else return this WinStation to the idle pool after cleaning up the * stack. */ else { // // The licensing context needs to be freed and recreated to // ensure it is cleaned up properly. // LCDestroyContext(pTargetWinStation); Status = LCCreateContext(pTargetWinStation); if (NT_SUCCESS(Status)) { Status = IcaStackClose( pTargetWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pTargetWinStation->hStack = NULL; Status = IcaStackOpen( pTargetWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pTargetWinStation, &pTargetWinStation->hStack ); } if (NT_SUCCESS(Status)) { pTargetWinStation->Flags |= WSF_IDLE; pTargetWinStation->Flags &= ~WSF_IDLEBUSY; RtlZeroMemory(pTargetWinStation->WinStationName, sizeof(pTargetWinStation->WinStationName)); pTargetWinStation->State = State_Idle; NotifySystemEvent( WEVENT_STATECHANGE ); ReleaseWinStation( pTargetWinStation ); } else { pTargetWinStation->Flags &= ~WSF_IDLE; QueueWinStationReset( pTargetWinStation->LogonId); ReleaseWinStation( pTargetWinStation ); } } } if ( pListenWinStation ) { if (bSuccessAdded) { Filter_RemoveOutstandingConnection( in_addr, uAddrSize ); } if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } // If error is due to call back, return meaningful error // code. if( STATUS_SUCCESS != StatusCallback ) { return StatusCallback; } return -1 /*STATUS_CTX_UNACCEPTED_CONNECTION*/; } /******************************************************************************* * ConnectSmWinStationApiPort * * Open a connection to the WinStationApiPort. This will be used * to queue requests to the Api Request thread instead of processing * them in line. ******************************************************************************/ NTSTATUS ConnectSmWinStationApiPort() { UNICODE_STRING PortName; SECURITY_QUALITY_OF_SERVICE DynamicQos; WINSTATIONAPI_CONNECT_INFO info; ULONG ConnectInfoLength; NTSTATUS Status; /* * Set up the security quality of service parameters to use over the * port. Use the most efficient (least overhead) - which is dynamic * rather than static tracking. */ DynamicQos.ImpersonationLevel = SecurityImpersonation; DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; DynamicQos.EffectiveOnly = TRUE; RtlInitUnicodeString( &PortName, L"\\SmSsWinStationApiPort" ); // Fill in the ConnectInfo structure with our access request mask info.Version = CITRIX_WINSTATIONAPI_VERSION; info.RequestedAccess = 0; ConnectInfoLength = sizeof(WINSTATIONAPI_CONNECT_INFO); Status = NtConnectPort( &WinStationApiPort, &PortName, &DynamicQos, NULL, NULL, NULL, // Max message length [select default] (PVOID)&info, &ConnectInfoLength ); if ( !NT_SUCCESS( Status ) ) { // Look at the returned INFO to see why if desired if ( ConnectInfoLength == sizeof(WINSTATIONAPI_CONNECT_INFO) ) { DBGPRINT(( "TERMSRV: Sm connect failed, Reason 0x%x\n", info.AcceptStatus)); } DBGPRINT(( "TERMSRV: Connect to SM failed %lx\n", Status )); } return Status; } /******************************************************************************* * QueueWinStationCreate * * Send a create message to the WinStationApiPort. * * ENTRY: * pWinStationName (input) * Pointer to WinStationName to be created ******************************************************************************/ NTSTATUS QueueWinStationCreate(PWINSTATIONNAME pWinStationName) { WINSTATION_APIMSG msg; NTSTATUS Status; TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationCreate: %S\n", pWinStationName )); /* * Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationCreate; msg.WaitForReply = FALSE; if ( pWinStationName ) { RtlCopyMemory( msg.u.Create.WinStationName, pWinStationName, sizeof(msg.u.Create.WinStationName) ); } else { RtlZeroMemory( msg.u.Create.WinStationName, sizeof(msg.u.Create.WinStationName) ); } /* * Send create message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) ); return Status; } /******************************************************************************* * QueueWinStationReset * * Send a reset message to the WinStationApiPort. * * ENTRY: * LogonId (input) * LogonId of WinStationName to reset ******************************************************************************/ NTSTATUS QueueWinStationReset(ULONG LogonId) { WINSTATION_APIMSG msg; NTSTATUS Status; TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationReset: %u\n", LogonId )); /* * Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationReset; msg.WaitForReply = FALSE; msg.u.Reset.LogonId = LogonId; /* * Send reset message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) ); return( Status ); } /******************************************************************************* * QueueWinStationDisconnect * * Send a disconnect message to the WinStationApiPort. * * ENTRY: * LogonId (input) * LogonId of WinStationName to disconnect ******************************************************************************/ NTSTATUS QueueWinStationDisconnect(ULONG LogonId) { WINSTATION_APIMSG msg; NTSTATUS Status; TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: QueueWinStationDisconnect: %u\n", LogonId )); /* * Initialize msg */ msg.h.u1.s1.DataLength = sizeof(msg) - sizeof(PORT_MESSAGE); msg.h.u1.s1.TotalLength = sizeof(msg); msg.h.u2.s2.Type = 0; // Kernel will fill in message type msg.h.u2.s2.DataInfoOffset = 0; msg.ApiNumber = SMWinStationDisconnect; msg.WaitForReply = FALSE; msg.u.Reset.LogonId = LogonId; /* * Send disconnect message to our API request thread * but don't wait for a reply. */ Status = NtRequestPort( WinStationApiPort, (PPORT_MESSAGE) &msg ); ASSERT( NT_SUCCESS( Status ) ); return( Status ); } /******************************************************************************* * IcaRegWinStationEnumerate * * Enumerate all WinStations configured in the registry. * * ENTRY: * pWinStationCount (input/output) * count of WinStation names to return, on return the number of * WinStation names actually returned in name buffer * pWinStationName (output) * pointer to buffer to return WinStation names * pByteCount (input/output) * size of WinStation name buffer, on return the number of * bytes actually returned in the name buffer ******************************************************************************/ NTSTATUS IcaRegWinStationEnumerate( PULONG pWinStationCount, PWINSTATIONNAME pWinStationName, PULONG pByteCount) { NTSTATUS Status; OBJECT_ATTRIBUTES ObjectAttributes; WCHAR PathBuffer[ 260 ]; UNICODE_STRING KeyPath; HANDLE Handle; ULONG i; ULONG Count; wcscpy( PathBuffer, REG_NTAPI_CONTROL_TSERVER L"\\" REG_WINSTATIONS ); RtlInitUnicodeString( &KeyPath, PathBuffer ); InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = NtOpenKey( &Handle, GENERIC_READ, &ObjectAttributes ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: NtOpenKey failed, rc=%x\n", Status )); return( Status ); } Count = pWinStationName ? min( *pByteCount / sizeof(WINSTATIONNAME), *pWinStationCount ) : (ULONG) -1; *pWinStationCount = *pByteCount = 0; for ( i = 0; i < Count; i++ ) { WINSTATIONNAME WinStationName; UNICODE_STRING WinStationString; WinStationString.Length = 0; WinStationString.MaximumLength = sizeof(WinStationName); WinStationString.Buffer = WinStationName; Status = RtlpNtEnumerateSubKey( Handle, &WinStationString, i, NULL ); if ( !NT_SUCCESS( Status ) ) { if ( Status != STATUS_NO_MORE_ENTRIES ) { DBGPRINT(( "TERMSRV: RtlpNtEnumerateSubKey failed, rc=%x\n", Status )); } break; } if ( pWinStationName ) { RtlCopyMemory( pWinStationName, WinStationName, WinStationString.Length ); pWinStationName[WinStationString.Length>>1] = UNICODE_NULL; (char*)pWinStationName += sizeof(WINSTATIONNAME); } (*pWinStationCount)++; *pByteCount += sizeof(WINSTATIONNAME); } NtClose( Handle ); return STATUS_SUCCESS; } /******************************************************************************* * WinStationCreateWorker * * Worker routine to create/start a WinStation. * * ENTRY: * pWinStationName (input) (optional) * Pointer to WinStationName to be created * pLogonId (output) * location to return LogonId of new WinStation * fStartWinStation (input) * Tells if we need to Start the winstation after creating it * * NOTE: If a WinStation name is specified, then this will become the * "listening" WinStation for the specified name. * If a WinStation name is not specified, then this will become * part of the free pool of idle/disconnected WinStations. ******************************************************************************/ NTSTATUS WinStationCreateWorker( PWINSTATIONNAME pWinStationName, PULONG pLogonId, BOOLEAN fStartWinStation ) { BOOL fConsole; PWINSTATION pWinStation = NULL; PWINSTATION pCurWinStation; NTSTATUS Status; UNICODE_STRING WinStationString; ULONG ReturnLength; /* * If system shutdown is in progress, then don't allow create */ if ( ShutdownInProgress ) { Status = STATUS_ACCESS_DENIED; goto shutdown; } if (pWinStationName == NULL) { fConsole = FALSE; } else { fConsole = (_wcsicmp(pWinStationName, L"Console") == 0); } /* * If not the Console, then verify the WinStation name is defined * in the registry and that it is enabled. */ if ( pWinStationName && !fConsole ) { Status = CheckWinStationEnable( pWinStationName ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(( "TERMSRV: WinStation '%ws' is disabled\n", pWinStationName )); goto disabled; } } /* * Allocate and initialize WinStation struct */ if ( (pWinStation = MemAlloc( sizeof(WINSTATION) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pWinStation, sizeof(WINSTATION) ); pWinStation->Starting = TRUE; pWinStation->NeverConnected = TRUE; pWinStation->State = State_Init; pWinStation->pNewNotificationCredentials = NULL; pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE; pWinStation->LastReconnectType = NeverReconnected; pWinStation->fDisallowAutoReconnect = FALSE; pWinStation->fSmartCardLogon = FALSE; pWinStation->fSDRedirectedSmartCardLogon = FALSE; memset( pWinStation->ExecSrvSystemPipe, 0, EXECSRVPIPENAMELEN*sizeof(WCHAR) ); // Create the Session Initialized event which will be set when Winlogon calls after creating a Desktop pWinStation->SessionInitializedEvent = CreateEvent(NULL, TRUE, // Manual Reset FALSE, // Initial State is non signaled NULL); if (pWinStation->SessionInitializedEvent == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto nomem; } InitializeListHead( &pWinStation->ShadowHead ); InitializeListHead( &pWinStation->Win32CommandHead ); // Create the licensing context Status = LCCreateContext(pWinStation); if ( !NT_SUCCESS( Status ) ) goto nolicensecontext; // Create and lock winstation mutex Status = InitRefLock( &pWinStation->Lock, WinStationDeleteProc ); if ( !NT_SUCCESS( Status ) ) goto nolock; /* * If a WinStation name was specified, see if it already exists * (on return, WinStationListLock will be locked). */ if ( pWinStationName ) { if ( pCurWinStation = FindWinStationByName( pWinStationName, TRUE ) ) { ReleaseWinStation( pCurWinStation ); LEAVECRIT( &WinStationListLock ); Status = STATUS_CTX_WINSTATION_NAME_COLLISION; goto alreadyexists; } TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Creating WinStation %ws\n", pWinStationName )); LEAVECRIT( &WinStationListLock ); wcscpy( pWinStation->WinStationName, pWinStationName ); /* * If not the console, then this will become a "listen" WinStation */ if ( !fConsole ) { pWinStation->Flags |= WSF_LISTEN; // // Listener winstations always get LogonId above 65536 and are // assigned by Terminal Server. LogonId's for sessions are // generated by mm in the range 0-65535 // pWinStation->LogonId = LogonId++; ASSERT(pWinStation->LogonId >= 65536); } else { // // Console always get 0 // pWinStation->LogonId = 0; pWinStation->fOwnsConsoleTerminal = TRUE; } /* * No WinStation name was specified. * This will be an idle WinStation waiting for a connection. */ } else { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Creating IDLE WinStation\n" )); pWinStation->Flags |= WSF_IDLE; pWinStation->LogonId = -1; // MM will asssign session IDs } /* * Initialize WinStation configuration data */ #ifdef NO_CONSOLE_REGISTRY if ( pWinStation->LogonId ) { #endif /* * Read winstation configuration data from registry */ if ( pWinStationName ) { Status = RegWinStationQueryEx( SERVERNAME_CURRENT, &g_MachinePolicy, pWinStationName, &pWinStation->Config, sizeof(WINSTATIONCONFIG2), &ReturnLength, TRUE ); if ( !NT_SUCCESS(Status) ) { goto badregdata; } if (pWinStation->Config.Wd.WdFlag & WDF_TSHARE) { pWinStation->Client.ProtocolType = PROTOCOL_RDP; } else if (pWinStation->Config.Wd.WdFlag & WDF_ICA) { pWinStation->Client.ProtocolType = PROTOCOL_ICA; } else { pWinStation->Client.ProtocolType = PROTOCOL_CONSOLE; } /* * Save console config for console sessions. */ if (pWinStation->LogonId == 0) { gConsoleConfig = pWinStation->Config; // initalize client data, since there isn't any real rdp client sending anythhing to us InitializeConsoleClientData( & pWinStation->Client ); } } #ifdef NO_CONSOLE_REGISTRY } else { /* * Hand craft the console configuration data */ PWDCONFIG pWdConfig = &pWinStation->Config.Wd; PPDCONFIGW pPdConfig = &pWinStation->Config.Pd[0]; wcscpy( pWdConfig->WdName, L"Console" ); pWdConfig->WdFlag = WDF_NOT_IN_LIST; wcscpy( pPdConfig->Create.PdName, L"Console" ); pPdConfig->Create.PdClass = PdConsole; pPdConfig->Create.PdFlag = PD_USE_WD | PD_RELIABLE | PD_FRAME | PD_CONNECTION | PD_CONSOLE; RegQueryOEMId( (PBYTE) &pWinStation->Config.Config.OEMId, sizeof(pWinStation->Config.Config.OEMId) ); } #endif /* * Allocate LogonId and insert in WinStation list */ ENTERCRIT( &WinStationListLock ); InsertTailList( &WinStationListHead, &pWinStation->Links ); LEAVECRIT( &WinStationListLock ); if (pWinStation->LogonId == 0 || g_bPersonalTS) { // Create a named event for console session so that winmm can check if we // are remoting audio on the console itself. Use a global event is for // fast check { BYTE bSA[SECURITY_DESCRIPTOR_MIN_LENGTH]; PSECURITY_DESCRIPTOR pSD = &bSA; SECURITY_ATTRIBUTES SA; EXPLICIT_ACCESS ea[2]; SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY siaNT = SECURITY_NT_AUTHORITY; PSID pSidWorld; PSID pSidNT; PACL pNewDAcl; DWORD dwres; if ( AllocateAndInitializeSid( &siaWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSidWorld)) { if ( AllocateAndInitializeSid( &siaNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pSidNT)) { ZeroMemory(ea, sizeof(ea)); ea[0].grfAccessPermissions = SYNCHRONIZE; ea[0].grfAccessMode = GRANT_ACCESS; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.ptstrName = (LPTSTR)pSidWorld; ea[1].grfAccessPermissions = GENERIC_ALL; ea[1].grfAccessMode = GRANT_ACCESS; ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[1].Trustee.ptstrName = (LPTSTR)pSidNT; dwres = SetEntriesInAcl(2, ea, NULL, &pNewDAcl ); if ( ERROR_SUCCESS == dwres ) { if (InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) { if (SetSecurityDescriptorDacl(pSD, TRUE, pNewDAcl, FALSE )) { SA.nLength = sizeof( SA ); SA.lpSecurityDescriptor = pSD; SA.bInheritHandle = FALSE; pWinStation->hWinmmConsoleAudioEvent = CreateEvent( &SA, TRUE, FALSE, L"Global\\WinMMConsoleAudioEvent"); if ( pWinStation->LogonId == 0 ) { pWinStation->hRDPAudioDisabledEvent = CreateEvent( &SA, TRUE, FALSE, L"Global\\RDPAudioDisabledEvent"); } else { pWinStation->hRDPAudioDisabledEvent = NULL; } } } LocalFree( pNewDAcl ); } LocalFree( pSidNT ); } LocalFree( pSidWorld ); } } } else { pWinStation->hWinmmConsoleAudioEvent = NULL; pWinStation->hRDPAudioDisabledEvent = NULL; } /* * Start the WinStation's primary device and stack */ Status = StartWinStationDeviceAndStack( pWinStation ) ; /* * Ignore errors from console, otherwise keep going */ if ( ( pWinStation->LogonId ) && ( Status != STATUS_SUCCESS ) ) { goto starterror; } /* * Start the WinStation - do this only for the Listener and Console Sessions or if last param is TRUE * For idle winstations, we start the Csr and Winlogon later on when Transferring connection */ if (( pWinStation->Flags & WSF_LISTEN ) || (pWinStation->LogonId == 0) || (fStartWinStation)) { Status = WinStationStart( pWinStation ); /* * Ignore errors from console, otherwise keep going */ if ( ( pWinStation->LogonId ) && ( Status != STATUS_SUCCESS ) ) goto starterror; Status = WinStationCreateComplete( pWinStation ) ; if (Status != STATUS_SUCCESS) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: WinstationCreateComplete Failed : Connection attempt failed, Status [%lx]\n",Status )); goto starterror; } } /* * Return LogonId to caller * At this point LogonId is really -1 for idle sessions because we delay the starting of Csr and winlogon */ if ( pLogonId ) *pLogonId = pWinStation->LogonId; pWinStation->Starting = FALSE; /* * Release WinStation now */ ReleaseWinStation( pWinStation ); return( STATUS_SUCCESS ); /*============================================================================= == Error returns =============================================================================*/ /* * WinStationStart returned error * WinStation kernel object could not be created */ starterror: if ( !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { if ( StopOnDown ) DbgBreakPoint(); pWinStation->Flags |= WSF_DELETE; WinStationTerminate( pWinStation ); pWinStation->State = State_Down; PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status); WinStationDeleteWorker(pWinStation); } else { ReleaseWinStation( pWinStation ); } return Status; /* * Error reading registry data */ badregdata: /* * WinStation name already exists */ alreadyexists: NtClose( pWinStation->Lock.Mutex ); /* * Could not create WinStation lock */ nolock: LCDestroyContext(pWinStation); /* * Could not allocate licensing context */ nolicensecontext: /* * Close the session initialization event if created successfully. */ if (pWinStation->SessionInitializedEvent) { CloseHandle(pWinStation->SessionInitializedEvent); pWinStation->SessionInitializedEvent = NULL; } /* * Could not allocate WinStation */ nomem: PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status); if (pWinStation) { MemFree(pWinStation); } /* * WinStation is disabled * System shutdown is in progress */ disabled: shutdown: return Status; } /******************************************************************************* * StartWinStationDeviceAndStack * Open the primary Device and primary Stack of the WinStation. * * ENTRY: * pWinStation (input) * Pointer to WinStation to start ******************************************************************************/ NTSTATUS StartWinStationDeviceAndStack(PWINSTATION pWinStation) { NTSTATUS Status = STATUS_SUCCESS; ICA_TRACE Trace; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: StartWinStationDeviceAndStack, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId )); /* * If its a WSF_LISTEN WinStation, see if a specific ACL has * been set for it. * * This ACL will be inherited by WinStations that are * connected to from this thread. * * If not specific ACL has been set, the system default * will be used. */ if (( pWinStation->Flags & WSF_LISTEN ) || (pWinStation->LogonId == 0)){ ReadWinStationSecurityDescriptor( pWinStation ); } /* * Open an instance of the TermDD device driver */ Status = IcaOpen( &pWinStation->hIca ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV StartWinStationDeviceAndStack : IcaOpen: Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto done; } /* * Open a stack instance */ Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack); if ( !NT_SUCCESS( Status ) ) { IcaClose( pWinStation->hIca ); pWinStation->hIca = NULL; DBGPRINT(( "TERMSRV StartWinStationDeviceAndStack : IcaStackOpen: Error 0x%x from IcaStackOpen, last error %d\n", Status, GetLastError() )); goto done; } /* * Enable trace */ RtlZeroMemory( &Trace , sizeof( ICA_TRACE ) ); InitializeTrace( pWinStation, FALSE, &Trace ); done: TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: StartWinStationDeviceAndStack, Status = 0x%x\n", Status)); return Status; } /******************************************************************************* * WinStationStart * * Start a WinStation. This involves reading the * execute list from the registry, loading the WinStation * subsystems, and starting the initial program. * * ENTRY: * pWinStation (input) * Pointer to WinStation to start ******************************************************************************/ NTSTATUS WinStationStart(PWINSTATION pWinStation) { OBJECT_ATTRIBUTES ObjA; LARGE_INTEGER Timeout; NTSTATUS Status; UNICODE_STRING InitialCommand; PUNICODE_STRING pInitialCommand; PWCHAR pExecuteBuffer = NULL; ULONG CommandSize; PWCHAR pszCsrStartEvent = NULL; PWCHAR pszReconEvent = NULL; UNICODE_STRING EventName; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationStart, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId )); // allocate memory pExecuteBuffer = MemAlloc( MAX_STRING_BYTES * sizeof(WCHAR) ); if (pExecuteBuffer == NULL) { Status = STATUS_NO_MEMORY; goto done; } pszCsrStartEvent = MemAlloc( MAX_PATH * sizeof(WCHAR) ); if (pszCsrStartEvent == NULL) { Status = STATUS_NO_MEMORY; goto done; } pszReconEvent = MemAlloc( MAX_PATH * sizeof(WCHAR) ); if (pszReconEvent == NULL) { Status = STATUS_NO_MEMORY; goto done; } /* * If this is a "listening" WinStation, then we don't load the * subsystems and initial command. Instead we create a service * thread to wait for new connections and service them. */ if ( pWinStation->Flags & WSF_LISTEN ) { DWORD ThreadId; pWinStation->hConnectThread = CreateThread( NULL, 0, // use Default stack size of the svchost process (LPTHREAD_START_ROUTINE)WinStationConnectThread, LongToPtr( pWinStation->LogonId ), 0, &ThreadId ); pWinStation->CreateStatus = STATUS_SUCCESS; Status = pWinStation->CreateStatus; pWinStation->NeverConnected = FALSE; pWinStation->State = State_Listen; NotifySystemEvent( WEVENT_STATECHANGE ); /* * Load subsystems and initial command * * Session Manager starts the console itself, but returns the * process ID's. For all others, this actually starts CSR * and winlogon. */ } else { /* * Create event we will wait on below */ if ( pWinStation->LogonId ) { InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL ); Status = NtCreateEvent( &pWinStation->CreateEvent, EVENT_ALL_ACCESS, &ObjA, NotificationEvent, FALSE ); if ( !NT_SUCCESS( Status ) ) goto done; } UnlockWinStation( pWinStation ); /* * Check debugging options */ Status = RegWinStationQueryValueW( SERVERNAME_CURRENT, pWinStation->WinStationName, L"Execute", pExecuteBuffer, MAX_STRING_BYTES * sizeof(WCHAR), &CommandSize ); if ( !Status && CommandSize ) { RtlInitUnicodeString( &InitialCommand, pExecuteBuffer ); pInitialCommand = &InitialCommand; } else { pInitialCommand = NULL; } /* * For now only do one winstation start at a time. This is because of * WinStation space problems. The Session manager maps it's self into * the WinStation space of the CSR it wants to start so the CSR inherits * the space. That means only one CSR can be started at a time. */ ENTERCRIT( &WinStationStartCsrLock ); //Terminal Service needs to skip Memory