You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13162 lines
400 KiB
13162 lines
400 KiB
/****************************************************************************/
|
|
// wstrpc.c
|
|
//
|
|
// TermSrv API RPC server code.
|
|
//
|
|
// Copyright (C) 1997-2000 Microsoft Corporation
|
|
/****************************************************************************/
|
|
|
|
#include "precomp.h"
|
|
#pragma hdrstop
|
|
|
|
#include <winuserp.h>
|
|
|
|
#define SECURITY_WIN32
|
|
|
|
#include <stdlib.h>
|
|
#include <time.h>
|
|
#include <tchar.h>
|
|
#include <lmaccess.h>
|
|
#include <lmerr.h>
|
|
#include <allproc.h>
|
|
#include <winsta.h>
|
|
#include <rpc.h>
|
|
#include <vdmdbg.h>
|
|
#include <dsrole.h>
|
|
#include <security.h>
|
|
#include <ntsecapi.h>
|
|
#include <lmapibuf.h>
|
|
#include "..\rpcwire.h"
|
|
#define INITGUID
|
|
#include "objbase.h"
|
|
#include "initguid.h"
|
|
#include <netcfgx.h>
|
|
#include "devguid.h"
|
|
|
|
#include <malloc.h>
|
|
#include <dsgetdc.h>
|
|
#include <winsock2.h>
|
|
#include <tdi.h>
|
|
|
|
#include <reason.h>
|
|
|
|
#include "tsremdsk.h"
|
|
|
|
/*
|
|
* Include the RPC generated common header
|
|
*/
|
|
#include "tsrpc.h"
|
|
|
|
#include "icaevent.h"
|
|
#include "sessdir.h"
|
|
|
|
#include "conntfy.h"
|
|
|
|
#define REMOTE_DISCONNECT_TITLE_ID 23
|
|
#define REMOTE_DISCONNECT_MESSAGE_ID 24
|
|
|
|
#define MIN_GAP_DATABASE_SIZE 100
|
|
|
|
#define MAX_IDS_LEN 256 // maximum length that the input parm can be
|
|
|
|
#define MAX_BUF 256
|
|
#define MAX_STRING_BYTES 512
|
|
|
|
//
|
|
// Winlogon defines
|
|
//
|
|
#define APPLICATION_NAME TEXT("Winlogon")
|
|
#define WINSTATIONS_DISABLED TEXT("WinStationsDisabled")
|
|
|
|
#ifdef NTSDDEBUG
|
|
#define NTSDDBGPRINT(x) DbgPrint x
|
|
#else
|
|
#define NTSDDBGPRINT(x)
|
|
#endif
|
|
|
|
//
|
|
// Value passed to RPC runtime libraries for the maximum number of
|
|
// cached threads it will keep around. We can actually service more RPC
|
|
// calls than this, but it will delete threads when they are done.
|
|
//
|
|
#define MAX_WINSTATION_RPC_THREADS 1000
|
|
|
|
//
|
|
//This value is to restrict the number
|
|
//of concurrent calls to WinStationWaitSystemEvent(),
|
|
//We should keep it lower than MAX_WINSTATION_RPC_THREADS
|
|
//because this calls may block indefinitely, thus, if we don't do so,
|
|
//it may render TS RPC service unresponsive for indefinite period of time.
|
|
//
|
|
#define MAX_SYSTEM_EVENTS 100
|
|
|
|
|
|
#ifdef notdef
|
|
// This validates the user pointer to be within the View memory region
|
|
#define ISPOINTERVALID_SERVER(pContext, p, length) \
|
|
(((ULONG)(p) >= (ULONG)(pContext)->ViewBase) && \
|
|
((char *)(p) + (length)) < (char *)((ULONG)(pContext)->ViewBase+pContext->ViewSize))
|
|
#endif
|
|
|
|
|
|
//
|
|
// Extern funcs, these three are from acl.c
|
|
extern VOID CleanUpSD(PSECURITY_DESCRIPTOR);
|
|
extern BOOL IsCallerSystem( VOID );
|
|
extern BOOL IsCallerAdmin( VOID );
|
|
extern BOOL IsCallerAnonymous( VOID );
|
|
extern BOOLEAN WinStationCheckConsoleSession(VOID);
|
|
extern NTSTATUS CheckIdleWinstation(VOID);
|
|
|
|
extern NTSTATUS WaitForConsoleConnectWorker( PWINSTATION pWinStation );
|
|
|
|
extern WCHAR gpszServiceName[];
|
|
|
|
extern BOOL g_fAppCompat;
|
|
|
|
extern ULONG MaxOutStandingConnect;
|
|
extern ULONG NumOutStandingConnect;
|
|
extern HANDLE hConnectEvent;
|
|
|
|
|
|
// TermSrv counter values
|
|
extern DWORD g_TermSrvTotalSessions;
|
|
extern DWORD g_TermSrvReconSessions;
|
|
extern DWORD g_TermSrvDiscSessions;
|
|
|
|
extern DWORD g_TermSrvSuccTotalLogons;
|
|
extern DWORD g_TermSrvSuccRemoteLogons;
|
|
extern DWORD g_TermSrvSuccLocalLogons;
|
|
extern DWORD g_TermSrvSuccSession0Logons;
|
|
|
|
extern PSID gSystemSid;
|
|
extern PSID gAdminSid;
|
|
|
|
extern HANDLE WinStationIdleControlEvent;
|
|
|
|
extern HANDLE ConsoleLogoffEvent;
|
|
extern RTL_CRITICAL_SECTION ConsoleLock;
|
|
extern ULONG gConsoleCreationDisable;
|
|
|
|
extern NTSTATUS
|
|
WinStationEnableSessionIo(
|
|
PWINSTATION pWinStation,
|
|
BOOL bEnable
|
|
);
|
|
|
|
extern NTSTATUS
|
|
_CheckShadowLoop(
|
|
IN ULONG ClientLogonId,
|
|
IN PWSTR pTargetServerName,
|
|
IN ULONG TargetLogonId
|
|
);
|
|
|
|
extern BOOL
|
|
Filter_RemoveOutstandingConnection(
|
|
IN PBYTE pin_addr,
|
|
IN UINT uAddrSize
|
|
);
|
|
|
|
extern NTSTATUS
|
|
WinStationWinerrorToNtStatus(ULONG ulWinError);
|
|
|
|
typedef struct _SID_CACHE_LIST_ENTRY {
|
|
LIST_ENTRY ListEntry;
|
|
HANDLE ProcId;
|
|
LARGE_INTEGER CreateTime;
|
|
PSID pSid;
|
|
} SID_CACHE_LIST_ENTRY, *PSID_CACHE_LIST_ENTRY;
|
|
|
|
#define MAX_SID_CACHE_ENTRIES 4000
|
|
ULONG gMaxSidCacheEntries = 0;
|
|
|
|
#define REG_GUID_TABLE REG_CONTROL_TSERVER L"\\lanatable\\"
|
|
#define LANA_ID L"LanaId"
|
|
|
|
|
|
/*=============================================================================
|
|
== Functions Defined
|
|
=============================================================================*/
|
|
VOID NotifySystemEvent( ULONG );
|
|
VOID CheckSidCacheSize();
|
|
RPC_STATUS RegisterRPCInterface( BOOL bReregister );
|
|
|
|
/*=============================================================================
|
|
== External Functions used
|
|
=============================================================================*/
|
|
|
|
NTSTATUS WinStationEnumerateWorker( PULONG, PLOGONID, PULONG, PULONG );
|
|
NTSTATUS WinStationRenameWorker( PWINSTATIONNAME, ULONG, PWINSTATIONNAME, ULONG );
|
|
NTSTATUS xxxWinStationQueryInformation( ULONG, ULONG, PVOID, ULONG, PULONG );
|
|
NTSTATUS xxxWinStationSetInformation( ULONG, WINSTATIONINFOCLASS, PVOID, ULONG );
|
|
NTSTATUS LogonIdFromWinStationNameWorker( PWINSTATIONNAME, ULONG, PULONG );
|
|
NTSTATUS IcaWinStationNameFromLogonId( ULONG, PWINSTATIONNAME );
|
|
NTSTATUS WaitForConnectWorker( PWINSTATION pWinStation, HANDLE ClientProcessId );
|
|
DWORD xxxWinStationGenerateLicense( PWCHAR, ULONG, PCHAR, ULONG );
|
|
DWORD xxxWinStationInstallLicense( PCHAR, ULONG );
|
|
DWORD xxxWinStationEnumerateLicenses( PULONG, PULONG, PCHAR, PULONG );
|
|
DWORD xxxWinStationActivateLicense( PCHAR, ULONG, PWCHAR, ULONG );
|
|
DWORD xxxWinStationRemoveLicense( PCHAR, ULONG );
|
|
DWORD xxxWinStationSetPoolCount( PCHAR, ULONG );
|
|
DWORD xxxWinStationQueryUpdateRequired( PULONG );
|
|
NTSTATUS WinStationShadowWorker( ULONG, PWSTR, ULONG, ULONG, BYTE, USHORT );
|
|
NTSTATUS WinStationShadowTargetSetupWorker( BOOL, ULONG );
|
|
NTSTATUS WinStationShadowTargetWorker( BOOLEAN, BOOL, ULONG, PWINSTATIONCONFIG2, PICA_STACK_ADDRESS,
|
|
PVOID, ULONG, PVOID, ULONG, PVOID );
|
|
NTSTATUS WinStationStopAllShadows( PWINSTATION );
|
|
|
|
VOID WinStationTerminate( PWINSTATION );
|
|
VOID WinStationDeleteWorker( PWINSTATION );
|
|
NTSTATUS WinStationDoDisconnect( PWINSTATION, PRECONNECT_INFO, BOOLEAN );
|
|
NTSTATUS WinStationDoReconnect( PWINSTATION, PRECONNECT_INFO );
|
|
VOID CleanupReconnect( PRECONNECT_INFO );
|
|
NTSTATUS ShutdownLogoff( ULONG, ULONG );
|
|
|
|
NTSTATUS SelfRelativeToAbsoluteSD( PSECURITY_DESCRIPTOR,
|
|
PSECURITY_DESCRIPTOR *, PULONG );
|
|
NTSTATUS QueueWinStationCreate( PWINSTATIONNAME );
|
|
ULONG WinStationShutdownReset( PVOID );
|
|
NTSTATUS DoForWinStationGroup( PULONG, ULONG, LPTHREAD_START_ROUTINE );
|
|
NTSTATUS InitializeGAPPointersDatabase();
|
|
NTSTATUS IncreaseGAPPointersDatabaseSize();
|
|
NTSTATUS InsertPointerInGAPDatabase(PVOID Pointer);
|
|
VOID ReleaseGAPPointersDatabase();
|
|
BOOLEAN PointerIsInGAPDatabase(PVOID Pointer);
|
|
VOID ValidateGAPPointersDatabase(ULONG n);
|
|
VOID ResetAutoReconnectInfo( PWINSTATION );
|
|
|
|
NTSTATUS
|
|
GetSidFromProcessId(
|
|
HANDLE UniqueProcessId,
|
|
LARGE_INTEGER CreateTime,
|
|
PSID *ppProcessSid,
|
|
BOOLEAN ImpersonatingClient
|
|
);
|
|
|
|
PSECURITY_DESCRIPTOR
|
|
WinStationGetSecurityDescriptor(
|
|
PWINSTATION pWinStation
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationConnectWorker(
|
|
ULONG ClientLogonId,
|
|
ULONG ConnectLogonId,
|
|
ULONG TargetLogonId,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
BOOLEAN bWait,
|
|
BOOLEAN bAutoReconnecting
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationDisconnectWorker(
|
|
ULONG LogonId,
|
|
BOOLEAN bWait,
|
|
BOOLEAN CallerIsRpc
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationWaitSystemEventWorker(
|
|
HANDLE hServer,
|
|
ULONG EventMask,
|
|
PULONG pEventFlags
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationCallbackWorker(
|
|
ULONG LogonId,
|
|
PWCHAR pPhoneNumber
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationBreakPointWorker(
|
|
ULONG LogonId,
|
|
BOOLEAN KernelFlag
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationReadRegistryWorker(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
ReInitializeSecurityWorker(
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationNotifyLogonWorker(
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId,
|
|
BOOLEAN fUserIsAdmin,
|
|
DWORD UserToken,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
UCHAR Seed,
|
|
PCHAR pUserConfig,
|
|
DWORD ConfigSize,
|
|
BOOLEAN *pfIsRedirected
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationNotifyLogoffWorker(
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationNotifyNewSession(
|
|
DWORD ClientLogonId
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationShutdownSystemWorker(
|
|
ULONG ClientLogonId,
|
|
ULONG ShutdownFlags
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationTerminateProcessWorker(
|
|
ULONG ProcessId,
|
|
ULONG ExitCode
|
|
);
|
|
|
|
PSECURITY_DESCRIPTOR
|
|
BuildEveryOneAllowSD();
|
|
|
|
NTSTATUS AddUserAce( PWINSTATION );
|
|
NTSTATUS RemoveUserAce( PWINSTATION );
|
|
NTSTATUS ApplyWinStaMapping( PWINSTATION pWinStation );
|
|
|
|
NTSTATUS
|
|
RpcCheckClientAccess(
|
|
PWINSTATION pWinStation,
|
|
ACCESS_MASK DesiredAccess,
|
|
BOOLEAN AlreadyImpersonating
|
|
);
|
|
|
|
NTSTATUS
|
|
RpcCheckClientAccessLocal(
|
|
PWINSTATION pWinStation,
|
|
ACCESS_MASK DesiredAccess,
|
|
BOOLEAN AlreadyImpersonating
|
|
);
|
|
|
|
_CheckConnectAccess(
|
|
PWINSTATION pSourceWinStation,
|
|
PSID pClientSid,
|
|
ULONG ClientLogonId,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize
|
|
);
|
|
|
|
NTSTATUS
|
|
RpcCheckSystemClient(
|
|
ULONG LogonId
|
|
);
|
|
|
|
NTSTATUS
|
|
RpcCheckSystemClientNoLogonId(
|
|
PWINSTATION pWinStation
|
|
);
|
|
|
|
NTSTATUS
|
|
RpcGetClientLogonId(
|
|
PULONG pLogonId
|
|
);
|
|
|
|
BOOL
|
|
ConfigurePerSessionSecurity(
|
|
PWINSTATION pWinStation
|
|
);
|
|
|
|
BOOL
|
|
IsCallerAdmin( VOID );
|
|
|
|
BOOL
|
|
IsCallerSystem( VOID );
|
|
|
|
BOOL
|
|
IsCallerAnonymous( VOID );
|
|
|
|
BOOLEAN
|
|
ValidWireBuffer(WINSTATIONINFOCLASS InfoClass,
|
|
PVOID WireBuf,
|
|
ULONG WireBufLen);
|
|
|
|
NTSTATUS
|
|
IsZeroterminateStringA(
|
|
PBYTE pString,
|
|
DWORD dwLength
|
|
);
|
|
|
|
NTSTATUS
|
|
IsZeroterminateStringW(
|
|
PWCHAR pwString,
|
|
DWORD dwLength
|
|
) ;
|
|
|
|
NTSTATUS
|
|
IsConfigValid(
|
|
PWINSTATIONCONFIG2 pConfig
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationUpdateClientCachedCredentialsWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
BOOLEAN fSmartCard
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationFUSCanRemoteUserDisconnectWorker(
|
|
DWORD TargetLogonId,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize
|
|
);
|
|
|
|
NTSTATUS
|
|
WinStationCheckLoopBackWorker(
|
|
DWORD TargetLogonId,
|
|
DWORD ClientLogonId,
|
|
PWCHAR pTargetServerName,
|
|
DWORD NameSize
|
|
);
|
|
|
|
NTSTATUS WinStationNotifyDisconnectPipeWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
);
|
|
|
|
NTSTATUS WinStationSessionInitializedWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
);
|
|
|
|
NTSTATUS WinStationCheckAccessWorker(
|
|
ULONG ClientLogonId,
|
|
DWORD UserToken,
|
|
ULONG TargetLogonId,
|
|
ULONG AccessMask
|
|
);
|
|
|
|
|
|
|
|
/*=============================================================================
|
|
== Internal Functions used
|
|
=============================================================================*/
|
|
VOID AuditShutdownEvent(VOID);
|
|
BOOL AuditingEnabled(VOID);
|
|
|
|
NTSTATUS LogoffWinStation( PWINSTATION, ULONG );
|
|
|
|
//
|
|
//Used by IsGinaVersionCurrent()
|
|
//
|
|
#define WLX_NEGOTIATE_NAME "WlxNegotiate"
|
|
typedef BOOL (WINAPI * PWLX_NEGOTIATE)(DWORD, DWORD *);
|
|
BOOL IsGinaVersionCurrent();
|
|
|
|
|
|
#if DBG
|
|
void DumpOutLastErrorString()
|
|
{
|
|
LPVOID lpMsgBuf;
|
|
DWORD error = GetLastError();
|
|
|
|
DBGPRINT(("GetLastError() = 0x%lx \n", error ));
|
|
|
|
FormatMessage(
|
|
FORMAT_MESSAGE_ALLOCATE_BUFFER |
|
|
FORMAT_MESSAGE_FROM_SYSTEM |
|
|
FORMAT_MESSAGE_IGNORE_INSERTS,
|
|
NULL,
|
|
error,
|
|
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
|
|
(LPTSTR) &lpMsgBuf,
|
|
0,
|
|
NULL
|
|
);
|
|
|
|
//
|
|
// Process any inserts in lpMsgBuf.
|
|
// ...
|
|
// Display the string.
|
|
//
|
|
DBGPRINT(("%s\n", (LPCTSTR)lpMsgBuf ));
|
|
|
|
//
|
|
// Free the buffer.
|
|
//
|
|
LocalFree( lpMsgBuf );
|
|
}
|
|
#endif
|
|
|
|
#if DBG
|
|
#define DumpOutLastError DumpOutLastErrorString()
|
|
#else
|
|
#define DumpOutLastError
|
|
#endif
|
|
|
|
|
|
/*=============================================================================
|
|
== Data
|
|
=============================================================================*/
|
|
BOOLEAN gbPointersDatabaseIsValid = FALSE;
|
|
ULONG gPointersDatabaseSize;
|
|
ULONG gNbProcesses;
|
|
PVOID *gPointersDatabase = NULL;
|
|
|
|
RTL_CRITICAL_SECTION gRpcGetAllProcessesLock;
|
|
RTL_CRITICAL_SECTION gRpcPointersDatabaseLock;
|
|
RTL_CRITICAL_SECTION gRpcSidCacheLock;
|
|
BOOLEAN gbRpcGetAllProcessesOK;
|
|
BOOLEAN gbRpcSidCacheOK;
|
|
|
|
extern RTL_CRITICAL_SECTION WsxListLock;
|
|
extern LIST_ENTRY WsxListHead;
|
|
extern LIST_ENTRY WinStationListHead; // protected by WinStationListLock
|
|
|
|
LIST_ENTRY gSidCacheHead;
|
|
|
|
BOOLEAN bConsoleConnected=FALSE;
|
|
|
|
extern POLICY_TS_MACHINE g_MachinePolicy; // declared in winsta.c
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationInitRPC
|
|
*
|
|
* Setup the RPC bindings, and listen for incoming requests.
|
|
****************************************************************************/
|
|
RPC_STATUS
|
|
WinStationInitRPC( VOID
|
|
)
|
|
{
|
|
RPC_STATUS Status;
|
|
DWORD Result;
|
|
RPC_BINDING_VECTOR *pBindingVector;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API2,"RPC WinStationInitRPC\n"));
|
|
|
|
//
|
|
// Initialize the Critical Sections that are
|
|
// necessary for RpcWinStationGetAllProcesses
|
|
//
|
|
gbRpcGetAllProcessesOK =
|
|
((NT_SUCCESS(RtlInitializeCriticalSection(&gRpcGetAllProcessesLock))
|
|
&& (NT_SUCCESS(RtlInitializeCriticalSection(&gRpcPointersDatabaseLock)))
|
|
)? TRUE : FALSE);
|
|
|
|
gbRpcSidCacheOK =
|
|
NT_SUCCESS(RtlInitializeCriticalSection(&gRpcSidCacheLock)) ? TRUE :
|
|
FALSE;
|
|
InitializeListHead(&gSidCacheHead);
|
|
|
|
// register the LPC (local only) interface
|
|
Status = RpcServerUseProtseqEp(
|
|
L"ncalrpc", // Protocol Sequence (LPC)
|
|
MAX_WINSTATION_RPC_THREADS, // Maximum calls at one time
|
|
L"IcaApi", // Endpoint
|
|
NULL // Pass NULL for Security - RPC will take care of the correct Security based on Protocol Sequence used
|
|
);
|
|
|
|
if( Status != RPC_S_OK ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"IcaServ: Error %d RpcUseProtseqEp on ncalrpc\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
//
|
|
// register the Named pipes interface
|
|
// (remote with NT domain authentication)
|
|
//
|
|
Status = RpcServerUseProtseqEp(
|
|
L"ncacn_np", // Protocol Sequence
|
|
MAX_WINSTATION_RPC_THREADS, // Maximum calls at one time
|
|
L"\\pipe\\Ctx_WinStation_API_service", // Endpoint
|
|
NULL // Security
|
|
);
|
|
|
|
if( Status != RPC_S_OK ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Error %d RpcUseProtseqEp on ncacn_np\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
// Register our interface handle
|
|
Status = RegisterRPCInterface( FALSE );
|
|
|
|
if( Status != RPC_S_OK ) {
|
|
return( Status );
|
|
}
|
|
|
|
// By default, rpc will serialize access to context handles. Since
|
|
// the ICASRV needs to be able to have two threads access a context
|
|
// handle at once, and it knows what it is doing, we will tell rpc
|
|
// not to serialize access to context handles.
|
|
|
|
|
|
// We cannot call this function as its effects are process wide, and since we are
|
|
// part of SvcHost, other services also get affected with this call.
|
|
// instead we will use context_handle_noserialize attribute in our acf files.
|
|
//
|
|
// I_RpcSsDontSerializeContext();
|
|
|
|
// Now do the RPC listen to service calls
|
|
Status = RpcServerListen(
|
|
1, // Min calls
|
|
MAX_WINSTATION_RPC_THREADS,
|
|
TRUE // fDontWait
|
|
);
|
|
|
|
if( Status != RPC_S_OK ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Error %d RpcServerListen\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationOpenServer
|
|
*
|
|
* Function to open the server for WinStation API's.
|
|
*
|
|
* The purpose of this function is the allocation of the
|
|
* RPC context handle for server side state information.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationOpenServer(
|
|
handle_t hBinding,
|
|
DWORD *pResult,
|
|
HANDLE *phContext
|
|
)
|
|
{
|
|
PRPC_CLIENT_CONTEXT p;
|
|
|
|
//
|
|
// Allocate our open context structure
|
|
//
|
|
p = midl_user_allocate( sizeof(RPC_CLIENT_CONTEXT) );
|
|
|
|
if( p == NULL ) {
|
|
*pResult = (DWORD) STATUS_NO_MEMORY;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// zero it out
|
|
//
|
|
memset( p, 0, sizeof(RPC_CLIENT_CONTEXT) );
|
|
|
|
//
|
|
// Initialize it
|
|
//
|
|
p->pWaitEvent = NULL;
|
|
|
|
//
|
|
// Return the RPC context handle
|
|
//
|
|
*phContext = (PRPC_CLIENT_CONTEXT)p;
|
|
|
|
// Return success
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationCloseServer
|
|
*
|
|
* Function to close the server for WinStation API's.
|
|
* This function is obsolete. use RpcWinstationCloseServerEx instead.
|
|
* Its kept here for compatibility with older (w2k) clients.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationCloseServer(
|
|
HANDLE hContext,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
PRPC_CLIENT_CONTEXT pContext = (PRPC_CLIENT_CONTEXT)hContext;
|
|
ULONG EventFlags;
|
|
NTSTATUS Status;
|
|
|
|
if(!hContext)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
// Free the wait event block if one was allocated
|
|
if ( pContext->pWaitEvent ) {
|
|
WinStationWaitSystemEventWorker( hContext, WEVENT_NONE, &EventFlags );
|
|
}
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
return( TRUE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationCloseServerEx
|
|
*
|
|
* Function to close the server for WinStation API's.
|
|
* This function supersades the RpcWinStationCloseServer
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationCloseServerEx(
|
|
HANDLE *phContext,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
PRPC_CLIENT_CONTEXT pContext = NULL;
|
|
|
|
ULONG EventFlags;
|
|
NTSTATUS Status;
|
|
|
|
if(!phContext || !(*phContext))
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
pContext = (PRPC_CLIENT_CONTEXT)*phContext;
|
|
|
|
// Free the wait event block if one was allocated
|
|
if ( pContext->pWaitEvent ) {
|
|
WinStationWaitSystemEventWorker( *phContext, WEVENT_NONE, &EventFlags );
|
|
}
|
|
|
|
Status = RpcSsContextLockExclusive(NULL, pContext);
|
|
if (RPC_S_OK == Status)
|
|
{
|
|
midl_user_free(pContext);
|
|
|
|
// This is required to signal the RPC that we are done with this context handle
|
|
*phContext = NULL;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
return( TRUE );
|
|
}
|
|
else
|
|
{
|
|
DbgPrint("-------------RpcWinStationCloseServerEx: failed to lock the Context exclusively, Status = 0x%X\n", Status);
|
|
*pResult = Status;
|
|
if (*pResult == STATUS_TIMEOUT) *pResult = STATUS_UNSUCCESSFUL;
|
|
return (FALSE);
|
|
}
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcIcaServerPing
|
|
*
|
|
* Called on an external ping to this Terminal Server.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcIcaServerPing(
|
|
HANDLE hServer,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,"PING Received!\n"));
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
return( TRUE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationEnumerate
|
|
*
|
|
* WinStationEnumerate API
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationEnumerate(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PULONG pEntries,
|
|
PCHAR pLogonId,
|
|
PULONG pByteCount,
|
|
PULONG pIndex
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
if (!pEntries || !pLogonId || !pByteCount || !pIndex) {
|
|
*pResult = STATUS_INVALID_USER_BUFFER;
|
|
return FALSE;
|
|
}
|
|
|
|
*pResult = WinStationEnumerateWorker(
|
|
pEntries,
|
|
(PLOGONID)pLogonId,
|
|
pByteCount,
|
|
pIndex
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationEnumerateProcesses
|
|
*
|
|
* WinStationEnumerateProcesses API
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationEnumerateProcesses(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PBYTE pProcessBuffer,
|
|
DWORD ByteCount
|
|
)
|
|
{
|
|
PBYTE pSrcProcessBuffer = NULL;
|
|
RPC_STATUS RpcStatus;
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef _X86_
|
|
|
|
RtlEnterCriticalSection(&gRpcGetAllProcessesLock);
|
|
|
|
// Check if SID cache hasn't grown too much
|
|
CheckSidCacheSize();
|
|
|
|
//
|
|
// Allocate a temporary buffer
|
|
//
|
|
pSrcProcessBuffer = MemAlloc (ByteCount);
|
|
if (pSrcProcessBuffer == NULL)
|
|
{
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
*pResult = STATUS_NO_MEMORY;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Impersonate client
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Perform process enumeration.
|
|
*/
|
|
*pResult = NtQuerySystemInformation( SystemProcessInformation,
|
|
(PVOID)pSrcProcessBuffer,
|
|
ByteCount,
|
|
NULL);
|
|
if ( *pResult == STATUS_SUCCESS ) {
|
|
PSYSTEM_PROCESS_INFORMATION pSrcProcessInfo;
|
|
PSYSTEM_PROCESS_INFORMATION pDestProcessInfo;
|
|
PCITRIX_PROCESS_INFORMATION pDestCitrixInfo;
|
|
ULONG SessionId = INVALID_SESSIONID;
|
|
PWINSTATION pWinStation = NULL;
|
|
ULONG TotalOffset;
|
|
PSID pSid;
|
|
ULONG SizeOfSid;
|
|
PBYTE pSrc, pDest;
|
|
ULONG i;
|
|
ULONG Size = 0;
|
|
|
|
/*
|
|
* Walk the returned buffer to calculate the required size.
|
|
*/
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pSrcProcessBuffer;
|
|
TotalOffset = 0;
|
|
do
|
|
{
|
|
Size += (SIZEOF_TS4_SYSTEM_PROCESS_INFORMATION
|
|
+ (SIZEOF_TS4_SYSTEM_THREAD_INFORMATION * pSrcProcessInfo->NumberOfThreads)
|
|
+ pSrcProcessInfo->ImageName.Length
|
|
);
|
|
//
|
|
// Get the Sid (will be remembered in the Sid cache)
|
|
// Maybe it would be better to add here a "Sidmaximumlength" ??
|
|
//
|
|
Status = GetSidFromProcessId(
|
|
pSrcProcessInfo->UniqueProcessId,
|
|
pSrcProcessInfo->CreateTime,
|
|
&pSid,
|
|
TRUE
|
|
);
|
|
|
|
if (Status == STATUS_CANNOT_IMPERSONATE)
|
|
{
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
MemFree(pSrcProcessBuffer);
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return FALSE;
|
|
}
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Size += RtlLengthSid(pSid);
|
|
}
|
|
|
|
TotalOffset += pSrcProcessInfo->NextEntryOffset;
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pSrcProcessBuffer[TotalOffset];
|
|
}
|
|
while (pSrcProcessInfo->NextEntryOffset != 0);
|
|
|
|
if (ByteCount < Size)
|
|
{
|
|
RevertToSelf();
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
MemFree(pSrcProcessBuffer);
|
|
*pResult = STATUS_INFO_LENGTH_MISMATCH;
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Walk the returned buffer (it's in new Win2000 SYSTEM_PROCESS_INFORMATION format),
|
|
* copy it to the old TS4 SYSTEM_PROCESS_INFORMATION format, and fixup the addresses
|
|
* (now containing pointers in our address space within pProcessBuffer) to offsets.
|
|
*/
|
|
|
|
// back to the beginning
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pSrcProcessBuffer;
|
|
pDestProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pProcessBuffer;
|
|
|
|
// initialize current pointers
|
|
pSrc = pSrcProcessBuffer;
|
|
pDest = pProcessBuffer;
|
|
TotalOffset = 0;
|
|
for(;;) {
|
|
//
|
|
// Check winstation Query access first.
|
|
//
|
|
SessionId = pSrcProcessInfo->SessionId;
|
|
if( SessionId == INVALID_SESSIONID )
|
|
{
|
|
//
|
|
// Skip the process entry.
|
|
//
|
|
if( pSrcProcessInfo->NextEntryOffset == 0 )
|
|
{
|
|
pDestProcessInfo->NextEntryOffset = 0;
|
|
break;
|
|
}
|
|
|
|
TotalOffset += pSrcProcessInfo->NextEntryOffset;
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pSrcProcessBuffer[TotalOffset];
|
|
pSrc = (PBYTE)pSrcProcessInfo;
|
|
continue;
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( SessionId, FALSE );
|
|
if ( pWinStation == NULL )
|
|
{
|
|
//
|
|
// The session this process belongs to, might already be gone.
|
|
// Don't fail here, just skip the process entry.
|
|
//
|
|
if( pSrcProcessInfo->NextEntryOffset == 0 )
|
|
{
|
|
pDestProcessInfo->NextEntryOffset = 0;
|
|
break;
|
|
}
|
|
|
|
TotalOffset += pSrcProcessInfo->NextEntryOffset;
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pSrcProcessBuffer[TotalOffset];
|
|
pSrc = (PBYTE)pSrcProcessInfo;
|
|
continue;
|
|
}
|
|
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, TRUE );
|
|
ReleaseWinStation( pWinStation );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
{
|
|
//
|
|
// The client is not authorized to view this process entry. Skip it.
|
|
//
|
|
if( pSrcProcessInfo->NextEntryOffset == 0 )
|
|
{
|
|
pDestProcessInfo->NextEntryOffset = 0;
|
|
break;
|
|
}
|
|
|
|
TotalOffset += pSrcProcessInfo->NextEntryOffset;
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pSrcProcessBuffer[TotalOffset];
|
|
pSrc = (PBYTE)pSrcProcessInfo;
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Copy process information
|
|
//
|
|
memcpy(pDest,pSrc,SIZEOF_TS4_SYSTEM_PROCESS_INFORMATION);
|
|
pSrc += sizeof(SYSTEM_PROCESS_INFORMATION);
|
|
pDest += SIZEOF_TS4_SYSTEM_PROCESS_INFORMATION;
|
|
|
|
//
|
|
// Copy all the threads info
|
|
//
|
|
for (i=0; i < pSrcProcessInfo->NumberOfThreads ; i++)
|
|
{
|
|
memcpy(pDest,pSrc,SIZEOF_TS4_SYSTEM_THREAD_INFORMATION);
|
|
pSrc += sizeof(SYSTEM_THREAD_INFORMATION);
|
|
pDest += SIZEOF_TS4_SYSTEM_THREAD_INFORMATION;
|
|
}
|
|
|
|
//
|
|
// Set the old TS4 info
|
|
//
|
|
pDestCitrixInfo = (PCITRIX_PROCESS_INFORMATION) pDest;
|
|
pDest += sizeof(CITRIX_PROCESS_INFORMATION);
|
|
|
|
pDestCitrixInfo->MagicNumber = CITRIX_PROCESS_INFO_MAGIC;
|
|
pDestCitrixInfo->LogonId = pSrcProcessInfo->SessionId;
|
|
pDestCitrixInfo->ProcessSid = NULL;
|
|
|
|
//
|
|
// Get the Sid again (from the cache)
|
|
//
|
|
Status = GetSidFromProcessId(
|
|
pDestProcessInfo->UniqueProcessId,
|
|
pDestProcessInfo->CreateTime,
|
|
&pSid,
|
|
TRUE
|
|
);
|
|
|
|
if (Status == STATUS_CANNOT_IMPERSONATE)
|
|
{
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
break;
|
|
}
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Copy the Sid
|
|
//
|
|
SizeOfSid = RtlLengthSid(pSid);
|
|
|
|
pDestCitrixInfo->ProcessSid = NULL;
|
|
if ( NT_SUCCESS(RtlCopySid(SizeOfSid, pDest, pSid) ) )
|
|
{
|
|
pDestCitrixInfo->ProcessSid = (PSID)((ULONG_PTR)pDest - (ULONG_PTR)pProcessBuffer);
|
|
pDest += SizeOfSid;
|
|
}
|
|
}
|
|
|
|
pDestCitrixInfo->Pad = 0;
|
|
|
|
//
|
|
// Copy the image file name
|
|
//
|
|
if ((pSrcProcessInfo->ImageName.Buffer != NULL) && (pSrcProcessInfo->ImageName.Length != 0) )
|
|
{
|
|
memcpy(pDest, pSrcProcessInfo->ImageName.Buffer, pSrcProcessInfo->ImageName.Length);
|
|
pDestProcessInfo->ImageName.Buffer = (PWSTR) ((ULONG_PTR)pDest - (ULONG_PTR)pProcessBuffer);
|
|
pDestProcessInfo->ImageName.Length = pSrcProcessInfo->ImageName.Length;
|
|
pDest += (pSrcProcessInfo->ImageName.Length);
|
|
memcpy(pDest,L"\0",sizeof(WCHAR));
|
|
pDest += sizeof(WCHAR);
|
|
}
|
|
else
|
|
{
|
|
pDestProcessInfo->ImageName.Buffer = NULL;
|
|
pDestProcessInfo->ImageName.Length = 0;
|
|
}
|
|
|
|
//
|
|
// loop...
|
|
//
|
|
if( pSrcProcessInfo->NextEntryOffset == 0 )
|
|
{
|
|
pDestProcessInfo->NextEntryOffset = 0;
|
|
break;
|
|
}
|
|
|
|
pDestProcessInfo->NextEntryOffset =
|
|
(ULONG)((ULONG_PTR)pDest - (ULONG_PTR)pDestProcessInfo);
|
|
|
|
pDestProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pDest;
|
|
|
|
TotalOffset += pSrcProcessInfo->NextEntryOffset;
|
|
pSrcProcessInfo = (PSYSTEM_PROCESS_INFORMATION)&pSrcProcessBuffer[TotalOffset];
|
|
pSrc = (PBYTE)pSrcProcessInfo;
|
|
}
|
|
}
|
|
|
|
if (Status != STATUS_CANNOT_IMPERSONATE)
|
|
RevertToSelf();
|
|
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
MemFree(pSrcProcessBuffer);
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
#else
|
|
|
|
*pResult = STATUS_NOT_SUPPORTED;
|
|
return FALSE;
|
|
#endif
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* AllocateGAPPointer
|
|
******************************************************************************/
|
|
void __RPC_FAR * __RPC_USER
|
|
AllocateGAPPointer( size_t Size )
|
|
{
|
|
void __RPC_FAR * pMyPointer;
|
|
|
|
pMyPointer = MIDL_user_allocate(Size);
|
|
if (pMyPointer != NULL)
|
|
{
|
|
if (gbRpcGetAllProcessesOK == TRUE)
|
|
{
|
|
//
|
|
// store the pointer in our database
|
|
// so that the RPC server stub do not try to free them.
|
|
//
|
|
if (!NT_SUCCESS(InsertPointerInGAPDatabase(pMyPointer)))
|
|
{
|
|
MIDL_user_free(pMyPointer);
|
|
pMyPointer = NULL;
|
|
}
|
|
}
|
|
else // nothing can be done
|
|
{
|
|
MIDL_user_free(pMyPointer);
|
|
pMyPointer = NULL;
|
|
}
|
|
}
|
|
return pMyPointer;
|
|
}
|
|
|
|
|
|
//********************************************************************************
|
|
//
|
|
// Functions used to handle the memory allocations and de-allocations
|
|
// in RpcWinStationGetAllProcesses (GAP = Get All Processes)
|
|
//
|
|
//********************************************************************************
|
|
NTSTATUS
|
|
InitializeGAPPointersDatabase()
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
RtlEnterCriticalSection(&gRpcPointersDatabaseLock);
|
|
{
|
|
gPointersDatabaseSize = MIN_GAP_DATABASE_SIZE;
|
|
gPointersDatabase = MemAlloc(MIN_GAP_DATABASE_SIZE * sizeof(PVOID));
|
|
|
|
if (gPointersDatabase == NULL)
|
|
{
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
else
|
|
{
|
|
RtlZeroMemory(gPointersDatabase,MIN_GAP_DATABASE_SIZE * sizeof(PVOID));
|
|
}
|
|
|
|
gNbProcesses = 0;
|
|
gbPointersDatabaseIsValid = FALSE;
|
|
}
|
|
RtlLeaveCriticalSection(&gRpcPointersDatabaseLock);
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IncreaseGAPPointersDatabaseSize()
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PVOID *NewPointersDatabase;
|
|
|
|
NewPointersDatabase = MemAlloc(gPointersDatabaseSize * 2 * sizeof(PVOID));
|
|
|
|
if (NewPointersDatabase == NULL)
|
|
{
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
else
|
|
{
|
|
RtlCopyMemory(NewPointersDatabase,
|
|
gPointersDatabase,
|
|
gPointersDatabaseSize * sizeof(PVOID));
|
|
RtlZeroMemory(&NewPointersDatabase[gPointersDatabaseSize],
|
|
gPointersDatabaseSize * sizeof(PVOID));
|
|
|
|
MemFree(gPointersDatabase);
|
|
gPointersDatabase = NewPointersDatabase;
|
|
gPointersDatabaseSize = gPointersDatabaseSize * 2;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
InsertPointerInGAPDatabase(PVOID Pointer)
|
|
{
|
|
ULONG i;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
// DBGPRINT(("TERMSRV: InsertPointerInGAPDatabase 0x%x\n",Pointer));
|
|
|
|
RtlEnterCriticalSection(&gRpcPointersDatabaseLock);
|
|
{
|
|
for (i=0; i < gPointersDatabaseSize; i++)
|
|
{
|
|
if (gPointersDatabase[i] == NULL)
|
|
{
|
|
gPointersDatabase[i] = Pointer;
|
|
break;
|
|
}
|
|
}
|
|
if (i == gPointersDatabaseSize)
|
|
{
|
|
Status = IncreaseGAPPointersDatabaseSize();
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
gPointersDatabase[i] = Pointer;
|
|
}
|
|
}
|
|
}
|
|
RtlLeaveCriticalSection(&gRpcPointersDatabaseLock);
|
|
return Status;
|
|
}
|
|
|
|
|
|
VOID
|
|
ReleaseGAPPointersDatabase()
|
|
{
|
|
PTS_ALL_PROCESSES_INFO_NT6 pProcessArray;
|
|
ULONG i;
|
|
|
|
if (gPointersDatabase != NULL)
|
|
{
|
|
RtlEnterCriticalSection(&gRpcPointersDatabaseLock);
|
|
{
|
|
//
|
|
// free all the "autonomic" pointers
|
|
//
|
|
|
|
// the first one is ProcessArray
|
|
if ((gPointersDatabase[0] != NULL) && (gNbProcesses != 0))
|
|
{
|
|
pProcessArray = (PTS_ALL_PROCESSES_INFO_NT6) gPointersDatabase[0];
|
|
|
|
//
|
|
// free the Process Info buffer
|
|
//
|
|
if (pProcessArray[0].pTsProcessInfo != NULL)
|
|
{
|
|
LocalFree(pProcessArray[0].pTsProcessInfo);
|
|
}
|
|
|
|
//
|
|
// free all the SIDs
|
|
//
|
|
for (i=0; i < gNbProcesses ; i++)
|
|
{
|
|
if (pProcessArray[i].pSid != NULL)
|
|
{
|
|
LocalFree(pProcessArray[i].pSid);
|
|
}
|
|
}
|
|
//
|
|
// free the returned array
|
|
//
|
|
LocalFree(pProcessArray);
|
|
}
|
|
|
|
//
|
|
// free the database
|
|
//
|
|
MemFree(gPointersDatabase);
|
|
gPointersDatabase = NULL;
|
|
gNbProcesses = 0;
|
|
//
|
|
// disable the checking
|
|
//
|
|
gbPointersDatabaseIsValid = FALSE;
|
|
}
|
|
RtlLeaveCriticalSection(&gRpcPointersDatabaseLock);
|
|
}
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
PointerIsInGAPDatabase(PVOID Pointer)
|
|
{
|
|
ULONG i;
|
|
BOOLEAN bRet = FALSE;
|
|
|
|
// spend time only if necessary
|
|
if ((Pointer != NULL)
|
|
&& (gbRpcGetAllProcessesOK == TRUE)
|
|
&& (gbPointersDatabaseIsValid == TRUE)
|
|
)
|
|
{
|
|
RtlEnterCriticalSection(&gRpcPointersDatabaseLock);
|
|
{
|
|
// we need to check because the database may have been released
|
|
// while we were waiting for the lock
|
|
if (gPointersDatabase != NULL)
|
|
{
|
|
for (i=0; i < gPointersDatabaseSize; i++)
|
|
{
|
|
if (gPointersDatabase[i] == Pointer)
|
|
{
|
|
bRet = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
RtlLeaveCriticalSection(&gRpcPointersDatabaseLock);
|
|
}
|
|
|
|
return bRet;
|
|
}
|
|
|
|
|
|
VOID
|
|
ValidateGAPPointersDatabase(ULONG n)
|
|
{
|
|
gbPointersDatabaseIsValid = TRUE;
|
|
gNbProcesses = n;
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* SidCacheAdd
|
|
*
|
|
* NOTE: Do not call with GAP allocated, or otherwise controlled pointers.
|
|
******************************************************************************/
|
|
VOID
|
|
SidCacheAdd(
|
|
HANDLE UniqueProcessId,
|
|
LARGE_INTEGER CreateTime,
|
|
PSID pNewSid
|
|
)
|
|
{
|
|
DWORD SidLength;
|
|
NTSTATUS Status;
|
|
PLIST_ENTRY pNewListEntry;
|
|
PSID_CACHE_LIST_ENTRY pNewCacheRecord;
|
|
PSID pSid;
|
|
|
|
//
|
|
// If the lock didn't initialize, bail.