check in Embedded images //when the TS service starts //bug #246972 if(!IsEmbedded()) { /* * Make sure we have enough resources to start a new session */ Status = NtAllocateVirtualMemory( NtCurrentProcess(), &glpAddress, 0, &gMinPerSessionPageCommit, MEM_COMMIT, PAGE_READWRITE ); if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: NtAllocateVirtualMemory failed with Status %lx for Size %lx(MB)\n",Status,gMinPerSessionPageCommitMB)); LEAVECRIT( &WinStationStartCsrLock ); goto done; } else { Status = NtFreeVirtualMemory( NtCurrentProcess(), &glpAddress, &gMinPerSessionPageCommit, MEM_DECOMMIT ); if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: NtFreeVirtualMemory failed with Status %lx \n",Status)); ASSERT(NT_SUCCESS(Status)); } } } Status = SmStartCsr( IcaSmApiPort, &pWinStation->LogonId, pInitialCommand, (PULONG_PTR)&pWinStation->InitialCommandProcessId, (PULONG_PTR)&pWinStation->WindowsSubSysProcessId ); LEAVECRIT( &WinStationStartCsrLock ); if ( !RelockWinStation( pWinStation ) ) Status = STATUS_CTX_CLOSE_PENDING; if ( Status != STATUS_SUCCESS) { DBGPRINT(("TERMSRV: SmStartCsr failed\n")); goto done; } /* * Close handle to initial command process, if already opened */ if ( pWinStation->InitialCommandProcess ) { NtClose( pWinStation->InitialCommandProcess ); pWinStation->InitialCommandProcess = NULL; } /* * Open handle to initial command process */ pWinStation->InitialCommandProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)(pWinStation->InitialCommandProcessId) ); if ( pWinStation->InitialCommandProcess == NULL ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Logon %d cannot open Initial command process\n", pWinStation->LogonId)); Status = STATUS_ACCESS_DENIED; goto done; } /* * Open handle to WIN32 subsystem process */ pWinStation->WindowsSubSysProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)(pWinStation->WindowsSubSysProcessId) ); if ( pWinStation->WindowsSubSysProcess == NULL ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Logon %d cannot open windows subsystem process\n", pWinStation->LogonId)); Status = STATUS_ACCESS_DENIED; goto done; } // // Terminal Server calls into Session Manager to create a new Hydra session. // The session manager creates and resume a new session and returns to Terminal // server the session id of the new session. There is a race condition where // CSR can resume and call into terminal server before terminal server can // store the session id in its internal structure. To prevent this CSR will // wait here on a named event which will be set by Terminal server once it // gets the sessionid for the newly created session // Create CsrStartEvent // if ( NT_SUCCESS( Status ) && pWinStation->LogonId ) { wsprintf(pszCsrStartEvent, L"\\Sessions\\%d\\BaseNamedObjects\\CsrStartEvent",pWinStation->LogonId); RtlInitUnicodeString( &EventName,pszCsrStartEvent); InitializeObjectAttributes( &ObjA, &EventName, OBJ_OPENIF, NULL, NULL ); Status = NtCreateEvent( &(pWinStation->CsrStartEventHandle), EVENT_ALL_ACCESS, &ObjA, NotificationEvent, FALSE ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("TERMSRV: NtCreateEvent (%ws) failed (%lx)\n",pszCsrStartEvent, Status)); ASSERT(FALSE); pWinStation->CsrStartEventHandle = NULL; goto done; } // // Now that we have the sessionId(LogonId), set the CsrStartEvent so // CSR can connect to TerminalServer // NtSetEvent(pWinStation->CsrStartEventHandle, NULL); } { // // Create ReconnectReadyEvent // if ( pWinStation->LogonId == 0 ) { wsprintf(pszReconEvent, L"\\BaseNamedObjects\\ReconEvent"); } else { wsprintf(pszReconEvent, L"\\Sessions\\%d\\BaseNamedObjects\\ReconEvent",pWinStation->LogonId); } RtlInitUnicodeString( &EventName,pszReconEvent); InitializeObjectAttributes( &ObjA, &EventName, OBJ_OPENIF, NULL, NULL ); Status = NtCreateEvent( &(pWinStation->hReconnectReadyEvent), EVENT_ALL_ACCESS, &ObjA, NotificationEvent, TRUE ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(("TERMSRV: NtCreateEvent (%ws) failed (%lx)\n",pszReconEvent, Status)); ASSERT(FALSE); pWinStation->hReconnectReadyEvent = NULL; goto done; } } /* * For console, create is always successful - but do we need to * crank up the stack for the console session? */ if ( pWinStation->LogonId == 0 ) { pWinStation->CreateStatus = STATUS_SUCCESS; Status = pWinStation->CreateStatus; pWinStation->NeverConnected = FALSE; pWinStation->State = State_Connected; /* * Wait for create event to be triggered and get create status */ } else { Timeout = RtlEnlargedIntegerMultiply( 30000, -10000 ); UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( pWinStation->CreateEvent, FALSE, &Timeout ); if ( !RelockWinStation( pWinStation ) ) Status = STATUS_CTX_CLOSE_PENDING; if ( Status == STATUS_SUCCESS ) Status = pWinStation->CreateStatus; NtClose( pWinStation->CreateEvent ); pWinStation->CreateEvent = NULL; } } done: if (pExecuteBuffer != NULL) { MemFree(pExecuteBuffer); pExecuteBuffer = NULL; } if (pszCsrStartEvent != NULL) { MemFree(pszCsrStartEvent); pszCsrStartEvent = NULL; } if (pszReconEvent != NULL) { MemFree(pszReconEvent); pszReconEvent = NULL; } TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationStart Subsys PID=%d InitialProg PID=%d, Status=0x%x\n", pWinStation->WindowsSubSysProcessId, pWinStation->InitialCommandProcessId, Status )); return Status; } NTSTATUS WinStationCreateComplete(PWINSTATION pWinStation) { NTSTATUS Status = STATUS_SUCCESS; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCreateComplete, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId )); // Increment the total number of sessions created since TermSrv started. // we don't count the console and listener sessions if (pWinStation->LogonId > 0 && pWinStation->LogonId < 65536) { pWinStation->SessionSerialNumber = (ULONG) InterlockedIncrement(&g_TermSrvTotalSessions); } if (!(pWinStation->Flags & WSF_LISTEN)) { Status = InitializeSessionNotification(pWinStation); if ( !NT_SUCCESS( Status ) ) { goto done; } } /* * Set WinStationEvent to indicate another WinStation has been created */ ENTERCRIT( &WinStationListLock ); NtSetEvent( WinStationEvent, NULL ); // Keep track of total session count for Load Balancing Indicator but // don't count listen winstations if (!(pWinStation->Flags & WSF_LISTEN)) WinStationTotalCount++; LEAVECRIT( &WinStationListLock ); /* * Notify clients of WinStation create */ NotifySystemEvent( WEVENT_CREATE ); done : TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCreateComplete, %S (LogonId=%d) Status = 0x%x \n", pWinStation->WinStationName, pWinStation->LogonId, Status )); return Status ; } /******************************************************************************* * WinStationRenameWorker * * Worker routine to rename a WinStation. * * ENTRY: * pWinStationNameOld (input) * Pointer to old WinStationName * pWinStationNameNew (input) * Pointer to new WinStationName ******************************************************************************/ NTSTATUS WinStationRenameWorker( PWINSTATIONNAME pWinStationNameOld, ULONG NameOldSize, PWINSTATIONNAME pWinStationNameNew, ULONG NameNewSize) { PWINSTATION pWinStation; PLIST_ENTRY Head, Next; NTSTATUS Status; ULONG ulNewNameLength; /* * Ensure new WinStation name is non-zero length */ // // The new WinStationName is allocated by the RPC server stub and the // size is sent over by the client (this is part of the existing interface. // Therefore, it is sufficient to assert for the pWinStationNameNew to be // non-null AND the New size to be non-zero. If it asserts, this is a serious // problem with the rpc stub that should never happen in a released build. // // The old WinStationName also poses a problem. It is assumed in the code // that follows that the old WinStationName is NULL terminated. The RPC // interface does not say that. Which means the call to FindWinStation by // name can potentially AV. if (!( (pWinStationNameNew != 0 ) && (NameNewSize != 0 ) && !IsBadWritePtr( pWinStationNameNew, NameNewSize ) ) ) { return( STATUS_CTX_WINSTATION_NAME_INVALID ); } if (!( (pWinStationNameOld != 0 ) && (NameOldSize != 0 ) && !IsBadReadPtr( pWinStationNameOld, NameOldSize ) && !IsBadWritePtr( pWinStationNameOld, NameOldSize))) { return( STATUS_CTX_WINSTATION_NAME_INVALID ); } /* * Find and lock the WinStation * (Note that we hold the WinStationList lock while changing the name.) */ // We will add a NULL Terminator to the end of the old winstation name pWinStationNameOld[ NameOldSize - 1 ] = 0; pWinStationNameNew[ NameNewSize - 1 ] = 0; /* * Ensure new WinStation name is non-zero length and not too long */ ulNewNameLength = wcslen( pWinStationNameNew ); if ( ( ulNewNameLength == 0 ) || ( ulNewNameLength > WINSTATIONNAME_LENGTH ) ) return( STATUS_CTX_WINSTATION_NAME_INVALID ); pWinStation = FindWinStationByName( pWinStationNameOld, TRUE ); if ( pWinStation == NULL ) { LEAVECRIT( &WinStationListLock ); return( STATUS_CTX_WINSTATION_NOT_FOUND ); } /* * Verify that client has DELETE access */ Status = RpcCheckClientAccess( pWinStation, DELETE, FALSE ); if ( !NT_SUCCESS( Status ) ) { LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation ); return( Status ); } /* * Now search the WinStation list to see if the new WinStation name * is already used. If so then this is an error. */ Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { PWINSTATION pWinStationTemp; pWinStationTemp = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !_wcsicmp( pWinStationTemp->WinStationName, pWinStationNameNew ) ) { LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation ); return( STATUS_CTX_WINSTATION_NAME_COLLISION ); } } /* * Free the old name and set the new one, then release * the WinStationList lock and the WinStation mutex. */ wcsncpy( pWinStation->WinStationName, pWinStationNameNew, WINSTATIONNAME_LENGTH ); pWinStation->WinStationName[ WINSTATIONNAME_LENGTH ] = 0; LEAVECRIT( &WinStationListLock ); ReleaseWinStation( pWinStation ); /* * Notify clients of WinStation rename */ NotifySystemEvent( WEVENT_RENAME ); return STATUS_SUCCESS; } /******************************************************************************* * WinStationTerminate * * Terminate a WinStation. This involves causing the WinStation initial * program to logoff, terminating the initial program, and terminating * all subsystems. * * ENTRY: * pWinStation (input) * Pointer to WinStation to terminate ******************************************************************************/ VOID WinStationTerminate(PWINSTATION pWinStation) { WINSTATION_APIMSG msg; LARGE_INTEGER Timeout; NTSTATUS Status = 0; BOOL AllExited = FALSE; BOOL bDoDisconnectFailed = FALSE; int i, iLoop; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationTerminate, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId )); // // Release filtered address // /* if (pWinStation->pRememberedAddress != NULL) { Filter_RemoveOutstandingConnection( &pWinStation->pRememberedAddress->addr[0], pWinStation->pRememberedAddress->length ); MemFree(pWinStation->pRememberedAddress); pWinStation->pRememberedAddress = NULL; if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } */ if (pWinStation->fOwnsConsoleTerminal) { CopyReconnectInfo(pWinStation, &ConsoleReconnectInfo); } /* * If not already set, mark the WinStation as terminating. * This prevents our WinStation Terminate thread from waiting on * the initial program or Win32 subsystem processes. */ ENTERCRIT( &WinStationListLock ); if ( !pWinStation->Terminating ) { pWinStation->Terminating = TRUE; NtSetEvent( WinStationEvent, NULL ); } if (!(pWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE)) { pWinStation->StateFlags |= WSF_ST_WINSTATIONTERMINATE; } else { DBGPRINT(("Termsrv: WinstationTerminate: Session %ld has already been terminated \n",pWinStation->LogonId)); LEAVECRIT( &WinStationListLock ); return; } LEAVECRIT( &WinStationListLock ); /* * If WinStation is idle waiting for a connection, signal connect event * - this will return an error back to winlogon */ if ( pWinStation->ConnectEvent ) { NtSetEvent( pWinStation->ConnectEvent, NULL ); } /* * Stop any shadowing for this WinStation */ WinStationStopAllShadows( pWinStation ); /* * Tell Win32 to disconnect. * This puts up the disconnected desktop among other things. */ if ( ( pWinStation->WinStationName[0] ) && ( !pWinStation->NeverConnected ) && ( !(pWinStation->Flags & WSF_LISTEN) ) && ( !(pWinStation->Flags & WSF_DISCONNECT) ) && ( !(pWinStation->StateFlags & WSF_ST_IN_DISCONNECT )) && ( (pWinStation->StateFlags & WSF_ST_CONNECTED_TO_CSRSS) ) ) { msg.ApiNumber = SMWinStationDoDisconnect; msg.u.DoDisconnect.ConsoleShadowFlag = FALSE; /* * Insignia really wants the video driver to be notified before * the transport is closed. */ pWinStation->StateFlags |= WSF_ST_IN_DISCONNECT; Status = SendWinStationCommand( pWinStation, &msg, 600 ); if (!NT_SUCCESS(Status)) { bDoDisconnectFailed = TRUE; }else { /* * Tell csrss to notify winlogon for the disconnect. */ msg.ApiNumber = SMWinStationNotify; msg.WaitForReply = FALSE; msg.u.DoNotify.NotifyEvent = WinStation_Notify_Disconnect; Status = SendWinStationCommand( pWinStation, &msg, 0 ); pWinStation->StateFlags &= ~WSF_ST_CONNECTED_TO_CSRSS; } } /* * In case, the winstation termination is called without logoff notification, we will have to * carry out the post logoff licensing. */ if (pWinStation->StateFlags & WSF_ST_LICENSING) { (VOID)LCProcessConnectionLogoff(pWinStation); pWinStation->StateFlags &= ~WSF_ST_LICENSING; } /* * Free Timers */ if ( pWinStation->fIdleTimer ) { IcaTimerClose( pWinStation->hIdleTimer ); pWinStation->fIdleTimer = FALSE; } if ( pWinStation->fLogonTimer ) { IcaTimerClose( pWinStation->hLogonTimer ); pWinStation->fLogonTimer = FALSE; } if ( pWinStation->fDisconnectTimer ) { IcaTimerClose( pWinStation->hDisconnectTimer ); pWinStation->fDisconnectTimer = FALSE; } /* * Free events */ if ((pWinStation->LogonId == 0 || g_bPersonalTS)) { if ( pWinStation->hWinmmConsoleAudioEvent) { CloseHandle(pWinStation->hWinmmConsoleAudioEvent); } if ( pWinStation->hRDPAudioDisabledEvent) { CloseHandle(pWinStation->hRDPAudioDisabledEvent); } } /* * Notify clients of WinStation delete * * This mimics what happened in 1.6, but the state of the winstation hasn't changed * yet and it's still in the list, so it's not "deleted". Maybe we should add * a State_Exiting. Right now, it's marked down when it loses the LPC connection * with the CSR. Later, it's removed from the list and another WEVENT_DELETE is sent. */ NotifySystemEvent( WEVENT_DELETE ); if (!(pWinStation->Flags & WSF_LISTEN)) { UnlockWinStation(pWinStation); RemoveSessionNotification( pWinStation->LogonId, pWinStation->SessionSerialNumber ); /* * WinStationDeleteWorker, deletes the lock, which is always called after WinStationTerminate. * therefore we should always succeed in Relock here. */ RTL_VERIFY(RelockWinStation(pWinStation)); } /* * Terminate ICA stack */ if ( pWinStation->hStack && (!bDoDisconnectFailed) ) { /* * Close the connection endpoint, if any */ if ( pWinStation->pEndpoint ) { /* * First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation ); IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; } IcaStackTerminate( pWinStation->hStack ); } else{ pWinStation->StateFlags |= WSF_ST_DELAYED_STACK_TERMINATE; } /* * Flush the Win32 command queue. * If the Win32 command list is not empty, then loop through each * entry on the list and unlink it and trigger the wait event. */ while ( !IsListEmpty( &pWinStation->Win32CommandHead ) ) { PLIST_ENTRY Head; PCOMMAND_ENTRY pCommand; Head = pWinStation->Win32CommandHead.Flink; pCommand = CONTAINING_RECORD( Head, COMMAND_ENTRY, Links ); RemoveEntryList( &pCommand->Links ); if ( !pCommand->pMsg->WaitForReply ) { ASSERT( pCommand->Event == NULL ); MemFree( pCommand ); } else { pCommand->Links.Flink = NULL; pCommand->pMsg->ReturnedStatus = STATUS_CTX_WINSTATION_BUSY; NtSetEvent( pCommand->Event, NULL ); } } // // close CsrStartEvent // if (pWinStation->CsrStartEventHandle != NULL) { NtClose(pWinStation->CsrStartEventHandle); } // // close hReconnectReadyEvent // if (pWinStation->hReconnectReadyEvent != NULL) { NtClose(pWinStation->hReconnectReadyEvent); } /* * Force initial program to exit if it hasn't already */ if ( pWinStation->InitialCommandProcess ) { DWORD WaitStatus; /* * If initial program has already exited, then we can skip this */ WaitStatus = WaitForSingleObject( pWinStation->InitialCommandProcess, 0 ); if ( WaitStatus != 0 ) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Terminating initial command, LogonId=%d\n", pWinStation->LogonId )); // // if we are asked to terminate winstation that initiated the shutdown // there is no point in sending SMWinStationExitWindows to this window, as its // winlogons main thread is already busy waiting for this (RpcWinStationShutdownSystem) lpc //. if (!ShutDownFromSessionID || ShutDownFromSessionID != pWinStation->LogonId) { /* * Tell the WinStation to logoff */ msg.ApiNumber = SMWinStationExitWindows; msg.u.ExitWindows.Flags = EWX_LOGOFF | EWX_FORCE; Status = SendWinStationCommand( pWinStation, &msg, 10 ); if ( NT_SUCCESS( Status ) && ( pWinStation->InitialCommandProcess != NULL ) ) { ULONG i; if ( ShutDownFromSessionID ) Timeout = RtlEnlargedIntegerMultiply( 1, -10000 ); else Timeout = RtlEnlargedIntegerMultiply( 2000, -10000 ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Waiting for InitialCommand (ID=0x%x) to exit\n", pWinStation->InitialCommandProcessId )); for ( i = 0; i < gLogoffTimeout; i++ ) { HANDLE CommandHandle = pWinStation->InitialCommandProcess; UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( CommandHandle, FALSE, &Timeout ); RelockWinStation( pWinStation ); if ( Status == STATUS_SUCCESS ) break; TRACE((hTrace,TC_ICASRV,TT_API1, "." )); } TRACE((hTrace,TC_ICASRV,TT_API1, "\nTERMSRV: Wait for InitialCommand to exit, Status=0x%x\n", Status )); } } else { // we are not going to have to terminate winlogon for the session that initiated shutdown. Status = STATUS_UNSUCCESSFUL; } /* * If unable to connect to the WinStation, then we must use * the brute force method - just terminate the initial command. */ if ( ( Status != STATUS_SUCCESS ) && ( pWinStation->InitialCommandProcess != NULL ) ) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Waiting for InitialCommand to terminate\n" )); Status = TerminateProcessAndWait( pWinStation->InitialCommandProcessId, pWinStation->InitialCommandProcess, 120 ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(( "TERMSRV: InitialCommand failed to terminate, Status=%x\n", Status )); /* * We can fail terminating initial process if it is waiting * for a user validation in the Hard Error popup. In this case it is * Ok to proceceed as sending SMWinStationTerminate message bellow * will trigger Win32k cleanup code that will dismiss the popup. */ ASSERT(pWinStation->WindowsSubSysProcess); } } } } /* * Now check to see if there are any remaining processes in * the system other than CSRSS with this SessionId. If so, terminate them now. */ for (i = 0 ; i < 45; i++) { ULONG NumTerminated = 0; AllExited = WinStationTerminateProcesses( pWinStation, &NumTerminated ); /* * If we found any processes other than CSRSS that had to be terminated, we * have to re-enumerate all the process and make sure that no new processes * in this session were created in the windows between the call to NtQuerySystemInformation * and terminating all the found processes. If we only find CSRSS we don't have to * re-enumerate since CSRSS does not create any processes. */ if (AllExited && (NumTerminated == 0)) { break; } /* * This is a hack to give enough time to processess to terminate */ Sleep(2*1000); } if (pWinStation->WindowsSubSysProcess) { /* * Send terminate message to this subsystem */ msg.ApiNumber = SMWinStationTerminate; /* * We used to not wait for this. However, if the reverse LPC is * hung, the CSR is not going to exit anyway and we don't want * to silently forget about the WinStation. (It takes up memory.) * * Also, if we kill the thread prematurely W32 is never going to exit. */ Status = SendWinStationCommand( pWinStation, &msg, -1 ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Call to SMWinStationTerminate returned Status=0x%x\n", Status)); if ((Status != STATUS_SUCCESS) && (Status != STATUS_CTX_CLOSE_PENDING) ) { SetRefLockDeleteProc(&pWinStation->Lock, WinStationZombieProc); } /* * Now check to see if there are any remaining processes in * the system other than CSRSS with this SessionId. If so, terminate them now. */ for (i = 0 ; i < 45; i++) { ULONG NumTerminated = 0; AllExited = WinStationTerminateProcesses( pWinStation, &NumTerminated ); /* * If we found any processes other than CSRSS that had to be terminated, we * have to re-enumerate all the process and make sure that no new processes * in this session were created in the windows between the call to NtQuerySystemInformation * and terminating all the found processes. If we only find CSRSS we don't have to * re-enumerate since CSRSS does not create any processes. */ if (AllExited && (NumTerminated == 0)) { break; } /* * This is a hack to give enough time to processess to terminate */ Sleep(2*1000); } /* * Force the windows subsystem to exit. Only terminate CSRSS it all other processes * have terminated */ if ( AllExited ) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: All process exited in Session %d\n",pWinStation->LogonId )); /* * Wait for the subsystem to exit */ if ( NT_SUCCESS(Status) || ( Status == STATUS_CTX_WINSTATION_BUSY ) || (Status == STATUS_CTX_CLOSE_PENDING ) ) { ASSERT(!