|
|
//
|
|
if (!gbRpcSidCacheOK) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Initialize memory for cache record. Failure is not a problem;
|
|
// the sid just won't be cached.
|
|
//
|
|
pNewCacheRecord = MemAlloc(sizeof(SID_CACHE_LIST_ENTRY));
|
|
if (pNewCacheRecord == NULL) {
|
|
return;
|
|
}
|
|
|
|
pNewCacheRecord->pSid = pNewSid;
|
|
pNewCacheRecord->ProcId = UniqueProcessId;
|
|
pNewCacheRecord->CreateTime = CreateTime;
|
|
pNewListEntry = &pNewCacheRecord->ListEntry;
|
|
|
|
//
|
|
// Lock the Sid Cache and add the new member.
|
|
//
|
|
RtlEnterCriticalSection(&gRpcSidCacheLock);
|
|
InsertTailList(&gSidCacheHead, pNewListEntry);
|
|
|
|
gMaxSidCacheEntries++;
|
|
RtlLeaveCriticalSection(&gRpcSidCacheLock);
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* SidCacheFind
|
|
*
|
|
* NOTE: Use RtlLengthSid, alloc memory, and RtlCopySid for the return value!
|
|
* Otherwise, you may free memory being used by the Cache!!
|
|
*
|
|
******************************************************************************/
|
|
PSID
|
|
SidCacheFind(
|
|
HANDLE UniqueProcessId,
|
|
LARGE_INTEGER CreateTime
|
|
)
|
|
{
|
|
PLIST_ENTRY pTempEntry;
|
|
PSID_CACHE_LIST_ENTRY pSidCacheEntry;
|
|
PSID pRetSid = NULL;
|
|
|
|
//
|
|
// If the lock didn't initialize, bail.
|
|
//
|
|
if (!gbRpcSidCacheOK) {
|
|
return(NULL);
|
|
}
|
|
|
|
//
|
|
// Lock the Sid Cache.
|
|
//
|
|
RtlEnterCriticalSection(&gRpcSidCacheLock);
|
|
|
|
//
|
|
// The list head is a place holder, start searching from the head's
|
|
// Flink. Stop when we reach the list head again.
|
|
//
|
|
pTempEntry = gSidCacheHead.Flink;
|
|
|
|
while(pTempEntry != &gSidCacheHead) {
|
|
pSidCacheEntry = CONTAINING_RECORD(
|
|
pTempEntry,
|
|
SID_CACHE_LIST_ENTRY,
|
|
ListEntry
|
|
);
|
|
|
|
if (pSidCacheEntry->ProcId != UniqueProcessId) {
|
|
pTempEntry = pTempEntry->Flink;
|
|
} else {
|
|
if (pSidCacheEntry->CreateTime.QuadPart == CreateTime.QuadPart) {
|
|
pRetSid = pSidCacheEntry->pSid;
|
|
} else {
|
|
//
|
|
// If the PID matches, but the create time doesn't, this record is
|
|
// stale. Remove it from the list and free the memory associated with
|
|
// it. There can only be one entry in the cache per PID, therefore,
|
|
// stop searching after freeing.
|
|
//
|
|
RemoveEntryList(pTempEntry);
|
|
if (pSidCacheEntry->pSid != NULL) {
|
|
MemFree(pSidCacheEntry->pSid);
|
|
}
|
|
MemFree(pSidCacheEntry);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Release the Sid Cache.
|
|
//
|
|
RtlLeaveCriticalSection(&gRpcSidCacheLock);
|
|
return(pRetSid);
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* SidCacheFree
|
|
*
|
|
*
|
|
******************************************************************************/
|
|
VOID
|
|
SidCacheFree(
|
|
PLIST_ENTRY pListHead
|
|
)
|
|
{
|
|
PLIST_ENTRY pTempEntry = pListHead->Flink;
|
|
|
|
//
|
|
// Lock the Sid Cache.
|
|
//
|
|
|
|
RtlEnterCriticalSection(&gRpcSidCacheLock);
|
|
|
|
|
|
//
|
|
// The list head is a place holder, start freeing from the head's
|
|
// Flink. Stop when we reach the list head again.
|
|
//
|
|
|
|
while (pTempEntry != pListHead) {
|
|
PSID_CACHE_LIST_ENTRY pSidCacheEntry;
|
|
pSidCacheEntry = CONTAINING_RECORD(
|
|
pTempEntry,
|
|
SID_CACHE_LIST_ENTRY,
|
|
ListEntry
|
|
);
|
|
|
|
if (pSidCacheEntry->pSid != NULL) {
|
|
MemFree(pSidCacheEntry->pSid);
|
|
}
|
|
|
|
|
|
RemoveEntryList(pTempEntry);
|
|
pTempEntry = pTempEntry->Flink;
|
|
MemFree(pSidCacheEntry);
|
|
|
|
}
|
|
|
|
//
|
|
// Release the Sid Cache.
|
|
//
|
|
|
|
RtlLeaveCriticalSection(&gRpcSidCacheLock);
|
|
}
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* SidCacheUpdate
|
|
*
|
|
*
|
|
******************************************************************************/
|
|
VOID
|
|
SidCacheUpdate(
|
|
VOID
|
|
)
|
|
{
|
|
|
|
//
|
|
// TODO: Figure out a way to get rid of stale cache entries!
|
|
//
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* GetSidFromProcessId
|
|
*
|
|
* NOTE: GetSid returns a normal, local memory pointer. The caller should
|
|
* copy this sid based on its needs. For example, RpcWinStationGAP
|
|
* would copy this sid to a GAP pointer. The caller should NOT free
|
|
* the returned pointer, as it is also being cached!
|
|
*
|
|
******************************************************************************/
|
|
NTSTATUS
|
|
GetSidFromProcessId(
|
|
HANDLE UniqueProcessId,
|
|
LARGE_INTEGER CreateTime,
|
|
PSID *ppProcessSid,
|
|
BOOLEAN ImpersonatingClient
|
|
)
|
|
{
|
|
BOOLEAN bResult = FALSE;
|
|
DWORD ReturnLength;
|
|
DWORD BufferLength;
|
|
DWORD SidLength;
|
|
PSID pSid;
|
|
NTSTATUS Status;
|
|
PTOKEN_USER pTokenUser = NULL;
|
|
HANDLE hProcess = NULL;
|
|
HANDLE hToken;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
CLIENT_ID ClientId;
|
|
KERNEL_USER_TIMES TimeInfo;
|
|
BOOLEAN ImpersonateAgain = FALSE;
|
|
RPC_STATUS RpcStatus;
|
|
|
|
//
|
|
// Look in sid cache first. Do it only for Admins.
|
|
//
|
|
|
|
if ( IsCallerAdmin() ) {
|
|
*ppProcessSid = SidCacheFind(UniqueProcessId, CreateTime);
|
|
if (*ppProcessSid != NULL) {
|
|
return(STATUS_SUCCESS);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Take the long road...
|
|
// Get the Process Handle
|
|
//
|
|
|
|
InitializeObjectAttributes(
|
|
&ObjectAttributes,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
NULL
|
|
);
|
|
ClientId.UniqueThread = (HANDLE)NULL;
|
|
ClientId.UniqueProcess = (HANDLE)UniqueProcessId;
|
|
|
|
// For Admins, we revert to system context before getting the SID.
|
|
// This is a hack. Ideally, process ACLs should have been set appropriately.
|
|
if ( ImpersonatingClient && IsCallerAdmin() ) {
|
|
RpcStatus = RpcRevertToSelf();
|
|
|
|
if (RpcStatus == RPC_S_OK) {
|
|
ImpersonateAgain = TRUE;
|
|
}
|
|
}
|
|
|
|
// This should now pass. If not, then this is not a permission issue.
|
|
Status = NtOpenProcess(
|
|
&hProcess,
|
|
PROCESS_QUERY_INFORMATION,
|
|
&ObjectAttributes,
|
|
&ClientId
|
|
);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Get the Process CreateTime information
|
|
//
|
|
|
|
Status = NtQueryInformationProcess(
|
|
hProcess,
|
|
ProcessTimes,
|
|
(PVOID)&TimeInfo,
|
|
sizeof(TimeInfo),
|
|
NULL
|
|
);
|
|
|
|
//
|
|
// Verify that the passed in PID and CreateTime match
|
|
// the current environment (i.e. don't bother getting
|
|
// information on a stale PID).
|
|
//
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
if ((TimeInfo.CreateTime.LowPart != CreateTime.LowPart) ||
|
|
(TimeInfo.CreateTime.HighPart != CreateTime.HighPart)) {
|
|
CloseHandle(hProcess);
|
|
Status = STATUS_INVALID_HANDLE;
|
|
goto ReturnStatus;
|
|
}
|
|
} else {
|
|
CloseHandle(hProcess);
|
|
goto ReturnStatus;
|
|
}
|
|
|
|
//
|
|
// Get the Process Token
|
|
//
|
|
|
|
Status = NtOpenProcessToken(
|
|
hProcess,
|
|
TOKEN_QUERY,
|
|
&hToken
|
|
);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Query the TokenUser size, then allocate space
|
|
// and re-query.
|
|
//
|
|
|
|
Status = NtQueryInformationToken(
|
|
hToken,
|
|
TokenUser,
|
|
NULL,
|
|
0,
|
|
&ReturnLength
|
|
);
|
|
|
|
if (ReturnLength == 0) {
|
|
CloseHandle(hProcess);
|
|
CloseHandle(hToken);
|
|
goto ReturnStatus;
|
|
}
|
|
|
|
BufferLength = ReturnLength;
|
|
pTokenUser = MemAlloc(BufferLength);
|
|
if( pTokenUser == NULL ) {
|
|
CloseHandle(hProcess);
|
|
CloseHandle(hToken);
|
|
Status = STATUS_NO_MEMORY;
|
|
goto ReturnStatus;
|
|
}
|
|
|
|
Status = NtQueryInformationToken(
|
|
hToken,
|
|
TokenUser,
|
|
pTokenUser,
|
|
BufferLength,
|
|
&ReturnLength
|
|
);
|
|
|
|
CloseHandle(hToken);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// A valid Sid has been found; copy it and add it to
|
|
// the cache.
|
|
//
|
|
|
|
SidLength = RtlLengthSid(pTokenUser->User.Sid);
|
|
pSid = MemAlloc(SidLength);
|
|
|
|
if (pSid != NULL) {
|
|
Status = RtlCopySid(
|
|
SidLength,
|
|
pSid,
|
|
pTokenUser->User.Sid
|
|
);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
*ppProcessSid = pSid;
|
|
bResult = TRUE;
|
|
SidCacheAdd(UniqueProcessId, CreateTime, pSid);
|
|
}
|
|
} else {
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
MemFree(pTokenUser);
|
|
}
|
|
CloseHandle(hProcess);
|
|
}
|
|
|
|
ReturnStatus:
|
|
if (ImpersonateAgain) {
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if ( RpcStatus != RPC_S_OK )
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
}
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
VOID
|
|
CheckSidCacheSize()
|
|
|
|
{
|
|
|
|
// if cache has grown over limit, free all the entries
|
|
// and reset the cache entries counter
|
|
|
|
if (gMaxSidCacheEntries >= MAX_SID_CACHE_ENTRIES) {
|
|
SidCacheFree(&gSidCacheHead);
|
|
InitializeListHead(&gSidCacheHead);
|
|
gMaxSidCacheEntries = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// This function converts sys buffer to ts buffer. also counts the processes, and returns array procids.
|
|
// CALLER NEED TO LocalFree the *ppProcIds, thats allocaed.
|
|
NTSTATUS ConvertSysBufferToTSBuffer(PBYTE *ppSysProcessBuffer, DWORD ByteCount, ULONG *pProcesses, PHANDLE *ppProcIds)
|
|
{
|
|
PBYTE pTSProcessBuffer = NULL;
|
|
PSYSTEM_PROCESS_INFORMATION pSysProcessInfo = NULL;
|
|
PTS_SYS_PROCESS_INFORMATION_NT6 pTSProcessInfo = NULL;
|
|
ULONG TotalOffset = 0;
|
|
ULONG TotalTSOffset = 0;
|
|
ULONG TotalTmpOffset = 0;
|
|
ULONG CurrentOffset = 0;
|
|
ULONG CurrentSessionId = INVALID_SESSIONID;
|
|
HANDLE *pProcessIds = NULL;
|
|
UINT uiNumProcess = 0;
|
|
NTSTATUS Status;
|
|
PWINSTATION pWinStation = NULL;
|
|
|
|
ASSERT(ppSysProcessBuffer);
|
|
ASSERT(*ppSysProcessBuffer);
|
|
ASSERT(ByteCount);
|
|
ASSERT(pProcesses);
|
|
ASSERT(ppProcIds);
|
|
|
|
// allocate target buffer.
|
|
pTSProcessBuffer = MIDL_user_allocate(ByteCount);
|
|
|
|
if (pTSProcessBuffer == NULL)
|
|
{
|
|
*ppProcIds = NULL;
|
|
*pProcesses = 0;
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
|
|
uiNumProcess = 0;
|
|
TotalOffset = 0;
|
|
|
|
//count number of processes
|
|
do
|
|
{
|
|
ASSERT(TotalOffset < ByteCount);
|
|
pSysProcessInfo = (PSYSTEM_PROCESS_INFORMATION) &((*ppSysProcessBuffer)[TotalOffset]);
|
|
TotalOffset += pSysProcessInfo->NextEntryOffset;
|
|
uiNumProcess++;
|
|
}
|
|
while (pSysProcessInfo->NextEntryOffset != 0);
|
|
|
|
// allocate memory for process ids.
|
|
pProcessIds = LocalAlloc(LMEM_FIXED, sizeof(HANDLE) * uiNumProcess);
|
|
|
|
if (!pProcessIds)
|
|
{
|
|
MIDL_user_free(pTSProcessBuffer);
|
|
*ppProcIds = NULL;
|
|
*pProcesses = 0;
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
uiNumProcess = 0;
|
|
TotalOffset = 0;
|
|
TotalTSOffset = 0;
|
|
|
|
do
|
|
{
|
|
ASSERT(TotalOffset < ByteCount);
|
|
pSysProcessInfo = (PSYSTEM_PROCESS_INFORMATION) &((*ppSysProcessBuffer)[TotalOffset]);
|
|
CurrentSessionId = pSysProcessInfo->SessionId;
|
|
|
|
if(CurrentSessionId == INVALID_SESSIONID)
|
|
{
|
|
TotalOffset += pSysProcessInfo->NextEntryOffset;
|
|
CurrentOffset = pSysProcessInfo->NextEntryOffset;
|
|
continue;
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( CurrentSessionId, FALSE );
|
|
if ( pWinStation == NULL )
|
|
{
|
|
//
|
|
//The session this process belongs to, might already be gone.
|
|
//Don't fail here, just skip the process.
|
|
//
|
|
pSysProcessInfo->SessionId = INVALID_SESSIONID;
|
|
TotalOffset += pSysProcessInfo->NextEntryOffset;
|
|
CurrentOffset = pSysProcessInfo->NextEntryOffset;
|
|
continue;
|
|
}
|
|
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_QUERY, TRUE );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
TotalTmpOffset = TotalOffset;
|
|
TotalOffset += pSysProcessInfo->NextEntryOffset;
|
|
CurrentOffset = pSysProcessInfo->NextEntryOffset;
|
|
|
|
do
|
|
{
|
|
pSysProcessInfo = (PSYSTEM_PROCESS_INFORMATION) &((*ppSysProcessBuffer)[TotalTmpOffset]);
|
|
|
|
if(pSysProcessInfo->SessionId != CurrentSessionId)
|
|
{
|
|
TotalTmpOffset += pSysProcessInfo->NextEntryOffset;
|
|
continue;
|
|
}
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
pTSProcessInfo = (PTS_SYS_PROCESS_INFORMATION_NT6)&(pTSProcessBuffer[TotalTSOffset]);
|
|
|
|
// now copy the information over.
|
|
/* ULONG */ pTSProcessInfo->NextEntryOffset = sizeof(TS_SYS_PROCESS_INFORMATION_NT6) +
|
|
pSysProcessInfo->ImageName.MaximumLength;//pSysProcessInfo->NextEntryOffset;
|
|
/* ULONG */ pTSProcessInfo->NumberOfThreads = pSysProcessInfo->NumberOfThreads;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->SpareLi1 = pSysProcessInfo->SpareLi1;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->SpareLi2 = pSysProcessInfo->SpareLi2;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->SpareLi3 = pSysProcessInfo->SpareLi3;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->CreateTime = pSysProcessInfo->CreateTime;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->UserTime = pSysProcessInfo->UserTime;
|
|
/* LARGE_INTEGER */ pTSProcessInfo->KernelTime = pSysProcessInfo->KernelTime;
|
|
|
|
if (pSysProcessInfo->ImageName.Buffer != NULL && pSysProcessInfo->ImageName.Length != 0)
|
|
{
|
|
pTSProcessInfo->ImageName.Buffer = (PWSTR)((PBYTE)pTSProcessInfo + sizeof(TS_SYS_PROCESS_INFORMATION_NT6));
|
|
memcpy(pTSProcessInfo->ImageName.Buffer, pSysProcessInfo->ImageName.Buffer, pSysProcessInfo->ImageName.MaximumLength );
|
|
pTSProcessInfo->ImageName.Length = pSysProcessInfo->ImageName.Length;
|
|
pTSProcessInfo->ImageName.MaximumLength = pSysProcessInfo->ImageName.MaximumLength;
|
|
}
|
|
else
|
|
{
|
|
pTSProcessInfo->ImageName.Buffer = NULL;
|
|
pTSProcessInfo->ImageName.Length = 0;
|
|
}
|
|
|
|
/* KPRIORITY */ pTSProcessInfo->BasePriority = pSysProcessInfo->BasePriority;
|
|
/* HANDLE */ pTSProcessInfo->UniqueProcessId = HandleToULong(pSysProcessInfo->UniqueProcessId);
|
|
/* HANDLE */ pTSProcessInfo->InheritedFromUniqueProcessId = HandleToULong(pSysProcessInfo->InheritedFromUniqueProcessId);
|
|
/* ULONG */ pTSProcessInfo->HandleCount = pSysProcessInfo->HandleCount;
|
|
/* ULONG */ pTSProcessInfo->SessionId = pSysProcessInfo->SessionId;
|
|
// /* ULONG_PTR */ pTSProcessInfo->PageDirectoryBase = pSysProcessInfo->PageDirectoryBase;
|
|
/* SIZE_T */ pTSProcessInfo->PeakVirtualSize = pSysProcessInfo->PeakVirtualSize;
|
|
/* SIZE_T */ pTSProcessInfo->VirtualSize = pSysProcessInfo->VirtualSize;
|
|
/* ULONG */ pTSProcessInfo->PageFaultCount = pSysProcessInfo->PageFaultCount;
|
|
/* SIZE_T */ pTSProcessInfo->PeakWorkingSetSize = (ULONG)pSysProcessInfo->PeakWorkingSetSize;
|
|
/* SIZE_T */ pTSProcessInfo->WorkingSetSize = (ULONG)pSysProcessInfo->WorkingSetSize;
|
|
/* SIZE_T */ pTSProcessInfo->QuotaPeakPagedPoolUsage = (ULONG)pSysProcessInfo->QuotaPeakPagedPoolUsage;
|
|
/* SIZE_T */ pTSProcessInfo->QuotaPagedPoolUsage = (ULONG)pSysProcessInfo->QuotaPagedPoolUsage;
|
|
/* SIZE_T */ pTSProcessInfo->QuotaPeakNonPagedPoolUsage = (ULONG)pSysProcessInfo->QuotaPeakNonPagedPoolUsage;
|
|
/* SIZE_T */ pTSProcessInfo->QuotaNonPagedPoolUsage = (ULONG)pSysProcessInfo->QuotaNonPagedPoolUsage;
|
|
/* SIZE_T */ pTSProcessInfo->PagefileUsage = (ULONG)pSysProcessInfo->PagefileUsage;
|
|
/* SIZE_T */ pTSProcessInfo->PeakPagefileUsage = (ULONG)pSysProcessInfo->PeakPagefileUsage;
|
|
/* SIZE_T */ pTSProcessInfo->PrivatePageCount = (ULONG)pSysProcessInfo->PrivatePageCount;
|
|
|
|
//
|
|
// now keep the original pid form the original buffer,
|
|
//we have lost some data while converting it to ts format.
|
|
pProcessIds[uiNumProcess] = pSysProcessInfo->UniqueProcessId;
|
|
TotalTSOffset += pTSProcessInfo->NextEntryOffset;
|
|
uiNumProcess++;
|
|
}
|
|
|
|
pSysProcessInfo->SessionId = INVALID_SESSIONID;
|
|
TotalTmpOffset += pSysProcessInfo->NextEntryOffset;
|
|
}
|
|
while (pSysProcessInfo->NextEntryOffset != 0);
|
|
|
|
}
|
|
while (CurrentOffset != 0);
|
|
|
|
if ( !uiNumProcess )
|
|
{
|
|
LocalFree(pProcessIds);
|
|
MIDL_user_free(pTSProcessBuffer);
|
|
*ppProcIds = NULL;
|
|
*pProcesses = 0;
|
|
return STATUS_ACCESS_DENIED;
|
|
}
|
|
|
|
// now lets get rid of the original buffer, and replace it with our new TS process buffer
|
|
LocalFree(*ppSysProcessBuffer);
|
|
|
|
*ppProcIds = pProcessIds;
|
|
*pProcesses = uiNumProcess;
|
|
*ppSysProcessBuffer = pTSProcessBuffer;
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
/***********************************************************************************************************
|
|
* WinStationGetAllProcessesWorker
|
|
*
|
|
* Worker routine for RpcWinStationGetAllProcesses(Win2K) and RpcWinStationGetAllProcesses_NT6(Whistler).
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
* FALSE -- The operation failed. Extended error status is returned in pResult.
|
|
***********************************************************************************************************/
|
|
BOOLEAN
|
|
WinStationGetAllProcessesWorker(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG Level,
|
|
ULONG *pNumberOfProcesses,
|
|
PBYTE *ppTsAllProcessesInfo
|
|
)
|
|
{
|
|
PTS_SYS_PROCESS_INFORMATION_NT6 pProcessInfo = NULL;
|
|
PTS_ALL_PROCESSES_INFO_NT6 pProcessArray = NULL;
|
|
|
|
ULONG TotalOffset;
|
|
ULONG NumberOfProcesses = 1; // at least 1 process
|
|
ULONG i;
|
|
RPC_STATUS RpcStatus;
|
|
NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH; // Assume that this length is wrong. In fact it *is* wrong initially.
|
|
|
|
if (gbRpcGetAllProcessesOK == FALSE)
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
*pNumberOfProcesses = 0;
|
|
*ppTsAllProcessesInfo = NULL;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// this critical section will be released in
|
|
// RpcWinStationGetAllProcesses_notify_flag
|
|
//
|
|
RtlEnterCriticalSection(&gRpcGetAllProcessesLock);
|
|
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: WinStationGetAllProcessesWorker RpcImpersonateClient failed! %d\n",RpcStatus));
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
*pNumberOfProcesses = 0;
|
|
*ppTsAllProcessesInfo = NULL;
|
|
return FALSE;
|
|
}
|
|
|
|
// Check if SID cache hasn't grown too much
|
|
|
|
CheckSidCacheSize();
|
|
|
|
|
|
if (!NT_SUCCESS(InitializeGAPPointersDatabase()))
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_NO_MEMORY;
|
|
*pNumberOfProcesses = 0;
|
|
*ppTsAllProcessesInfo = NULL;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// make sure requested information level is known
|
|
//
|
|
if (Level != GAP_LEVEL_BASIC) // only info level known on this version
|
|
{
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
}
|
|
else // OK
|
|
{
|
|
PBYTE pProcessBuffer = NULL;
|
|
PSID pSid;
|
|
DWORD RequiredByteCount = 0;
|
|
DWORD ByteCount = (MAX_PATH*sizeof(WCHAR)) + 1; // Give the minimum length first. We will get the correct on subsequent calls.
|
|
HANDLE *pProcessids = NULL;
|
|
|
|
while ( Status == STATUS_INFO_LENGTH_MISMATCH)
|
|
{
|
|
//
|
|
// Allocate a buffer
|
|
//
|
|
pProcessBuffer = MIDL_user_allocate(ByteCount);
|
|
|
|
if (pProcessBuffer == NULL)
|
|
{
|
|
Status = STATUS_NO_MEMORY;
|
|
*pResult = STATUS_NO_MEMORY;
|
|
*pNumberOfProcesses = 0;
|
|
*ppTsAllProcessesInfo = NULL;
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Perform process enumeration.
|
|
// NOTE: We had a mismatch in the structure for the process information in Win2K and whistler from RPC point of view.
|
|
// Win2K RPC interpretes the size of the image name is twice of what whistler does. So, to take care of this problem,
|
|
// where Win2K client may call Whistler server, we will allocate more bytes than actually required. So, we will pass
|
|
// less number of bytes to the system call by the same amount.
|
|
//
|
|
Status = NtQuerySystemInformation( SystemProcessInformation,
|
|
(PVOID)pProcessBuffer,
|
|
ByteCount - (MAX_PATH*sizeof(WCHAR)),
|
|
&RequiredByteCount );
|
|
if (Status == STATUS_INFO_LENGTH_MISMATCH)
|
|
{
|
|
// Allocate little more bytes than required.
|
|
ByteCount = RequiredByteCount + (MAX_PATH*sizeof(WCHAR));
|
|
MIDL_user_free(pProcessBuffer);
|
|
}
|
|
}
|
|
|
|
if ( Status != STATUS_SUCCESS)
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
if (pProcessBuffer != NULL)
|
|
{
|
|
MIDL_user_free(pProcessBuffer);
|
|
pProcessBuffer = NULL;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
Status = ConvertSysBufferToTSBuffer(&pProcessBuffer, ByteCount, &NumberOfProcesses, &pProcessids);
|
|
|
|
if (Status != STATUS_SUCCESS)
|
|
{
|
|
// failed to convert sysbuffer to ts buffer.
|
|
// lets bail out.
|
|
*pResult = Status;
|
|
if (pProcessBuffer != NULL)
|
|
{
|
|
MIDL_user_free(pProcessBuffer);
|
|
pProcessBuffer = NULL;
|
|
}
|
|
}
|
|
else // everything's fine
|
|
{
|
|
ASSERT(pProcessids);
|
|
ASSERT(pProcessBuffer);
|
|
ASSERT(NumberOfProcesses > 0);
|
|
|
|
|
|
pProcessArray = AllocateGAPPointer(NumberOfProcesses * sizeof(TS_ALL_PROCESSES_INFO_NT6));
|
|
|
|
if (pProcessArray == NULL)
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
MIDL_user_free(pProcessBuffer);
|
|
pProcessBuffer = NULL;
|
|
}
|
|
else
|
|
{
|
|
|
|
RtlZeroMemory(pProcessArray,
|
|
NumberOfProcesses * sizeof(TS_ALL_PROCESSES_INFO_NT6));
|
|
*pResult = STATUS_SUCCESS;
|
|
pProcessInfo = (PTS_SYS_PROCESS_INFORMATION_NT6)pProcessBuffer;
|
|
TotalOffset = 0;
|
|
|
|
//
|
|
// Walk the returned buffer again to set the correct pointers in pProcessArray
|
|
//
|
|
for (i=0; i < NumberOfProcesses; i++)
|
|
{
|
|
pProcessArray[i].pTsProcessInfo = (PTS_SYS_PROCESS_INFORMATION_NT6)pProcessInfo;
|
|
|
|
//
|
|
// keep some trace of the "internal" pointers
|
|
// so that the RPC server stub do not try to free them.
|
|
//
|
|
|
|
if (!NT_SUCCESS(InsertPointerInGAPDatabase(pProcessArray[i].pTsProcessInfo)))
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
break;
|
|
}
|
|
|
|
if ( pProcessInfo->ImageName.Buffer )
|
|
{
|
|
if (!NT_SUCCESS(InsertPointerInGAPDatabase(pProcessInfo->ImageName.Buffer)))
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Get the Sid
|
|
//
|
|
Status = GetSidFromProcessId(
|
|
pProcessids[i],
|
|
pProcessInfo->CreateTime,
|
|
&pSid,
|
|
TRUE
|
|
);
|
|
|
|
if (Status == STATUS_CANNOT_IMPERSONATE)
|
|
{
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
break;
|
|
}
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// set the length for the Sid
|
|
//
|
|
pProcessArray[i].SizeOfSid = RtlLengthSid(pSid);
|
|
// GAP allocate a pointer and copy!
|
|
pProcessArray[i].pSid = AllocateGAPPointer(
|
|
pProcessArray[i].SizeOfSid
|
|
);
|
|
if (pProcessArray[i].pSid == NULL) {
|
|
*pResult = STATUS_NO_MEMORY;
|
|
break;
|
|
}
|
|
|
|
*pResult = RtlCopySid(
|
|
pProcessArray[i].SizeOfSid,
|
|
pProcessArray[i].pSid,
|
|
pSid
|
|
);
|
|
if (!(NT_SUCCESS(*pResult))) {
|
|
break;
|
|
}
|
|
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// set a NULL Sid
|
|
//
|
|
pProcessArray[i].pSid = NULL;
|
|
pProcessArray[i].SizeOfSid = 0;
|
|
}
|
|
//
|
|
// next entry
|
|
//
|
|
|
|
TotalOffset += pProcessInfo->NextEntryOffset;
|
|
|
|
|
|
pProcessInfo = (PTS_SYS_PROCESS_INFORMATION_NT6)&pProcessBuffer[TotalOffset];
|
|
|
|
|
|
}
|
|
|
|
if (*pResult != STATUS_SUCCESS) // we finally failed !
|
|
{
|
|
// DBGPRINT(( "TERMSRV: RpcWinStationGAP: ultimate failure\n"));
|
|
|
|
//
|
|
// free all SIDs
|
|
//
|
|
for (i=0; i < NumberOfProcesses; i++)
|
|
{
|
|
if (pProcessArray[i].pSid != NULL)
|
|
{
|
|
LocalFree(pProcessArray[i].pSid);
|
|
}
|
|
}
|
|
//
|
|
// free the array
|
|
//
|
|
LocalFree(pProcessArray);
|
|
pProcessArray = NULL;
|
|
//
|
|
// free the buffer
|
|
//
|
|
MIDL_user_free(pProcessBuffer);
|
|
pProcessBuffer = NULL;
|
|
}
|
|
}
|
|
|
|
if (pProcessids)
|
|
LocalFree(pProcessids);
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
if (NT_SUCCESS(*pResult))
|
|
{
|
|
// DBGPRINT(( "TERMSRV: RpcWinStationGAP: Everything went fine\n"));
|
|
|
|
//
|
|
// From that moment, we may receive some MIDL_user_free
|
|
// so enable the database checking
|
|
//
|
|
ValidateGAPPointersDatabase(NumberOfProcesses);
|
|
|
|
*pNumberOfProcesses = NumberOfProcesses;
|
|
*ppTsAllProcessesInfo = (PBYTE) pProcessArray;
|
|
|
|
}
|
|
else // error case
|
|
{
|
|
*pNumberOfProcesses = 0;
|
|
*ppTsAllProcessesInfo = NULL;
|
|
}
|
|
|
|
if (Status != STATUS_CANNOT_IMPERSONATE)
|
|
RpcRevertToSelf();
|
|
|
|
return ( (NT_SUCCESS(*pResult))? TRUE : FALSE);
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationGetAllProcesses_NT6
|
|
*
|
|
* Replaces RpcWinStationGetAllProcesses for Win2K servers.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
* FALSE -- The operation failed. Extended error status is returned in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationGetAllProcesses_NT6(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG Level,
|
|
ULONG *pNumberOfProcesses,
|
|
PTS_ALL_PROCESSES_INFO_NT6 *ppTsAllProcessesInfo
|
|
)
|
|
{
|
|
BOOLEAN Result;
|
|
PTS_ALL_PROCESSES_INFO_NT6 pProcessInfo;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
Result = WinStationGetAllProcessesWorker(
|
|
hServer,
|
|
pResult,
|
|
Level,
|
|
pNumberOfProcesses,
|
|
(PBYTE *)&pProcessInfo
|
|
);
|
|
|
|
*ppTsAllProcessesInfo = pProcessInfo;
|
|
|
|
return Result;
|
|
}
|
|
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationGetAllProcesses
|
|
*
|
|
* Replaces RpcWinStationEnumerateProcesses for NT5.0 servers.
|
|
* (Now used only by winsta client of Win2K)
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is returned in pResult.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationGetAllProcesses(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG Level,
|
|
ULONG *pNumberOfProcesses,
|
|
PTS_ALL_PROCESSES_INFO *ppTsAllProcessesInfo
|
|
)
|
|
{
|
|
BOOLEAN Result;
|
|
PTS_ALL_PROCESSES_INFO pProcessInfo;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
Result = WinStationGetAllProcessesWorker(
|
|
hServer,
|
|
pResult,
|
|
Level,
|
|
pNumberOfProcesses,
|
|
(PBYTE *)&pProcessInfo
|
|
);
|
|
|
|
*ppTsAllProcessesInfo = pProcessInfo;
|
|
|
|
return Result;
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationGetLanAdapterName
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
* FALSE -- The operation failed. Extended error status is returned in pResult.
|
|
******************************************************************************/
|
|
|
|
#define RELEASEPTR(iPointer) \
|
|
if (iPointer) { \
|
|
iPointer->lpVtbl->Release(iPointer); \
|
|
iPointer = NULL; \
|
|
}
|
|
|
|
BOOLEAN RpcWinStationGetLanAdapterName(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD PdNameSize,
|
|
PWCHAR pPdName,
|
|
ULONG LanAdapter,
|
|
ULONG *pLength,
|
|
PWCHAR *ppLanAdapterName)
|
|
{
|
|
HRESULT hResult = S_OK;
|
|
HRESULT hr = S_OK;
|
|
|
|
//Interface pointer declarations
|
|
WCHAR szProtocol[256];
|
|
INetCfg * pnetCfg = NULL;
|
|
INetCfgClass * pNetCfgClass = NULL;
|
|
INetCfgClass * pNetCfgClassAdapter = NULL;
|
|
INetCfgComponent * pNetCfgComponent = NULL;
|
|
INetCfgComponent * pNetCfgComponentprot = NULL;
|
|
IEnumNetCfgComponent * pEnumComponent = NULL;
|
|
INetCfgComponentBindings * pBinding = NULL;
|
|
LPWSTR pDisplayName = NULL;
|
|
DWORD dwCharacteristics;
|
|
ULONG count = 0;
|
|
RPC_STATUS RpcStatus;
|
|
PWCHAR pLanAdapter = NULL;
|
|
|
|
*ppLanAdapterName = NULL;
|
|
*pLength = 0;
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
// Impersonate the client so that strings get localized
|
|
RpcStatus = RpcImpersonateClient(NULL);
|
|
if(RpcStatus != RPC_S_OK)
|
|
{
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
// 0 corresponds to "All network adapters"
|
|
|
|
if (0 == LanAdapter) {
|
|
pLanAdapter = MIDL_user_allocate((DEVICENAME_LENGTH + 1) * sizeof(WCHAR));
|
|
if (pLanAdapter == NULL) {
|
|
*pResult = STATUS_NO_MEMORY;
|
|
RpcRevertToSelf();
|
|
goto done;
|
|
}
|
|
else {
|
|
if (!LoadString(hModuleWin, STR_ALL_LAN_ADAPTERS, pLanAdapter,
|
|
DEVICENAME_LENGTH + 1)) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
MIDL_user_free(pLanAdapter);
|
|
RpcRevertToSelf();
|
|
goto done;
|
|
}
|
|
|
|
*ppLanAdapterName = pLanAdapter;
|
|
*pLength = (DEVICENAME_LENGTH + 1);
|
|
RpcRevertToSelf();
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
|
|
try{
|
|
|
|
NTSTATUS StringStatus ;
|
|
|
|
// Do some buffer validation
|
|
// No of bytes (and not no of WCHARS) is sent from the Client, so send half the length got
|
|
StringStatus = IsZeroterminateStringW(pPdName, PdNameSize / sizeof(WCHAR) );
|
|
if (StringStatus != STATUS_SUCCESS) {
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
if (0 == _wcsnicmp( pPdName , L"tcp", PdNameSize/sizeof(WCHAR))) {
|
|
lstrcpy(szProtocol,NETCFG_TRANS_CID_MS_TCPIP);
|
|
}
|
|
else if( 0 == _wcsnicmp( pPdName , L"netbios", PdNameSize/sizeof(WCHAR)) ) {
|
|
lstrcpy(szProtocol,NETCFG_SERVICE_CID_MS_NETBIOS);
|
|
}
|
|
else if( 0 == _wcsnicmp( pPdName , L"ipx", PdNameSize/sizeof(WCHAR)) ) {
|
|
lstrcpy(szProtocol,NETCFG_TRANS_CID_MS_NWIPX);
|
|
}
|
|
else if( 0 == _wcsnicmp( pPdName , L"spx", PdNameSize/sizeof(WCHAR)) ) {
|
|
lstrcpy(szProtocol,NETCFG_TRANS_CID_MS_NWSPX);
|
|
}
|
|
else {
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
} except(EXCEPTION_EXECUTE_HANDLER){
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
|
|
hResult = CoCreateInstance(&CLSID_CNetCfg, NULL, CLSCTX_SERVER,
|
|
&IID_INetCfg, (LPVOID *)&pnetCfg);
|
|
if (FAILED(hResult)) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
if (pnetCfg != NULL) {
|
|
hResult = pnetCfg->lpVtbl->Initialize(pnetCfg,NULL );
|
|
if (FAILED(hResult) || pnetCfg == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
if (lstrcmpi(szProtocol, NETCFG_SERVICE_CID_MS_NETBIOS) == 0) {
|
|
hResult = pnetCfg->lpVtbl->QueryNetCfgClass(pnetCfg,
|
|
&GUID_DEVCLASS_NETSERVICE, &IID_INetCfgClass,
|
|
(void **)&pNetCfgClass);
|
|
if (FAILED(hResult) || pNetCfgClass == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
}
|
|
else {
|
|
hResult = pnetCfg->lpVtbl->QueryNetCfgClass(pnetCfg,
|
|
&GUID_DEVCLASS_NETTRANS, &IID_INetCfgClass,
|
|
(void **)&pNetCfgClass);
|
|
if (FAILED( hResult ) || pNetCfgClass == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
hResult = pnetCfg->lpVtbl->QueryNetCfgClass(pnetCfg,
|
|
&GUID_DEVCLASS_NET, &IID_INetCfgClass,
|
|
(void **)&pNetCfgClassAdapter);
|
|
if (FAILED( hResult ) || pNetCfgClassAdapter == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
hResult = pNetCfgClass->lpVtbl->FindComponent(pNetCfgClass,
|
|
szProtocol, &pNetCfgComponentprot);
|
|
if (FAILED( hResult ) || pNetCfgComponentprot == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
hResult = pNetCfgComponentprot->lpVtbl->QueryInterface(
|
|
pNetCfgComponentprot, &IID_INetCfgComponentBindings,
|
|
(void **)&pBinding);
|
|
if (FAILED( hResult ) || pBinding == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
hResult = pNetCfgClassAdapter->lpVtbl->EnumComponents(
|
|
pNetCfgClassAdapter, &pEnumComponent);
|
|
|
|
RELEASEPTR(pNetCfgClassAdapter);
|
|
|
|
if (FAILED( hResult ) || pEnumComponent == NULL) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
|
|
while(TRUE) {
|
|
hr = pEnumComponent->lpVtbl->Next(pEnumComponent, 1,
|
|
&pNetCfgComponent,&count);
|
|
if (count == 0 || NULL == pNetCfgComponent)
|
|
break;
|
|
|
|
hr = pNetCfgComponent->lpVtbl->GetCharacteristics(
|
|
pNetCfgComponent,&dwCharacteristics);
|
|
if (FAILED(hr)) {
|
|
RELEASEPTR(pNetCfgComponent);
|
|
continue;
|
|
}
|
|
|
|
if (dwCharacteristics & NCF_PHYSICAL) {
|
|
if (S_OK == pBinding->lpVtbl->IsBoundTo(pBinding,
|
|
pNetCfgComponent)) {
|
|
GUID guidNIC;
|
|
/*index++;
|
|
if(index == LanAdapter)
|
|
{
|
|
hResult = pNetCfgComponent->lpVtbl->GetDisplayName(pNetCfgComponent,&pLanAdapter);
|
|
|
|
if( FAILED( hResult ) )
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
}
|
|
else
|
|
{
|
|
*ppLanAdapterName = MIDL_user_allocate((lstrlen(pLanAdapter) + 1) * sizeof(WCHAR));
|
|
if (*ppLanAdapterName == NULL)
|
|
{
|
|
*pResult = STATUS_NO_MEMORY;
|
|
}
|
|
else
|
|
{
|
|
lstrcpy(*ppLanAdapterName,pLanAdapter);
|
|
*pLength = (lstrlen(pLanAdapter) + 1);
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
CoTaskMemFree(pLanAdapter);
|
|
break;
|
|
}
|
|
}
|
|
*/
|
|
|
|
hResult = pNetCfgComponent->lpVtbl->GetInstanceGuid(
|
|
pNetCfgComponent , &guidNIC);
|
|
if (SUCCEEDED( hResult )) {
|
|
hResult = pNetCfgComponent->lpVtbl->GetDisplayName(
|
|
pNetCfgComponent, &pLanAdapter);
|
|
}
|
|
if (SUCCEEDED(hResult)) {
|
|
WCHAR wchRegKey[ MAX_PATH ];
|
|
WCHAR wchGUID[ 40 ];
|
|
HKEY hKey;
|
|
|
|
lstrcpy( wchRegKey , REG_GUID_TABLE );
|
|
|
|
// convert the 128bit value into a string
|
|
StringFromGUID2(&guidNIC, wchGUID,
|
|
sizeof( wchGUID ) / sizeof( WCHAR ));
|
|
|
|
// create the full regkey
|
|
lstrcat( wchRegKey , wchGUID );
|
|
|
|
// find guid in guid table
|
|
hResult = (HRESULT)RegOpenKeyEx(HKEY_LOCAL_MACHINE,
|
|
wchRegKey, 0, KEY_READ, &hKey);
|
|
|
|
if (hResult == ERROR_SUCCESS) {
|
|
DWORD dwSize = sizeof( DWORD );
|
|
DWORD dwLana = 0;
|
|
|
|
RegQueryValueEx(hKey, LANA_ID, NULL, NULL,
|
|
(LPBYTE)&dwLana, &dwSize);
|
|
RegCloseKey(hKey);
|
|
|
|
// if we have a match allocate space for the lanadapter name
|
|
// and then lets split
|
|
if (LanAdapter == dwLana) {
|
|
*ppLanAdapterName = MIDL_user_allocate(
|
|
(lstrlen(pLanAdapter) + 1) *
|
|
sizeof(WCHAR));
|
|
|
|
if ( *ppLanAdapterName == NULL ) {
|
|
*pResult = STATUS_NO_MEMORY;
|
|
}
|
|
else {
|
|
lstrcpy( *ppLanAdapterName , pLanAdapter );
|
|
*pLength = ( lstrlen( pLanAdapter ) + 1 );
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
|
|
MIDL_user_free(pLanAdapter);
|
|
break;
|
|
}
|
|
}
|
|
|
|
MIDL_user_free(pLanAdapter);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
RELEASEPTR(pNetCfgComponent);
|
|
}
|
|
|
|
|
|
done:
|
|
RELEASEPTR(pBinding);
|
|
RELEASEPTR(pEnumComponent);
|
|
RELEASEPTR(pNetCfgComponentprot);
|
|
RELEASEPTR(pNetCfgComponent);
|
|
RELEASEPTR(pNetCfgClass);
|
|
|
|
if ( pnetCfg != NULL )
|
|
pnetCfg->lpVtbl->Uninitialize(pnetCfg);
|
|
|
|
RELEASEPTR(pnetCfg);
|
|
|
|
CoUninitialize();
|
|
|
|
return *pResult == STATUS_SUCCESS ? TRUE : FALSE;
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationGetAllProcesses_NT6_notify_flag
|
|
*
|
|
* This callback function is called by the RPC server stub at the very end
|
|
* (after all the calls to MIDL_user_free).