(pWinStation->Flags & WSF_LISTEN)); // ENTERCRIT( &WinStationStartCsrLock ); // Status = SmStopCsr( IcaSmApiPort, // pWinStation->LogonId ); // LEAVECRIT( &WinStationStartCsrLock ); // DBGPRINT(( "TERMSRV: SmStopCsr on CSRSS for Session=%d returned Status=%x\n", // pWinStation->LogonId, Status )); // // ASSERT(NT_SUCCESS(Status)); // if (!NT_SUCCESS(Status)) { // DBGPRINT(( "TERMSRV: SmStopCsr Failed for Session=%d returned Status=%x\n", // pWinStation->LogonId, Status )); // DbgBreakPoint(); //} } } else { DBGPRINT(("TERMSRV: Did not terminate all the session processes\n")); SetRefLockDeleteProc(&pWinStation->Lock, WinStationZombieProc); // DbgBreakPoint(); } } } /******************************************************************************* * WinStationTerminateProcesses * * Terminate all processes executing on the specified WinStation ******************************************************************************/ BOOL WinStationTerminateProcesses( PWINSTATION pWinStation, ULONG *pNumTerminated) { PCHAR pBuffer; ULONG ByteCount; NTSTATUS Status; PSYSTEM_PROCESS_INFORMATION ProcessInfo; UNICODE_STRING CsrssName; UNICODE_STRING NtsdName; BOOL retval = TRUE; WCHAR ProcessName[MAX_PATH]; SYSTEM_SESSION_PROCESS_INFORMATION SessionProcessInfo; ULONG retlen = 0; ByteCount = 32 * 1024; *pNumTerminated = 0; SessionProcessInfo.SessionId = pWinStation->LogonId; for ( ; ; ) { if ( (pBuffer = MemAlloc( ByteCount )) == NULL ) return (FALSE); SessionProcessInfo.Buffer = pBuffer; SessionProcessInfo.SizeOfBuf = ByteCount; /* * get process info */ Status = NtQuerySystemInformation( SystemSessionProcessInformation, &SessionProcessInfo, sizeof(SessionProcessInfo), &retlen ); if ( NT_SUCCESS( Status ) ) break; /* * Make sure buffer is big enough */ MemFree( pBuffer ); if ( Status != STATUS_INFO_LENGTH_MISMATCH ) return (FALSE); ByteCount *= 2; } if (retlen == 0) { MemFree(pBuffer); return TRUE; } RtlInitUnicodeString(&CsrssName,L"CSRSS"); ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer; for ( ; ; ) { HANDLE ProcessHandle; CLIENT_ID ClientId; OBJECT_ATTRIBUTES ObjA; if (RtlPrefixUnicodeString(&CsrssName,&(ProcessInfo->ImageName),TRUE)) { if (ProcessInfo->NextEntryOffset == 0) break; ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((ULONG_PTR)ProcessInfo + ProcessInfo->NextEntryOffset); continue; } RtlInitUnicodeString(&NtsdName,L"ntsd"); if (! RtlPrefixUnicodeString(&NtsdName,&(ProcessInfo->ImageName),TRUE) ) { // If we found any process other than CSRSS and ntsd.exe, bump the // the count (*pNumTerminated) += 1; } /* * Found a process with a matching LogonId. * Attempt to open the process and terminate it. */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateProcesses, found processid 0x%x for LogonId %d\n", ProcessInfo->UniqueProcessId, ProcessInfo->SessionId )); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Process Name %ws for LogonId %d\n", ProcessInfo->ImageName.Buffer, ProcessInfo->SessionId )); ClientId.UniqueThread = 0; ClientId.UniqueProcess = (HANDLE)ProcessInfo->UniqueProcessId; InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL ); Status = NtOpenProcess( &ProcessHandle, PROCESS_ALL_ACCESS, &ObjA, &ClientId ); if (!NT_SUCCESS(Status)) { DBGPRINT(("TERMSRV: Unable to open processid 0x%x, status=0x%x\n", ProcessInfo->UniqueProcessId, Status )); retval = FALSE; } else { Status = TerminateProcessAndWait( ProcessInfo->UniqueProcessId, ProcessHandle, 60 ); NtClose( ProcessHandle ); if ( Status != STATUS_SUCCESS ) { DBGPRINT(("TERMSRV: Unable to terminate processid 0x%x, status=0x%x\n", ProcessInfo->UniqueProcessId, Status )); retval = FALSE; } } if ( ProcessInfo->NextEntryOffset == 0 ) break; ProcessInfo = (PSYSTEM_PROCESS_INFORMATION) ((ULONG_PTR)ProcessInfo + ProcessInfo->NextEntryOffset); } /* * free buffer */ MemFree( pBuffer ); return retval; } /******************************************************************************* * WinStationDeleteWorker * * Delete a WinStation. ******************************************************************************/ VOID WinStationDeleteWorker(PWINSTATION pWinStation) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationDeleteWorker, %S (LogonId=%d)\n", pWinStation->WinStationName, pWinStation->LogonId )); /* * If this is the last reference, then * Initial program and all subsystems should be terminated by now. */ ENTERCRIT( &WinStationListLock ); ASSERT( (pWinStation->Links.Flink != NULL) && (pWinStation->Links.Blink != NULL)); RemoveEntryList( &pWinStation->Links ); #if DBG pWinStation->Links.Flink = pWinStation->Links.Blink = NULL; #endif // Keep track of total session count for Load Balancing Indicator but don't // track listen winstations if (!(pWinStation->Flags & WSF_LISTEN)) WinStationTotalCount--; // If we're resetting a disconnected session then adjust LB counter if (pWinStation->State == State_Disconnected) { WinStationDiscCount--; } LEAVECRIT( &WinStationListLock ); /* * Unlock WinStation and delete it */ DeleteRefLock( &pWinStation->Lock ); /* * Notify clients of deletion */ NotifySystemEvent( WEVENT_DELETE ); } /******************************************************************************* * WinStationDeleteProc * * Delete the WinStation containing the specified RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock of WinStation to delete ******************************************************************************/ VOID WinStationDeleteProc(PREFLOCK pLock) { PWINSTATION pWinStation; ICA_TRACE IcaTrace; NTSTATUS Status = STATUS_SUCCESS; /* * See if we need to wakeup IdleControlThread to maintain Console session */ if ((USER_SHARED_DATA->ActiveConsoleId == -1) && (gConsoleCreationDisable == 0) ) { NtSetEvent(WinStationIdleControlEvent, NULL); } /* * Get a pointer to the containing WinStation */ pWinStation = CONTAINING_RECORD( pLock, WINSTATION, Lock ); /* * Release filtered address */ if (pWinStation->pRememberedAddress != NULL) { Filter_RemoveOutstandingConnection( &pWinStation->pRememberedAddress->addr[0], pWinStation->pRememberedAddress->length ); MemFree(pWinStation->pRememberedAddress); pWinStation->pRememberedAddress = NULL; if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect ) { if (hConnectEvent != NULL) { SetEvent(hConnectEvent); } } } /* * Release last remote ip address */ if( pWinStation->pLastClientAddress != NULL ) { MemFree( pWinStation->pLastClientAddress ); pWinStation->pLastClientAddress = NULL; } /* * If this hasn't yet been cleaned up do it now. */ if (pWinStation->ConnectEvent) { NtClose( pWinStation->ConnectEvent ); pWinStation->ConnectEvent = NULL; } if (pWinStation->CreateEvent) { NtClose( pWinStation->CreateEvent ); pWinStation->CreateEvent = NULL; } if (pWinStation->SessionInitializedEvent) { CloseHandle(pWinStation->SessionInitializedEvent); pWinStation->SessionInitializedEvent = NULL; } /* * In the case where we timed out disconnecting the session we had * to delay the stack unload till here to avoid situation where Win32k * Display driver believe the session is still connected while the WD * is already unloaded. */ if ( pWinStation->hStack && (pWinStation->StateFlags & WSF_ST_DELAYED_STACK_TERMINATE) ) { pWinStation->StateFlags &= ~WSF_ST_DELAYED_STACK_TERMINATE; /* * Close the connection endpoint, if any */ if ( pWinStation->pEndpoint ) { /* * First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation ); IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; } IcaStackTerminate( pWinStation->hStack ); } /* close cdm */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmDisconnect ) { pWinStation->pWsx->pWsxCdmDisconnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); } /* * Call WinStation rundown function before killing the stack */ if ( pWinStation->pWsxContext ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; } /* * Close ICA stack and device handles */ if ( pWinStation->hStack ) { IcaStackClose( pWinStation->hStack ); pWinStation->hStack = NULL; } if ( pWinStation->hIca ) { /* close trace */ memset( &IcaTrace, 0, sizeof(IcaTrace) ); (void) IcaIoControl( pWinStation->hIca, IOCTL_ICA_SET_TRACE, &IcaTrace, sizeof(IcaTrace), NULL, 0, NULL ); /* close handle */ IcaClose( pWinStation->hIca ); pWinStation->hIca = NULL; } /* * Close various ICA channel handles */ if ( pWinStation->hIcaBeepChannel ) { (void) IcaChannelClose( pWinStation->hIcaBeepChannel ); pWinStation->hIcaBeepChannel = NULL; } if ( pWinStation->hIcaThinwireChannel ) { (void) IcaChannelClose( pWinStation->hIcaThinwireChannel ); pWinStation->hIcaThinwireChannel = NULL; } if ( pWinStation->hConnectThread ) { NtClose( pWinStation->hConnectThread ); pWinStation->hConnectThread = NULL; } /* * Free security structures */ WinStationFreeSecurityDescriptor( pWinStation ); if ( pWinStation->pUserSid ) { pWinStation->pProfileSid = pWinStation->pUserSid; pWinStation->pUserSid = NULL; } if (pWinStation->pProfileSid) { WinstationUnloadProfile(pWinStation); MemFree( pWinStation->pProfileSid ); pWinStation->pProfileSid = NULL; } /* * Cleanup UserToken */ if ( pWinStation->UserToken ) { NtClose( pWinStation->UserToken ); pWinStation->UserToken = NULL; } if (pWinStation->LogonId > 0) { ENTERCRIT( &WinStationStartCsrLock ); Status = SmStopCsr( IcaSmApiPort, pWinStation->LogonId ); LEAVECRIT( &WinStationStartCsrLock ); } // Clean up the New Client Credentials struct for Long UserName if (pWinStation->pNewClientCredentials != NULL) { MemFree(pWinStation->pNewClientCredentials); pWinStation->pNewClientCredentials = NULL; } // Clean up the updated Notification Credentials if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; } /* * Close the handles to the initial command process and sub-system process here. */ if (pWinStation->WindowsSubSysProcess) { NtClose( pWinStation->WindowsSubSysProcess ); pWinStation->WindowsSubSysProcess = NULL; } // Close the InitialCommandProcess if (pWinStation->InitialCommandProcess) { NtClose( pWinStation->InitialCommandProcess ); pWinStation->InitialCommandProcess = NULL; } /* * Cleanup licensing context */ LCDestroyContext(pWinStation); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: SmStopCsr on CSRSS for Session=%d returned Status=%x\n", pWinStation->LogonId, Status )); ASSERT(NT_SUCCESS(Status)); if (!NT_SUCCESS(Status)) { DBGPRINT(( "TERMSRV: SmStopCsr Failed for Session=%d returned Status=%x\n", pWinStation->LogonId, Status )); // DbgBreakPoint(); ENTERCRIT( &WinStationZombieLock ); InsertTailList( &ZombieListHead, &pWinStation->Links ); LEAVECRIT( &WinStationZombieLock ); return; } /* * Zero WinStation name buffer */ RtlZeroMemory( pWinStation->WinStationName, sizeof(pWinStation->WinStationName) ); MemFree( pWinStation ); } /******************************************************************************* * WinStationZombieProc * * Puts WinStation containing the specified RefLock in the zombie list. * * ENTRY: * pLock (input) * Pointer to RefLock of WinStation to delete ******************************************************************************/ VOID WinStationZombieProc(PREFLOCK pLock) { PWINSTATION pWinStation; pWinStation = CONTAINING_RECORD( pLock, WINSTATION, Lock ); ENTERCRIT( &WinStationZombieLock ); InsertTailList( &ZombieListHead, &pWinStation->Links ); LEAVECRIT( &WinStationZombieLock ); } /******************************************************************************* * CopyReconnectInfo * * * ENTRY: ******************************************************************************/ BOOL CopyReconnectInfo(PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo) { NTSTATUS Status; RtlZeroMemory( pReconnectInfo, sizeof(*pReconnectInfo) ); /* * Save WinStation name and configuration data. */ RtlCopyMemory( pReconnectInfo->WinStationName, pWinStation->WinStationName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( pReconnectInfo->ListenName, pWinStation->ListenName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( pReconnectInfo->ProtocolName, pWinStation->ProtocolName, sizeof(pWinStation->ProtocolName) ); RtlCopyMemory( pReconnectInfo->DisplayDriverName, pWinStation->DisplayDriverName, sizeof(pWinStation->DisplayDriverName) ); pReconnectInfo->Config = pWinStation->Config; pReconnectInfo->Client = pWinStation->Client; /* * Open a new TS connection to temporarily attach the stack to. */ Status = IcaOpen( &pReconnectInfo->hIca ); if (Status != STATUS_SUCCESS ) { return FALSE; } Status = IcaStackDisconnect( pWinStation->hStack, pReconnectInfo->hIca, NULL ); if ( !NT_SUCCESS( Status ) ){ IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL; return FALSE; } /* * Save stack and endpoint data */ pReconnectInfo->hStack = pWinStation->hStack; pReconnectInfo->pEndpoint = pWinStation->pEndpoint; pReconnectInfo->EndpointLength = pWinStation->EndpointLength; /* * Indicate no stack or connection endpoint for this WinStation */ pWinStation->hStack = NULL; pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; /* * Reopen a stack for this WinStation */ Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); /* * Save the licensing stuff to move to other winstation */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxDuplicateContext ) { pReconnectInfo->pWsx = pWinStation->pWsx; pWinStation->pWsx->pWsxDuplicateContext( pWinStation->pWsxContext, &pReconnectInfo->pWsxContext ); } /* * Copy console owner info */ pReconnectInfo->fOwnsConsoleTerminal = pWinStation->fOwnsConsoleTerminal; /* * Copy the notification Credentials to move to other winstation */ if (pWinStation->pNewNotificationCredentials) { pReconnectInfo->pNotificationCredentials = pWinStation->pNewNotificationCredentials; } else { pReconnectInfo->pNotificationCredentials = NULL; } /* * Copy the remote client ip address to move to the other winstation */ if( pReconnectInfo->pRememberedAddress != NULL ) { MemFree( pReconnectInfo->pRememberedAddress ); pReconnectInfo->pRememberedAddress = NULL; } if( pWinStation->pLastClientAddress != NULL ) { pReconnectInfo->pRememberedAddress = ( PREMEMBERED_CLIENT_ADDRESS )MemAlloc( sizeof( REMEMBERED_CLIENT_ADDRESS ) + pWinStation->pLastClientAddress->length - 1); if( pReconnectInfo->pRememberedAddress != NULL ) { RtlCopyMemory( &pReconnectInfo->pRememberedAddress->addr[0] , &pWinStation->pLastClientAddress->addr[0] , pWinStation->pLastClientAddress->length ); pReconnectInfo->pRememberedAddress->length = pWinStation->pLastClientAddress->length; } } return TRUE; } /******************************************************************************* * WinStationDoDisconnect * * Send disconnect message to a WinStation and optionally close connection * * ENTRY: * pWinStation (input) * Pointer to WinStation to disconnect * pReconnectInfo (input) OPTIONAL * Pointer to RECONNECT_INFO buffer * If NULL, this is a terminate disconnect. * * EXIT: * STATUS_SUCCESS - if successful * STATUS_CTX_WINSTATION_BUSY - if session is already disconnected, or busy ******************************************************************************/ NTSTATUS WinStationDoDisconnect( PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo, BOOLEAN bSyncNotify) { WINSTATION_APIMSG DisconnectMsg; NTSTATUS Status; ULONG ulTimeout; BOOLEAN fOwnsConsoleTerminal = pWinStation->fOwnsConsoleTerminal; FILETIME DiscTime; DWORD SessionID; BOOLEAN bInformSessionDirectory = FALSE; TS_AUTORECONNECTINFO SCAutoReconnectInfo; ULONG BytesGot; BOOLEAN noTimeOutForConsoleOrSession0; // We need to prevent from WinStationDoDisconnect being called twice if ( pWinStation->State == State_Disconnected || pWinStation->StateFlags & WSF_ST_IN_DISCONNECT) { // The session is already disconnected. // BUBUG a specific error code STATUS_CTX_SESSION_DICONNECTED would be better. return (STATUS_CTX_WINSTATION_BUSY); } pWinStation->StateFlags |= WSF_ST_IN_DISCONNECT; // console session or session0 behave like the physical console, they are special, no time out. noTimeOutForConsoleOrSession0 = ( pWinStation->LogonId == 0 ) || (pWinStation->LogonId == (USER_SHARED_DATA->ActiveConsoleId) ); if (! noTimeOutForConsoleOrSession0 ) { /* * Start disconnect timer if enabled */ if ( ulTimeout = pWinStation->Config.Config.User.MaxDisconnectionTime ) { if ( !pWinStation->fDisconnectTimer ) { Status = IcaTimerCreate( 0, &pWinStation->hDisconnectTimer ); if ( NT_SUCCESS( Status ) ) pWinStation->fDisconnectTimer = TRUE; else DBGPRINT(("xxxWinStationDisconnect - failed to create timer \n")); } if ( pWinStation->fDisconnectTimer ) IcaTimerStart( pWinStation->hDisconnectTimer, DisconnectTimeout, LongToPtr( pWinStation->LogonId ), ulTimeout ); } } /* * Stop any shadowing for this WinStation */ WinStationStopAllShadows( pWinStation ); /* * Tell Win32k about the disconnect */ if (pWinStation->StateFlags & WSF_ST_CONNECTED_TO_CSRSS) { DisconnectMsg.ApiNumber = SMWinStationDoDisconnect; DisconnectMsg.u.DoDisconnect.ConsoleShadowFlag = FALSE; Status = SendWinStationCommand( pWinStation, &DisconnectMsg, 600 ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR DoDisconnect failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); goto badwin32disconnect; } else { ULONG WaitTime = 0; /* * Tell csrss to notify winlogon for the disconnect. */ if (pWinStation->UserName[0] != L'\0') { DisconnectMsg.WaitForReply = TRUE; WaitTime = 10; } else { DisconnectMsg.WaitForReply = FALSE; } DisconnectMsg.ApiNumber = SMWinStationNotify; if (bSyncNotify) { DisconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_SyncDisconnect; } else { DisconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_Disconnect; } Status = SendWinStationCommand( pWinStation, &DisconnectMsg, WaitTime ); pWinStation->StateFlags &= ~WSF_ST_CONNECTED_TO_CSRSS; pWinStation->fOwnsConsoleTerminal = FALSE; } } /* * close cdm */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmDisconnect ) { pWinStation->pWsx->pWsxCdmDisconnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); } /* * If a reconnect info struct has been specified, then this is NOT * a terminate disconnect. Save the current WinStation name, * WinStation and client configuration info, and license data. * Also disconnect the current stack and save the stack handle * and connection endpoint data. */ if ( pReconnectInfo || fOwnsConsoleTerminal) { if ((pReconnectInfo == NULL) && fOwnsConsoleTerminal) { pReconnectInfo = &ConsoleReconnectInfo; if (ConsoleReconnectInfo.hIca) { CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); } } if (!CopyReconnectInfo(pWinStation, pReconnectInfo)) { Status = STATUS_UNSUCCESSFUL; goto badstackopen; } /* * Copy console owner info */ pReconnectInfo->fOwnsConsoleTerminal = fOwnsConsoleTerminal; /* * This is a terminate disconnect. * If there is a connection endpoint, then close it now. */ } else if (pWinStation->pEndpoint ) { /* * First grab any autoreconnect info state and save it * in the winstation */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - grabbing SC autoreconnect from stack\n")); if (pWinStation->pWsx && pWinStation->pWsx->pWsxEscape) { Status = pWinStation->pWsx->pWsxEscape( pWinStation->pWsxContext, GET_SC_AUTORECONNECT_INFO, NULL, 0, &SCAutoReconnectInfo, sizeof(SCAutoReconnectInfo), &BytesGot); if (NT_SUCCESS(Status)) { // // Valid the length of the SC info and save it into the winstation // this will be used later on. We need to grab the info now // before the stack handle is closed as we won't be able to IOCTL // down to the stack at autoreconnect time. // if (SCAutoReconnectInfo.cbAutoReconnectInfo == sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - got SC ARC from stack\n")); pWinStation->AutoReconnectInfo.Valid = TRUE; memcpy(&pWinStation->AutoReconnectInfo.ArcRandomBits, &SCAutoReconnectInfo.AutoReconnectInfo, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)); } else { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: Disconnecting - got invalid len SC ARC from stack\n")); ResetAutoReconnectInfo(pWinStation); } } else { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: Disconnecting - did not get SC ARC from stack\n")); ResetAutoReconnectInfo(pWinStation); } } /* * First notify Wsx that connection is going away */ WsxBrokenConnection( pWinStation ); if (pWinStation->hStack != NULL) { Status = IcaStackConnectionClose( pWinStation->hStack, &pWinStation->Config, pWinStation->pEndpoint, pWinStation->EndpointLength ); ASSERT( NT_SUCCESS(Status) ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: StackConnectionClose failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); } } MemFree( pWinStation->pEndpoint ); pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; /* * Close the stack and reopen it. * What we really need is a function to unload the stack drivers * but leave the stack handle open. */ if (pWinStation->hStack != NULL) { Status = IcaStackClose( pWinStation->hStack ); ASSERT( NT_SUCCESS( Status ) ); pWinStation->hStack = NULL; } Status = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); /* * Since this is a terminate disconnect, clear all client * license data and indicate it no longer holds a license. */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxClearContext ) { pWinStation->pWsx->pWsxClearContext( pWinStation->pWsxContext ); } /* * Session 0, we want to get rid of any protocol extension so that next remote * connection could happen with a different protocol. */ if (pWinStation->LogonId == 0 ) { if ( pWinStation->pWsxContext ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; } pWinStation->pWsx = NULL; pWinStation->Client.ProtocolType = PROTOCOL_CONSOLE; } } /* * Cancel timers */ if ( pWinStation->fIdleTimer ) { pWinStation->fIdleTimer = FALSE; IcaTimerClose( pWinStation->hIdleTimer ); } if ( pWinStation->fLogonTimer ) { pWinStation->fLogonTimer = FALSE; IcaTimerClose( pWinStation->hLogonTimer ); } // Send Audit Information only for actual disconnects if (pWinStation->UserName && (wcslen(pWinStation->UserName) > 0)) { AuditEvent( pWinStation, SE_AUDITID_SESSION_DISCONNECTED ); } // before we change state to disconnect, we want to give repopulating thread // enough time to pick up winstation/report to SD, then this thread // can notify SD to change state to disconnect. // wait here before we ENTERCRIT() because repopulate thread // also doing the same sequence. if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { SessDirWaitForRepopulate(); } { ENTERCRIT( &WinStationListLock ); (VOID) NtQuerySystemTime( &pWinStation->DisconnectTime ); if ((pWinStation->State == State_Active) || (pWinStation->State == State_Shadow)) { // If the session was active or in a shadow state and is being // disconnected... // // Copy off the session ID and disconnection FileTime for the // session directory call below. We do not want to hold locks when // calling the directory interface. memcpy(&DiscTime, &pWinStation->DisconnectTime, sizeof(DiscTime)); SessionID = pWinStation->LogonId; // Set flag that we need to notify the session directory. bInformSessionDirectory = TRUE; } pWinStation->State = State_Disconnected; RtlZeroMemory( pWinStation->WinStationName, sizeof(pWinStation->WinStationName) ); RtlZeroMemory( pWinStation->ListenName, sizeof(pWinStation->ListenName) ); // Keep track of disconnected session count for Load Balancing // Indicator. WinStationDiscCount++; LEAVECRIT( &WinStationListLock ); NotifySystemEvent( WEVENT_DISCONNECT | WEVENT_STATECHANGE ); } // Call the session directory to inform of the disconnection. if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && bInformSessionDirectory) SessDirNotifyDisconnection(SessionID, DiscTime); TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoDisconnect, rc=0x0\n" )); Status = NotifyDisconnect(pWinStation, fOwnsConsoleTerminal); if ( !NT_SUCCESS(Status) ) { DBGPRINT(("NotifyConsoleDisconnect failed, SessionId = %d, Status = " "%d", pWinStation->LogonId, Status)); } pWinStation->StateFlags &= ~WSF_ST_IN_DISCONNECT; return STATUS_SUCCESS; /*============================================================================= == Error returns =============================================================================*/ badstackopen: badwin32disconnect: TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoDisconnect, rc=0x%x\n", Status )); pWinStation->StateFlags &= ~WSF_ST_IN_DISCONNECT; return Status; } /******************************************************************************* * ImperonateClient * * Giving a client primary, make the calling thread impersonate the client * * ENTRY: * ClientToken (input) * A client