|
|
* This allows us to free the remaining pointers.
|
|
* We also release the lock so that a new RpcWinStationGetAllProcesses
|
|
* can be processed.
|
|
*
|
|
******************************************************************************/
|
|
void RpcWinStationGetAllProcesses_NT6_notify_flag(boolean fServerCalled)
|
|
{
|
|
// DBGPRINT(( "TERMSRV: Entering RpcWinStationGAP_notify\n"));
|
|
|
|
if (!fServerCalled)
|
|
return;
|
|
|
|
if (gbRpcGetAllProcessesOK == TRUE)
|
|
{
|
|
//
|
|
// free our own pointers, free the database and disable the checking
|
|
//
|
|
ReleaseGAPPointersDatabase();
|
|
|
|
//
|
|
// release the lock that has been held since we entered
|
|
// RpcWinStationGetAllProcesses
|
|
//
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
}
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationGetAllProcesses_notify_flag
|
|
*
|
|
* This callback function is called by the RPC server stub at the very end
|
|
* (after all the calls to MIDL_user_free).
|
|
* This allows us to free the remaining pointers.
|
|
* We also release the lock so that a new RpcWinStationGetAllProcesses
|
|
* can be processed.
|
|
*
|
|
******************************************************************************/
|
|
void RpcWinStationGetAllProcesses_notify_flag(boolean fServerCalled)
|
|
{
|
|
// DBGPRINT(( "TERMSRV: Entering RpcWinStationGAP_notify\n"));
|
|
|
|
if (!fServerCalled)
|
|
return;
|
|
|
|
if (gbRpcGetAllProcessesOK == TRUE)
|
|
{
|
|
//
|
|
// free our own pointers, free the database and disable the checking
|
|
//
|
|
ReleaseGAPPointersDatabase();
|
|
|
|
//
|
|
// release the lock that has been held since we entered
|
|
// RpcWinStationGetAllProcesses
|
|
//
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
}
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
*
|
|
* RpcWinStationGetProcessSid
|
|
*
|
|
* RpcWinStationGetProcessSid API
|
|
*
|
|
* ENTRY:
|
|
* hServer - input, The serrver handle to work on.
|
|
* dwUniqueProcessId - input, ProcessID (its not really unique)
|
|
* ProcessStartTime - input, ProcessStartTime combined with ProcessID
|
|
* identifies a unique process
|
|
* pResult - output, error code
|
|
* pProcessUserSid - output, process user sid
|
|
* dwSidSize - input, sid size allocated.
|
|
*
|
|
* EXIT:
|
|
* TRUE - Requested Sid is in pProcessUserSid.
|
|
* FALSE - The operation failed. Status code is in pResult.
|
|
*
|
|
****************************************************************************/
|
|
BOOLEAN RpcWinStationGetProcessSid(
|
|
HANDLE hServer,
|
|
DWORD dwUniqueProcessId,
|
|
LARGE_INTEGER ProcessStartTime,
|
|
LONG *pResult, // Really an NTSTATUS
|
|
PBYTE pProcessUserSid,
|
|
DWORD dwSidSize,
|
|
DWORD *pdwSizeNeeded)
|
|
{
|
|
PSID pSid;
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return FALSE;
|
|
}
|
|
|
|
RtlEnterCriticalSection(&gRpcGetAllProcessesLock);
|
|
|
|
// Check if SID cache hasn't grown too much
|
|
CheckSidCacheSize();
|
|
|
|
*pResult = GetSidFromProcessId(
|
|
(HANDLE)(ULONG_PTR)dwUniqueProcessId,
|
|
ProcessStartTime,
|
|
&pSid,
|
|
TRUE
|
|
);
|
|
|
|
if (NT_SUCCESS(*pResult)) {
|
|
*pdwSizeNeeded = RtlLengthSid(pSid);
|
|
|
|
if (*pdwSizeNeeded <= dwSidSize) {
|
|
if (pProcessUserSid == NULL) {
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
} else {
|
|
*pResult = RtlCopySid(
|
|
*pdwSizeNeeded,
|
|
pProcessUserSid,
|
|
pSid
|
|
);
|
|
}
|
|
} else {
|
|
*pResult = STATUS_BUFFER_TOO_SMALL;
|
|
}
|
|
} else {
|
|
*pdwSizeNeeded = 0;
|
|
}
|
|
|
|
RtlLeaveCriticalSection(&gRpcGetAllProcessesLock);
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return(*pResult == STATUS_SUCCESS ? TRUE : FALSE);
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationRename
|
|
*
|
|
* Renames a window station object in the session manager.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* pWinStationNameOld (input)
|
|
* Old name of window station.
|
|
*
|
|
* pWinStationNameNew (input)
|
|
* New name of window station.
|
|
*
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The rename operation succeeded.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationRename(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PWCHAR pWinStationNameOld,
|
|
DWORD NameOldSize,
|
|
PWCHAR pWinStationNameNew,
|
|
DWORD NameNewSize
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationRenameWorker(
|
|
pWinStationNameOld,
|
|
NameOldSize,
|
|
pWinStationNameNew,
|
|
NameNewSize
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationQueryInformation
|
|
*
|
|
* Queries configuration information about a window station object.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* WinStationHandle (input)
|
|
* Identifies the window station object. The handle must have
|
|
* WINSTATION_QUERY access.
|
|
*
|
|
* WinStationInformationClass (input)
|
|
* Specifies the type of information to retrieve from the specified
|
|
* window station object.
|
|
*
|
|
* pWinStationInformation (output)
|
|
* A pointer to a buffer that will receive information about the
|
|
* specified window station. The format and contents of the buffer
|
|
* depend on the specified information class being queried.
|
|
*
|
|
* WinStationInformationLength (input)
|
|
* Specifies the length in bytes of the window station information
|
|
* buffer.
|
|
*
|
|
* pReturnLength (output)
|
|
* An optional parameter that if specified, receives the number of
|
|
* bytes placed in the window station information buffer.
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationQueryInformation(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
DWORD WinStationInformationClass,
|
|
PCHAR pWinStationInformation,
|
|
DWORD WinStationInformationLength,
|
|
DWORD *pReturnLength
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
if (!pReturnLength) {
|
|
*pResult = STATUS_INVALID_USER_BUFFER;
|
|
return FALSE;
|
|
}
|
|
|
|
// Do minimal buffer validation
|
|
if ((pWinStationInformation == NULL ) && (WinStationInformationLength != 0)) {
|
|
*pResult = STATUS_INVALID_USER_BUFFER;
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
*pResult = xxxWinStationQueryInformation(
|
|
LogonId,
|
|
WinStationInformationClass,
|
|
pWinStationInformation,
|
|
WinStationInformationLength,
|
|
pReturnLength
|
|
);
|
|
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationSetInformation
|
|
*
|
|
* Sets configuration information for a window station object.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* WinStationHandle (input)
|
|
* Identifies the window station object. The handle must have
|
|
* WINSTATION_SET access.
|
|
*
|
|
* WinStationInformationClass (input)
|
|
* Specifies the type of information to retrieve from the specified
|
|
* window station object.
|
|
*
|
|
* pWinStationInformation (input)
|
|
* A pointer to a buffer that contains information to set for the
|
|
* specified window station. The format and contents of the buffer
|
|
* depend on the specified information class being set.
|
|
*
|
|
* WinStationInformationLength (input)
|
|
* Specifies the length in bytes of the window station information
|
|
* buffer.
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The set operation succeeded.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationSetInformation(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
DWORD WinStationInformationClass,
|
|
PCHAR pWinStationInformation,
|
|
ULONG WinStationInformationLength
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
// Do minimal buffer validation
|
|
if ((pWinStationInformation == NULL ) && (WinStationInformationLength != 0)) {
|
|
*pResult = STATUS_INVALID_USER_BUFFER;
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
*pResult = xxxWinStationSetInformation(
|
|
LogonId,
|
|
WinStationInformationClass,
|
|
pWinStationInformation,
|
|
WinStationInformationLength
|
|
);
|
|
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcLogonIdFromWinStationName
|
|
*
|
|
* Returns the LogonId for the specified window station name.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* pWinStationName (input)
|
|
* Window station name.
|
|
*
|
|
* pLogonId (output)
|
|
* Pointer to where to place the LogonId if found
|
|
*
|
|
* EXIT:
|
|
*
|
|
* If the function succeeds, the return value is TRUE, otherwise, it is
|
|
* FALSE.
|
|
* To get extended error information, use the GetLastError function.
|
|
*
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcLogonIdFromWinStationName(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PWCHAR pWinStationName,
|
|
DWORD NameSize,
|
|
PULONG pLogonId
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = LogonIdFromWinStationNameWorker(
|
|
pWinStationName,
|
|
NameSize,
|
|
pLogonId
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationNameFromLogonId
|
|
*
|
|
* Returns the WinStation name for the specified LogonId.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* LogonId (output)
|
|
* LogonId to query
|
|
*
|
|
* pWinStationName (input)
|
|
* Location to return WinStation name
|
|
*
|
|
* EXIT:
|
|
*
|
|
* If the function succeeds, the return value is TRUE, otherwise, it is
|
|
* FALSE.
|
|
* To get extended error information, use the GetLastError function.
|
|
*
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationNameFromLogonId(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PWCHAR pWinStationName,
|
|
DWORD NameSize
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
if((NameSize < ((WINSTATIONNAME_LENGTH + 1) * sizeof(WCHAR))) ||
|
|
(IsBadWritePtr(pWinStationName, NameSize)))
|
|
{
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
|
|
*pResult = IcaWinStationNameFromLogonId(
|
|
LogonId,
|
|
pWinStationName
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationDisconnect
|
|
*
|
|
* Disconects a window station object from the configured terminal and Pd.
|
|
* While disconnected all window station i/o is bit bucketed.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* LogonId (input)
|
|
* ID of window station object to disconnect.
|
|
* bWait (input)
|
|
* Specifies whether or not to wait for disconnect to complete
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The disconnect operation succeeded.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationDisconnect(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
BOOLEAN bWait
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationDisconnectWorker(
|
|
LogonId,
|
|
bWait,
|
|
TRUE
|
|
);
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationConnect
|
|
*
|
|
* Connects a window station object to the configured terminal and Pd.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* LogonId (input)
|
|
* ID of window station object to connect.
|
|
*
|
|
* TargetLogonId (input)
|
|
* ID of target window station.
|
|
*
|
|
* pPassword (input)
|
|
* password of LogonId window station (not needed if same domain/username)
|
|
*
|
|
* bWait (input)
|
|
* Specifies whether or not to wait for connect to complete
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The connect operation succeeded.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationConnect(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG ClientLogonId,
|
|
ULONG ConnectLogonId,
|
|
ULONG TargetLogonId,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
BOOLEAN bWait
|
|
)
|
|
{
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
// Do some buffer Validation
|
|
*pResult = IsZeroterminateStringW(pPassword, PasswordSize );
|
|
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
*pResult = WinStationConnectWorker(
|
|
ClientLogonId,
|
|
ConnectLogonId,
|
|
TargetLogonId,
|
|
pPassword,
|
|
PasswordSize,
|
|
bWait,
|
|
FALSE
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationVirtualOpen
|
|
*
|
|
* Open a virtual channel
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationVirtualOpen(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
DWORD Pid,
|
|
PCHAR pVirtualName, /* ascii name */
|
|
DWORD NameSize,
|
|
ULONG_PTR *pHandle
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PWINSTATION pWinStation;
|
|
HANDLE pidhandle = NULL;
|
|
HANDLE handle = NULL;
|
|
UINT LocalFlag = 0;
|
|
ULONG ulChannelNameLength = 0;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Only allow local access since virtual channels can't be accessed remotely
|
|
//
|
|
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL,
|
|
"TERMSRV: RpcWinStationVirtualOpen: I_RpcBindingIsClientLocal() failed: 0x%x\n",RpcStatus));
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// Check that the call came in locally
|
|
//
|
|
if (!LocalFlag) {
|
|
Status = (DWORD)STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// Check channel name length.
|
|
//
|
|
if ( pVirtualName ) {
|
|
// Make sure if the virtual channel name is specified, the namelength if set to non-zero.
|
|
// Some bad client might intentionally have set it to 0, we don't want it to succeed.
|
|
if ( NameSize == 0 ) {
|
|
Status = (DWORD)STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
pVirtualName[NameSize-1] = '\0';
|
|
ulChannelNameLength = strlen( pVirtualName );
|
|
}
|
|
|
|
if ( !ulChannelNameLength ||
|
|
(ulChannelNameLength > VIRTUALCHANNELNAME_LENGTH)
|
|
) {
|
|
Status = (DWORD)STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that when the attempt is made to open the
|
|
* process, it will fail if the client does not have dup handle access.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationVirtualOpen: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
pidhandle = OpenProcess( PROCESS_DUP_HANDLE, FALSE, Pid );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
if ( !pidhandle ) {
|
|
Status = (DWORD)STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = (DWORD)STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* If this winstation type does not allow opening virtual channel, then deny access.
|
|
*/
|
|
if ( !_tcsicmp(VIRTUAL_THINWIRE, pVirtualName) &&
|
|
( ( pWinStation->Client.ProtocolType == PROTOCOL_RDP ) ||
|
|
!(pWinStation->Config.Wd.WdFlag & WDF_USER_VCIOCTL) ) )
|
|
{
|
|
Status = STATUS_ACCESS_DENIED;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller has WINSTATION_VIRTUAL access
|
|
*/
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_VIRTUAL, FALSE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Don't allow VirtualChannel opens on listner or idle sessions
|
|
*/
|
|
if( pWinStation->State == State_Listen ||
|
|
pWinStation->State == State_Idle )
|
|
{
|
|
ReleaseWinStation( pWinStation);
|
|
Status = (DWORD)STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* we need to impersonate before calling IcaChannelOpen to
|
|
* make sure the handle gets marked as non system created
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
ReleaseWinStation( pWinStation);
|
|
DbgPrint("\n\n-----752354 - TERMSRV: RpcWinStationVirtualOpen: Not impersonating! RpcStatus 0x%x*----\n\n",RpcStatus);
|
|
Status = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Duplicate the virtual channel.
|
|
*/
|
|
Status = IcaChannelOpen( pWinStation->hIca,
|
|
Channel_Virtual,
|
|
pVirtualName,
|
|
&handle );
|
|
|
|
RevertToSelf();
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
DbgPrint("**** 752354 - TERMSRV: IcaChannelOpen failed! Status 0x%x\n",Status);
|
|
goto done;
|
|
}
|
|
|
|
Status = NtDuplicateObject( NtCurrentProcess(),
|
|
handle,
|
|
pidhandle,
|
|
(PHANDLE)pHandle,
|
|
0,
|
|
0,
|
|
DUPLICATE_SAME_ACCESS |
|
|
DUPLICATE_SAME_ATTRIBUTES );
|
|
|
|
done:
|
|
if ( handle )
|
|
IcaChannelClose( handle );
|
|
if ( pidhandle )
|
|
CloseHandle( pidhandle );
|
|
*pResult = Status;
|
|
|
|
if ( NT_SUCCESS(Status) )
|
|
return( TRUE );
|
|
else
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationBeepOpen
|
|
*
|
|
* Open a beep channel
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationBeepOpen(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
DWORD Pid,
|
|
ULONG_PTR *pHandle
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PWINSTATION pWinStation;
|
|
HANDLE pidhandle = NULL;
|
|
HANDLE handle = NULL;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that when the attempt is made to open the
|
|
* process, it will fail if the client does not have dup handle access.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationBeepOpen: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
if ( !IsCallerSystem() ) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
pidhandle = OpenProcess( PROCESS_DUP_HANDLE, FALSE, Pid );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
if ( !pidhandle ) {
|
|
Status = (DWORD)STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = (DWORD)STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller has WINSTATION_VIRTUAL access
|
|
*/
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_VIRTUAL, FALSE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Duplicate the beep channel.
|
|
*/
|
|
Status = IcaChannelOpen( pWinStation->hIca,
|
|
Channel_Beep,
|
|
NULL,
|
|
&handle );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
goto done;
|
|
}
|
|
|
|
Status = NtDuplicateObject( NtCurrentProcess(),
|
|
handle,
|
|
pidhandle,
|
|
(PHANDLE)pHandle,
|
|
0,
|
|
0,
|
|
DUPLICATE_SAME_ACCESS |
|
|
DUPLICATE_SAME_ATTRIBUTES );
|
|
|
|
done:
|
|
if ( handle )
|
|
IcaChannelClose( handle );
|
|
if ( pidhandle )
|
|
CloseHandle( pidhandle );
|
|
*pResult = Status;
|
|
|
|
if ( NT_SUCCESS(Status) )
|
|
return( TRUE );
|
|
else
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationReset
|
|
*
|
|
* Reset the specified window station.
|
|
*
|
|
* ENTRY:
|
|
* LogonId (input)
|
|
* Identifies the window station object to reset.
|
|
* bWait (input)
|
|
* Specifies whether or not to wait for reset to complete
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The reset operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationReset(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
BOOLEAN bWait
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationResetWorker(
|
|
LogonId,
|
|
bWait,
|
|
TRUE, // Rpc caller, must check access
|
|
TRUE // By default, recreate the WinStation
|
|
);
|
|
|
|
//
|
|
// dont return STATUS_TIMEOUT.
|
|
//
|
|
|
|
if (*pResult == STATUS_TIMEOUT) *pResult = STATUS_UNSUCCESSFUL;
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationShadowStop
|
|
*
|
|
* Stop any shadow operation on the specified window station.
|
|
*
|
|
* ENTRY:
|
|
* LogonId (input)
|
|
* Identifies the window station object to reset.
|
|
* bWait (input)
|
|
* Specifies whether or not to wait for reset to complete
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The stop shadow operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationShadowStop(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
BOOLEAN bWait // unused - later?
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
ULONG ClientLogonId;
|
|
NTSTATUS Status;
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: RpcWinStationShadowStop, LogonId=%d\n", LogonId ));
|
|
|
|
|
|
/*
|
|
* Find and lock the WinStation struct for the specified LogonId
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto notfound;
|
|
}
|
|
|
|
//
|
|
// If the session is NOT being shadowed then bail out
|
|
//
|
|
if ( !( pWinStation->State == State_Active &&
|
|
!IsListEmpty(&pWinStation->ShadowHead) ) ) {
|
|
Status = STATUS_CTX_SHADOW_NOT_RUNNING;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationShadowStop: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// If its remote RPC call we should ignore ClientLogonId
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "ERMSRV: RpcWinStationShadowStop: I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// Get the client session id if it's local
|
|
//
|
|
if (LocalFlag) {
|
|
Status = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
RpcRevertToSelf();
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Check for Disconnect or Reset rights since these two operations
|
|
// would anyway terminate the shadow.
|
|
//
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_DISCONNECT | WINSTATION_RESET, TRUE );
|
|
|
|
//
|
|
// If the access is denied then see if the client is on the same session
|
|
// and check to see if the user has the veto right to being shadowed.
|
|
//
|
|
if( !NT_SUCCESS(Status) && LocalFlag && (ClientLogonId == LogonId ) ) {
|
|
|
|
switch ( pWinStation->Config.Config.User.Shadow ) {
|
|
|
|
case Shadow_EnableInputNotify :
|
|
case Shadow_EnableNoInputNotify :
|
|
|
|
Status = STATUS_SUCCESS;
|
|
break;
|
|
|
|
default :
|
|
|
|
// other cases : don't touch the Status
|
|
break;
|
|
}
|
|
|
|
} // else : The call comes from a remote machine or a different session.
|
|
|
|
RpcRevertToSelf();
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
goto done;
|
|
}
|
|
|
|
Status = WinStationStopAllShadows( pWinStation );
|
|
|
|
done:
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
notfound:
|
|
|
|
*pResult = Status;
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationShutdownSystem
|
|
*
|
|
* Shutdown the system and optionally logoff all WinStations
|
|
* and/or reboot the system.
|
|
*
|
|
* ENTRY:
|
|
* ShutdownFlags (input)
|
|
* Flags which specify shutdown options.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The shutdown operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationShutdownSystem(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
ULONG ShutdownFlags
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationShutdownSystemWorker( ClientLogonId, ShutdownFlags );
|
|
if (AuditingEnabled() && (ShutdownFlags & WSD_LOGOFF)
|
|
&& (*pResult == STATUS_SUCCESS))
|
|
AuditShutdownEvent();
|
|
|
|
//
|
|
// dont return STATUS_TIMEOUT.
|
|
//
|
|
|
|
if (*pResult == STATUS_TIMEOUT) *pResult = STATUS_UNSUCCESSFUL;
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationTerminateProcess
|
|
*
|
|
* Terminate the specified process
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* handle to winframe server
|
|
* pResult (output)
|
|
* address to return error status
|
|
* ProcessId (input)
|
|
* process id of the process to terminate
|
|
* ExitCode (input)
|
|
* Termination status for each thread in the process
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The terminate operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationTerminateProcess(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG ProcessId,
|
|
ULONG ExitCode
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that when the attempt is made to terminate
|
|
* the process, it will fail if the account is not admin.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationTerminateProcess: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationTerminateProcessWorker( ProcessId, ExitCode );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationWaitSystemEvent
|
|
*
|
|
* Waits for an event (WinStation create, delete, connect, etc) before
|
|
* returning to the caller.
|
|
*
|
|
* ENTRY:
|
|
* EventFlags (input)
|
|
* Bit mask that specifies which event(s) to wait for.
|
|
* pEventFlags (output)
|
|
* Bit mask of event(s) that occurred.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The wait event operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationWaitSystemEvent(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG EventMask,
|
|
PULONG pEventFlags
|
|
)
|
|
{
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationWaitSystemEventWorker( hServer, EventMask, pEventFlags );
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationShadow
|
|
*
|
|
* Start a Winstation shadow operation
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* shadow client server handle
|
|
* pResult (output)
|
|
* address to return status
|
|
* LogonId (input)
|
|
* shadow client logon id
|
|
* pTargetServerName (input)
|
|
* shadow target server name
|
|
* NameSize (input)
|
|
* size of pTargetServerName (input)
|
|
* TargetLogonId (input)
|
|
* shadow target login id (where the app is running)
|
|
* HotkeyVk (input)
|
|
* virtual key to press to stop shadow
|
|
* HotkeyModifiers (input)
|
|
* virtual modifer to press to stop shadow (i.e. shift, control)
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationShadow(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PWSTR pTargetServerName,
|
|
ULONG NameSize,
|
|
ULONG TargetLogonId,
|
|
BYTE HotkeyVk,
|
|
USHORT HotkeyModifiers
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
ULONG ulLength = 0;
|
|
WCHAR TargetServerNameW[MAX_COMPUTERNAME_LENGTH+1];
|
|
char* pTargetServerNameA = NULL;
|
|
PWSTR pTargetServerNameW = pTargetServerName;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
// Do minimal buffer validation
|
|
if (pTargetServerName != NULL) {
|
|
// No of bytes is sent from the Client, so send half the length got
|
|
*pResult = (DWORD)IsZeroterminateStringW(pTargetServerName, NameSize / sizeof(WCHAR));
|
|
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
ulLength = wcslen(pTargetServerName);
|
|
|
|
if (ulLength > (MAX_COMPUTERNAME_LENGTH)) {
|
|
struct hostent *hostPtr;
|
|
ULONG ulRequiredLength = 0;
|
|
PUCHAR ipaddr = NULL;
|
|
int ipLength = 0;
|
|
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
//
|
|
// Limit the target server name to MAX_COMPUTERNAME_LENGTH.
|
|
// We do this by converting the server name to ipaddress.
|
|
// First convert the name to ANSI
|
|
//
|
|
ulRequiredLength = WideCharToMultiByte(CP_ACP, 0,
|
|
pTargetServerName, -1,
|
|
NULL, 0, NULL, NULL);
|
|
|
|
ASSERT(ulRequiredLength > 0);
|
|
pTargetServerNameA = MemAlloc(ulRequiredLength);
|
|
|
|
if (pTargetServerNameA == NULL) {
|
|
*pResult = STATUS_NO_MEMORY;
|
|
goto EXIT;
|
|
}
|
|
if (ulRequiredLength == 0 ||
|
|
!WideCharToMultiByte(CP_ACP, 0,
|
|
pTargetServerName, -1,
|
|
pTargetServerNameA, ulRequiredLength,
|
|
NULL, NULL)) {
|
|
DBGPRINT(("RpcWinStationShadow: WideCharToMultiByte failed %ld\n",
|
|
GetLastError()));
|
|
goto EXIT;
|
|
}
|
|
|
|
//
|
|
// Get the ip address of the target server name
|
|
//
|
|
if ((hostPtr = gethostbyname(pTargetServerNameA)) == NULL) {
|
|
DBGPRINT(("RpcWinStationShadow: gethostbyname failed %ld\n",
|
|
WSAGetLastError()));
|
|
goto EXIT;
|
|
}
|
|
|
|
MemFree(pTargetServerNameA);
|
|
pTargetServerNameA = NULL;
|
|
|
|
ipaddr = (PUCHAR)*(hostPtr->h_addr_list);
|
|
|
|
// Sanity checks.
|
|
ASSERT(hostPtr->h_length >= 4);
|
|
ASSERT(ipaddr != NULL);
|
|
if (ipaddr == NULL) {
|
|
goto EXIT;
|
|
}
|
|
//
|
|
// Put the ip address in target server name.
|
|
// Use this for shadowing
|
|
//
|
|
ipLength =_snwprintf(TargetServerNameW, MAX_COMPUTERNAME_LENGTH,
|
|
L"%d.%d.%d.%d",
|
|
ipaddr[0], ipaddr[1], ipaddr[2], ipaddr[3]);
|
|
|
|
if (ipLength < 0) {
|
|
DBGPRINT(("RpcWinStationShadow: _snwprintf failed\n"));
|
|
*pResult = STATUS_BUFFER_OVERFLOW;
|
|
goto EXIT;
|
|
}
|
|
ulLength = ipLength;
|
|
TargetServerNameW[MAX_COMPUTERNAME_LENGTH] = L'\0';
|
|
pTargetServerNameW = TargetServerNameW;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that when the shadow connection is
|
|
* created, it will have the correct security.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationShadow: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = (DWORD)WinStationShadowWorker( LogonId,
|
|
pTargetServerNameW,
|
|
ulLength,
|
|
TargetLogonId,
|
|
HotkeyVk,
|
|
HotkeyModifiers );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
EXIT:
|
|
if (pTargetServerNameA != NULL) {
|
|
MemFree(pTargetServerNameA);
|
|
}
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationShadowTargetSetup
|
|
*
|
|
* Setup a Winstation shadow operation
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* target server
|
|
* pResult (output)
|
|
* address to return status
|
|
* LogonId (input)
|
|
* target logon id
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationShadowTargetSetup(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
IN ULONG LogonId
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that the shadow connect request
|
|
* will be under the correct security context.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationShadow: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
// remote caller can't RA session.
|
|
*pResult = (DWORD)WinStationShadowTargetSetupWorker( FALSE, LogonId );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationShadowTarget
|
|
*
|
|
* Start a Winstation shadow operation
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* target server
|
|
* pResult (output)
|
|
* address to return status
|
|
* LogonId (input)
|
|
* target logon id
|
|
* pConfig (input)
|
|
* pointer to WinStation config data
|
|
* NameSize (input)
|
|
* length of config data
|
|
* pAddress (input)
|
|
* address of shadow client
|
|
* AddressSize (input)
|
|
* length of address
|
|
* pModuleData (input)
|
|
* pointer to client module data
|
|
* ModuleDataLength (input)
|
|
* length of client module data
|
|
* pThinwireData (input)
|
|
* pointer to thinwire module data
|
|
* ThinwireDataLength (input)
|
|
* length of thinwire module data
|
|
* pClientName (input)
|
|
* pointer to client name string (domain/username)
|
|
* ClientNameLength (input)
|
|
* length of client name string
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationShadowTarget(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
IN ULONG LogonId,
|
|
IN PBYTE pConfig,
|
|
IN DWORD NameSize,
|
|
IN PBYTE pAddress,
|
|
IN DWORD AddressSize,
|
|
IN PBYTE pModuleData,
|
|
IN DWORD ModuleDataLength,
|
|
IN PBYTE pThinwireData,
|
|
IN DWORD ThinwireDataLength,
|
|
IN PBYTE pClientName,
|
|
IN DWORD ClientNameLength
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Validate buffers .
|
|
*/
|
|
if (AddressSize < sizeof(ICA_STACK_ADDRESS) ||
|
|
pClientName == NULL ||
|
|
NameSize < sizeof(WINSTATIONCONFIG2)) {
|
|
*pResult = STATUS_INVALID_USER_BUFFER;
|
|
return FALSE;
|
|
}
|
|
// No of bytes is sent from the Client, so send half the length got
|
|
*pResult = (DWORD)IsZeroterminateStringW((PWCHAR)pClientName,ClientNameLength / sizeof(WCHAR));
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
*pResult = IsConfigValid((PWINSTATIONCONFIG2)pConfig);
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client so that the shadow connect request
|
|
* will be under the correct security context.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationShadow: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = (DWORD)STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = (DWORD)WinStationShadowTargetWorker(
|
|
FALSE, // Shadower not a Help Assistant session.
|
|
FALSE, // protocol shadow, can't be help assistant session
|
|
LogonId,
|
|
(PWINSTATIONCONFIG2) pConfig,
|
|
(PICA_STACK_ADDRESS) pAddress,
|
|
(PVOID) pModuleData,
|
|
ModuleDataLength,
|
|
(PVOID) pThinwireData,
|
|
ThinwireDataLength,
|
|
pClientName );
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationGenerateLicense
|
|
*
|
|
* Called to generate a license from a given serial number string.
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pSerialNumberString (input)
|
|
* Pointer to a null-terminated, wide-character Serial Number string
|
|
* pLicense (output)
|
|
* Pointer to a License structure that will be filled in with
|
|
* information based on pSerialNumberString
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The generate operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationGenerateLicense(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PWCHAR pSerialNumberString,
|
|
DWORD Length,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// The WinFrame licensing API's load the Ulm DLL in the context
|
|
// of the ICASRV process, and then attempt to access the
|
|
// WinFrame licensing registry keys. By impersonating the caller,
|
|
// we can make sure that the license key operation is done under
|
|
// the callers subject context. This will fail for non-admin callers, as
|
|
// defined by the ACL placed on the licensing keys.
|
|
//
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationGenerateLicense: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationGenerateLicense(
|
|
pSerialNumberString,
|
|
Length,
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationGenerateLicense ) {
|
|
*pResult = pWsx->pWsxWinStationGenerateLicense(
|
|
pSerialNumberString,
|
|
Length,
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_TRACE_LEVEL, "WinStationGenerateLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationInstallLicense
|
|
*
|
|
* Called to install a license.
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pLicense (input)
|
|
* Pointer to a License structure containing the license to
|
|
* be installed
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The install operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationInstallLicense(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationInstallLicense: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationInstallLicense(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationInstallLicense ) {
|
|
*pResult = pWsx->pWsxWinStationInstallLicense(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationInstallLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationEnumerateLicenses
|
|
*
|
|
* Called to return the list of valid licenses.
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pIndex (input/output)
|
|
* Specifies the subkey index for the \Citrix\WinStations subkeys in the
|
|
* registry. Should be set to 0 for the initial call, and supplied
|
|
* again (as modified by this function) for multi-call enumeration.
|
|
* pEntries (input/output)
|
|
* Points to a variable specifying the number of entries requested.
|
|
* If the number requested is 0xFFFFFFFF, the function returns as
|
|
* many entries as possible. When the function finishes successfully,
|
|
* the variable pointed to by the pEntries parameter contains the
|
|
* number of entries actually read.
|
|
* pLicense (input/output)
|
|
* Points to the buffer to receive the enumeration results, which are
|
|
* returned as an array of LICENSE structures. If this parameter
|
|
* is NULL, then no data will be copied, but just an enumeration count
|
|
* will be made.
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
* pByteCount (input/output)
|
|
* Points to a variable that specifies the size, in bytes, of the
|
|
* pWinStationName parameter. If the buffer is too small to receive even
|
|
* one entry, the function returns an error code (ERROR_OUTOFMEMORY)
|
|
* and this variable receives the required size of the buffer for a
|
|
* single subkey. When the function finishes sucessfully, the variable
|
|
* pointed to by the pByteCount parameter contains the number of bytes
|
|
* actually stored in pLicense.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The enumerate operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationEnumerateLicenses(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD *pIndex,
|
|
DWORD *pEntries,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize,
|
|
DWORD *pByteCount
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationEnumerateLicenses: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationEnumerateLicenses(
|
|
pIndex,
|
|
pEntries,
|
|
pLicense,
|
|
pByteCount
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationEnumerateLicenses ) {
|
|
*pResult = pWsx->pWsxWinStationEnumerateLicenses(
|
|
pIndex,
|
|
pEntries,
|
|
pLicense,
|
|
pByteCount
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationEnumerateLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationActivateLicense
|
|
*
|
|
* Called to Activate a license for a License
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pLicense (output)
|
|
* Pointer to a License structure that will be filled in with
|
|
* information based on pSerialNumberString
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
* pActivationCode (input)
|
|
* Pointer to a null-terminated, wide-character Activation Code string
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The activate operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationActivateLicense(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize,
|
|
PWCHAR pActivationCode,
|
|
DWORD StringSize
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationActivateLicense: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationActivateLicense(
|
|
pLicense,
|
|
LicenseSize,
|
|
pActivationCode,
|
|
StringSize
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationActivateLicense ) {
|
|
*pResult = pWsx->pWsxWinStationActivateLicense(
|
|
pLicense,
|
|
LicenseSize,
|
|
pActivationCode,
|
|
StringSize
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationActivateLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationQueryLicense
|
|
*
|
|
* Query the license(s) on the WinFrame server and the network
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pLicenseCounts (output)
|
|
* pointer to buffer to return license count structure
|
|
* ByteCount (input)
|
|
* length of buffer in bytes
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationQueryLicense(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pLicenseCounts,
|
|
ULONG ByteCount
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationQueryLicense: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = QueryLicense(
|
|
(PLICENSE_COUNTS) pLicenseCounts,
|
|
ByteCount );
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxQueryLicense ) {
|
|
*pResult = pWsx->pWsxQueryLicense(
|
|
pLicenseCounts,
|
|
ByteCount );
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationQueryLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationQueryUpdateRequired
|
|
*
|
|
* Query the license(s) on the WinFrame server and determine if an
|
|
* update is required.
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pUpdateFlag (output)
|
|
* Update flag, set if an update is required
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationQueryUpdateRequired(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PULONG pUpdateFlag
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationQueryUpdateRequired: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationQueryUpdateRequired( pUpdateFlag );
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationQueryUpdateRequired ) {
|
|
*pResult = pWsx->pWsxWinStationQueryUpdateRequired( pUpdateFlag );
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationRemoveLicense
|
|
*
|
|
* Called to remove a license diskette.
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pLicense (input)
|
|
* Pointer to a License structure containing the license to
|
|
* be removed
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The remove operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationRemoveLicense(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationRemoveLicense: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationRemoveLicense(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationRemoveLicense ) {
|
|
*pResult = pWsx->pWsxWinStationRemoveLicense(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationRemoveLicense: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationSetPoolCount
|
|
*
|
|
* Called to change the PoolCount for the given license
|
|
*
|
|
* ENTRY:
|
|
* hServer (input)
|
|
* Server handle
|
|
* pLicense (input)
|
|
* Pointer to a License structure containing the license to
|
|
* be removed
|
|
* LicenseSize (input)
|
|
* Size in bytes of the structure pointed to by pLicense
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The change operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* in pResult.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationSetPoolCount(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pLicense,
|
|
DWORD LicenseSize
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationSetPoolCount: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = xxxWinStationSetPoolCount(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
#else
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationSetPoolCount ) {
|
|
*pResult = pWsx->pWsxWinStationSetPoolCount(
|
|
pLicense,
|
|
LicenseSize
|
|
);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationSetPoolCount: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
RpcRevertToSelf();
|
|
|
|
return( *pResult == ERROR_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationAnnoyancePopup
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationAnnoyancePopup(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( LogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
#ifdef not_hydrix
|
|
*pResult = WinStationLogonAnnoyance( LogonId );
|
|
#else
|
|
// Assume the worst
|
|
*pResult = (DWORD)STATUS_UNSUCCESSFUL;
|
|
|
|
// Check for compatibility
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation != NULL ) {
|
|
if ( pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxWinStationLogonAnnoyance ) {
|
|
UnlockWinStation( pWinStation );
|
|
*pResult = pWinStation->pWsx->pWsxWinStationLogonAnnoyance( LogonId );
|
|
RelockWinStation( pWinStation );
|
|
/*
|
|
* If WinStation has no Wsx structure, wen try to annoy it anyway.
|
|
* This will have the effect of sending annoy msgs to the console.
|
|
*/
|
|
} else if ( pWinStation->pWsx == NULL ) {
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxWinStationLogonAnnoyance ) {
|
|
UnlockWinStation( pWinStation );
|
|
*pResult = pWsx->pWsxWinStationLogonAnnoyance( LogonId );
|
|
RelockWinStation( pWinStation );
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
}
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationAnnoyancePopup: 0x%x\n", *pResult ));
|
|
#endif
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationCallback
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationCallback(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PWCHAR pPhoneNumber,
|
|
DWORD PhoneNumberSize
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( LogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationCallbackWorker( LogonId, pPhoneNumber );
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationBreakPoint
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationBreakPoint(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
BOOLEAN KernelFlag
|
|
)
|
|
{
|
|
/*
|
|
* This is obsolete and should be removed from the RPC code.
|
|
*/
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
RpcRaiseException(ERROR_INVALID_FUNCTION);
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationReadRegistry
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationReadRegistry(
|
|
HANDLE hServer,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
if (!(IsCallerSystem() || IsCallerAdmin() )) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return FALSE;
|
|
}
|
|
RpcRevertToSelf();
|
|
return RpcWinStationUpdateSettings(hServer, pResult, WINSTACFG_LEGACY, 0);
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationUpdateSettings
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationUpdateSettings(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD SettingsClass,
|
|
DWORD SettingsParameters
|
|
)
|
|
{
|
|
/*
|
|
* This API is not secured, since it is harmless. It tells the system
|
|
* to make sure all winstations are up to date with the registry. You
|
|
* must be system to write the keys, so the info would match for a normal
|
|
* user poking this call.
|
|
*/
|
|
|
|
switch (SettingsClass) {
|
|
|
|
case WINSTACFG_SESSDIR:
|
|
{
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) {
|
|
*pResult = UpdateSessionDirectory(SettingsParameters);
|
|
}
|
|
else {
|
|
// Do nothing in remote admin or on PTS
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
}
|
|
break;
|
|
|
|
case WINSTACFG_LEGACY:
|
|
{
|
|
*pResult = WinStationReadRegistryWorker();
|
|
}
|
|
break;
|
|
|
|
default:
|
|
{
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
}
|
|
}
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcReInitializeSecurity
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationReInitializeSecurity(
|
|
HANDLE hServer,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
if (!(IsCallerSystem() || IsCallerAdmin() )) {
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return FALSE;
|
|
}
|
|
RpcRevertToSelf();
|
|
|
|
*pResult = ReInitializeSecurityWorker();
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationWaitForConnect
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationWaitForConnect(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
HANDLE WinlogonStartHandle = NULL;
|
|
WCHAR szWinlogonStartEvent[MAX_PATH];
|
|
UNICODE_STRING WinlogonEventName;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
LARGE_INTEGER TimeOut ;
|
|
ULONG SleepDuration = 90 * 1000; // 90 seconds
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Winlogon can call into Terminal Server, before we store the session id in its internal structure
|
|
// To prevent this, RpcWinStationWaitForConnect (which is called by Winlogon) will wait for a named event
|
|
// This is the same Named event (CsrStartEvent) which the Csr also waits for before calling into TermSrv
|
|
//
|
|
|
|
if (ClientLogonId != 0) {
|
|
|
|
wsprintf(szWinlogonStartEvent,
|
|
L"\\Sessions\\%d\\BaseNamedObjects\\CsrStartEvent",ClientLogonId);
|
|
|
|
RtlInitUnicodeString( &WinlogonEventName, szWinlogonStartEvent );
|
|
InitializeObjectAttributes( &ObjA, &WinlogonEventName, OBJ_OPENIF, NULL, NULL );
|
|
|
|
Status = NtCreateEvent( &WinlogonStartHandle,
|
|
EVENT_ALL_ACCESS,
|
|
&ObjA,
|
|
NotificationEvent,
|
|
FALSE );
|
|
|
|
if (!WinlogonStartHandle) {
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto error_exit;
|
|
} else {
|
|
|
|
TimeOut = RtlEnlargedIntegerMultiply( SleepDuration, -10000);
|
|
Status = NtWaitForSingleObject(WinlogonStartHandle, FALSE, &TimeOut);
|
|
|
|
NtClose(WinlogonStartHandle);
|
|
WinlogonStartHandle = NULL;
|
|
|
|
if (!NT_SUCCESS(Status) || (Status == STATUS_TIMEOUT)) {
|
|
// We timed out waiting for Session Creation to get complete - cant connect now, just exit
|
|
goto error_exit;
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitForConnect, LogonId=%d\n",ClientLogonId ));
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
*pResult = (DWORD)STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = (DWORD)WaitForConnectWorker( pWinStation, (HANDLE)(ULONG_PTR)ClientProcessId );
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
|
|
error_exit:
|
|
*pResult = Status;
|
|
|
|
//
|
|
// dont return STATUS_TIMEOUT.
|
|
//
|
|
|
|
if (*pResult == STATUS_TIMEOUT) *pResult = STATUS_UNSUCCESSFUL;
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationNotifyLogon
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationNotifyLogon(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId,
|
|
BOOLEAN fUserIsAdmin,
|
|
DWORD UserToken,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
UCHAR Seed,
|
|
PCHAR pUserConfig,
|
|
DWORD ConfigSize,
|
|
BOOLEAN *pfIsRedirected
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
/*
|
|
* Do some buffer validation
|
|
* No of bytes is sent from the Client, so send half the length got
|
|
*/
|
|
|
|
*pResult = IsZeroterminateStringW(pPassword, PasswordSize / sizeof(WCHAR) );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
*pResult = IsZeroterminateStringW(pUserName, UserNameSize / sizeof(WCHAR) );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
*pResult = IsZeroterminateStringW(pDomain, DomainSize / sizeof(WCHAR) );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationNotifyLogonWorker(
|
|
ClientLogonId,
|
|
ClientProcessId,
|
|
fUserIsAdmin,
|
|
UserToken,
|
|
pDomain,
|
|
DomainSize,
|
|
pUserName,
|
|
UserNameSize,
|
|
pPassword,
|
|
PasswordSize,
|
|
Seed,
|
|
pUserConfig,
|
|
ConfigSize,
|
|
pfIsRedirected
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationNotifyLogoff
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationNotifyLogoff(
|
|
HANDLE hServer,
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationNotifyLogoffWorker(
|
|
ClientLogonId,
|
|
ClientProcessId
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationNotifyNewSession
|
|
*
|
|
* THIS FUNCTION IS OBSOLETE AND SHOULD BE REMOVED FROM FUTURE VERSIONS OF
|
|
* INTERFACE.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationNotifyNewSession(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId
|
|
)
|
|
{
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationSendMessage
|
|
*
|
|
* Sends a message to the specified window station object and optionally
|
|
* waits for a reply. The reply is returned to the caller of
|
|
* WinStationSendMessage.