primary token * pImpersonationToken (output) * Pointer to an impersonation token ******************************************************************************/ NTSTATUS _ImpersonateClient(HANDLE ClientToken, HANDLE *pImpersonationToken) { SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; OBJECT_ATTRIBUTES ObjA; NTSTATUS Status; // // ClientToken is a primary token - create an impersonation token // version of it so we can set it on our thread // InitializeObjectAttributes( &ObjA, NULL, 0L, NULL, NULL ); SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation; SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING; SecurityQualityOfService.EffectiveOnly = FALSE; ObjA.SecurityQualityOfService = &SecurityQualityOfService; Status = NtDuplicateToken( ClientToken, TOKEN_IMPERSONATE, &ObjA, FALSE, TokenImpersonation, pImpersonationToken ); if ( !NT_SUCCESS( Status ) ) { TRACE( ( hTrace, TC_ICASRV, TT_ERROR, "ImpersonateClient: cannot get impersonation token: 0x%x\n", Status ) ); return( Status ); } // // Impersonate the client // Status = NtSetInformationThread( NtCurrentThread(), ThreadImpersonationToken, ( PVOID )pImpersonationToken, ( ULONG )sizeof( HANDLE ) ); if ( !NT_SUCCESS( Status ) ) { TRACE( ( hTrace, TC_ICASRV, TT_ERROR, "ImpersonateClient: cannot impersonate client: 0x%x\n", Status ) ); } return Status; } /******************************************************************************* * WinStationDoReconnect * * Send connect Api message to a WinStation. * * ENTRY: * pWinStation (input) * Pointer to WinStation to connect * pReconnectInfo (input) * Pointer to RECONNECT_INFO buffer ******************************************************************************/ NTSTATUS WinStationDoReconnect( PWINSTATION pWinStation, PRECONNECT_INFO pReconnectInfo) { WINSTATION_APIMSG ReconnectMsg; NTSTATUS Status; BOOLEAN fDisableCdm; BOOLEAN fDisableCpm; BOOLEAN fDisableLPT; BOOLEAN fDisableCcm; BOOLEAN fDisableClip; SHADOWCLASS Shadow; NTSTATUS TempStatus; PWINSTATIONCONFIG2 pCurConfig = NULL; PWINSTATIONCLIENT pCurClient = NULL; // WinStation should not currently be connected ASSERT( pWinStation->pEndpoint == NULL ); // Mark that Reconnect is still pending for this winstation pWinStation->fReconnectPending = TRUE; // Check if we r going to reconnect a session to the Console - this Flag is used in SendWinStationCommand pWinStation->fReconnectingToConsole = pReconnectInfo->fOwnsConsoleTerminal ; // Save the shadow state Shadow = pWinStation->Config.Config.User.Shadow; // // Allocate and initialize CurConfig struct // if ( (pCurConfig = MemAlloc( sizeof(WINSTATIONCONFIG2) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pCurConfig, sizeof(WINSTATIONCONFIG2) ); // // Allocate and initialize CurClient struct // if ( (pCurClient = MemAlloc( sizeof(WINSTATIONCLIENT) )) == NULL ) { Status = STATUS_NO_MEMORY; goto nomem; } RtlZeroMemory( pCurClient, sizeof(WINSTATIONCLIENT) ); // // Config info has to be set prior to calling CSRSS. CSRSS notifies winlogon // which in turn sends reconnect messages to notification dlls. We query // protocol info from termsrv notification dll which is stored in config // data // *pCurConfig = pWinStation->Config; pWinStation->Config = pReconnectInfo->Config; *pCurClient = pWinStation->Client; pWinStation->Client = pReconnectInfo->Client; if ((pWinStation->LogonId == 0) && (pWinStation->UserName[0] == L'\0')) { ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = TRUE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_PreReconnect; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 60 ); } /* * Unconditionally, we will send the PreReconnectDesktopSwitch event. */ ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = TRUE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_PreReconnectDesktopSwitch; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 60 ); /* * Close the current stack and reconnect the saved stack to this WinStation */ if (pWinStation->hStack != NULL) { IcaStackClose( pWinStation->hStack ); pWinStation->hStack = NULL; } Status = IcaStackReconnect( pReconnectInfo->hStack, pWinStation->hIca, pWinStation, pWinStation->LogonId ); if ( !NT_SUCCESS( Status ) ){ pWinStation->Config = *pCurConfig; pWinStation->Client = *pCurClient; goto badstackreconnect; } /* * Save stack and endpoint data */ pWinStation->hStack = pReconnectInfo->hStack; pWinStation->pEndpoint = pReconnectInfo->pEndpoint; pWinStation->EndpointLength = pReconnectInfo->EndpointLength; /* * Save the notification Credentials in the new winstation */ if (pReconnectInfo->pNotificationCredentials) { if (pWinStation->pNewNotificationCredentials == NULL) { pWinStation->pNewNotificationCredentials = MemAlloc(sizeof(CLIENTNOTIFICATIONCREDENTIALS)); if (pWinStation->pNewNotificationCredentials == NULL) { Status = STATUS_NO_MEMORY ; goto nomem ; } } RtlCopyMemory( pWinStation->pNewNotificationCredentials->Domain, pReconnectInfo->pNotificationCredentials->Domain, sizeof(pReconnectInfo->pNotificationCredentials->Domain) ); RtlCopyMemory( pWinStation->pNewNotificationCredentials->UserName, pReconnectInfo->pNotificationCredentials->UserName, sizeof(pReconnectInfo->pNotificationCredentials->UserName) ); } else { pWinStation->pNewNotificationCredentials = NULL; } pReconnectInfo->hStack = NULL; pReconnectInfo->pEndpoint = NULL; pReconnectInfo->EndpointLength = 0; pReconnectInfo->pNotificationCredentials = NULL; /* * Copy remote ip to winstation */ if( pWinStation->pLastClientAddress != NULL ) { MemFree( pWinStation->pLastClientAddress ); pWinStation->pLastClientAddress = NULL; } if( pReconnectInfo->pRememberedAddress != NULL ) { pWinStation->pLastClientAddress = pReconnectInfo->pRememberedAddress; pReconnectInfo->pRememberedAddress = NULL; } /* * Tell Win32k about the reconnect */ ReconnectMsg.ApiNumber = SMWinStationDoReconnect; ReconnectMsg.u.DoReconnect.fMouse = (BOOLEAN)pReconnectInfo->Client.fMouse; ReconnectMsg.u.DoReconnect.fClientDoubleClickSupport = (BOOLEAN)pReconnectInfo->Client.fDoubleClickDetect; ReconnectMsg.u.DoReconnect.fEnableWindowsKey = (BOOLEAN)pReconnectInfo->Client.fEnableWindowsKey; RtlCopyMemory( ReconnectMsg.u.DoReconnect.WinStationName, pReconnectInfo->WinStationName, sizeof(WINSTATIONNAME) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.AudioDriverName, pReconnectInfo->Client.AudioDriverName, sizeof( ReconnectMsg.u.DoReconnect.AudioDriverName ) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.DisplayDriverName, pReconnectInfo->DisplayDriverName, sizeof( ReconnectMsg.u.DoReconnect.DisplayDriverName ) ); RtlCopyMemory( ReconnectMsg.u.DoReconnect.ProtocolName, pReconnectInfo->ProtocolName, sizeof( ReconnectMsg.u.DoReconnect.ProtocolName ) ); /* * Set the display resolution information in the message for reconnection */ ReconnectMsg.u.DoReconnect.HRes = pReconnectInfo->Client.HRes; ReconnectMsg.u.DoReconnect.VRes = pReconnectInfo->Client.VRes; ReconnectMsg.u.DoReconnect.ProtocolType = pReconnectInfo->Client.ProtocolType; ReconnectMsg.u.DoReconnect.fDynamicReconnect = (BOOLEAN)(pWinStation->Config.Wd.WdFlag & WDF_DYNAMIC_RECONNECT ); /* * Translate the color to the format excpected in winsrv */ switch (pReconnectInfo->Client.ColorDepth) { case 1: ReconnectMsg.u.DoReconnect.ColorDepth=4 ; // 16 colors break; case 2: ReconnectMsg.u.DoReconnect.ColorDepth=8 ; // 256 break; case 4: ReconnectMsg.u.DoReconnect.ColorDepth= 16;// 64K break; case 8: ReconnectMsg.u.DoReconnect.ColorDepth= 24;// 16M break; #define DC_HICOLOR #ifdef DC_HICOLOR case 16: ReconnectMsg.u.DoReconnect.ColorDepth= 15;// 32K break; #endif default: ReconnectMsg.u.DoReconnect.ColorDepth=8 ; break; } ReconnectMsg.u.DoReconnect.KeyboardType = pWinStation->Client.KeyboardType; ReconnectMsg.u.DoReconnect.KeyboardSubType = pWinStation->Client.KeyboardSubType; ReconnectMsg.u.DoReconnect.KeyboardFunctionKey = pWinStation->Client.KeyboardFunctionKey; if (pWinStation->LogonId == 0 || g_bPersonalTS) { if (pWinStation->hWinmmConsoleAudioEvent) { if (pWinStation->Client.fRemoteConsoleAudio) { // set the remoting audio on console flag SetEvent(pWinStation->hWinmmConsoleAudioEvent); } else { // don't set the remoting audio on console flag ResetEvent(pWinStation->hWinmmConsoleAudioEvent); } } if ( pWinStation->hRDPAudioDisabledEvent ) { if ( pWinStation->Config.Config.User.fDisableCam ) { SetEvent( pWinStation->hRDPAudioDisabledEvent ); } else { ResetEvent( pWinStation->hRDPAudioDisabledEvent ); } } } if (WaitForSingleObject(pWinStation->hReconnectReadyEvent, 45*1000) != WAIT_OBJECT_0) { DbgPrint("Wait Failed for hReconnectReadyEvent for Session %d\n", pWinStation->LogonId); SetEvent(pWinStation->hReconnectReadyEvent); } Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 600 ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR DoReconnect failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); pWinStation->Config = *pCurConfig; pWinStation->Client = *pCurClient; goto badreconnect; } else { pWinStation->StateFlags |= WSF_ST_CONNECTED_TO_CSRSS; } // // Update protocol and display driver names. // RtlCopyMemory( pWinStation->ProtocolName, pReconnectInfo->ProtocolName, sizeof(pWinStation->ProtocolName) ); RtlCopyMemory( pWinStation->DisplayDriverName, pReconnectInfo->DisplayDriverName, sizeof(pWinStation->DisplayDriverName) ); /* * Copy console owner info */ pWinStation->fOwnsConsoleTerminal = pReconnectInfo->fOwnsConsoleTerminal; // // Set session time zone information. // if(pWinStation->LogonId != 0 && !pWinStation->fOwnsConsoleTerminal && RegIsTimeZoneRedirectionEnabled()) { WINSTATION_APIMSG TimezoneMsg; memset( &TimezoneMsg, 0, sizeof(TimezoneMsg) ); TimezoneMsg.ApiNumber = SMWinStationSetTimeZone; memcpy(&(TimezoneMsg.u.SetTimeZone.TimeZone),&(pReconnectInfo->Client.ClientTimeZone), sizeof(TS_TIME_ZONE_INFORMATION)); SendWinStationCommand( pWinStation, &TimezoneMsg, 600 ); } /* * Close temporary ICA connection that was opened for the reconnect */ IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL; /* * Move all of the licensing stuff to the new WinStation */ /* * we may not have pWsx if the ReconnectInfo is from a session * that was connected to the local console */ if ( pReconnectInfo->pWsxContext ) { if ( pWinStation->pWsx == NULL ) { // // This means that we are reconnecting remotely to a session // that comes from the console. So create a new extension. // pWinStation->pWsx = FindWinStationExtensionDll( pWinStation->Config.Wd.WsxDLL, pWinStation->Config.Wd.WdFlag ); // // Initialize winstation extension context structure // if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationInitialize ) { Status = pWinStation->pWsx->pWsxWinStationInitialize( &pWinStation->pWsxContext); if (!NT_SUCCESS(Status)) { pWinStation->pWsx = NULL; } } if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationReInitialize ) { WSX_INFO WsxInfo; WsxInfo.Version = WSX_INFO_VERSION_1; WsxInfo.hIca = pWinStation->hIca; WsxInfo.hStack = pWinStation->hStack; WsxInfo.SessionId = pWinStation->LogonId; WsxInfo.pDomain = pWinStation->Domain; WsxInfo.pUserName = pWinStation->UserName; Status = pWinStation->pWsx->pWsxWinStationReInitialize( pWinStation->pWsxContext, &WsxInfo ); if (!NT_SUCCESS(Status)) { pWinStation->pWsx = NULL; } } } if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCopyContext ) { pWinStation->pWsx->pWsxCopyContext( pWinStation->pWsxContext, pReconnectInfo->pWsxContext ); } if ( pReconnectInfo->pWsx && pReconnectInfo->pWsx->pWsxWinStationRundown ) { pReconnectInfo->pWsx->pWsxWinStationRundown( pReconnectInfo->pWsxContext ); } pReconnectInfo->pWsxContext = NULL; } else { // pReconnectInfo->pWsxContext == NULL // // This means that we are reconnecting to the console. // if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { // // Reconnecting a remote session to the console. // Delete the extension. // pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; pWinStation->pWsx = NULL; // // In the case where both are NULL, we are reconnecting // to the console a session that comes from the console. // } // // Anytime we change state, we need to make sure session directory // does not pick up wrong state. // We need this because Repopulate release the lock before calling // SD so there might be small timing that we might send this reconnect // first because repopulate come back. // if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { SessDirWaitForRepopulate(); } RtlEnterCriticalSection( &WinStationListLock ); if (pWinStation->UserName[0] != (WCHAR) 0) { pWinStation->State = State_Active; } else { pWinStation->State = State_Connected; } RtlCopyMemory( pWinStation->WinStationName, pReconnectInfo->WinStationName, sizeof(WINSTATIONNAME) ); /* * Copy the original listen name for instance checking. */ RtlCopyMemory( pWinStation->ListenName, pReconnectInfo->ListenName, sizeof(WINSTATIONNAME) ); // Keep track of disconnected session count for Load Balancing Indicator WinStationDiscCount--; RtlLeaveCriticalSection( &WinStationListLock ); /* * Disable virtual channel flags are from the transport setup. * Do not overwrite them. */ fDisableCdm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCdm; fDisableCpm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCpm; fDisableLPT = (BOOLEAN) pWinStation->Config.Config.User.fDisableLPT; fDisableCcm = (BOOLEAN) pWinStation->Config.Config.User.fDisableCcm; fDisableClip = (BOOLEAN) pWinStation->Config.Config.User.fDisableClip; pWinStation->Config = pReconnectInfo->Config; pWinStation->Config.Config.User.fDisableCdm = fDisableCdm; pWinStation->Config.Config.User.fDisableCpm = fDisableCpm; pWinStation->Config.Config.User.fDisableLPT = fDisableLPT; pWinStation->Config.Config.User.fDisableCcm = fDisableCcm; pWinStation->Config.Config.User.fDisableClip = fDisableClip; pWinStation->Config.Config.User.Shadow = Shadow; /* * Disable virtual channels if needed. */ VirtualChannelSecurity( pWinStation ); /* * Notify the CDM channel of reconnection. */ if ( pWinStation->pWsx && pWinStation->pWsx->pWsxCdmConnect ) { (VOID) pWinStation->pWsx->pWsxCdmConnect( pWinStation->pWsxContext, pWinStation->LogonId, pWinStation->hIca ); } /* * Reset any autoreconnect information prior to reconnection * as it is stale. New information will be generated by the stack * when login completes. */ ResetAutoReconnectInfo(pWinStation); if ( pWinStation->pWsx && pWinStation->pWsx->pWsxLogonNotify ) { PWCHAR pUserNameToSend, pDomainToSend ; // Use the New notification credentials sent from Gina for the call below if they are available if (pWinStation->pNewNotificationCredentials) { pUserNameToSend = pWinStation->pNewNotificationCredentials->UserName; pDomainToSend = pWinStation->pNewNotificationCredentials->Domain; } else { pUserNameToSend = pWinStation->UserName; pDomainToSend = pWinStation->Domain ; } Status = pWinStation->pWsx->pWsxLogonNotify( pWinStation->pWsxContext, pWinStation->LogonId, NULL, pDomainToSend, pUserNameToSend ); if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; } if(!NT_SUCCESS(Status)) { TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect: LogonNotify rc=0x%x\n", Status )); } } NotifySystemEvent( WEVENT_CONNECT | WEVENT_STATECHANGE ); /* * Cleanup any allocated buffers. * The endpoint buffer was transfered to the WinStation above. */ pReconnectInfo->pEndpoint = NULL; pReconnectInfo->EndpointLength = 0; /* * Set connect time and stop disconnect timer */ NtQuerySystemTime(&pWinStation->ConnectTime); if (pWinStation->fDisconnectTimer) { pWinStation->fDisconnectTimer = FALSE; IcaTimerClose( pWinStation->hDisconnectTimer ); } /* * Start logon timers */ StartLogonTimers(pWinStation); // Notify the session directory of the reconnection. if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) { TSSD_ReconnectSessionInfo ReconnInfo; ReconnInfo.SessionID = pWinStation->LogonId; ReconnInfo.TSProtocol = pWinStation->Client.ProtocolType; ReconnInfo.ResolutionWidth = pWinStation->Client.HRes; ReconnInfo.ResolutionHeight = pWinStation->Client.VRes; ReconnInfo.ColorDepth = pWinStation->Client.ColorDepth; SessDirNotifyReconnection(pWinStation, &ReconnInfo); } TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect, rc=0x0\n" )); AuditEvent( pWinStation, SE_AUDITID_SESSION_RECONNECTED ); /* * Tell csrss to notify winlogon for the reconnect then notify any process * that registred for notification. */ ReconnectMsg.ApiNumber = SMWinStationNotify; ReconnectMsg.WaitForReply = FALSE; ReconnectMsg.u.DoNotify.NotifyEvent = WinStation_Notify_Reconnect; Status = SendWinStationCommand( pWinStation, &ReconnectMsg, 0 ); Status = NotifyConnect(pWinStation, pWinStation->fOwnsConsoleTerminal); if ( !NT_SUCCESS(Status) ) { DBGPRINT(("NotifyConsoleConnect failed, SessionId = %d, Status = %d", pWinStation->LogonId, Status)); } // Free up allocated Memory if (pCurConfig != NULL) { MemFree( pCurConfig ); pCurConfig = NULL; } if (pCurClient != NULL) { MemFree( pCurClient ); pCurClient = NULL; } if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; } // Since the winstation has reconnected, we can allow further autoreconnects pWinStation->fDisallowAutoReconnect = FALSE; // Reset ReconnectPending Flag pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE; return STATUS_SUCCESS; /*============================================================================= == Error returns =============================================================================*/ /* * Failure from Win32 reconnect call. * Disconnect the stack again, and indicate the WinStation * does not have a stack or endpoint connection. */ badreconnect: TempStatus = IcaStackDisconnect( pWinStation->hStack, pReconnectInfo->hIca, NULL ); //ASSERT( NT_SUCCESS( TempStatus ) ); pReconnectInfo->hStack = pWinStation->hStack; pReconnectInfo->pEndpoint = pWinStation->pEndpoint; pReconnectInfo->EndpointLength = pWinStation->EndpointLength; pWinStation->hStack = NULL; pWinStation->pEndpoint = NULL; pWinStation->EndpointLength = 0; badstackreconnect: TempStatus = IcaStackOpen( pWinStation->hIca, Stack_Primary, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); //ASSERT( NT_SUCCESS( TempStatus ) ); // don't know how to handle any error here nomem: // Free up allocated Memory if (pCurConfig != NULL) { MemFree( pCurConfig ); pCurConfig = NULL; } if (pCurClient != NULL) { MemFree( pCurClient ); pCurClient = NULL; } if (pWinStation->pNewNotificationCredentials != NULL) { MemFree(pWinStation->pNewNotificationCredentials); pWinStation->pNewNotificationCredentials = NULL; } TRACE((hTrace, TC_ICASRV, TT_API1, "TERMSRV: WinStationDoReconnect, rc=0x%x\n", Status )); // Reset ReconnectPending Flag pWinStation->fReconnectPending = FALSE; pWinStation->fReconnectingToConsole = FALSE; return( Status ); } /******************************************************************************* * WsxBrokenConnection * * Send broken connection notification to the WinStation extension DLL ******************************************************************************/ VOID WsxBrokenConnection(PWINSTATION pWinStation) { /* * Only send notification if there is a reason */ if ( pWinStation->BrokenReason ) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxBrokenConnection ) { ICA_BROKEN_CONNECTION Broken; Broken.Reason = pWinStation->BrokenReason; Broken.Source = pWinStation->BrokenSource; pWinStation->pWsx->pWsxBrokenConnection( pWinStation->pWsxContext, pWinStation->hStack, &Broken ); } /* * Clear these once we have tried to send them */ pWinStation->BrokenReason = 0; pWinStation->BrokenSource = 0; } } /******************************************************************************* * CleanupReconnect * * Cleanup the specified RECONNECT_INFO structure * * ENTRY: * pReconnectInfo (input) * Pointer to RECONNECT_INFO buffer ******************************************************************************/ VOID CleanupReconnect(PRECONNECT_INFO pReconnectInfo) { NTSTATUS Status; /* * If there is a connection endpoint, then close it now. * When done, we also free the endpoint structure. */ if ( (pReconnectInfo->pEndpoint != NULL) && (pReconnectInfo->hStack != NULL)) { Status = IcaStackConnectionClose( pReconnectInfo->hStack, &pReconnectInfo->Config, pReconnectInfo->pEndpoint, pReconnectInfo->EndpointLength ); ASSERT( Status == STATUS_SUCCESS ); MemFree( pReconnectInfo->pEndpoint ); pReconnectInfo->pEndpoint = NULL; } if ( pReconnectInfo->pWsxContext ) { if ( pReconnectInfo->pWsx && pReconnectInfo->pWsx->pWsxWinStationRundown ) { pReconnectInfo->pWsx->pWsxWinStationRundown( pReconnectInfo->pWsxContext ); } pReconnectInfo->pWsxContext = NULL; } if ( pReconnectInfo->hStack ) { IcaStackClose( pReconnectInfo->hStack ); pReconnectInfo->hStack = NULL; } if ( pReconnectInfo->hIca ) { IcaClose( pReconnectInfo->hIca ); pReconnectInfo->hIca = NULL; } if( pReconnectInfo->pRememberedAddress != NULL ) { MemFree( pReconnectInfo->pRememberedAddress ); pReconnectInfo->pRememberedAddress = NULL; } } NTSTATUS _CloseEndpoint( IN PWINSTATIONCONFIG2 pWinStationConfig, IN PVOID pEndpoint, IN ULONG EndpointLength, IN PWINSTATION pWinStation, IN BOOLEAN bNeedStack) { HANDLE hIca; HANDLE hStack; NTSTATUS Status; /* * Open a stack handle that we can use to close the specified endpoint. */ TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: _CloseEndpoint [%p] on %s stack\n", pEndpoint, bNeedStack ? "Temporary" : "Primary")); if (bNeedStack) { Status = IcaOpen( &hIca ); if ( NT_SUCCESS( Status ) ) { Status = IcaStackOpen( hIca, Stack_Primary, NULL, NULL, &hStack ); if ( NT_SUCCESS( Status ) ) { Status = IcaStackConnectionClose( hStack, pWinStationConfig, pEndpoint, EndpointLength ); IcaStackClose( hStack ); } IcaClose( hIca ); } } else { Status = IcaStackConnectionClose( pWinStation->hStack, pWinStationConfig, pEndpoint, EndpointLength ); } if ( !NT_SUCCESS( Status ) ) { TRACE((hTrace, TC_ICASRV, TT_ERROR, "TERMSRV: _CloseEndpoint failed [%s], Status=%x\n", bNeedStack ? "Temporary" : "Primary", Status )); } return Status; } /******************************************************************************* * WinStationExceptionFilter * * Handle exception from a WinStation thread * * ENTRY: * pExceptionInfo (input) * pointer to EXCEPTION_POINTERS struct * * EXIT: * EXCEPTION_EXECUTE_HANDLER -- always ******************************************************************************/ NTSTATUS WinStationExceptionFilter( PWSTR OutputString, PEXCEPTION_POINTERS pexi) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; MUTANT_BASIC_INFORMATION MutexInfo; NTSTATUS Status; DbgPrint( "TERMSRV: %S\n", OutputString ); DbgPrint( "TERMSRV: ExceptionRecord=%p ContextRecord=%p\n", pexi->ExceptionRecord, pexi->ContextRecord ); DbgPrint( "TERMSRV: Exception code=%08x, flags=%08x, addr=%p, IP=%p\n", pexi->ExceptionRecord->ExceptionCode, pexi->ExceptionRecord->ExceptionFlags, pexi->ExceptionRecord->ExceptionAddress, CONTEXT_TO_PROGRAM_COUNTER(pexi->ContextRecord) ); #ifdef i386 DbgPrint( "TERMSRV: esp=%p ebp=%p\n", pexi->ContextRecord->Esp, pexi->ContextRecord->Ebp ); #endif DbgBreakPoint(); /* * Lock the global WinStation critsec if we don't already own it */ if ( NtCurrentTeb()->ClientId.UniqueThread != WinStationListLock.OwningThread ) ENTERCRIT( &WinStationListLock ); /* * Search the WinStation list to see if we had any locked */ Head = &WinStationListHead; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); Status = NtQueryMutant( pWinStation->Lock.Mutex, MutantBasicInformation, &MutexInfo, sizeof(MutexInfo), NULL ); if ( NT_SUCCESS( Status ) && MutexInfo.OwnedByCaller ) { ReleaseWinStation( pWinStation ); break; // OK to quit now, we should never lock more than one } } LEAVECRIT( &WinStationListLock ); return EXCEPTION_EXECUTE_HANDLER; } /******************************************************************************* * GetProcessLogonId * * Get LogonId for a process * * ENTRY: * ProcessHandle (input) * handle of process to get LogonId for * pLogonId (output) * location to return LogonId of process ******************************************************************************/ NTSTATUS GetProcessLogonId(HANDLE Process, PULONG pLogonId) { NTSTATUS Status; PROCESS_SESSION_INFORMATION ProcessInfo; /* * Get the LogonId for the process */ *pLogonId = 0; Status = NtQueryInformationProcess( Process, ProcessSessionInformation, &ProcessInfo, sizeof( ProcessInfo ), NULL ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: GetProcessLogonId, Process=%x, Status=%x\n", Process, Status )); return( Status ); } *pLogonId = ProcessInfo.SessionId; return Status; } /******************************************************************************* * SetProcessLogonId * * Set LogonId for a process * * ENTRY: * ProcessHandle (input) * handle of process to set LogonId for * LogonId (output) * LogonId to set for process ******************************************************************************/ NTSTATUS SetProcessLogonId(HANDLE Process, ULONG LogonId) { NTSTATUS Status; PROCESS_SESSION_INFORMATION ProcessInfo; /* * Set the LogonId for the process */ ProcessInfo.SessionId = LogonId; Status = NtSetInformationProcess( Process, ProcessSessionInformation, &ProcessInfo, sizeof( ProcessInfo ) ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: SetProcessLogonId, Process=%x, Status=%x\n", Process, Status )); return Status; } return Status; } /******************************************************************************* * FindWinStationById * * Find and lock a WinStation given its LogonId * * ENTRY: * LogonId (input) * LogonId of WinStation to find * LockList (input) * BOOLEAN indicating whether WinStationListLock should be * left locked on return * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/ PWINSTATION FindWinStationById(ULONG LogonId, BOOLEAN LockList) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for a WinStation with the given logonid. */ searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->LogonId == LogonId ) { uCount++; /* * Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; } #if DBG #else break; #endif } } ASSERT((uCount <= 1) || (LogonId== -1) ); /* * If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock ); if (pFoundWinStation == NULL) { TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: FindWinStationById: %d (not found)\n", LogonId )); } return pFoundWinStation; } BOOL FindFirstListeningWinStationName( PWINSTATIONNAMEW pListenName, PWINSTATIONCONFIG2 pConfig ) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; BOOL bFound = FALSE; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); searchagain: /* * Search the list for a WinStation with the given name. */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->Flags & WSF_LISTEN && pWinStation->Client.ProtocolType == PROTOCOL_RDP) { // try to lock winstation. if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; CopyMemory( pConfig, &(pWinStation->Config), sizeof(WINSTATIONCONFIG2) ); lstrcpy( pListenName, pWinStation->WinStationName ); ReleaseWinStation( pWinStation ); bFound = TRUE; } } LEAVECRIT( &WinStationListLock ); TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindFirstListeningWinStationName: %ws\n", (bFound) ? pListenName : L"Not Found" )); return bFound; } /******************************************************************************* * FindWinStationByName * * Find and lock a WinStation given its Name * * ENTRY: * WinStationName (input) * Name of WinStation to find * LockList (input) * BOOLEAN indicating whether WinStationListLock should be * left locked on return * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/ PWINSTATION FindWinStationByName(LPWSTR WinStationName, BOOLEAN LockList) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for a WinStation with the given name. */ searchagain: for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !_wcsicmp( pWinStation->WinStationName, WinStationName ) ) { /* * Now try to lock the WinStation. If this succeeds, * then ensure it still has the name we're searching for. */ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; if ( _wcsicmp( pWinStation->WinStationName, WinStationName ) ) { ReleaseWinStation( pWinStation ); goto searchagain; } /* * If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock ); TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindWinStationByName: %S, LogonId %u\n", WinStationName, pWinStation->LogonId )); return( pWinStation ); } } /* * If the WinStationList lock should not be held, then release it now. */ if ( !LockList ) LEAVECRIT( &WinStationListLock ); TRACE((hTrace,TC_ICASRV,TT_API3,"TERMSRV: FindWinStationByName: %S, (not found)\n", WinStationName )); return NULL; } /******************************************************************************* * FindIdleWinStation * * Find and lock an idle WinStation * * EXIT: * On success - Pointer to WinStation * On failure - NULL ******************************************************************************/ PWINSTATION FindIdleWinStation() { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; BOOLEAN bFirstTime = TRUE; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for an idle WinStation */ searchagain: for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( (pWinStation->Flags & WSF_IDLE) && !(pWinStation->Flags & WSF_IDLEBUSY) && !pWinStation->Starting ) { /* * Now try to lock the WinStation. If this succeeds, * then ensure it is still marked as idle. */ if ( !LockRefLock( &pWinStation->Lock ) ) { goto searchagain; } if ( !(pWinStation->Flags & WSF_IDLE) || (pWinStation->Flags & WSF_IDLEBUSY) || pWinStation->Starting ) { ReleaseWinStation( pWinStation ); goto searchagain; } LEAVECRIT( &WinStationListLock ); return( pWinStation ); } } LEAVECRIT( &WinStationListLock ); TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: FindIdleWinStation: (none found)\n" )); return NULL; } /******************************************************************************* * CountWinStationType * * Count the number of matching Winstation Listen Names * * ENTRY: * Listen Name * * bActiveOnly if TRUE, count only active WinStations * * EXIT: * Number ******************************************************************************/ ULONG CountWinStationType( PWINSTATIONNAME pListenName, BOOLEAN bActiveOnly, BOOLEAN bLockHeld) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG Count = 0; Head = &WinStationListHead; if ( !bLockHeld ) { ENTERCRIT( &WinStationListLock ); } /* * Search the list for an idle WinStation */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !wcscmp( pWinStation->ListenName, pListenName ) ) { if ( !bActiveOnly ) Count++; else if ( pWinStation->State == State_Active || pWinStation->State == State_Shadow ) Count++; } } if ( !bLockHeld ) { LEAVECRIT( &WinStationListLock ); } TRACE((hTrace,TC_ICASRV,TT_API2,"TERMSRV: CountWinstationType %d\n", Count )); return Count; } /******************************************************************************* * IncrementReference * * Increments refcount on a WinStation given a pointer * * NOTE: * WinStationListLock must be locked on entry and will be locked on return. * * ENTRY: * pWinStation (input) * Pointer to WinStation to lock * ******************************************************************************/ void IncrementReference(PWINSTATION pWinStation) { /* * increment the ref count on winstation. */ InterlockedIncrement( &pWinStation->Lock.RefCount ); } /******************************************************************************* * InitRefLock * * Initialize a RefLock and lock it. * * ENTRY: * pLock (input) * Pointer to RefLock to init * pDeleteProcedure (input) * Pointer to delete procedure for object ******************************************************************************/ NTSTATUS InitRefLock(PREFLOCK pLock, PREFLOCKDELETEPROCEDURE pDeleteProcedure) { NTSTATUS Status; // Create and lock winstation mutex Status = NtCreateMutant( &pLock->Mutex, MUTANT_ALL_ACCESS, NULL, TRUE ); if ( !NT_SUCCESS( Status ) ) return( Status ); pLock->RefCount = 1; pLock->Invalid = FALSE; pLock->pDeleteProcedure = pDeleteProcedure; return STATUS_SUCCESS; } /******************************************************************************* * SetRefLockDeleteProc * * Cahnge a RefLock DeleteProc. * * ENTRY: * pLock (input) * Pointer to RefLock to init * pDeleteProcedure (input) * Pointer to delete procedure for object ******************************************************************************/ NTSTATUS SetRefLockDeleteProc( PREFLOCK pLock, PREFLOCKDELETEPROCEDURE pDeleteProcedure) { pLock->pDeleteProcedure = pDeleteProcedure; return STATUS_SUCCESS; } /******************************************************************************* * LockRefLock * * Increment the reference count for a RefLock and lock it. * * NOTE: * WinStationListLock must be locked on entry and will be locked on return. * * ENTRY: * pLock (input) * Pointer to RefLock to lock * * EXIT: * TRUE - if object was locked successfully * FALSE - otherwise ******************************************************************************/ BOOLEAN LockRefLock(PREFLOCK pLock) { /* * Increment reference count for this RefLock. */ InterlockedIncrement( &pLock->RefCount ); /* * If mutex cannot be locked without blocking, * then unlock the WinStation list lock, wait for the mutex, * and relock the WinStation list lock. */ if ( NtWaitForSingleObject( pLock->Mutex, FALSE, &TimeoutZero ) != STATUS_SUCCESS ) { LEAVECRIT( &WinStationListLock ); NtWaitForSingleObject( pLock->Mutex, FALSE, NULL ); ENTERCRIT( &WinStationListLock ); /* * If the object is marked as invalid, it was removed while * we waited for the lock. Release our lock and return FALSE, * indicating we were unable to lock it. */ if ( pLock->Invalid ) { /* * Release the winstationlist lock because the Winstation * migth go away as a result of releasing its lock, */ LEAVECRIT( &WinStationListLock ); ReleaseRefLock( pLock ); ENTERCRIT( &WinStationListLock ); return FALSE; } } return TRUE; } /******************************************************************************* * RelockRefLock * * Relock a RefLock which has been unlocked but still has a reference. * * NOTE: * Object must have been previously unlocked by calling UnlockRefLock. * * EXIT: * TRUE - if object is still valid * FALSE - if object was marked invalid while unlocked ******************************************************************************/ BOOLEAN RelockRefLock(PREFLOCK pLock) { /* * Lock the mutex */ NtWaitForSingleObject( pLock->Mutex, FALSE, NULL ); /* * If the object is marked as invalid, * it was removed while it was unlocked so we return FALSE. */ return !pLock->Invalid; } /******************************************************************************* * UnlockRefLock * * Unlock a RefLock but keep a reference to it (don't decrement * the reference count). Caller must use RelockWinRefLock * to relock the object. * * ENTRY: * pLock (input) * Pointer to RefLock to unlock ******************************************************************************/ VOID UnlockRefLock(PREFLOCK pLock) { NtReleaseMutant(pLock->Mutex, NULL); } /******************************************************************************* * ReleaseRefLock * * Unlock and dereference a RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock to release ******************************************************************************/ VOID ReleaseRefLock(PREFLOCK pLock) { ASSERT( pLock->RefCount > 0 ); /* * If object has been marked invalid and we are the * last reference, then finish deleting it now. */ if ( pLock->Invalid ) { ULONG RefCount; RefCount = InterlockedDecrement( &pLock->RefCount ); NtReleaseMutant( pLock->Mutex, NULL ); if ( RefCount == 0 ) { NtClose( pLock->Mutex ); (*pLock->pDeleteProcedure)( pLock ); } } else { InterlockedDecrement( &pLock->RefCount ); NtReleaseMutant( pLock->Mutex, NULL ); } } /******************************************************************************* * DeleteRefLock * * Unlock, dereference, and delete a RefLock. * * ENTRY: * pLock (input) * Pointer to RefLock to delete ******************************************************************************/ VOID DeleteRefLock(PREFLOCK pLock) { ASSERT( pLock->RefCount > 0 ); /* * If we are the last reference, then delete the object now */ if ( InterlockedDecrement( &pLock->RefCount ) == 0 ) { NtReleaseMutant( pLock->Mutex, NULL ); NtClose( pLock->Mutex ); (*pLock->pDeleteProcedure)( pLock ); /* * Otherwise, just mark the object invalid */ } else { pLock->Invalid = TRUE; NtReleaseMutant( pLock->Mutex, NULL ); } } BOOLEAN IsWinStationLockedByCaller(PWINSTATION pWinStation) { MUTANT_BASIC_INFORMATION MutantInfo; NTSTATUS Status; Status = NtQueryMutant( pWinStation->Lock.Mutex, MutantBasicInformation, &MutantInfo, sizeof(MutantInfo), NULL ); if ( NT_SUCCESS( Status ) ) return MutantInfo.OwnedByCaller; return FALSE; } /******************************************************************************* * WinStationEnumerateWorker * * Enumerate the WinStation list and return LogonIds and WinStation * names to the caller. * * NOTE: * This version only returns one entry at a time. There is no guarantee * across calls that the list will not change, causing the users Index * to miss an entry or get the same entry twice. * * ENTRY: * pEntries (input/output) * Pointer to number of entries to return/number actually returned * pWin (output) * Pointer to buffer to return entries * pByteCount (input/output) * Pointer to size of buffer/length of data returned in buffer * pIndex (input/output) * Pointer to WinStation index to return/next index ******************************************************************************/ NTSTATUS WinStationEnumerateWorker( PULONG pEntries, PLOGONID pWin, PULONG pByteCount, PULONG pIndex) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG WinStationIndex; ULONG MaxEntries, MaxByteCount; NTSTATUS Status; NTSTATUS Error = STATUS_NO_MORE_ENTRIES; WinStationIndex = 0; MaxEntries = *pEntries; MaxByteCount = *pByteCount; *pEntries = 0; *pByteCount = 0; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { if ( *pEntries >= MaxEntries || *pByteCount + sizeof(LOGONID) > MaxByteCount ) { break; } pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); // // If Session has not yet been fully Started, skip this session during Enumeration // if (pWinStation->LogonId == -1) { continue; } if ( *pIndex == WinStationIndex ) { (*pIndex)++; // set Index to next entry /* * Verify that client has QUERY access before * returning it in the enumerate list. * (Note that RpcCheckClientAccess only references the WinStation * to get the LogonId, so it is safe to call this routine without * locking the WinStation since we hold the WinStationListLock * which prevents the WinStation from being deleted.) */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( NT_SUCCESS( Status ) ) { Error = STATUS_SUCCESS; /* * It's possible that the LPC client can go away while we * are processing this call. Its also possible that another * server thread handles the LPC_PORT_CLOSED message and closes * the port, which deletes the view memory, which is what * pWin points to. In this case the pWin references below * will trap. We catch this and just break out of the loop. */ try { pWin->LogonId = pWinStation->LogonId; if ( pWinStation->Terminating ) pWin->State = State_Down; else pWin->State = pWinStation->State; wcscpy( pWin->WinStationName, pWinStation->WinStationName ); } except( EXCEPTION_EXECUTE_HANDLER ) { break; } pWin++; (*pEntries)++; *pByteCount += sizeof(LOGONID); } } WinStationIndex++; } LEAVECRIT( &WinStationListLock ); return Error; } /******************************************************************************* * LogonIdFromWinStationNameWorker * * Return the LogonId for a given WinStation name. * * ENTRY: * WinStationName (input) * name of WinStation to query * pLogonId (output) * Pointer to location to return LogonId ******************************************************************************/ NTSTATUS LogonIdFromWinStationNameWorker( PWINSTATIONNAME WinStationName, ULONG NameSize, PULONG pLogonId) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status; UINT uiLength; // make sure we don't go beyond the end of one of the two strings // (and work around bug #229753 : NameSize is in bytes, not a characters count) if (NameSize > sizeof(WINSTATIONNAME)) { uiLength = sizeof(WINSTATIONNAME)/sizeof(WCHAR); } else { uiLength = NameSize/sizeof(WCHAR); } Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( !_wcsnicmp( pWinStation->WinStationName, WinStationName, uiLength ) ) { /* * If client doesn't have QUERY access, return NOT_FOUND error */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( !NT_SUCCESS( Status ) ) break; *pLogonId = pWinStation->LogonId; LEAVECRIT( &WinStationListLock ); return( STATUS_SUCCESS ); } } LEAVECRIT( &WinStationListLock ); return STATUS_CTX_WINSTATION_NOT_FOUND; } /******************************************************************************* * IcaWinStationNameFromLogonId * * Return the WinStation name for a given LogonId. * * ENTRY: * LogonId (output) * LogonId to query * pWinStationName (input) * pointer to location to return WinStation name ******************************************************************************/ NTSTATUS IcaWinStationNameFromLogonId( ULONG LogonId, PWINSTATIONNAME pWinStationName) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; NTSTATUS Status; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->LogonId == LogonId ) { /* * If client doesn't have QUERY access, return NOT_FOUND error */ Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, FALSE ); if ( !NT_SUCCESS( Status ) ) break; wcscpy( pWinStationName, pWinStation->WinStationName ); LEAVECRIT( &WinStationListLock ); return( STATUS_SUCCESS ); } } LEAVECRIT( &WinStationListLock ); return STATUS_CTX_WINSTATION_NOT_FOUND; } NTSTATUS TerminateProcessAndWait( HANDLE ProcessId, HANDLE Process, ULONG Seconds) { NTSTATUS Status; ULONG mSecs; LARGE_INTEGER Timeout; /* * Try to terminate the process */ TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: TerminateProcessAndWait, process=0x%x, ", ProcessId )); Status = NtTerminateProcess( Process, STATUS_SUCCESS ); if ( !NT_SUCCESS( Status ) && Status != STATUS_PROCESS_IS_TERMINATING ) { DBGPRINT(("Terminate=0x%x\n", Status )); return( Status ); } TRACE((hTrace,TC_ICASRV,TT_API1, "Terminate=0x%x, ", Status )); /* * Wait for the process to die */ mSecs = Seconds * 1000; Timeout = RtlEnlargedIntegerMultiply( mSecs, -10000 ); Status = NtWaitForSingleObject( Process, FALSE, &Timeout ); TRACE((hTrace,TC_ICASRV,TT_API1, "Wait=0x%x\n", Status )); return Status; } /***************************************************************************** * ShutdownLogoff * * Worker function to handle logoff notify of WinStations when * the system is being shutdown. * * It is built from the code in WinStationReset * * ENTRY: * Client LogonId (input) * LogonId of the client Winstation doing the shutdown. This is so * that he does not get reset. * Flags (input) * The shutdown flags. ****************************************************************************/ NTSTATUS ShutdownLogoff(ULONG ClientLogonId, ULONG Flags) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation, pConsole = NULL; PULONG Tmp; PULONG Ids = NULL; ULONG IdCount = 0; ULONG IdAllocCount = 0; NTSTATUS Status = STATUS_SUCCESS; TRACE((hTrace,TC_ICASRV,TT_API1, "ShutdownLogoff: Called from WinStation %d Flags %x\n", ClientLogonId, Flags )); /* * Loop through all the WinStations getting the LogonId's * of active Winstations */ Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); // // take a reference on the console // if ( pWinStation->fOwnsConsoleTerminal ) { if (!pConsole) { IncrementReference( pWinStation ); pConsole = pWinStation; } } // // just skip : // - the caller's session // - the console (because winsrv!W32WinStationExitWindows would fail for the console) // - the listener // if ( ( pWinStation->LogonId == ClientLogonId ) || ( pWinStation->LogonId == 0) || ( pWinStation->Flags & WSF_LISTEN ) ) { // Skip this one, or it's a listen continue; } if ( IdCount >= IdAllocCount ) { // Reallocate the array IdAllocCount += 16; Tmp = RtlAllocateHeap( RtlProcessHeap(), 0, IdAllocCount * sizeof(ULONG) ); if ( Tmp == NULL ) { Status = STATUS_NO_MEMORY; if ( Ids ) RtlFreeHeap( RtlProcessHeap(), 0, Ids ); IdCount = 0; break; } if ( Ids ) { RtlCopyMemory( Tmp, Ids, IdCount*sizeof(ULONG) ); RtlFreeHeap( RtlProcessHeap(), 0, Ids ); } Ids = Tmp; } // Copy the LogonId into our array Ids[IdCount++] = pWinStation->LogonId; } // // We are protected by new winstations starting up by the shutdown // global flags. // // The actual WinStation reset routine will validate that the LogonId // is still valid // LEAVECRIT( &WinStationListLock ); // // see if the console is being shadowed // if ( pConsole ) { RelockWinStation( pConsole ); WinStationStopAllShadows( pConsole ); ReleaseWinStation( pConsole ); } if (IdCount !