|
|
*
|
|
* ENTRY:
|
|
* WinStationHandle (input)
|
|
* Specifies the window station object to send a message to.
|
|
* pTitle (input)
|
|
* Pointer to title for message box to display.
|
|
* TitleLength (input)
|
|
* Length of title to display in bytes.
|
|
* pMessage (input)
|
|
* Pointer to message to display.
|
|
* MessageLength (input)
|
|
* Length of message in bytes to display at the specified window station.
|
|
* Style (input)
|
|
* Standard Windows MessageBox() style parameter.
|
|
* Timeout (input)
|
|
* Response timeout in seconds. If message is not responded to in
|
|
* Timeout seconds then a response code of IDTIMEOUT (cwin.h) is
|
|
* returned to signify the message timed out.
|
|
* pResponse (output)
|
|
* Address to return selected response.
|
|
* DoNotWait (input)
|
|
* Do not wait for the response. Causes pResponse to be set to
|
|
* IDASYNC (cwin.h) if no errors queueing the message.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The send message operation succeeded.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationSendMessage(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PWCHAR pTitle,
|
|
ULONG TitleLength,
|
|
PWCHAR pMessage,
|
|
ULONG MessageLength,
|
|
ULONG Style,
|
|
ULONG Timeout,
|
|
PULONG pResponse,
|
|
BOOLEAN DoNotWait
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
WINSTATION_APIMSG WMsg;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
NTSTATUS Status;
|
|
NTSTATUS MessageDelieveryStatus;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure that the title and the message are NULL terminated.
|
|
*/
|
|
pTitle[TitleLength-1] = L'\0';
|
|
pMessage[MessageLength-1] = L'\0';
|
|
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
*pResult = (DWORD)STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_MSG, FALSE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
ReleaseWinStation( pWinStation );
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "RpcWinStationSendMessage: pTitle %S\n", pTitle ));
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "RpcWinStationSendMessage: pMessage %S\n", pMessage ));
|
|
|
|
/*
|
|
* Marshall in the [in] parameters
|
|
*
|
|
* pTitle and pMessage will be mapped into client
|
|
* view at apropriate time and place
|
|
*/
|
|
|
|
WMsg.u.SendMessage.pTitle = pTitle;
|
|
WMsg.u.SendMessage.TitleLength = TitleLength;
|
|
WMsg.u.SendMessage.pMessage = pMessage;
|
|
WMsg.u.SendMessage.MessageLength = MessageLength;
|
|
WMsg.u.SendMessage.Style = Style;
|
|
WMsg.u.SendMessage.Timeout = Timeout;
|
|
WMsg.u.SendMessage.DoNotWait = DoNotWait;
|
|
WMsg.u.SendMessage.DoNotWaitForCorrectDesktop = FALSE;
|
|
|
|
if( !DoNotWait ) {
|
|
WMsg.u.SendMessage.pStatus = &MessageDelieveryStatus;
|
|
WMsg.u.SendMessage.pResponse = pResponse;
|
|
} else {
|
|
WMsg.u.SendMessage.pStatus = NULL;
|
|
WMsg.u.SendMessage.pResponse = NULL;
|
|
}
|
|
|
|
|
|
WMsg.ApiNumber = SMWinStationDoMessage;
|
|
|
|
/*
|
|
* Create wait event
|
|
*/
|
|
if( !DoNotWait ) {
|
|
InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL );
|
|
Status = NtCreateEvent( &WMsg.u.SendMessage.hEvent, EVENT_ALL_ACCESS, &ObjA,
|
|
NotificationEvent, FALSE );
|
|
if ( !NT_SUCCESS(Status) ) {
|
|
*pResult = Status;
|
|
goto done;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
WMsg.u.SendMessage.hEvent = NULL;
|
|
|
|
}
|
|
|
|
/*
|
|
* Initialize response to IDTIMEOUT or IDASYNC
|
|
*/
|
|
|
|
if (DoNotWait) {
|
|
*pResponse = IDASYNC;
|
|
} else {
|
|
*pResponse = IDTIMEOUT;
|
|
}
|
|
|
|
/*
|
|
* Tell the WinStation to display the message box
|
|
*/
|
|
*pResult = SendWinStationCommand( pWinStation, &WMsg, 0 );
|
|
|
|
/*
|
|
* Wait for response, pResponse & MessageDelieveryStatus are filled in WinStationIcaReplyMessage
|
|
*/
|
|
if( !DoNotWait ) {
|
|
if (*pResult == STATUS_SUCCESS) {
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "RpcWinStationSendMessage: wait for response\n" ));
|
|
UnlockWinStation( pWinStation );
|
|
Status = NtWaitForSingleObject( WMsg.u.SendMessage.hEvent, FALSE, NULL );
|
|
if ( !RelockWinStation( pWinStation ) ) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
}
|
|
else {
|
|
Status = MessageDelieveryStatus;
|
|
}
|
|
|
|
*pResult = Status;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "RpcWinStationSendMessage: got response %u\n", *pResponse ));
|
|
}
|
|
NtClose( WMsg.u.SendMessage.hEvent );
|
|
}
|
|
|
|
done:
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* SERVER_HANDLE_rundown
|
|
*
|
|
* Required RPC context run down routine.
|
|
*
|
|
* This gets called when the RPC client drops or closes
|
|
* the connection and allows us to cleanup any state
|
|
* information.
|
|
*
|
|
* ENTRY:
|
|
* phContext (input)
|
|
* Context handle being rundown
|
|
****************************************************************************/
|
|
VOID
|
|
SERVER_HANDLE_rundown(
|
|
HANDLE hContext
|
|
)
|
|
{
|
|
DWORD Result;
|
|
PRPC_CLIENT_CONTEXT pContext = (PRPC_CLIENT_CONTEXT)hContext;
|
|
ULONG EventFlags;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,"TERMSRV: Context rundown, %p\n", hContext));
|
|
|
|
if(!pContext)
|
|
{
|
|
return;
|
|
}
|
|
//RpcWinStationCloseServerEx( &hContext, &Result );
|
|
//ASSERT(hContext == NULL);
|
|
|
|
// Free the wait event block if one was allocated
|
|
if ( pContext->pWaitEvent ) {
|
|
WinStationWaitSystemEventWorker( pContext, WEVENT_NONE, &EventFlags );
|
|
}
|
|
|
|
midl_user_free(hContext);
|
|
hContext = NULL;
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
/*
|
|
* The following functions allow us to control the
|
|
* memory allocation and free functions of the RPC.
|
|
*/
|
|
|
|
void __RPC_FAR * __RPC_USER
|
|
MIDL_user_allocate( size_t Size )
|
|
{
|
|
return( LocalAlloc(LMEM_FIXED,Size) );
|
|
}
|
|
|
|
|
|
void __RPC_USER
|
|
MIDL_user_free( void __RPC_FAR *p )
|
|
{
|
|
if (!PointerIsInGAPDatabase(p))
|
|
{
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: MIDL_user_free for 0x%x....FREE it\n",p));
|
|
LocalFree( p );
|
|
}
|
|
else
|
|
{
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: MIDL_user_free for 0x%x..................DON'T FREE IT\n",p));
|
|
}
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* NotifySystemEvent
|
|
*
|
|
* Notify clients that a system event occured.
|
|
*
|
|
* ENTRY:
|
|
* EventMask (input)
|
|
* mask of event(s) that have occured
|
|
******************************************************************************/
|
|
VOID
|
|
NotifySystemEvent( ULONG EventMask )
|
|
{
|
|
PLIST_ENTRY Head, Next;
|
|
PEVENT pWaitEvent;
|
|
NTSTATUS Status;
|
|
|
|
if ( IsListEmpty( &SystemEventHead ) ) {
|
|
return;
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICAAPI,TT_API3, "TERMSRV: NotifySystemEvent, Event=0x%08x\n", EventMask ));
|
|
|
|
RtlEnterCriticalSection( &WinStationListLock );
|
|
Head = &SystemEventHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWaitEvent = CONTAINING_RECORD( Next, EVENT, EventListEntry );
|
|
if ( pWaitEvent->EventMask & EventMask ) {
|
|
pWaitEvent->EventFlags |= EventMask;
|
|
if ( pWaitEvent->fWaiter ) {
|
|
pWaitEvent->WaitResult = STATUS_SUCCESS;
|
|
NtSetEvent( pWaitEvent->Event, NULL );
|
|
}
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationDisconnectWorker
|
|
*
|
|
* Function to disconnect a Winstation based on an RPC API request.
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationDisconnectWorker(
|
|
ULONG LogonId,
|
|
BOOLEAN bWait,
|
|
BOOLEAN CallerIsRpc
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
ULONG ClientLogonId;
|
|
ULONG PdFlag;
|
|
WINSTATIONNAME WinStationName;
|
|
WINSTATIONNAME ListenName;
|
|
NTSTATUS Status;
|
|
BOOLEAN bConsoleSession = FALSE;
|
|
UINT LocalFlag = FALSE;
|
|
BOOLEAN bRelock;
|
|
BOOLEAN bIncrementFlag = FALSE;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationDisconnect, LogonId=%d\n", LogonId ));
|
|
|
|
//
|
|
//There are some bad ginas that break
|
|
//console disconnection bug 345286
|
|
//
|
|
if(LogonId == 0 && !IsGinaVersionCurrent()) {
|
|
Status = STATUS_CTX_CONSOLE_DISCONNECT;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Find and lock the WinStation struct for the specified LogonId
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
if (LogonId == 0 && !bConsoleConnected){
|
|
|
|
Status = WaitForConsoleConnectWorker( pWinStation );
|
|
if (NT_SUCCESS(Status)) {
|
|
bConsoleConnected=TRUE;
|
|
} else {
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
}
|
|
|
|
/*
|
|
* Note if we are disconnecting a session that is connected to the console terminal.
|
|
*/
|
|
|
|
bConsoleSession = pWinStation->fOwnsConsoleTerminal;
|
|
|
|
/*
|
|
* Verify that client has DISCONNECT access if its an RPC (external) caller.
|
|
*
|
|
* When ICASRV calls this function internally, it is not impersonating
|
|
* and fails the RpcCheckClientAccess() call. Internal calls are
|
|
* not a security problem since they come in as LPC messages on a secured
|
|
* port.
|
|
*/
|
|
if ( CallerIsRpc ) {
|
|
RPC_STATUS RpcStatus;
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if ( RpcStatus != RPC_S_OK ) {
|
|
ReleaseWinStation( pWinStation );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationDisconnectWorker: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_DISCONNECT, TRUE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// If its remote RPC call we should ignore ClientLogonId
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationDisconnectWorker: IsClientLocal failed! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
if ( LocalFlag ) {
|
|
Status = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
}
|
|
|
|
/*
|
|
* If WinStation is already disconnected, then we're done
|
|
*/
|
|
if ( !pWinStation->WinStationName[0] ) {
|
|
ReleaseWinStation( pWinStation );
|
|
return (STATUS_SUCCESS);
|
|
}
|
|
|
|
/*
|
|
* If we are disconnecting the console session, we want to make sure
|
|
* that we can precreate a session that would become the console session.
|
|
*/
|
|
if (bConsoleSession && !ShutdownInProgress) {
|
|
UnlockWinStation(pWinStation);
|
|
Status = CheckIdleWinstation();
|
|
bRelock = RelockWinStation(pWinStation);
|
|
if (!NT_SUCCESS(Status) || !bRelock) {
|
|
if (NT_SUCCESS(Status)) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
}
|
|
|
|
/*
|
|
* If busy with something already, don't do this
|
|
*/
|
|
if ( pWinStation->NeverConnected || pWinStation->Flags ) {
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto done;
|
|
}
|
|
|
|
|
|
if (bConsoleSession) {
|
|
InterlockedIncrement(&gConsoleCreationDisable);
|
|
bIncrementFlag = TRUE;
|
|
}
|
|
|
|
/*
|
|
* If no broken reason/source have been set, then set them here.
|
|
*
|
|
* BrokenReason is Disconnect. BrokenSource is User if we are
|
|
* called via RPC and caller is disconnecting his own LogonId.
|
|
*/
|
|
if ( pWinStation->BrokenReason == 0 ) {
|
|
pWinStation->BrokenReason = Broken_Disconnect;
|
|
if ( CallerIsRpc && LocalFlag && ClientLogonId == pWinStation->LogonId ) {
|
|
pWinStation->BrokenSource = BrokenSource_User;
|
|
} else {
|
|
pWinStation->BrokenSource = BrokenSource_Server;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If it's an external request (RPC) then set the last error
|
|
* state to the client to indicate what the reason for the
|
|
* disconnection was.
|
|
*/
|
|
if ( CallerIsRpc && pWinStation)
|
|
{
|
|
if(pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxSetErrorInfo &&
|
|
pWinStation->pWsxContext)
|
|
{
|
|
pWinStation->pWsx->pWsxSetErrorInfo(
|
|
pWinStation->pWsxContext,
|
|
TS_ERRINFO_RPC_INITIATED_DISCONNECT,
|
|
FALSE); //stack lock not held
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If the RPC caller did not wish to wait for this disconnect,
|
|
* then queue an internal call for this to be done.
|
|
* This is safe now that we have done all of the above checks
|
|
* to determine that the caller has access to perform the
|
|
* disconnect and have set BrokenSource/Reason above.
|
|
*/
|
|
if ( CallerIsRpc && !bWait ) {
|
|
ReleaseWinStation( pWinStation );
|
|
QueueWinStationDisconnect( LogonId );
|
|
Status = STATUS_SUCCESS;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Preserve some of this WinStation's state in case it's
|
|
* needed after we disconnect and release it.
|
|
*/
|
|
PdFlag = pWinStation->Config.Pd[0].Create.PdFlag;
|
|
wcscpy( WinStationName, pWinStation->WinStationName );
|
|
if ( gbListenerOff ) {
|
|
wcscpy( ListenName, pWinStation->ListenName );
|
|
}
|
|
|
|
/*
|
|
* Notify the licensing core of the disconnect. Failures are ignored.
|
|
*/
|
|
|
|
(VOID)LCProcessConnectionDisconnect(pWinStation);
|
|
|
|
/*
|
|
* Disconnect the WinStation
|
|
*/
|
|
pWinStation->Flags |= WSF_DISCONNECT;
|
|
Status = WinStationDoDisconnect( pWinStation, NULL, FALSE );
|
|
pWinStation->Flags &= ~WSF_DISCONNECT;
|
|
|
|
/*
|
|
* If there is no user logged on (logon time is 0),
|
|
* then queue a reset for this WinStation.
|
|
*
|
|
* We don't want to do this here directly since the RPC client may
|
|
* NOT have reset access. However, the behavior we want is that if
|
|
* a WinStation with no user logged on is disconnected, it gets reset.
|
|
* This is consistent with how we handle broken connections
|
|
* (see WinStationBrokenConnection() in wstlpc.c).
|
|
*/
|
|
if ( RtlLargeIntegerEqualToZero( pWinStation->LogonTime ) ) {
|
|
QueueWinStationReset( pWinStation->LogonId);
|
|
}
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
// Increment the total number of disconnected sessions
|
|
if (Status == STATUS_SUCCESS) {
|
|
InterlockedIncrement(&g_TermSrvDiscSessions);
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
* For single-instance transports a listener must be re-created
|
|
* upon disconnection
|
|
*/
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "TERMSRV: WinStationDisconnect: after disconnecting\n" ));
|
|
|
|
|
|
if ( PdFlag & PD_SINGLE_INST ) {
|
|
|
|
Status = QueueWinStationCreate( WinStationName );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "TERMSRV: WinStationDisconnect: QueueWinStationCreate returned 0x%x\n", Status ));
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
if ( gbListenerOff && ListenName[0]) {
|
|
|
|
StartStopListeners( ListenName, FALSE );
|
|
}
|
|
|
|
/*
|
|
* Determine return status and cleanup
|
|
*/
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationDisconnect, Status=0x%x\n", Status ));
|
|
|
|
if (bIncrementFlag) {
|
|
InterlockedDecrement(&gConsoleCreationDisable);
|
|
bIncrementFlag = FALSE;
|
|
}
|
|
|
|
// If we disconnected a Session owning the console terminal, go an create a new one
|
|
// to own it.
|
|
|
|
if (bConsoleSession) {
|
|
ENTERCRIT(&ConsoleLock);
|
|
if (!WinStationCheckConsoleSession()) {
|
|
/*
|
|
* Wake up the WinStationIdleControlThread
|
|
*/
|
|
NtSetEvent(WinStationIdleControlEvent, NULL);
|
|
|
|
}
|
|
LEAVECRIT(&ConsoleLock);
|
|
}
|
|
return( Status );
|
|
}
|
|
|
|
|
|
|
|
/*****************************************************************************
|
|
* RpcGetUserSID
|
|
*
|
|
* Helper function to get the SID of the caller
|
|
*
|
|
* ENTRY:
|
|
* - BOOLEAN AlreadyImpersonating TRUE if the caller is already impersonating
|
|
* the client
|
|
* - PSID* ppSid : pointer to receive the SID pointer
|
|
*
|
|
* RETURN:
|
|
* - nt Status, the pointer to the Sid in ppSid if success, NULL otherwise.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
RpcGetUserSID(
|
|
BOOLEAN AlreadyImpersonating,
|
|
PSID* ppSid
|
|
)
|
|
{
|
|
PSID pClientSid = NULL;
|
|
PTOKEN_USER TokenInfo = NULL;
|
|
HANDLE CurrentThreadToken = NULL;
|
|
ULONG SidLength;
|
|
ULONG Length;
|
|
RPC_STATUS RpcStatus;
|
|
NTSTATUS Status;
|
|
|
|
|
|
if (ppSid == NULL) {
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
*ppSid = NULL;
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
if (!AlreadyImpersonating) {
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if (RpcStatus != RPC_S_OK) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcGetUserSID: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
return STATUS_CANNOT_IMPERSONATE;
|
|
}
|
|
}
|
|
|
|
Status = NtOpenThreadToken(
|
|
NtCurrentThread(),
|
|
TOKEN_QUERY,
|
|
TRUE, // Use service's security context to open thread token
|
|
&CurrentThreadToken
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcGetUserSID: Cannot open the current thread token %08lx\n",
|
|
Status));
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Determine size needed for token info buffer and allocate it
|
|
*/
|
|
Status = NtQueryInformationToken( CurrentThreadToken, TokenUser,
|
|
NULL, 0, &Length );
|
|
if ( Status != STATUS_BUFFER_TOO_SMALL ) {
|
|
goto done;
|
|
}
|
|
|
|
TokenInfo = MemAlloc( Length );
|
|
if (TokenInfo == NULL) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Query token information to get client user's SID
|
|
*/
|
|
Status = NtQueryInformationToken( CurrentThreadToken, TokenUser,
|
|
TokenInfo, Length, &Length );
|
|
if (!NT_SUCCESS( Status )) {
|
|
goto done;
|
|
}
|
|
|
|
SidLength = RtlLengthSid( TokenInfo->User.Sid );
|
|
|
|
pClientSid = (PSID) MemAlloc( SidLength );
|
|
if (pClientSid == NULL) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
|
|
Status = RtlCopySid(SidLength, pClientSid, TokenInfo->User.Sid);
|
|
|
|
|
|
done:
|
|
if ( !AlreadyImpersonating ) {
|
|
RpcRevertToSelf();
|
|
}
|
|
|
|
if (CurrentThreadToken) {
|
|
NtClose( CurrentThreadToken );
|
|
}
|
|
|
|
if (TokenInfo) {
|
|
MemFree( TokenInfo );
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
if (pClientSid) {
|
|
MemFree( pClientSid );
|
|
}
|
|
} else {
|
|
*ppSid = pClientSid;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationConnectWorker
|
|
*
|
|
* Worker for handling WinStation connection called from RPC server.