=0) { // // Ids[] holds the LogonId's of valid Winstations, IdCount is the number // /* * Now do the actual logout and/or reset of the WinStations. */ if (Flags & WSD_LOGOFF) { Status = DoForWinStationGroup( Ids, IdCount, (LPTHREAD_START_ROUTINE) WinStationLogoff); } if (Flags & WSD_SHUTDOWN) { Status = DoForWinStationGroup( Ids, IdCount, (LPTHREAD_START_ROUTINE) WinStationShutdownReset); } } return Status; } /***************************************************************************** * DoForWinStationGroup * * Executes a function for each WinStation in the group. * The group is passed as an array of LogonId's. * * ENTRY: * Ids (input) * Array of LogonId's of WinStations to reset * * IdCount (input) * Count of LogonId's in array * * ThreadProc (input) * The thread routine executed for each WinStation. ****************************************************************************/ NTSTATUS DoForWinStationGroup( PULONG Ids, ULONG IdCount, LPTHREAD_START_ROUTINE ThreadProc) { ULONG Index; NTSTATUS Status; LARGE_INTEGER Timeout; PHANDLE ThreadHandles = NULL; ThreadHandles = RtlAllocateHeap( RtlProcessHeap(), 0, IdCount * sizeof(HANDLE) ); if( ThreadHandles == NULL ) { return( STATUS_NO_MEMORY ); } /* * Wait a max of 60 seconds for thread to exit */ Timeout = RtlEnlargedIntegerMultiply( 60000, -10000 ); for( Index=0; Index < IdCount; Index++ ) { // // Here we create a thread to run the actual reset function. // Since we are holding the lists crit sect, the threads will // wait until we are done, then wake up when we release it // DWORD ThreadId; ThreadHandles[Index] = CreateThread( NULL, 0, // use Default stack size of the svchost process ThreadProc, LongToPtr( Ids[Index] ), // LogonId THREAD_SET_INFORMATION, &ThreadId ); if ( !ThreadHandles[Index] ) { ThreadHandles[Index] = (HANDLE)(-1); TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Shutdown: Could not create thread for WinStation %d Shutdown\n", Ids[Index])); } } // // Now wait for the threads to exit. Each will reset their // WinStation and be signal by the kernel when the thread is // exited. // for (Index=0; Index < IdCount; Index++) { if ( ThreadHandles[Index] != (HANDLE)(-1) ) { Status = NtWaitForSingleObject( ThreadHandles[Index], FALSE, // Not alertable &Timeout ); if( Status == STATUS_TIMEOUT ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: DoForWinStationGroup: Timeout Waiting for Thread\n")); } else if (!NT_SUCCESS( Status ) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: DoForWinStationGroup: Error waiting for Thread Status 0x%x\n", Status)); } NtClose( ThreadHandles[Index] ); } } /* makarp:free the ThreadHandles. // #182609 */ RtlFreeHeap( RtlProcessHeap(), 0, ThreadHandles ); return STATUS_SUCCESS; } /***************************************************************************** * WinStationShutdownReset * * Reset a WinStation due to a system shutdown. Does not re-create * it. * * ENTRY: * ThreadArg (input) * WinStation logonId ****************************************************************************/ ULONG WinStationShutdownReset(PVOID ThreadArg) { ULONG LogonId = (ULONG)(INT_PTR)ThreadArg; PWINSTATION pWinStation; NTSTATUS Status; ULONG ulIndex; BOOL bConnectDisconnectPending = TRUE; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: ShutdownReset, LogonId=%d\n", LogonId )); /* * Find and lock the WinStation struct for the specified LogonId */ pWinStation = FindWinStationById( LogonId, FALSE ); if ( pWinStation == NULL ) { Status = STATUS_CTX_WINSTATION_NOT_FOUND; goto done; } /* * Console is a special case since it only logs off */ if ( LogonId == 0 ) { Status = LogoffWinStation( pWinStation, (EWX_FORCE | EWX_LOGOFF) ); ReleaseWinStation( pWinStation ); goto done; } /* * Mark the winstation as being deleted. * If a reset/delete operation is already in progress * on this winstation, then don't proceed with the delete. * Also if there is a Connect/disconnect pending, give it * a chance to complete. */ for (ulIndex=0; ulIndex < WINSTATION_WAIT_COMPLETE_RETRIES; ulIndex++) { if ( pWinStation->Flags & (WSF_RESET | WSF_DELETE) ) { ReleaseWinStation( pWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; goto done; } if ( pWinStation->Flags & (WSF_CONNECT | WSF_DISCONNECT) ) { LARGE_INTEGER Timeout; Timeout = RtlEnlargedIntegerMultiply( WINSTATION_WAIT_COMPLETE_DURATION, -10000 ); UnlockWinStation( pWinStation ); NtDelayExecution( FALSE, &Timeout ); if ( !RelockWinStation( pWinStation ) ) { ReleaseWinStation( pWinStation ); Status = STATUS_SUCCESS; goto done; } } else { bConnectDisconnectPending = FALSE; break; } } if ( bConnectDisconnectPending ) { ReleaseWinStation( pWinStation ); Status = STATUS_CTX_WINSTATION_BUSY; goto done; } pWinStation->Flags |= WSF_DELETE; /* * If no broken reason/source have been set, then set them here. */ if ( pWinStation->BrokenReason == 0 ) { pWinStation->BrokenReason = Broken_Terminate; pWinStation->BrokenSource = BrokenSource_Server; } /* * Make sure this WinStation is ready to delete */ WinStationTerminate( pWinStation ); /* * Call the WinStationDelete worker */ WinStationDeleteWorker( pWinStation ); Status = STATUS_SUCCESS; done: TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: ShutdownReset, Status=0x%x\n", Status )); ExitThread( 0 ); return Status; } /***************************************************************************** * WinStationLogoff * * Logoff the WinStation via ExitWindows. * * ENTRY: * ThreadArg (input) * WinStation logonId ****************************************************************************/ ULONG WinStationLogoff(PVOID ThreadArg) { ULONG LogonId = (ULONG)(INT_PTR)ThreadArg; PWINSTATION pWinStation; NTSTATUS Status; LARGE_INTEGER Timeout; /* * Wait a maximum of 1 min for the session to logoff */ Timeout = RtlEnlargedIntegerMultiply( 60000, -10000 ); TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationLogoff, LogonId=%d\n", LogonId )); /* * Find and lock the WinStation struct for the specified LogonId */ pWinStation = FindWinStationById( LogonId, FALSE ); if ( pWinStation == NULL ) { Status = STATUS_CTX_WINSTATION_NOT_FOUND; } else { Status = LogoffWinStation( pWinStation, EWX_LOGOFF); if (ShutdownInProgress && NT_SUCCESS(Status) && ((pWinStation->State == State_Active) || (pWinStation->State == State_Disconnected))) { UnlockWinStation( pWinStation ); Status = NtWaitForSingleObject( pWinStation->InitialCommandProcess, FALSE, &Timeout ); RelockWinStation( pWinStation ); } ReleaseWinStation( pWinStation ); } TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationLogoff, Status=0x%x\n", Status )); ExitThread( 0 ); return Status; } /******************************************************************************* * ResetGroupByListener * * Resets all active winstations on the supplied listen name. * * ENTRY: * pListenName (input) * Type of Winstation (e.g. tcp, ipx) ******************************************************************************/ VOID ResetGroupByListener(PWINSTATIONNAME pListenName) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for all active WinStation with the given ListenName. */ for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (!wcscmp(pWinStation->ListenName, pListenName) && (!(pWinStation->Flags & (WSF_RESET | WSF_LISTEN)))) { QueueWinStationReset(pWinStation->LogonId); } } LEAVECRIT( &WinStationListLock ); } NTSTATUS LogoffWinStation(PWINSTATION pWinStation, ULONG ExitWindowsFlags) { WINSTATION_APIMSG msg; NTSTATUS Status = 0; /* * Tell the WinStation to logoff */ msg.ApiNumber = SMWinStationExitWindows; msg.u.ExitWindows.Flags = ExitWindowsFlags; Status = SendWinStationCommand( pWinStation, &msg, 0 ); return Status; } /***************************************************************************** * * This section of the file contains the impementation of the digital * certification mechanism for the Stack and WinStation Extension DLLs. This * code is not in a separate file so that external symbols are not visible. * All routines are declared static. * ****************************************************************************/ // // For security reasons, the TRACE statements in the following routine are // normally not included. If you want to include them, uncomment the // SIGN_DEBUG_WINSTA #define below. // // #define SIGN_DEBUG_WINSTA #include #include #include #include "../../tscert/inc/pubblob.h" // needed by certvfy.inc #include "../../tscert/inc/certvfy.inc" // VerifyFile() // // The following are initialized by VfyInit. // static RTL_CRITICAL_SECTION VfyLock; static WCHAR szSystemDir[ MAX_PATH + 1 ]; static WCHAR szDriverDir[ MAX_PATH + 1 ]; /******************************************************************************* * ReportStackLoadFailure * * Send a StackFailed message to the WinStationApiPort. * * ENTRY: * Module (input) * Name of Module to Log Error Against ******************************************************************************/ static NTSTATUS ReportStackLoadFailure(PWCHAR Module) { HANDLE h; extern WCHAR gpszServiceName[]; h = RegisterEventSource(NULL, gpszServiceName); if (h != NULL) { if (!ReportEventW(h, // event log handle EVENTLOG_ERROR_TYPE, // event type 0, // category zero EVENT_BAD_STACK_MODULE,// event identifier NULL, // no user security identifier 1, // one substitution string 0, // no data &Module, // pointer to string array NULL) // pointer to data ) { DBGPRINT(("ReportEvent Failed %ld. Event ID=%lx module=%ws\n",GetLastError(), EVENT_BAD_STACK_MODULE, Module)); } DeregisterEventSource(h); } else { DBGPRINT(("Cannot RegisterEvent Source %ld Event ID=%lx module=%ws\n",GetLastError(), EVENT_BAD_STACK_MODULE, Module)); } return STATUS_SUCCESS; } /****************************************************************************** * _VerifyStackModules * Verifies the integrity of the stack modules and the authenticity * of the digital signature. * * ENTRY: * pWinStation (input) * Pointer to a Listen Winstation. * * EXIT: * STATUS_SUCCESS - no error * STATUS_UNSUCCESSFUL - DLL integrity check, authenticity check failed * or registry stucture invalid *****************************************************************************/ static NTSTATUS _VerifyStackModules(IN PWINSTATION pWinStation) { PWCHAR pszModulePath = NULL; NTSTATUS Status = STATUS_SUCCESS; DWORD KeyIndex; DWORD Error; #ifdef SIGN_BYPASS_OPTION HKEY hKey; #endif SIGN_BYPASS_OPTION HKEY hVidKey; HKEY hVidDriverKey; UNICODE_STRING KeyPath; UNICODE_STRING ValueName; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE hServiceKey; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo; ULONG ValueLength; #define VALUE_BUFFER_SZ (sizeof(KEY_VALUE_PARTIAL_INFORMATION) + \ 256 * sizeof( WCHAR)) PCHAR pValueBuffer = NULL; INT Entries; DWORD dwByteCount; PPDNAME pPdNames, p; INT i; DLLNAME WdDLL; #ifdef SIGN_BYPASS_OPTION // // Check if Verification is to be bypassed // if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, REG_CONTROL_TSERVER L"\\BypassVerification", 0, KEY_READ, &hKey ) == ERROR_SUCCESS ) { RegCloseKey( hKey ); Status = STATUS_SUCCESS; goto exit; } #endif //SIGN_BYPASS_OPTION #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "System Dir: %ws\n", szSystemDir )); #endif // SIGN_DEBUG_WINSTA // allocate memory pszModulePath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ) ; if (pszModulePath == NULL) { Status = STATUS_NO_MEMORY; goto exit; } pValueBuffer = MemAlloc( VALUE_BUFFER_SZ ); if (pValueBuffer == NULL) { Status = STATUS_NO_MEMORY; goto exit; } // // Verify the WSX DLL if defined // if ( pWinStation->Config.Wd.WsxDLL[0] != L'\0' ) { wcscpy( pszModulePath, szSystemDir ); wcscat( pszModulePath, pWinStation->Config.Wd.WsxDLL ); wcscat( pszModulePath, L".DLL" ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "==> WSX Path: %ws\n", pszModulePath )); #endif // SIGN_DEBUG_WINSTA if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } } // // Verify the WD // wcscpy( WdDLL, pWinStation->Config.Wd.WdDLL ); wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, WdDLL ); wcscat( pszModulePath, L".SYS" ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "==> WD Path: %ws\n", pszModulePath )); #endif // SIGN_DEBUG_WINSTA if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } // // Verify the TD which is in Pd[0]. Always defined for Listen Stack. // wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, pWinStation->Config.Pd[0].Create.PdDLL ); wcscat( pszModulePath, L".SYS" ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "==> WD Path: %ws\n", pszModulePath )); #endif // SIGN_DEBUG_WINSTA if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } // // Enumerate the PDs for this WD and verify all the PDs. // Can't depend on Pd[i] for this since optional PDs won't // be present during Listen. // Entries = -1; dwByteCount = 0; i = 0; Error = RegPdEnumerate( NULL, WdDLL, FALSE, &i, &Entries, NULL, &dwByteCount ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "RegPdEnumerate 1 complete., Entries %d, Error %d\n", Entries, Error )); #endif // SIGN_DEBUG_WINSTA if ( Error != ERROR_NO_MORE_ITEMS && Error != ERROR_CANTOPEN ) { Status = STATUS_UNSUCCESSFUL; goto exit; } // // T.Share doesn't have PDs, so check if none // if ( Entries ) { dwByteCount = sizeof(PDNAME) * Entries; pPdNames = MemAlloc( dwByteCount ); if ( !pPdNames ) { Status = STATUS_UNSUCCESSFUL; goto exit; } i = 0; Error = RegPdEnumerate( NULL, WdDLL, FALSE, &i, &Entries, pPdNames, &dwByteCount ); if ( Error != ERROR_SUCCESS ) { /* makarp #182610 */ MemFree( pPdNames ); Status = STATUS_UNSUCCESSFUL; goto exit; } // // Open up the Registry entry for each named PD and pull out the value // of the PdDLL. This is the name of the DLL to verify. // for ( i = 0, p = pPdNames; i < Entries; i++, (char*)p += sizeof(PDNAME) ) { HKEY hPdKey; PWCHAR pszPdDLL = NULL; PWCHAR pszRegPath = NULL; DWORD dwLen; DWORD dwType; // allocate memory pszPdDLL = MemAlloc( (MAX_PATH+1) * sizeof(WCHAR) ); if (pszPdDLL == NULL) { MemFree( pPdNames ); Status = STATUS_NO_MEMORY; goto exit; } pszRegPath = MemAlloc( (MAX_PATH+1) * sizeof(WCHAR) ); if (pszRegPath == NULL) { MemFree( pszPdDLL ); MemFree( pPdNames ); Status = STATUS_NO_MEMORY; goto exit; } // // Build up the Registry Path to open the PD's key // wcscpy( pszRegPath, WD_REG_NAME ); wcscat( pszRegPath, L"\\" ); wcscat( pszRegPath, WdDLL ); wcscat( pszRegPath, PD_REG_NAME L"\\" ); wcscat( pszRegPath, p ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "PdKeyPath: %ws\n", pszRegPath )); #endif // SIGN_DEBUG_WINSTA if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, pszRegPath, 0, KEY_READ, &hPdKey ) != ERROR_SUCCESS ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath ); Status = STATUS_UNSUCCESSFUL; goto exit; } // // Get the name of the Pd DLL. // dwLen = (MAX_PATH + 1) * sizeof(WCHAR) ; if ( RegQueryValueEx( hPdKey, WIN_PDDLL, NULL, &dwType, (PCHAR) pszPdDLL, &dwLen ) != ERROR_SUCCESS ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath ); // makarp:182610 RegCloseKey(hPdKey); Status = STATUS_UNSUCCESSFUL; goto exit; } // makarp:182610 RegCloseKey(hPdKey); // // Build path to DLL and attempt verification // wcscpy( pszModulePath, szDriverDir ); wcscat( pszModulePath, pszPdDLL ); wcscat( pszModulePath, L".SYS" ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "==> PD Path: %ws\n", pszModulePath )); #endif // SIGN_DEBUG_WINSTA if ( !VerifyFile( pszModulePath, &VfyLock ) && GetLastError() != ERROR_CANTOPEN ) { MemFree( pPdNames ); MemFree( pszPdDLL ); MemFree( pszRegPath ); ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; goto exit; } MemFree( pszPdDLL ); MemFree( pszRegPath ); } MemFree( pPdNames ); } // // for all keys under HKLM\System\CCS\Control\Terminal Server\VIDEO // open the subkey \Device\Video0 and use that value as // a string to open // \REGISTRY\Machine\System\CCS\Services\vdtw30\Device0 // DLL name is in Value "Installed Display Drivers" // // Open registry (LOCAL_MACHINE\System\CCS\Control\Terminal Server\VIDEO) // // NOTE: All video driver DLLs are verified since there isn't any simple // method to determine which one is used for this stack. // if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, VIDEO_REG_NAME, 0, KEY_ENUMERATE_SUB_KEYS, &hVidKey ) != ERROR_SUCCESS ) { Status = STATUS_UNSUCCESSFUL; goto exit; } for ( KeyIndex = 0 ;; KeyIndex++ ) { // For all VIDEO subkeys PWCHAR pszVidDriverName = NULL; PWCHAR pszRegPath = NULL; PWCHAR pszDeviceKey = NULL; PWCHAR pszServiceKey = NULL; DWORD dwLen; DWORD dwType; // allocate memory pszVidDriverName = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszVidDriverName == NULL) { Status = STATUS_NO_MEMORY; goto exit; } pszRegPath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszRegPath == NULL) { MemFree(pszVidDriverName); Status = STATUS_NO_MEMORY; goto exit; } pszDeviceKey = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszDeviceKey == NULL) { MemFree(pszVidDriverName); MemFree(pszRegPath); Status = STATUS_NO_MEMORY; goto exit; } pszServiceKey = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszServiceKey == NULL) { MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); Status = STATUS_NO_MEMORY; goto exit; } // // Get name of VIDEO driver subkey. If end of subkeys, exit loop. // if ((Error = RegEnumKey( hVidKey, KeyIndex, pszVidDriverName, MAX_PATH+1))!= ERROR_SUCCESS ){ MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); break; // exit for loop } // // Build up the Registry Path to open the VgaCompatible Value // wcscpy( pszRegPath, VIDEO_REG_NAME L"\\" ); wcscat( pszRegPath, pszVidDriverName ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "VidDriverKeyPath: %ws\n", pszRegPath )); #endif // SIGN_DEBUG_WINSTA if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, pszRegPath, 0, KEY_READ, &hVidDriverKey ) != ERROR_SUCCESS ) { Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } // // Don't like to use constant strings, but this is the way // WINSRV does it... // dwLen = (MAX_PATH + 1) * sizeof(WCHAR) ; if ( RegQueryValueEx( hVidDriverKey, L"VgaCompatible", NULL, &dwType, (PCHAR) pszDeviceKey, &dwLen ) != ERROR_SUCCESS ) { RegCloseKey( hVidDriverKey ); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "DeviceKey: %ws\n", pszDeviceKey )); #endif // SIGN_DEBUG_WINSTA dwLen = (MAX_PATH + 1) * sizeof(WCHAR); if ( RegQueryValueEx( hVidDriverKey, pszDeviceKey, NULL, &dwType, (PCHAR) pszServiceKey, &dwLen ) != ERROR_SUCCESS ) { RegCloseKey( hVidDriverKey ); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } RegCloseKey( hVidDriverKey ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "ServiceKey: %ws\n", pszServiceKey )); #endif // SIGN_DEBUG_WINSTA RtlInitUnicodeString( &KeyPath, pszServiceKey ); InitializeObjectAttributes( &ObjectAttributes, &KeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL ); // // Must use NT Registry APIs since the ServiceKey key name from // the registry is in the form used by these APIs. // Status = NtOpenKey( &hServiceKey, GENERIC_READ, &ObjectAttributes ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: NtOpenKey failed, rc=%x\n", Status )); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } // // Don't like to use constant strings, but this is the way // WINSRV does it... // RtlInitUnicodeString( &ValueName, L"InstalledDisplayDrivers" ); KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)pValueBuffer; Status = NtQueryValueKey( hServiceKey, &ValueName, KeyValuePartialInformation, (PVOID)KeyValueInfo, VALUE_BUFFER_SZ, &ValueLength ); NtClose( hServiceKey ); if ( !NT_SUCCESS( Status ) ) { Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } wcscpy( pszModulePath, szSystemDir ); wcscat( pszModulePath, (PWCHAR)&KeyValueInfo->Data ); wcscat( pszModulePath, L".DLL" ); #ifdef SIGN_DEBUG_WINSTA TRACE((hTrace,TC_ICASRV,TT_API1, "==> VidDriverDLLPath: %ws\n", pszModulePath )); #endif // SIGN_DEBUG_WINSTA if ( !VerifyFile( pszModulePath, &VfyLock ) ) { ReportStackLoadFailure(pszModulePath); Status = STATUS_UNSUCCESSFUL; MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); goto closevidkey; } MemFree(pszVidDriverName); MemFree(pszRegPath); MemFree(pszDeviceKey); MemFree(pszServiceKey); } // for all VIDEO subkeys closevidkey: RegCloseKey( hVidKey ); exit: if (pszModulePath != NULL) { MemFree(pszModulePath); pszModulePath = NULL; } if (pValueBuffer != NULL) { MemFree(pValueBuffer); pValueBuffer = NULL; } return Status; } /******************************************************************************* * VfyInit * Sets up environment for Stack DLL verification. ******************************************************************************/ NTSTATUS VfyInit() { GetSystemDirectory( szSystemDir, sizeof( szSystemDir )/ sizeof(WCHAR)); wcscat( szSystemDir, L"\\" ); wcscpy( szDriverDir, szSystemDir ); wcscat( szDriverDir, L"Drivers\\" ); return RtlInitializeCriticalSection(&VfyLock); } VOID WinstationUnloadProfile(PWINSTATION pWinStation) { #if 0 NTSTATUS NtStatus; UNICODE_STRING UnicodeString; BOOL bResult; // if this is not the last session for this user, then we do nothing. if (WinstationCountUserSessions(pWinStation->pProfileSid, pWinStation->LogonId) != 0) { return; } // Get the user hive name from user Sid. NtStatus = RtlConvertSidToUnicodeString( &UnicodeString, pWinStation->pProfileSid, (BOOLEAN)TRUE ); if (!NT_SUCCESS(NtStatus)) { DBGPRINT(("TERMSRV: WinstationUnloadProfile couldn't convert Sid to string. \n")); return; } // Unload the user's hive. bResult = WinstationRegUnLoadKey(HKEY_USERS, UnicodeString.Buffer); if (!bResult) { DBGPRINT(("TERMSRV: WinstationUnloadProfile failed. \n")); } // free allocated string. RtlFreeUnicodeString(&UnicodeString); #endif } BOOL WinstationRegUnLoadKey(HKEY hKey, LPWSTR lpSubKey) { BOOL bResult = TRUE; LONG error; NTSTATUS Status; BOOLEAN WasEnabled; ENTERCRIT(&UserProfileLock); // // Enable the restore privilege // Status = RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, TRUE, FALSE, &WasEnabled); if (NT_SUCCESS(Status)) { error = RegUnLoadKey(hKey, lpSubKey); if ( error != ERROR_SUCCESS) { DBGPRINT(("TERMSRV: WinstationRegUnLoadKey RegUnLoadKey failed. \n")); bResult = FALSE; } // // Restore the privilege to its previous state // Status = RtlAdjustPrivilege(SE_RESTORE_PRIVILEGE, WasEnabled, FALSE, &WasEnabled); } else { DBGPRINT(("TERMSRV: WinstationRegUnLoadKey adjust privilege failed. \n")); bResult = FALSE; } LEAVECRIT(&UserProfileLock); return bResult; } ULONG WinstationCountUserSessions(PSID pUserSid, ULONG CurrentLogonId) { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; ULONG Count = 0; PSID pSid; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); // Search the list for WinStations with a matching ListenName for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (pWinStation->LogonId == CurrentLogonId) { continue; } if (pWinStation->pUserSid != NULL) { pSid = pWinStation->pUserSid; } else { pSid = pWinStation->pProfileSid; } if ( (pSid != NULL) && RtlEqualSid( pSid, pUserSid ) ) { Count++; } } LEAVECRIT( &WinStationListLock ); return Count; } PWINSTATION FindConsoleSession() { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for a WinStation with the Console Session. */ searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if ( pWinStation->fOwnsConsoleTerminal) { uCount++; /* * Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; } #if DBG #else break; #endif } } ASSERT((uCount <= 1)); /* * If the WinStationList lock should not be held, then release it now. */ LEAVECRIT( &WinStationListLock ); return pFoundWinStation; } PWINSTATION FindIdleSessionZero() { PLIST_ENTRY Head, Next; PWINSTATION pWinStation; PWINSTATION pFoundWinStation = NULL; ULONG uCount; Head = &WinStationListHead; ENTERCRIT( &WinStationListLock ); /* * Search the list for a WinStation with the Console Session. */ searchagain: uCount = 0; for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) { pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links ); if (pWinStation->LogonId == 0) { uCount++; /* * Now try to lock the WinStation. */ if (pFoundWinStation == NULL){ if ( !LockRefLock( &pWinStation->Lock ) ) goto searchagain; pFoundWinStation = pWinStation; } #if DBG #else break; #endif } } ASSERT((uCount <= 1)); /* * If the WinStationList lock should not be held, then release it now. */ LEAVECRIT( &WinStationListLock ); if (pFoundWinStation != NULL) { if ((pFoundWinStation->State == State_Disconnected) && (!pFoundWinStation->Flags) && (pFoundWinStation->UserName[0] == L'\0') ) { return pFoundWinStation; } else { ReleaseWinStation(pFoundWinStation); } } return NULL; } BOOLEAN WinStationCheckConsoleSession(VOID) { PWINSTATION pWinStation; NTSTATUS Status; // Check if there already is a console session pWinStation = FindConsoleSession(); if (pWinStation != NULL) { ReleaseWinStation(pWinStation); return TRUE; } else { if (gConsoleCreationDisable > 0) { return FALSE; } } // // See if we can use a disconnected session zero that is not in use // if (ConsoleReconnectInfo.hStack != NULL) { pWinStation = FindIdleSessionZero(); if (gConsoleCreationDisable > 0) { if (pWinStation != NULL) { ReleaseWinStation(pWinStation); } return FALSE; } if (pWinStation != NULL) { NTSTATUS Status; pWinStation->Flags |= WSF_CONNECT; Status = WinStationDoReconnect(pWinStation, &ConsoleReconnectInfo); pWinStation->Flags &= ~WSF_CONNECT; ReleaseWinStation(pWinStation); if (NT_SUCCESS(Status)) { RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); return TRUE; }else{ CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); } } } // We nead to create a new session to connect to the Console pWinStation = FindIdleWinStation(); if (pWinStation == NULL) { WinStationCreateWorker( NULL, NULL, TRUE); pWinStation = FindIdleWinStation(); if (pWinStation == NULL) { return FALSE; } } // It is possible that we may have found a idle winstation which is not yet started // We shud Start the Winstation now in that case // To check this, check the Subsystem/Initial program is non null if ( (pWinStation->InitialCommandProcess == NULL) && (pWinStation->WindowsSubSysProcess == NULL) ) { // Protect this WinStation with WSF_IDLEBUSY flag because we want to use it (WinStationStart unlocks the winstation) pWinStation->Flags |= WSF_IDLEBUSY; Status = WinStationStart( pWinStation ) ; if (Status != STATUS_SUCCESS) { // Starting the winstation failed - close connection endpoint and go and wait for another connection pWinStation->Flags &= ~WSF_IDLEBUSY; goto StartError; } pWinStation->Flags &= ~WSF_IDLEBUSY; Status = WinStationCreateComplete( pWinStation) ; if (Status != STATUS_SUCCESS) { // WinstationCreateComplete failed - close connection endpoint and go and wait for another connection goto StartError; } } if (gConsoleCreationDisable > 0) { ReleaseWinStation(pWinStation); return FALSE; } // Set the session as owning the Console and wakeup the WaitForConnectWorker // Actually there is more to do than that and I will need to process LLS licensing here. pWinStation->fOwnsConsoleTerminal = TRUE; pWinStation->State = State_ConnectQuery; pWinStation->Flags &= ~WSF_IDLE; wcscpy(pWinStation->WinStationName, L"Console"); CleanupReconnect(&ConsoleReconnectInfo); RtlZeroMemory(&ConsoleReconnectInfo,sizeof(RECONNECT_INFO)); NtSetEvent( pWinStation->ConnectEvent, NULL ); ReleaseWinStation(pWinStation); // If necessary, create another idle WinStation to replace the one being connected NtSetEvent(WinStationIdleControlEvent, NULL); return TRUE; StartError: if ( !(pWinStation->Flags & (WSF_RESET | WSF_DELETE)) ) { pWinStation->Flags |= WSF_DELETE; WinStationTerminate( pWinStation ); pWinStation->State = State_Down; //PostErrorValueEvent(EVENT_TS_WINSTATION_START_FAILED, Status); WinStationDeleteWorker(pWinStation); } else { ReleaseWinStation(pWinStation); } return FALSE; } /****************************************************************************** * Tells win32k to load the console shadow mirroring driver * * ENTRY: * pWinStation (input) * Pointer to the console Winstation. * pClientConfig (input) * Pointer to the configuration of the shadow client. * * EXIT: * STATUS_SUCCESS - no error * STATUS_xxx - error *****************************************************************************/ NTSTATUS ConsoleShadowStart( IN PWINSTATION pWinStation, IN PWINSTATIONCONFIG2 pClientConfig, IN PVOID pModuleData, IN ULONG ModuleDataLength) { NTSTATUS Status; WINSTATION_APIMSG WMsg; ULONG ReturnLength; TRACE((hTrace, TC_ICASRV, TT_API1, "CONSOLE REMOTING: LOAD DD\n")); Status = NtCreateEvent( &pWinStation->ShadowDisplayChangeEvent, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE ); if ( !NT_SUCCESS( Status) ) { goto badevent; } Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->ShadowDisplayChangeEvent, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hDisplayChangeEvent, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto badevent; } /* * Read Wd, Cd and Pd configuration data from registry */ Status = RegConsoleShadowQuery( SERVERNAME_CURRENT, pWinStation->WinStationName, pClientConfig->Wd.WdPrefix, &pWinStation->Config, sizeof(WINSTATIONCONFIG2), &ReturnLength ); if ( !NT_SUCCESS(Status) ) { goto badconfig; } /* * Build the Console Stack. * We need this special stack for the Console Shadow. */ Status = IcaOpen( &pWinStation->hIca ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badopen; } Status = IcaStackOpen( pWinStation->hIca, Stack_Console, (PROC)WsxStackIoControl, pWinStation, &pWinStation->hStack ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badstackopen; } DBGPRINT(("WinStationStart: pushing stack for console...\n")); /* * Load and initialize the WinStation extensions */ pWinStation->pWsx = FindWinStationExtensionDll( pWinStation->Config.Wd.WsxDLL, pWinStation->Config.Wd.WdFlag ); if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationInitialize ) { Status = pWinStation->pWsx->pWsxWinStationInitialize( &pWinStation->pWsxContext ); } if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badextension; } /* * Load the stack */ Status = IcaPushConsoleStack( (HANDLE)(pWinStation->hStack), pWinStation->WinStationName, &pWinStation->Config, pModuleData, ModuleDataLength); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV IcaOpen for console stack : Error 0x%x from IcaOpen, last error %d\n", Status, GetLastError() )); goto badpushstack; } DBGPRINT(("WinStationStart: pushed stack for console\n")); /* * This code is based on that in WaitForConnectWorker (see wait.c) */ if ( !(pWinStation->pWsx) || !(pWinStation->pWsx->pWsxInitializeClientData) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, No pWsxInitializeClientData\n" )); Status = STATUS_CTX_SHADOW_INVALID; goto done; } pWinStation->State = State_Idle; /* * Open the beep channel (if not already) and duplicate it. * This is one channel that both CSR and ICASRV have open. */ Status = IcaChannelOpen( pWinStation->hIca, Channel_Beep, NULL, &pWinStation->hIcaBeepChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, IcaChannelOpen 0x%x\n", pWinStation->LogonId, Status )); goto done; } Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->hIcaBeepChannel, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hIcaBeepChannel, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Open the thinwire channel (if not already) and duplicate it. * This is one channel that both CSR and ICASRV have open. */ Status = IcaChannelOpen( pWinStation->hIca, Channel_Virtual, VIRTUAL_THINWIRE, &pWinStation->hIcaThinwireChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, IcaChannelOpen 0x%x\n", pWinStation->LogonId, Status )); goto done; } Status = NtDuplicateObject( NtCurrentProcess(), pWinStation->hIcaThinwireChannel, pWinStation->WindowsSubSysProcess, &WMsg.u.DoConnect.hIcaThinwireChannel, 0, 0, DUPLICATE_SAME_ACCESS ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } Status = IcaChannelIoControl( pWinStation->hIcaThinwireChannel, IOCTL_ICA_CHANNEL_ENABLE_SHADOW, NULL, 0, NULL, 0, NULL ); ASSERT( NT_SUCCESS( Status ) ); /* * Video channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Video, NULL, &WMsg.u.DoConnect.hIcaVideoChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Keyboard channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Keyboard, NULL, &WMsg.u.DoConnect.hIcaKeyboardChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Mouse channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Mouse, NULL, &WMsg.u.DoConnect.hIcaMouseChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Command channel */ Status = WinStationOpenChannel( pWinStation->hIca, pWinStation->WindowsSubSysProcess, Channel_Command, NULL, &WMsg.u.DoConnect.hIcaCommandChannel ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, NtDuplicateObject 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Secure any virtual channels */ VirtualChannelSecurity( pWinStation ); /* * Get the client data */ Status = pWinStation->pWsx->pWsxInitializeClientData( pWinStation->pWsxContext, pWinStation->hStack, pWinStation->hIca, pWinStation->hIcaThinwireChannel, pWinStation->VideoModuleName, sizeof(pWinStation->VideoModuleName), &pWinStation->Config.Config.User, &pWinStation->Client.HRes, &pWinStation->Client.VRes, &pWinStation->Client.ColorDepth, &WMsg.u.DoConnect ); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, InitializeClientData failed 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * Store WinStation name in connect msg */ RtlCopyMemory( WMsg.u.DoConnect.WinStationName, pWinStation->WinStationName, sizeof(WINSTATIONNAME) ); /* * Save screen resolution, and color depth */ WMsg.u.DoConnect.HRes = pWinStation->Client.HRes; WMsg.u.DoConnect.VRes = pWinStation->Client.VRes; /* * Translate the color to the format excpected in winsrv */ switch(pWinStation->Client.ColorDepth){ case 1: WMsg.u.DoConnect.ColorDepth=4 ; // 16 colors break; case 2: WMsg.u.DoConnect.ColorDepth=8 ; // 256 break; case 4: WMsg.u.DoConnect.ColorDepth= 16;// 64K break; case 8: WMsg.u.DoConnect.ColorDepth= 24;// 16M break; #define DC_HICOLOR #ifdef DC_HICOLOR case 16: WMsg.u.DoConnect.ColorDepth= 15;// 32K break; #endif default: WMsg.u.DoConnect.ColorDepth=8 ; break; } /* * Tell Win32 about the connection */ WMsg.ApiNumber = SMWinStationDoConnect; WMsg.u.DoConnect.ConsoleShadowFlag = TRUE; Status = SendWinStationCommand( pWinStation, &WMsg, 60 ); TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: SMWinStationDoConnect %d Status=0x%x\n", pWinStation->LogonId, Status)); if ( !NT_SUCCESS( Status ) ) { DBGPRINT(( "TERMSRV: ConsoleShadowStart, LogonId=%d, SendWinStationCommand failed 0x%x\n", pWinStation->LogonId, Status )); goto done; } /* * This flag is important: without it, WinStationDoDisconnect won't let * Win32k know about the disconnection, so it can't unload the chained DD. */ pWinStation->StateFlags |= WSF_ST_CONNECTED_TO_CSRSS; /* * Set connect time */ NtQuerySystemTime( &pWinStation->ConnectTime ); /* * no need for logon timers here - we don't want to * stop the console session! */ TRACE((hTrace, TC_ICASRV, TT_API1, "CONSOLE REMOTING: LOADED DD\n")); pWinStation->State = State_Active; return Status; /* * Error paths: */ done: // to undo the push stack, does the IcaStackClose below suffice? pWinStation->State = State_Active; badpushstack: if (pWinStation->pWsxContext) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; } badextension: pWinStation->pWsx = NULL; IcaStackClose( pWinStation->hStack ); badstackopen: IcaClose( pWinStation->hIca ); badopen: pWinStation->Config = gConsoleConfig; badconfig: NtClose(pWinStation->ShadowDisplayChangeEvent); pWinStation->ShadowDisplayChangeEvent = NULL; badevent: return Status; } /****************************************************************************** * Tells win32k to unload the console shadow mirroring driver * * ENTRY: * pWinStation (input) * Pointer to the console Winstation. * * EXIT: * STATUS_SUCCESS - no error * STATUS_xxx - error *****************************************************************************/ NTSTATUS ConsoleShadowStop(PWINSTATION pWinStation) { WINSTATION_APIMSG ConsoleShadowStopMsg; NTSTATUS Status; /* * Tell Win32k to unload the chained DD */ ConsoleShadowStopMsg.ApiNumber = SMWinStationDoDisconnect; ConsoleShadowStopMsg.u.DoDisconnect.ConsoleShadowFlag = TRUE; Status = SendWinStationCommand( pWinStation, &ConsoleShadowStopMsg, 600 ); if ( !NT_SUCCESS(Status) ) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: CSR ConsoleShadowStop failed LogonId=%d Status=0x%x\n", pWinStation->LogonId, Status )); } /* * No matter what happened, everything must be undone. */ if (pWinStation->pWsxContext) { if ( pWinStation->pWsx && pWinStation->pWsx->pWsxWinStationRundown ) { pWinStation->pWsx->pWsxWinStationRundown( pWinStation->pWsxContext ); } pWinStation->pWsxContext = NULL; } pWinStation->pWsx = NULL; IcaStackClose( pWinStation->hStack ); IcaClose( pWinStation->hIca ); /* * Close various ICA channel handles */ if ( pWinStation->hIcaBeepChannel ) { (void) IcaChannelClose( pWinStation->hIcaBeepChannel ); pWinStation->hIcaBeepChannel = NULL; } if ( pWinStation->hIcaThinwireChannel ) { (void) IcaChannelClose( pWinStation->hIcaThinwireChannel ); pWinStation->hIcaThinwireChannel = NULL; } /* * Restore console config. */ pWinStation->Config = gConsoleConfig; NtClose(pWinStation->ShadowDisplayChangeEvent); pWinStation->ShadowDisplayChangeEvent = NULL; return Status; } ULONG CodePairs[] = { // Very general NT Status STATUS_SUCCESS, NO_ERROR, STATUS_NO_MEMORY, ERROR_NOT_ENOUGH_MEMORY, STATUS_ACCESS_DENIED, ERROR_ACCESS_DENIED, STATUS_INSUFFICIENT_RESOURCES, ERROR_NO_SYSTEM_RESOURCES, STATUS_BUFFER_TOO_SMALL, ERROR_INSUFFICIENT_BUFFER, STATUS_OBJECT_NAME_NOT_FOUND, ERROR_FILE_NOT_FOUND, STATUS_NOT_SUPPORTED, ERROR_NOT_SUPPORTED, // RPC specific Status RPC_NT_SERVER_UNAVAILABLE, RPC_S_SERVER_UNAVAILABLE, RPC_NT_INVALID_STRING_BINDING, RPC_S_INVALID_STRING_BINDING, RPC_NT_WRONG_KIND_OF_BINDING, RPC_S_WRONG_KIND_OF_BINDING, RPC_NT_PROTSEQ_NOT_SUPPORTED, RPC_S_PROTSEQ_NOT_SUPPORTED, RPC_NT_INVALID_RPC_PROTSEQ, RPC_S_INVALID_RPC_PROTSEQ, RPC_NT_INVALID_STRING_UUID, RPC_S_INVALID_STRING_UUID, RPC_NT_INVALID_ENDPOINT_FORMAT, RPC_S_INVALID_ENDPOINT_FORMAT, RPC_NT_INVALID_NET_ADDR, RPC_S_INVALID_NET_ADDR, RPC_NT_NO_ENDPOINT_FOUND, RPC_S_NO_ENDPOINT_FOUND, RPC_NT_INVALID_TIMEOUT, RPC_S_INVALID_TIMEOUT, RPC_NT_OBJECT_NOT_FOUND, RPC_S_OBJECT_NOT_FOUND, RPC_NT_ALREADY_REGISTERED, RPC_S_ALREADY_REGISTERED, RPC_NT_TYPE_ALREADY_REGISTERED, RPC_S_TYPE_ALREADY_REGISTERED, RPC_NT_ALREADY_LISTENING, RPC_S_ALREADY_LISTENING, RPC_NT_NO_PROTSEQS_REGISTERED, RPC_S_NO_PROTSEQS_REGISTERED, RPC_NT_NOT_LISTENING, RPC_S_NOT_LISTENING, RPC_NT_UNKNOWN_MGR_TYPE, RPC_S_UNKNOWN_MGR_TYPE, RPC_NT_UNKNOWN_IF, RPC_S_UNKNOWN_IF, RPC_NT_NO_BINDINGS, RPC_S_NO_BINDINGS, RPC_NT_NO_MORE_BINDINGS, RPC_S_NO_MORE_BINDINGS, RPC_NT_NO_PROTSEQS, RPC_S_NO_PROTSEQS, RPC_NT_CANT_CREATE_ENDPOINT, RPC_S_CANT_CREATE_ENDPOINT, RPC_NT_OUT_OF_RESOURCES, RPC_S_OUT_OF_RESOURCES, RPC_NT_SERVER_TOO_BUSY, RPC_S_SERVER_TOO_BUSY, RPC_NT_INVALID_NETWORK_OPTIONS, RPC_S_INVALID_NETWORK_OPTIONS, RPC_NT_NO_CALL_ACTIVE, RPC_S_NO_CALL_ACTIVE, RPC_NT_CALL_FAILED, RPC_S_CALL_FAILED, RPC_NT_CALL_FAILED_DNE, RPC_S_CALL_FAILED_DNE, RPC_NT_PROTOCOL_ERROR, RPC_S_PROTOCOL_ERROR, RPC_NT_UNSUPPORTED_TRANS_SYN, RPC_S_UNSUPPORTED_TRANS_SYN, RPC_NT_UNSUPPORTED_TYPE, RPC_S_UNSUPPORTED_TYPE, RPC_NT_INVALID_TAG, RPC_S_INVALID_TAG, RPC_NT_INVALID_BOUND, RPC_S_INVALID_BOUND, RPC_NT_NO_ENTRY_NAME, RPC_S_NO_ENTRY_NAME, RPC_NT_INVALID_NAME_SYNTAX, RPC_S_INVALID_NAME_SYNTAX, RPC_NT_UNSUPPORTED_NAME_SYNTAX, RPC_S_UNSUPPORTED_NAME_SYNTAX, RPC_NT_UUID_NO_ADDRESS, RPC_S_UUID_NO_ADDRESS, RPC_NT_DUPLICATE_ENDPOINT, RPC_S_DUPLICATE_ENDPOINT, RPC_NT_UNKNOWN_AUTHN_TYPE, RPC_S_UNKNOWN_AUTHN_TYPE, RPC_NT_MAX_CALLS_TOO_SMALL, RPC_S_MAX_CALLS_TOO_SMALL, RPC_NT_STRING_TOO_LONG, RPC_S_STRING_TOO_LONG, RPC_NT_PROTSEQ_NOT_FOUND, RPC_S_PROTSEQ_NOT_FOUND, RPC_NT_PROCNUM_OUT_OF_RANGE, RPC_S_PROCNUM_OUT_OF_RANGE, RPC_NT_BINDING_HAS_NO_AUTH, RPC_S_BINDING_HAS_NO_AUTH, RPC_NT_UNKNOWN_AUTHN_SERVICE, RPC_S_UNKNOWN_AUTHN_SERVICE, RPC_NT_UNKNOWN_AUTHN_LEVEL, RPC_S_UNKNOWN_AUTHN_LEVEL, RPC_NT_INVALID_AUTH_IDENTITY, RPC_S_INVALID_AUTH_IDENTITY, RPC_NT_UNKNOWN_AUTHZ_SERVICE, RPC_S_UNKNOWN_AUTHZ_SERVICE, RPC_NT_NOTHING_TO_EXPORT, RPC_S_NOTHING_TO_EXPORT, RPC_NT_INCOMPLETE_NAME, RPC_S_INCOMPLETE_NAME, RPC_NT_INVALID_VERS_OPTION, RPC_S_INVALID_VERS_OPTION, RPC_NT_NO_MORE_MEMBERS, RPC_S_NO_MORE_MEMBERS, RPC_NT_NOT_ALL_OBJS_UNEXPORTED, RPC_S_NOT_ALL_OBJS_UNEXPORTED, RPC_NT_INTERFACE_NOT_FOUND, RPC_S_INTERFACE_NOT_FOUND, RPC_NT_ENTRY_ALREADY_EXISTS, RPC_S_ENTRY_ALREADY_EXISTS, RPC_NT_ENTRY_NOT_FOUND, RPC_S_ENTRY_NOT_FOUND, RPC_NT_NAME_SERVICE_UNAVAILABLE, RPC_S_NAME_SERVICE_UNAVAILABLE, RPC_NT_INVALID_NAF_ID, RPC_S_INVALID_NAF_ID, RPC_NT_CANNOT_SUPPORT, RPC_S_CANNOT_SUPPORT, RPC_NT_NO_CONTEXT_AVAILABLE, RPC_S_NO_CONTEXT_AVAILABLE, RPC_NT_INTERNAL_ERROR, RPC_S_INTERNAL_ERROR, RPC_NT_ZERO_DIVIDE, RPC_S_ZERO_DIVIDE, RPC_NT_ADDRESS_ERROR, RPC_S_ADDRESS_ERROR, RPC_NT_FP_DIV_ZERO, RPC_S_FP_DIV_ZERO, RPC_NT_FP_UNDERFLOW, RPC_S_FP_UNDERFLOW, RPC_NT_FP_OVERFLOW, RPC_S_FP_OVERFLOW, RPC_NT_NO_MORE_ENTRIES, RPC_X_NO_MORE_ENTRIES, RPC_NT_SS_CHAR_TRANS_OPEN_FAIL, RPC_X_SS_CHAR_TRANS_OPEN_FAIL, RPC_NT_SS_CHAR_TRANS_SHORT_FILE, RPC_X_SS_CHAR_TRANS_SHORT_FILE, RPC_NT_SS_CONTEXT_MISMATCH, ERROR_INVALID_HANDLE, RPC_NT_SS_CONTEXT_DAMAGED, RPC_X_SS_CONTEXT_DAMAGED, RPC_NT_SS_HANDLES_MISMATCH, RPC_X_SS_HANDLES_MISMATCH, RPC_NT_SS_CANNOT_GET_CALL_HANDLE, RPC_X_SS_CANNOT_GET_CALL_HANDLE, RPC_NT_NULL_REF_POINTER, RPC_X_NULL_REF_POINTER, RPC_NT_ENUM_VALUE_OUT_OF_RANGE, RPC_X_ENUM_VALUE_OUT_OF_RANGE, RPC_NT_BYTE_COUNT_TOO_SMALL, RPC_X_BYTE_COUNT_TOO_SMALL, RPC_NT_BAD_STUB_DATA, RPC_X_BAD_STUB_DATA, RPC_NT_INVALID_OBJECT, RPC_S_INVALID_OBJECT, RPC_NT_GROUP_MEMBER_NOT_FOUND, RPC_S_GROUP_MEMBER_NOT_FOUND, RPC_NT_NO_INTERFACES, RPC_S_NO_INTERFACES, RPC_NT_CALL_CANCELLED, RPC_S_CALL_CANCELLED, RPC_NT_BINDING_INCOMPLETE, RPC_S_BINDING_INCOMPLETE, RPC_NT_COMM_FAILURE, RPC_S_COMM_FAILURE, RPC_NT_UNSUPPORTED_AUTHN_LEVEL, RPC_S_UNSUPPORTED_AUTHN_LEVEL, RPC_NT_NO_PRINC_NAME, RPC_S_NO_PRINC_NAME, RPC_NT_NOT_RPC_ERROR, RPC_S_NOT_RPC_ERROR, RPC_NT_UUID_LOCAL_ONLY, RPC_S_UUID_LOCAL_ONLY, RPC_NT_SEC_PKG_ERROR, RPC_S_SEC_PKG_ERROR, RPC_NT_NOT_CANCELLED, RPC_S_NOT_CANCELLED, RPC_NT_INVALID_ES_ACTION, RPC_X_INVALID_ES_ACTION, RPC_NT_WRONG_ES_VERSION, RPC_X_WRONG_ES_VERSION, RPC_NT_WRONG_STUB_VERSION, RPC_X_WRONG_STUB_VERSION, RPC_NT_INVALID_PIPE_OBJECT, RPC_X_INVALID_PIPE_OBJECT, RPC_NT_WRONG_PIPE_VERSION, RPC_X_WRONG_PIPE_VERSION, RPC_NT_SEND_INCOMPLETE, RPC_S_SEND_INCOMPLETE, RPC_NT_INVALID_ASYNC_HANDLE, RPC_S_INVALID_ASYNC_HANDLE, RPC_NT_INVALID_ASYNC_CALL, RPC_S_INVALID_ASYNC_CALL, RPC_NT_PIPE_CLOSED, RPC_X_PIPE_CLOSED, RPC_NT_PIPE_EMPTY, RPC_X_PIPE_EMPTY, RPC_NT_PIPE_DISCIPLINE_ERROR, RPC_X_PIPE_DISCIPLINE_ERROR, // Terminal Server Specific Status. STATUS_CTX_CLOSE_PENDING, ERROR_CTX_CLOSE_PENDING, STATUS_CTX_NO_OUTBUF, ERROR_CTX_NO_OUTBUF, STATUS_CTX_MODEM_INF_NOT_FOUND, ERROR_CTX_MODEM_INF_NOT_FOUND, STATUS_CTX_INVALID_MODEMNAME, ERROR_CTX_INVALID_MODEMNAME, STATUS_CTX_RESPONSE_ERROR, ERROR_CTX_MODEM_RESPONSE_ERROR, STATUS_CTX_MODEM_RESPONSE_TIMEOUT, ERROR_CTX_MODEM_RESPONSE_TIMEOUT, STATUS_CTX_MODEM_RESPONSE_NO_CARRIER, ERROR_CTX_MODEM_RESPONSE_NO_CARRIER, STATUS_CTX_MODEM_RESPONSE_NO_DIALTONE, ERROR_CTX_MODEM_RESPONSE_NO_DIALTONE, STATUS_CTX_MODEM_RESPONSE_BUSY, ERROR_CTX_MODEM_RESPONSE_BUSY, STATUS_CTX_MODEM_RESPONSE_VOICE, ERROR_CTX_MODEM_RESPONSE_VOICE, STATUS_CTX_TD_ERROR, ERROR_CTX_TD_ERROR, STATUS_LPC_REPLY_LOST, ERROR_CONNECTION_ABORTED, STATUS_CTX_WINSTATION_NAME_INVALID, ERROR_CTX_WINSTATION_NAME_INVALID, STATUS_CTX_WINSTATION_NOT_FOUND, ERROR_CTX_WINSTATION_NOT_FOUND, STATUS_CTX_WINSTATION_NAME_COLLISION, ERROR_CTX_WINSTATION_ALREADY_EXISTS, STATUS_CTX_WINSTATION_BUSY, ERROR_CTX_WINSTATION_BUSY, STATUS_CTX_GRAPHICS_INVALID, ERROR_CTX_GRAPHICS_INVALID, STATUS_CTX_BAD_VIDEO_MODE, ERROR_CTX_BAD_VIDEO_MODE, STATUS_CTX_NOT_CONSOLE, ERROR_CTX_NOT_CONSOLE, STATUS_CTX_CLIENT_QUERY_TIMEOUT, ERROR_CTX_CLIENT_QUERY_TIMEOUT, STATUS_CTX_CONSOLE_DISCONNECT, ERROR_CTX_CONSOLE_DISCONNECT, STATUS_CTX_CONSOLE_CONNECT, ERROR_CTX_CONSOLE_CONNECT, STATUS_CTX_SHADOW_DENIED, ERROR_CTX_SHADOW_DENIED, STATUS_CTX_SHADOW_INVALID, ERROR_CTX_SHADOW_INVALID, STATUS_CTX_SHADOW_DISABLED, ERROR_CTX_SHADOW_DISABLED, STATUS_CTX_WINSTATION_ACCESS_DENIED, ERROR_CTX_WINSTATION_ACCESS_DENIED, STATUS_CTX_INVALID_PD, ERROR_CTX_INVALID_PD, STATUS_CTX_PD_NOT_FOUND, ERROR_CTX_PD_NOT_FOUND, STATUS_CTX_INVALID_WD, ERROR_CTX_INVALID_WD, STATUS_CTX_WD_NOT_FOUND, ERROR_CTX_WD_NOT_FOUND, STATUS_CTX_CLIENT_LICENSE_IN_USE, ERROR_CTX_CLIENT_LICENSE_IN_USE, STATUS_CTX_CLIENT_LICENSE_NOT_SET, ERROR_CTX_CLIENT_LICENSE_NOT_SET, STATUS_CTX_LICENSE_NOT_AVAILABLE, ERROR_CTX_LICENSE_NOT_AVAILABLE, STATUS_CTX_LICENSE_CLIENT_INVALID, ERROR_CTX_LICENSE_CLIENT_INVALID, STATUS_CTX_LICENSE_EXPIRED, ERROR_CTX_LICENSE_EXPIRED, }; /* * WinStationWinerrorToNtStatus * Translate a Windows error code into an NTSTATUS code. */ NTSTATUS WinStationWinerrorToNtStatus(ULONG ulWinError) { ULONG ulIndex; for (ulIndex = 0 ; ulIndex < sizeof(CodePairs)/sizeof(CodePairs[0]) ; ulIndex+=2) { if (CodePairs[ ulIndex+1 ] == ulWinError ) { return (NTSTATUS) CodePairs[ ulIndex]; } } return STATUS_UNSUCCESSFUL; } /* * WinStationSetMaxOustandingConnections() set the default values * for the maximum number of outstanding connection connections. * Reads the registry configuration for it if it exists. */ VOID WinStationSetMaxOustandingConnections() { SYSTEM_BASIC_INFORMATION BasicInfo; HKEY hKey; NTSTATUS Status; BOOL bLargeMachine = FALSE; // Initialize date of last delayed connection that was logged into // event log. In order not to flood event log with what may not be a DOS // attack but just a normal regulation action, delayed connection are not // logged more than once in 24h. GetSystemTime(&LastLoggedDelayConnection); // Init the default values for maximum outstanding connection and // Maximumn outstanding connections from single IP address. For // Non server platforms these are fixed values. if (!gbServer) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS_PRO; MaxSingleOutStandingConnect = MAX_DEFAULT_SINGLE_CONNECTIONS_PRO; } else { // Determine if this Machine has over 512Mb of memory // In order to set defaults Values (registry settings overide this anyway). // Default value are not changed for machines over 512 Mb : Session regulation // is trigered if we have 50 outstanding connection and we will wait 30 seconds // before acception new connections. For machines with less than 512 Mb, regulation // needs to be stronger : it is trigered at lower number of outstanding connections and we will // wait 70 seconds before accepting new connections. MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS; Status = NtQuerySystemInformation( SystemBasicInformation, &BasicInfo, sizeof(BasicInfo), NULL ); if (NT_SUCCESS(Status)) { if (BasicInfo.PageSize > 1024*1024) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS; DelayConnectionTime = 30*1000; }else{ ULONG ulPagesPerMeg = 1024*1024/BasicInfo.PageSize; ULONG ulMemSizeInMegabytes = (ULONG)BasicInfo.NumberOfPhysicalPages/ulPagesPerMeg ; if (ulMemSizeInMegabytes >= 512) { MaxOutStandingConnect = MAX_DEFAULT_CONNECTIONS; DelayConnectionTime = 70*1000; } else if (ulMemSizeInMegabytes >= 256) { MaxOutStandingConnect = 15; DelayConnectionTime = 70*1000; } else if (ulMemSizeInMegabytes >= 128) { MaxOutStandingConnect = 10; DelayConnectionTime = 70*1000; } else { MaxOutStandingConnect = 5; DelayConnectionTime = 70*1000; } } } // // set max number of outstanding connection from single IP // if ( MaxOutStandingConnect < MAX_SINGLE_CONNECT_THRESHOLD_DIFF*5) { MaxSingleOutStandingConnect = MaxOutStandingConnect - 1; } else { MaxSingleOutStandingConnect = MaxOutStandingConnect - MAX_SINGLE_CONNECT_THRESHOLD_DIFF; } } } /* * Make sure we can Preallocate an Idle session before allowing console disconnect. * */ NTSTATUS CheckIdleWinstation() { PWINSTATION pWinStation; NTSTATUS Status; pWinStation = FindIdleWinStation(); if ( pWinStation == NULL ) { /* * Create another idle WinStation */ Status = WinStationCreateWorker( NULL, NULL, TRUE ); if ( NT_SUCCESS( Status ) ) { pWinStation = FindIdleWinStation(); if ( pWinStation == NULL ) { return STATUS_INSUFFICIENT_RESOURCES; } } else { return STATUS_INSUFFICIENT_RESOURCES; } } ReleaseWinStation(pWinStation); return STATUS_SUCCESS; } NTSTATUS InitializeWinStationSecurityLock( VOID ) { NTSTATUS Status ; try { RtlInitializeResource( &WinStationSecurityLock ); Status = STATUS_SUCCESS ; } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); } return Status; } //gets the product id from the registry NTSTATUS GetProductIdFromRegistry( WCHAR* DigProductId, DWORD dwSize ) { HKEY hKey = NULL; NTSTATUS status = STATUS_UNSUCCESSFUL; ZeroMemory( DigProductId, dwSize ); if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, REG_WINDOWS_KEY, 0, KEY_READ, &hKey) == ERROR_SUCCESS ) { DWORD dwType = REG_SZ; if( RegQueryValueEx( hKey, L"ProductId", NULL, &dwType, (LPBYTE)DigProductId, &dwSize ) == ERROR_SUCCESS ) status = STATUS_SUCCESS; } if (hKey) RegCloseKey( hKey ); return status; } // // Gets the remote IP address of the connections // and supports statistics of how many outstanding connections // are there for this client, if the number of outstanding connections // reaches MaxSingleOutStandingConnections, *pbBlocked is returned FALSE // the functions returns TRUE on success // // Paramters: // pContext // pEndpoint - handle of this connection // EndpointLength - td layer needs the length // pin_addr - returns remote IP address // pbBlocked - returns TRUE if the connection has to be blocked, because of excessive number of // outstanding connections // BOOL Filter_AddOutstandingConnection( IN HANDLE pContext, IN PVOID pEndpoint, IN ULONG EndpointLength, OUT PBYTE pin_addr, OUT PUINT puAddrSize, OUT BOOLEAN *pbBlocked ) { BOOL rv = FALSE; PTS_OUTSTANDINGCONNECTION pIter, pPrev; TS_OUTSTANDINGCONNECTION key; struct sockaddr_in6 addr6; ULONG AddrBytesReturned; NTSTATUS Status; PVOID paddr; BOOL bLocked = FALSE; PVOID bSucc; BOOLEAN bNewElement; ULONGLONG currentTime; *pbBlocked = FALSE; Status = IcaStackIoControl( pContext, IOCTL_TS_STACK_QUERY_REMOTEADDRESS, pEndpoint, EndpointLength, &addr6, sizeof( addr6 ), &AddrBytesReturned ); if ( !NT_SUCCESS( Status )) { goto exitpt; } if ( AF_INET == addr6.sin6_family ) { key.uAddrSize = 4; paddr = &(((struct sockaddr_in *)&addr6)->sin_addr.s_addr); } else if ( AF_INET6 == addr6.sin6_family ) { key.uAddrSize = 16; paddr = &(addr6.sin6_addr); } else { ASSERT( 0 ); } ASSERT ( *puAddrSize >= key.uAddrSize ); RtlCopyMemory( pin_addr, paddr, key.uAddrSize ); *puAddrSize = key.uAddrSize; ENTERCRIT( &FilterLock ); bLocked = TRUE; // // Check first in the outstanding connections // RtlCopyMemory( key.addr, paddr, key.uAddrSize ); pIter = RtlLookupElementGenericTable( &gOutStandingConnections, &key ); if ( NULL == pIter ) { // // check in the blocked connections list // pPrev = NULL; pIter = g_pBlockedConnections; while ( NULL != pIter ) { if ( key.uAddrSize == pIter->uAddrSize && key.uAddrSize == RtlCompareMemory( pIter->addr, paddr, key.uAddrSize )) { break; } pPrev = pIter; pIter = pIter->pNext; } if ( NULL != pIter ) { pIter->NumOutStandingConnect ++; // // already blocked, check for exparation time // GetSystemTimeAsFileTime( (LPFILETIME)¤tTime ); if ( currentTime > pIter->blockUntilTime ) { // // unblock, remove from list // pIter->blockUntilTime = 0; if ( NULL != pPrev ) { pPrev->pNext = pIter->pNext; } else { g_pBlockedConnections = pIter->pNext; } bSucc = RtlInsertElementGenericTable( &gOutStandingConnections, pIter, sizeof( *pIter ), &bNewElement ); if ( !bSucc ) { MemFree( pIter ); goto exitpt; } ASSERT( bNewElement ); MemFree( pIter ); } else { *pbBlocked = TRUE; } } else { // // this will be a new connection // key.NumOutStandingConnect = 1; bSucc = RtlInsertElementGenericTable( &gOutStandingConnections, &key, sizeof( key ), &bNewElement ); if ( !bSucc ) { goto exitpt; } ASSERT( bNewElement ); } } else { pIter->NumOutStandingConnect ++; // // Check if we need to block this connection // if ( pIter->NumOutStandingConnect > MaxSingleOutStandingConnect ) { *pbBlocked = TRUE; key.NumOutStandingConnect = pIter->NumOutStandingConnect; GetSystemTimeAsFileTime( (LPFILETIME)¤tTime ); // DelayConnectionTime is in ms // currentTime is in 100s ns key.blockUntilTime = currentTime + ((ULONGLONG)10000) * ((ULONGLONG)DelayConnectionTime); RtlDeleteElementGenericTable( &gOutStandingConnections, &key ); // // add to the blocked connections // pIter = MemAlloc( sizeof( *pIter )); if ( NULL == pIter ) { goto exitpt; } RtlCopyMemory( pIter, &key, sizeof( *pIter )); pIter->pNext = g_pBlockedConnections; g_pBlockedConnections = pIter; // // log at most one event on every 15 minutes // if ( LastLoggedBlockedConnection + ((ULONGLONG)10000) * (15 * 60 * 1000) < currentTime ) { LastLoggedBlockedConnection = currentTime; WriteErrorLogEntry( EVENT_TOO_MANY_CONNECTIONS, &key.addr, key.uAddrSize ); } } } rv = TRUE; exitpt: if ( bLocked ) { LEAVECRIT( &FilterLock ); } return rv; } // // Removes outstanding connections added in AddOutStandingConnection // BOOL Filter_RemoveOutstandingConnection( IN PBYTE paddr, IN UINT uAddrSize ) { PTS_OUTSTANDINGCONNECTION pIter, pPrev, pNext; TS_OUTSTANDINGCONNECTION key; ULONGLONG currentTime; NTSTATUS Status; ULONG AddrBytesReturned; #if DBG BOOL bFound = FALSE; #endif pPrev = NULL; GetSystemTimeAsFileTime( (LPFILETIME)¤tTime ); key.uAddrSize = uAddrSize; RtlCopyMemory( key.addr, paddr, uAddrSize ); ENTERCRIT( &FilterLock ); pIter = RtlLookupElementGenericTable( &gOutStandingConnections, &key ); if ( NULL != pIter ) { #if DBG bFound = TRUE; #endif pIter->NumOutStandingConnect--; // // cleanup connections w/o reference // if ( 0 == pIter->NumOutStandingConnect ) { RtlDeleteElementGenericTable( &gOutStandingConnections, &key ); } } // // work through the blocked list // pIter = g_pBlockedConnections; while( pIter ) { if ( uAddrSize == pIter->uAddrSize && uAddrSize == RtlCompareMemory( pIter->addr, paddr, uAddrSize )) { ASSERT( 0 != pIter->NumOutStandingConnect ); pIter->NumOutStandingConnect--; #if DBG ASSERT( !bFound ); bFound = TRUE; #endif } // // cleanup all connections w/o references // if ( 0 == pIter->NumOutStandingConnect && currentTime > pIter->blockUntilTime ) { if ( NULL == pPrev ) { g_pBlockedConnections = pIter->pNext; } else { pPrev->pNext = pIter->pNext; } // // remove item and advance to the next // pNext = pIter->pNext; MemFree( pIter ); pIter = pNext; } else { // // advance to the next item // pPrev = pIter; pIter = pIter->pNext; } } ASSERT( bFound ); /* * Decrement the number of outstanding connections. * If connections drop back to max value, set the connect event. */ #if DBG // // ensure proper cleanup // bFound = ( 0 == gOutStandingConnections.NumberGenericTableElements ); for( pIter = g_pBlockedConnections; pIter; pIter = pIter->pNext ) { bFound = bFound & ( 0 == pIter->NumOutStandingConnect ); } #endif LEAVECRIT( &FilterLock ); return TRUE; } /***************************************************************************** * * Filter_CompareConnectionEntry * * Generic table support.Compare two connection entries * * ****************************************************************************/ RTL_GENERIC_COMPARE_RESULTS NTAPI Filter_CompareConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance ) { PTS_OUTSTANDINGCONNECTION pFirst, pSecond; INT rc; pFirst = (PTS_OUTSTANDINGCONNECTION)FirstInstance; pSecond = (PTS_OUTSTANDINGCONNECTION)SecondInstance; if ( pFirst->uAddrSize < pSecond->uAddrSize ) { return GenericLessThan; } else if ( pFirst->uAddrSize > pSecond->uAddrSize ) { return GenericGreaterThan; } rc = memcmp( pFirst->addr, pSecond->addr, pFirst->uAddrSize ); return ( rc < 0 )?GenericLessThan: ( rc > 0 )?GenericGreaterThan: GenericEqual; } /***************************************************************************** * * Filter_AllocateConnectionEntry * * Generic table support. Allocates a new table entry * * ****************************************************************************/ PVOID Filter_AllocateConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN CLONG ByteSize ) { return MemAlloc( ByteSize ); } /***************************************************************************** * * Filter_FreeConnectionEntry * * Generic table support. frees a new table entry * * ****************************************************************************/ VOID Filter_FreeConnectionEntry ( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID Buffer ) { MemFree( Buffer ); } VOID Filter_DestroyList( VOID ) { PTS_OUTSTANDINGCONNECTION p; TS_OUTSTANDINGCONNECTION con; while ( NULL != g_pBlockedConnections ) { p = g_pBlockedConnections->pNext; MemFree( g_pBlockedConnections ); g_pBlockedConnections = p; } while (p = RtlEnumerateGenericTable( &gOutStandingConnections, TRUE)) { RtlCopyMemory( &con, p, sizeof( con )); RtlDeleteElementGenericTable( &gOutStandingConnections, &con); } } // // ComputeHMACVerifier // Compute the HMAC verifier from the random // and the cookie // BOOL ComputeHMACVerifier( PBYTE pCookie, //IN - the shared secret LONG cbCookieLen, //IN - the shared secret len PBYTE pRandom, //IN - the session random LONG cbRandomLen, //IN - the session random len PBYTE pVerifier, //OUT- the verifier LONG cbVerifierLen //IN - the verifier buffer length ) { HMACMD5_CTX hmacctx; BOOL fRet = FALSE; ASSERT(cbVerifierLen >= MD5DIGESTLEN); if (!(pCookie && cbCookieLen && pRandom && cbRandomLen && pVerifier && cbVerifierLen)) { goto bail_out; } HMACMD5Init(&hmacctx, pCookie, cbCookieLen); HMACMD5Update(&hmacctx, pRandom, cbRandomLen); HMACMD5Final(&hmacctx, pVerifier); fRet = TRUE; bail_out: return fRet; } // // Extract the session to reconnect to from the ARC info // also do the necessary security checks // // Params: // pClientArcInfo - autoreconnect information from the client // // Returns: // If all security checks pass and pArc is valid then winstation // to reconnect to is returned. Else NULL // // NOTE: WinStation returned is left LOCKED. // PWINSTATION GetWinStationFromArcInfo( PBYTE pClientRandom, LONG cbClientRandomLen, PTS_AUTORECONNECTINFO pClientArcInfo ) { NTSTATUS Status = STATUS_UNSUCCESSFUL; PWINSTATION pWinStation = NULL; PWINSTATION pFoundWinStation = NULL; ARC_CS_PRIVATE_PACKET UNALIGNED* pCSArcInfo = NULL; BYTE arcSCclientBlob[ARC_SC_SECURITY_TOKEN_LEN]; BYTE hmacVerifier[ARC_CS_SECURITY_TOKEN_LEN]; PBYTE pServerArcBits = NULL; ULONG BytesGot = 0; TS_AUTORECONNECTINFO SCAutoReconnectInfo; TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStation GetWinStationFromArcInfo pRandom:%p len:%d\n", pClientRandom, cbClientRandomLen)); if (!pClientArcInfo) { goto error; } pCSArcInfo = (ARC_CS_PRIVATE_PACKET UNALIGNED*)pClientArcInfo->AutoReconnectInfo; if (!pCSArcInfo->cbLen || pCSArcInfo->cbLen < sizeof(ARC_CS_PRIVATE_PACKET)) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: GetWinStationFromArcInfo ARC length invalid bailing out\n")); goto error; } memset(arcSCclientBlob, 0, sizeof(arcSCclientBlob)); pWinStation = FindWinStationById(pCSArcInfo->LogonId, FALSE); if (pWinStation) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: GetWinStationFromArcInfo found arc winstation: %d\n", pCSArcInfo->LogonId)); // // Do security checks to ensure this is the same winstation // that was connected to the client // // // First obtain the last autoreconnect blob sent to the client // since we do an inline cookie update in rdpwd // if (pWinStation->AutoReconnectInfo.Valid) { pServerArcBits = pWinStation->AutoReconnectInfo.ArcRandomBits; Status = STATUS_SUCCESS; } else { if (pWinStation->pWsx && pWinStation->pWsx->pWsxEscape) { if (pWinStation->Terminating || pWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE || !pWinStation->WinStationName[0]) { TRACE((hTrace,TC_ICASRV,TT_ERROR, "GetWinStationFromArcInfo skipping escape" "to closed stack disconnected %d\n", LogonId)); Status = STATUS_ACCESS_DENIED; goto error; } Status = pWinStation->pWsx->pWsxEscape( pWinStation->pWsxContext, GET_SC_AUTORECONNECT_INFO, NULL, 0, &SCAutoReconnectInfo, sizeof(SCAutoReconnectInfo), &BytesGot); if (NT_SUCCESS(Status)) { ASSERT(SCAutoReconnectInfo.cbAutoReconnectInfo == ARC_SC_SECURITY_TOKEN_LEN); } pServerArcBits = SCAutoReconnectInfo.AutoReconnectInfo; } } } else { Status = STATUS_ACCESS_DENIED; } if (NT_SUCCESS(Status)) { // // Ensure we got the correct length for the server->client // data // ASSERT(pServerArcBits); // // Get random // if (ComputeHMACVerifier(pServerArcBits, ARC_SC_SECURITY_TOKEN_LEN, pClientRandom, cbClientRandomLen, (PBYTE)hmacVerifier, sizeof(hmacVerifier))) { // // Check that the verifier matches that sent by the client // if (!memcmp(hmacVerifier, pCSArcInfo->SecurityVerifier, sizeof(pCSArcInfo->SecurityVerifier))) { TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStation ARC info matches - will autoreconnect\n")); } else { TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: autoreconnect verifier does not match targid:%d!!!\n", pWinStation->LogonId)); // // Reset the autoreconnect info // pWinStation->AutoReconnectInfo.Valid = FALSE; memset(pWinStation->AutoReconnectInfo.ArcRandomBits, 0, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)); // // Log an event // PostErrorValueEvent(EVENT_AUTORECONNECT_AUTHENTICATION_FAILED, Status); // // Mark that no winstation target was found // goto error; } } pFoundWinStation = pWinStation; } error: if ((NULL == pFoundWinStation) && pWinStation) { ReleaseWinStation(pWinStation); pWinStation = NULL; } return pFoundWinStation; } // // Extract the session to reconnect to from the ARC info // also do the necessary security checks // // Params: // pWinStation - winstation to reset autoreconnect info for // VOID ResetAutoReconnectInfo( PWINSTATION pWinStation) { pWinStation->AutoReconnectInfo.Valid = FALSE; memset(pWinStation->AutoReconnectInfo.ArcRandomBits, 0, sizeof(pWinStation->AutoReconnectInfo.ArcRandomBits)); } /***************************************************************************** * * Filter_CompareConnectionEntry * * Generic table support.Compare two connection entries * * ****************************************************************************/ RTL_GENERIC_COMPARE_RESULTS NTAPI Filter_CompareFailedConnectionEntry( IN struct _RTL_GENERIC_TABLE *Table, IN PVOID FirstInstance, IN PVOID SecondInstance ) { PTS_FAILEDCONNECTION pFirst, pSecond; INT rc; pFirst = (PTS_FAILEDCONNECTION)FirstInstance; pSecond = (PTS_FAILEDCONNECTION)SecondInstance; if ( pFirst->uAddrSize < pSecond->uAddrSize ) { return GenericLessThan; } else if ( pFirst->uAddrSize > pSecond->uAddrSize ) { return GenericGreaterThan; } rc = memcmp( pFirst->addr, pSecond->addr, pFirst->uAddrSize ); return ( rc < 0 )?GenericLessThan: ( rc > 0 )?GenericGreaterThan: GenericEqual; } VOID ReadDoSParametersFromRegistry( HKEY hKeyTermSrv ) { DWORD dwLen; DWORD dwType; ULONG TimeLimitForFailedConnectionsMins, DoSBlockTimeMins; ULONG szBuffer[MAX_PATH/sizeof(ULONG)]; // Set Default values if Reg values are not set MaxFailedConnect = 5; DoSBlockTime = 5 * 60 * 1000; TimeLimitForFailedConnections = 2 * 60 * 1000; g_BlackListPolicy = TRUE; // // Get DoS parameters from Registry // dwLen = sizeof(MaxFailedConnect); if (RegQueryValueEx(hKeyTermSrv, MAX_FAILED_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { MaxFailedConnect = *(PULONG)szBuffer; } } // Note - for the next 2 parameters, whatever is present in the registry is in minutes // So convert it into milliseconds after reading dwLen = sizeof(TimeLimitForFailedConnectionsMins); if (RegQueryValueEx(hKeyTermSrv, TIME_LIMIT_FAILED_CONNECT, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { TimeLimitForFailedConnectionsMins = *(PULONG)szBuffer; TimeLimitForFailedConnections = TimeLimitForFailedConnectionsMins * 60 * 1000; } } dwLen = sizeof(DoSBlockTimeMins); if (RegQueryValueEx(hKeyTermSrv, DOS_BLOCK_TIME, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { DoSBlockTimeMins = *(PULONG)szBuffer; DoSBlockTime = DoSBlockTimeMins * 60 * 1000; } } // Table Cleanup time is twice the time within which a IP has to make "n" bad connections to get blocked // This should be in milliseconds CleanupTimeout = 2 * TimeLimitForFailedConnections; dwLen = sizeof(g_BlackListPolicy); if (RegQueryValueEx(hKeyTermSrv, BLACK_LIST_POLICY, NULL, &dwType, (PCHAR)&szBuffer, &dwLen) == ERROR_SUCCESS) { if (*(PULONG)szBuffer > 0) { g_BlackListPolicy = *(PULONG)szBuffer; } } } /******************************************************************************* * IsConfigValid * * Check the validity of the Winstation Config struct. * It's used for now for the machine-to-machine shadow as input from the * shadower's machine should not be trusted and should be checked. * * ENTRY: * IN pConfig - Winstation config struct to be checked * * EXIT: * STATUS_SUCCESS - if the struct can be used * Other status - the check failed ******************************************************************************/ NTSTATUS IsConfigValid(PWINSTATIONCONFIG2 pConfig) { ULONG i; NTSTATUS Status; PWCHAR pszModulePath = NULL; // Verify that each member of the config is valid //WINSTATIONCREATEW Create; // ULONG fEnableWinStation : 1; // ULONG MaxInstanceCount; //PDCONFIGW Pd[ MAX_PDCONFIG ]; // PDCONFIG2W Create; // PDNAMEW PdName; // descriptive name of PD // SDCLASS SdClass; // type of PD // DLLNAMEW PdDLL; // name of PD dll // ULONG PdFlag; // PD flags // ULONG OutBufLength; // optimal output buffer length // ULONG OutBufCount; // optimal number of output buffers // ULONG OutBufDelay; // write delay in msecs // ULONG InteractiveDelay; // write delay during active input // ULONG PortNumber; // network listen port number // ULONG KeepAliveTimeout; // network watchdog frequence // PDPARAMSW Params; // SDCLASS SdClass; // NETWORKCONFIGW Network; // LONG LanAdapter; // DEVICENAMEW NetworkName; // ULONG Flags; // ASYNCCONFIGW Async; // DEVICENAMEW DeviceName; // MODEMNAMEW ModemName; // ULONG BaudRate; // ULONG Parity; // ULONG StopBits; // ULONG ByteSize; // ULONG fEnableDsrSensitivity: 1; // ULONG fConnectionDriver: 1; // FLOWCONTROLCONFIG FlowControl; // CONNECTCONFIG Connect; // NASICONFIGW Nasi; // NASISPECIFICNAMEW SpecificName; // NASIUSERNAMEW UserName; // NASIPASSWORDW PassWord; // NASISESIONNAMEW SessionName; // NASIFILESERVERW FileServer; // BOOLEAN GlobalSession; // OEMTDCONFIGW OemTd; // LONG Adapter; // DEVICENAMEW DeviceName; // ULONG Flags; // allocate the path string to verify dlls and drivers pszModulePath = MemAlloc( (MAX_PATH + 1) * sizeof(WCHAR) ); if (pszModulePath == NULL) { Status = STATUS_NO_MEMORY; goto done; } if ((lstrlen(szDriverDir) + DLLNAME_LENGTH + 4 > MAX_PATH) || (lstrlen(szSystemDir) + DLLNAME_LENGTH + 4 > MAX_PATH)) { Status = STATUS_UNSUCCESSFUL; goto done; } for (i=0; i < MAX_PDCONFIG; i++) { PPDCONFIG pPdConfig; pPdConfig = &(pConfig->Pd[i]); if (pPdConfig->Create.SdClass == SdNone) break; Status = IsZeroterminateStringW(pPdConfig->Create.PdName, PDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; Status = IsZeroterminateStringW(pPdConfig->Create.PdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; lstrcpyn(pszModulePath, szDriverDir, MAX_PATH+1); lstrcat(pszModulePath, pPdConfig->Create.PdDLL); lstrcat(pszModulePath, L".SYS"); if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; } switch(pPdConfig->Params.SdClass) { case SdNetwork: Status = IsZeroterminateStringW(pPdConfig->Params.Network.NetworkName, DEVICENAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; break; case SdAsync: // needed ? Status = IsZeroterminateStringW(pPdConfig->Params.Async.DeviceName, DEVICENAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; Status = IsZeroterminateStringW(pPdConfig->Params.Async.ModemName, MODEMNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; break; case SdNasi: // needed ? break; case SdOemTransport: // needed ? break; default: break; } } //WDCONFIGW Wd; // WDNAMEW WdName; // DLLNAMEW WdDLL; // DLLNAMEW WsxDLL; // ULONG WdFlag; // ULONG WdInputBufferLength; // DLLNAMEW CfgDLL; // WDPREFIXW WdPrefix; Status = IsZeroterminateStringW(pConfig->Wd.WdName, WDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; Status = IsZeroterminateStringW(pConfig->Wd.WdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; // Verify the Wd lstrcpyn(pszModulePath, szDriverDir, MAX_PATH+1); lstrcat(pszModulePath, pConfig->Wd.WdDLL); lstrcat(pszModulePath, L".SYS"); if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; } Status = IsZeroterminateStringW(pConfig->Wd.WsxDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; // Verify the Wsx if defined if ( pConfig->Wd.WsxDLL[0] != L'\0' ) { lstrcpyn(pszModulePath, szSystemDir, MAX_PATH+1); lstrcat(pszModulePath, pConfig->Wd.WsxDLL); lstrcat(pszModulePath, L".DLL"); if (!VerifyFile(pszModulePath, &VfyLock)) { Status = STATUS_UNSUCCESSFUL; goto done; } } Status = IsZeroterminateStringW(pConfig->Wd.CfgDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; Status = IsZeroterminateStringW(pConfig->Wd.WdPrefix, WDPREFIX_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; //CDCONFIGW Cd; // CDCLASS CdClass; // CDNAMEW CdName; // DLLNAMEW CdDLL; // ULONG CdFlag; // Status = IsZeroterminateStringW(pConfig->Cd.CdName, CDNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; Status = IsZeroterminateStringW(pConfig->Cd.CdDLL, DLLNAME_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; //WINSTATIONCONFIGW Config; // WCHAR Comment[ WINSTATIONCOMMENT_LENGTH + 1 ]; // USERCONFIGW User; // char OEMId[4]; // WinFrame Server OEM Id // Status = IsZeroterminateStringW(pConfig->Config.Comment, WINSTATIONCOMMENT_LENGTH + 1); if (!NT_SUCCESS(Status)) goto done; done: if (pszModulePath) MemFree(pszModulePath); return Status; }