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
* bAutoReconnecting (input)
|
|
* Boolean set to TRUE to indicate that this is a connection for the
|
|
* purposes of autoreconnection. This is important to allow an atomic
|
|
* autoreconnection by properly handling the WSF_AUTORECONNECTING flag
|
|
* that otherwise guards against race conditions while autoreconnecting.
|
|
*
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationConnectWorker(
|
|
ULONG ClientLogonId,
|
|
ULONG ConnectLogonId,
|
|
ULONG TargetLogonId,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
BOOLEAN bWait,
|
|
BOOLEAN bAutoReconnecting
|
|
)
|
|
{
|
|
PWINSTATION pClientWinStation;
|
|
PWINSTATION pSourceWinStation;
|
|
PWINSTATION pTargetWinStation;
|
|
PWINSTATION pWinStation;
|
|
PSID pClientSid;
|
|
UNICODE_STRING PasswordString;
|
|
BOOLEAN fWrongPassword;
|
|
PRECONNECT_INFO pTargetReconnectInfo = NULL;
|
|
PRECONNECT_INFO pSourceReconnectInfo = NULL;
|
|
BOOLEAN SourceConnected = FALSE;
|
|
WINSTATIONNAME SourceWinStationName;
|
|
NTSTATUS Status;
|
|
BOOLEAN bConsoleSession = FALSE;
|
|
ULONG ulIndex;
|
|
LONG lActiveCount = 0;
|
|
PLIST_ENTRY Head, Next;
|
|
BOOLEAN fSourceAutoReconnecting = FALSE;
|
|
BOOLEAN fTargetAutoReconnecting = FALSE;
|
|
|
|
//------------------------------------------------------------
|
|
/*
|
|
* Target winstation might still have user password
|
|
* used for auto-logon. Let's clear it here.
|
|
*/
|
|
pTargetWinStation = FindWinStationById( TargetLogonId, FALSE );
|
|
if ( pTargetWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
return Status;
|
|
}
|
|
|
|
//Since we don't need the password anymore, clean it up
|
|
if (pTargetWinStation->pNewClientCredentials != NULL) {
|
|
RtlSecureZeroMemory(pTargetWinStation->pNewClientCredentials->Password,
|
|
sizeof(pTargetWinStation->pNewClientCredentials->Password));
|
|
}
|
|
|
|
RtlSecureZeroMemory(pTargetWinStation->Config.Config.User.Password,
|
|
sizeof(pTargetWinStation->Config.Config.User.Password));
|
|
|
|
ReleaseWinStation( pTargetWinStation );
|
|
//------------------------------------------------------------
|
|
|
|
// Do not allow reconnection to the same session, for any session.
|
|
// BUG 506808
|
|
// This problem was only happening on a non-logged in console (bConsoleConnected=FALSE), when from
|
|
// some other session, TsCon was used to connection session0 to console session:
|
|
// tscon 0 /dest:console
|
|
//
|
|
|
|
if (TargetLogonId == ConnectLogonId)
|
|
{
|
|
Status = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
//On session 0 it might happen that user already logged on,
|
|
//but termsrv is not notified yet.
|
|
//in this case "Local\\WinlogonTSSynchronizeEvent" event will be in
|
|
//nonsignaled state. We need to refuse all attempts to connect to
|
|
//session 0 untill this event is signaled.
|
|
//
|
|
if (ConnectLogonId == 0) {
|
|
|
|
|
|
HANDLE hSyncEvent;
|
|
DWORD dwWaitResult;
|
|
|
|
hSyncEvent = OpenEventW(SYNCHRONIZE, FALSE, L"Local\\WinlogonTSSynchronizeEvent");
|
|
if ( !hSyncEvent){
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL,
|
|
"TERMSRV: Cannot open WinlogonTSSynchronizeEvent event. ERROR: %d\n",GetLastError()));
|
|
return STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
|
|
dwWaitResult = WaitForSingleObject(hSyncEvent,0);
|
|
|
|
CloseHandle(hSyncEvent);
|
|
|
|
if(dwWaitResult != WAIT_OBJECT_0) {
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,
|
|
"TERMSRV: WinStationConnectWorker. WinlogonTSSynchronizeEvent is not signaled.\n"));
|
|
return STATUS_CTX_WINSTATION_BUSY;
|
|
}
|
|
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationConnect, LogonId=%u, Target LogonId=%u, (%S)\n",
|
|
ConnectLogonId, TargetLogonId, pPassword ));
|
|
|
|
/*
|
|
* Allocate RECONNECT_INFO structures
|
|
*/
|
|
|
|
if ((pTargetReconnectInfo = MemAlloc(sizeof(*pTargetReconnectInfo))) == NULL) {
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
if ((pSourceReconnectInfo = MemAlloc(sizeof(*pSourceReconnectInfo))) == NULL) {
|
|
MemFree(pTargetReconnectInfo);
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
|
|
Status = RpcGetUserSID( FALSE, &pClientSid);
|
|
if(!NT_SUCCESS(Status)) {
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* on non server make sure to fail reconnect if it is going to endup in more than one active session.
|
|
*/
|
|
|
|
if (!gbServer) {
|
|
Head = &WinStationListHead;
|
|
ENTERCRIT( &WinStationListLock );
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink) {
|
|
pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
|
|
if ( (pWinStation->State == State_Active) || (pWinStation->State == State_Shadow) ){
|
|
if (pWinStation->LogonId != ConnectLogonId && pWinStation->LogonId != TargetLogonId ) {
|
|
if (!TSIsSessionHelpSession(pWinStation, NULL)) {
|
|
lActiveCount ++;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
LEAVECRIT( &WinStationListLock );
|
|
if (lActiveCount != 0) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
MemFree( pClientSid );
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
* Find and lock the WinStation (source) for the specified LogonId
|
|
*/
|
|
|
|
pSourceWinStation = FindWinStationById( ConnectLogonId, FALSE );
|
|
if ( pSourceWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
MemFree( pClientSid );
|
|
goto done;
|
|
}
|
|
if (ConnectLogonId == 0 && !bConsoleConnected ){
|
|
|
|
Status = WaitForConsoleConnectWorker( pSourceWinStation );
|
|
if (NT_SUCCESS(Status)) {
|
|
bConsoleConnected=TRUE;
|
|
} else{
|
|
ReleaseWinStation( pSourceWinStation );
|
|
MemFree( pClientSid );
|
|
goto done;
|
|
}
|
|
|
|
}
|
|
|
|
/*
|
|
* Verify that there is someone logged on (SALIMC)
|
|
*/
|
|
if ( (ConnectLogonId != 0) && !pSourceWinStation->pUserSid ) {
|
|
Status = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
ReleaseWinStation( pSourceWinStation );
|
|
MemFree( pClientSid );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Verify that client has CONNECT access
|
|
*
|
|
* NOTE: This function clears pPassword whether successful or not
|
|
* to prevent its being paged out as clear text.
|
|
*/
|
|
Status = _CheckConnectAccess(
|
|
pSourceWinStation,
|
|
pClientSid,
|
|
ClientLogonId,
|
|
pPassword,
|
|
PasswordSize
|
|
);
|
|
MemFree( pClientSid );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
ReleaseWinStation( pSourceWinStation );
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// Deterime if source is part of an autoreconnection
|
|
//
|
|
fSourceAutoReconnecting = bAutoReconnecting &&
|
|
(pSourceWinStation->Flags & WSF_AUTORECONNECTING);
|
|
|
|
/*
|
|
* Mark the winstation as being connected. (SALIMC)
|
|
* If any operation (create/delete/reset/...) is already in progress
|
|
* on this winstation, then don't proceed with the connect.
|
|
* unless that operation is an autoreconnect and we are autoreconnecting
|
|
*/
|
|
if (pSourceWinStation->LogonId == 0) {
|
|
|
|
if (pSourceWinStation->Flags && !fSourceAutoReconnecting) {
|
|
if ((pSourceWinStation->Flags & WSF_DISCONNECT) && (pSourceWinStation->UserName[0] == L'\0')) {
|
|
/* Let us wait for sometime here before setting Busy flag and exiting */
|
|
for (ulIndex=0; ulIndex < WINSTATION_WAIT_RETRIES; ulIndex++) {
|
|
if ( pSourceWinStation->Flags ) {
|
|
LARGE_INTEGER Timeout;
|
|
Timeout = RtlEnlargedIntegerMultiply( WINSTATION_WAIT_DURATION, -10000 );
|
|
UnlockWinStation( pSourceWinStation );
|
|
NtDelayExecution( FALSE, &Timeout );
|
|
if ( !RelockWinStation( pSourceWinStation ) ) {
|
|
ReleaseWinStation( pSourceWinStation );
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto done;
|
|
}
|
|
} else {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (pSourceWinStation->Flags && !fSourceAutoReconnecting) {
|
|
#if DBG
|
|
DbgPrint("WinstationConnectWorker : Even after waiting for 2 mins,Winstation flag is not clear. Sending STATUS_CTX_WINSTATION_BUSY.\n");
|
|
#endif
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
ReleaseWinStation( pSourceWinStation );
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
} else if ( pSourceWinStation->NeverConnected ||
|
|
(pSourceWinStation->Flags && !fSourceAutoReconnecting) ||
|
|
(pSourceWinStation->State != State_Active &&
|
|
pSourceWinStation->State != State_Disconnected) ) {
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
ReleaseWinStation( pSourceWinStation );
|
|
goto done;
|
|
}
|
|
|
|
pSourceWinStation->Flags |= WSF_CONNECT;
|
|
|
|
/*
|
|
* Unlock the source WinStation but keep a reference to it.
|
|
*/
|
|
UnlockWinStation( pSourceWinStation );
|
|
|
|
/*
|
|
* Now find and lock the target WinStation
|
|
*/
|
|
pTargetWinStation = FindWinStationById( TargetLogonId, FALSE );
|
|
if ( pTargetWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto badname;
|
|
}
|
|
|
|
/*
|
|
* If this is a re-connection to Session 0 where no one is logged on, then it must be a request from the Client or should be a from a temp session attached to console
|
|
*/
|
|
|
|
if ( (gbServer) && (ConnectLogonId == 0) && (!pSourceWinStation->pUserSid) ) {
|
|
BOOLEAN Check1 = FALSE, Check2 = FALSE ;
|
|
|
|
Check1 = pTargetWinStation->bRequestedSessionIDFieldValid && (pTargetWinStation->RequestedSessionID == 0);
|
|
Check2 = pTargetWinStation->fOwnsConsoleTerminal;
|
|
|
|
if ( !(Check1 || Check2) ) {
|
|
Status = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
ReleaseWinStation( pTargetWinStation );
|
|
goto badname;
|
|
}
|
|
}
|
|
|
|
|
|
if (TargetLogonId == 0 && !bConsoleConnected){
|
|
|
|
Status = WaitForConsoleConnectWorker( pTargetWinStation );
|
|
if (NT_SUCCESS(Status)) {
|
|
bConsoleConnected=TRUE;
|
|
} else {
|
|
ReleaseWinStation( pTargetWinStation );
|
|
goto badname;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Verify that client has DISCONNECT access
|
|
*/
|
|
Status = RpcCheckClientAccess( pTargetWinStation, WINSTATION_DISCONNECT, FALSE );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto targetnoaccess;
|
|
|
|
#if 0
|
|
BUG 495195
|
|
http://liveraid/?id=495195
|
|
|
|
/*
|
|
* Do not allow a client running on the same machine to reconnect a the console session to its own session.
|
|
*/
|
|
if (IsValidLoopBack(pTargetWinStation, ConnectLogonId, ClientLogonId)) {
|
|
Status = STATUS_CTX_CONSOLE_CONNECT;
|
|
goto targetnoconsole;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* On server do not allow reconnecting a non zero session to the iconsole.
|
|
*/
|
|
|
|
if (pTargetWinStation->fOwnsConsoleTerminal && gbServer && (ConnectLogonId != 0)) {
|
|
Status = STATUS_CTX_CONSOLE_DISCONNECT;
|
|
goto targetnoconsole;
|
|
}
|
|
|
|
// Whistler supports reconnecting a session from Console to a given Remote Protocol
|
|
// But Whistler does not support direct reconnect from one remote protocol to a different remote protocol
|
|
// Check for the above condition and block this scenario
|
|
|
|
if ( (pSourceWinStation->Client.ProtocolType != PROTOCOL_CONSOLE) && (pTargetWinStation->Client.ProtocolType != PROTOCOL_CONSOLE) ) {
|
|
// This is not a Direct Console Disconnect/Reconnect Scenario
|
|
if (pSourceWinStation->Client.ProtocolType != pTargetWinStation->Client.ProtocolType) {
|
|
Status = STATUS_CTX_BAD_VIDEO_MODE ;
|
|
goto targetnoaccess;
|
|
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Make sure the reconnected session is licensed.
|
|
*/
|
|
|
|
Status = LCProcessConnectionReconnect(pSourceWinStation, pTargetWinStation);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto badlicense;
|
|
}
|
|
|
|
fTargetAutoReconnecting = bAutoReconnecting &&
|
|
(pTargetWinStation->Flags & WSF_AUTORECONNECTING);
|
|
|
|
/*
|
|
* Mark the winstation as being disconnected.
|
|
* If any operation (create/delete/reset/...) is already in progress
|
|
* on this winstation, then don't proceed with the connect.
|
|
*/
|
|
if ( pTargetWinStation->NeverConnected ||
|
|
(pTargetWinStation->Flags && !fTargetAutoReconnecting)) {
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto targetbusy;
|
|
}
|
|
|
|
|
|
pTargetWinStation->Flags |= WSF_DISCONNECT;
|
|
|
|
|
|
/*
|
|
* Disconnect the target WinStation
|
|
*/
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationConnectWorker Disconnecting target!\n"));
|
|
|
|
/*
|
|
* Note if we are disconnecting the session that owns the console
|
|
*/
|
|
if (pTargetWinStation->fOwnsConsoleTerminal) {
|
|
|
|
bConsoleSession = TRUE;
|
|
UnlockWinStation( pTargetWinStation );
|
|
ENTERCRIT(&ConsoleLock);
|
|
InterlockedIncrement(&gConsoleCreationDisable);
|
|
LEAVECRIT(&ConsoleLock);
|
|
if (!RelockWinStation( pTargetWinStation )) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto baddisconnecttarget;
|
|
}
|
|
|
|
}
|
|
|
|
Status = WinStationDoDisconnect( pTargetWinStation, pTargetReconnectInfo, FALSE );
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "WinStationConnectWorker Disconnecting target failed Status = %x!\n", Status));
|
|
goto baddisconnecttarget;
|
|
}
|
|
|
|
/*
|
|
* Unlock target WinStation but leave it referenced
|
|
*/
|
|
UnlockWinStation( pTargetWinStation );
|
|
|
|
|
|
/*
|
|
* Relock the source WinStation
|
|
*/
|
|
if ( !RelockWinStation( pSourceWinStation ) )
|
|
goto sourcedeleted;
|
|
|
|
/*
|
|
* The source Winstation might have been deleted while it was unlocked.
|
|
* Let's check this didn't happen because we don't want to reconnect to a
|
|
* going away session (Bug#206614).
|
|
*/
|
|
if (pSourceWinStation->Terminating || pSourceWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE)
|
|
goto sourcedeleted;
|
|
|
|
/*
|
|
* If the source WinStation is currently connected, then disconnect it.
|
|
*/
|
|
if ( pSourceWinStation->WinStationName[0] ) {
|
|
SourceConnected = TRUE;
|
|
|
|
/*
|
|
* For single-instance transports a listener must be re-created upon disconnection
|
|
* so we remember the source WinStation name.
|
|
*/
|
|
if ( pSourceWinStation->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST ) {
|
|
wcscpy( SourceWinStationName, pSourceWinStation->WinStationName );
|
|
}
|
|
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "WinStationConnectWorker Disconnecting Source!\n"));
|
|
|
|
|
|
/*
|
|
* Note if we are disconnecting the session that owns the console
|
|
*/
|
|
if (pSourceWinStation->fOwnsConsoleTerminal) {
|
|
/*
|
|
* If we are disconnecting the console session, we want to make sure
|
|
* that we can precreate a session that would become the console session.
|
|
*/
|
|
|
|
UnlockWinStation( pSourceWinStation );
|
|
if ( !ShutdownInProgress) {
|
|
Status = CheckIdleWinstation();
|
|
if (!NT_SUCCESS(Status)) {
|
|
RelockWinStation(pSourceWinStation);
|
|
goto baddisconnectsource;
|
|
}
|
|
|
|
}
|
|
|
|
bConsoleSession = TRUE;
|
|
ENTERCRIT(&ConsoleLock);
|
|
InterlockedIncrement(&gConsoleCreationDisable);
|
|
LEAVECRIT(&ConsoleLock);
|
|
if (!RelockWinStation( pSourceWinStation )) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto baddisconnectsource;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
if(pSourceWinStation->pWsx &&
|
|
pSourceWinStation->pWsx->pWsxSetErrorInfo &&
|
|
pSourceWinStation->pWsxContext)
|
|
{
|
|
//
|
|
// Extended error reporting, set status to client.
|
|
//
|
|
pSourceWinStation->pWsx->pWsxSetErrorInfo(
|
|
pSourceWinStation->pWsxContext,
|
|
TS_ERRINFO_DISCONNECTED_BY_OTHERCONNECTION,
|
|
FALSE); //stack lock not held
|
|
}
|
|
|
|
|
|
Status = WinStationDoDisconnect( pSourceWinStation, pSourceReconnectInfo, TRUE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "WinStationConnectWorker Disconnecting source failed Status = %x!\n", Status));
|
|
goto baddisconnectsource;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
/*
|
|
* Cause the source WinStation to connect using the stack state
|
|
* obtained from the target WinStation.
|
|
*/
|
|
|
|
|
|
Status = WinStationDoReconnect( pSourceWinStation, pTargetReconnectInfo );
|
|
|
|
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto badconnectsource;
|
|
|
|
/*
|
|
* Indicate source WinStation connect is complete and unlock it.
|
|
*/
|
|
pSourceWinStation->Flags &= ~WSF_CONNECT;
|
|
|
|
/*
|
|
* Set Last Reconnect Type for the Source WinStation
|
|
*/
|
|
|
|
if (bAutoReconnecting) {
|
|
pSourceWinStation->LastReconnectType = AutoReconnect;
|
|
} else {
|
|
pSourceWinStation->LastReconnectType = ManualReconnect;
|
|
}
|
|
|
|
ReleaseWinStation( pSourceWinStation );
|
|
|
|
|
|
/*
|
|
* Indicate target WinStation disconnect is complete and unlock it.
|
|
*/
|
|
if ( RelockWinStation( pTargetWinStation ) ) {
|
|
pTargetWinStation->Flags &= ~WSF_DISCONNECT;
|
|
|
|
/*
|
|
* Clear all client license data and indicate
|
|
* this WinStaion no longer holds a license.
|
|
*/
|
|
if ( pTargetWinStation->pWsx &&
|
|
pTargetWinStation->pWsx->pWsxClearContext ) {
|
|
pTargetWinStation->pWsx->pWsxClearContext( pTargetWinStation->pWsxContext );
|
|
}
|
|
}
|
|
|
|
ReleaseWinStation( pTargetWinStation );
|
|
|
|
/*
|
|
* If the source WinStation was connected and we disconnected it above,
|
|
* then make sure we cleanup the reconnect structure.
|
|
* (This will also complete the disconnect by closing the endpoint
|
|
* that was connected to the source WinStation).
|
|
* Also, if the source WinStation was a single-instance transport,
|
|
* then we must re-create the listener.
|
|
*/
|
|
if ( SourceConnected ) {
|
|
CleanupReconnect( pSourceReconnectInfo );
|
|
if ( (pSourceReconnectInfo->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinstationConnectWorker create new winstation: %S \n ", SourceWinStationName));
|
|
QueueWinStationCreate( SourceWinStationName );
|
|
}
|
|
}
|
|
|
|
// Stop the listener if the target was the last WinStation.
|
|
if ( gbListenerOff ) {
|
|
|
|
StartStopListeners( NULL, FALSE );
|
|
}
|
|
|
|
goto done;
|
|
|
|
/*=============================================================================
|
|
== Error returns
|
|
=============================================================================*/
|
|
|
|
/*
|
|
* Could not connect source WinStation
|
|
*/
|
|
badconnectsource:
|
|
/*
|
|
* If source WinStation was connected, try to reconnect if it is
|
|
* NOT currently terminating. If the reconnect does not succeed,
|
|
* there's nothing else we can do.
|
|
*/
|
|
if ( SourceConnected ) {
|
|
CleanupReconnect( pSourceReconnectInfo );
|
|
if ( !pSourceWinStation->Terminating &&
|
|
!pSourceWinStation->WinStationName[0] ) {
|
|
if ( pSourceReconnectInfo->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST ) {
|
|
QueueWinStationCreate( pSourceReconnectInfo->WinStationName );
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Could not disconnect source WinStation
|
|
*/
|
|
baddisconnectsource:
|
|
|
|
/*
|
|
* Source WinStation was deleted
|
|
*/
|
|
sourcedeleted:
|
|
pSourceWinStation->Flags &= ~WSF_CONNECT;
|
|
ReleaseWinStation( pSourceWinStation );
|
|
pSourceWinStation = NULL; // indicate source WinStation is released
|
|
|
|
/*
|
|
* Try to relock and reconnect the target WinStation.
|
|
*/
|
|
if ( RelockWinStation( pTargetWinStation ) &&
|
|
!pTargetWinStation->Terminating &&
|
|
!pTargetWinStation->WinStationName[0] ) {
|
|
NTSTATUS st;
|
|
|
|
st = WinStationDoReconnect( pTargetWinStation, pTargetReconnectInfo );
|
|
if ( !NT_SUCCESS( st ) ) {
|
|
CleanupReconnect( pTargetReconnectInfo );
|
|
if ( pTargetReconnectInfo->Config.Pd[0].Create.PdFlag & PD_SINGLE_INST ) {
|
|
QueueWinStationCreate( pTargetReconnectInfo->WinStationName );
|
|
}
|
|
}
|
|
} else {
|
|
CleanupReconnect( pTargetReconnectInfo );
|
|
}
|
|
|
|
/*
|
|
* Could not disconnect target WinStation
|
|
* Could not query target WinStation stack state
|
|
*/
|
|
baddisconnecttarget:
|
|
/* clear disconnect flag, unlock/derererence target WinStation */
|
|
pTargetWinStation->Flags &= ~WSF_DISCONNECT;
|
|
|
|
/*
|
|
* Target WinStation is busy or is the console
|
|
*/
|
|
targetbusy:
|
|
badlicense:
|
|
targetnoconsole:
|
|
targetnoaccess:
|
|
ReleaseWinStation( pTargetWinStation );
|
|
|
|
badname:
|
|
/* clear connect flag, unlock/derererence source WinStation */
|
|
if ( pSourceWinStation ) {
|
|
if ( RelockWinStation( pSourceWinStation ) )
|
|
pSourceWinStation->Flags &= ~WSF_CONNECT;
|
|
ReleaseWinStation( pSourceWinStation );
|
|
}
|
|
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationConnect, Status=0x%x\n", Status ));
|
|
|
|
// If we disconnected a Session owning the console terminal, go an create a new one
|
|
// to own it.
|
|
|
|
if (bConsoleSession) {
|
|
ENTERCRIT(&ConsoleLock);
|
|
|
|
InterlockedDecrement(&gConsoleCreationDisable);
|
|
|
|
|
|
|
|
|
|
|
|
if (!WinStationCheckConsoleSession()) {
|
|
/*
|
|
* Wake up the WinStationIdleControlThread
|
|
*/
|
|
NtSetEvent(WinStationIdleControlEvent, NULL);
|
|
|
|
}
|
|
LEAVECRIT(&ConsoleLock);
|
|
}
|
|
|
|
// Increment total number of reconnected sessions
|
|
if (Status == STATUS_SUCCESS) {
|
|
InterlockedIncrement(&g_TermSrvReconSessions);
|
|
}
|
|
|
|
// free RECONNECT_INFO structures
|
|
|
|
MemFree(pTargetReconnectInfo);
|
|
MemFree(pSourceReconnectInfo);
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationResetWorker
|
|
*
|
|
* Function to reset a Winstation based on an RPC API request.
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationResetWorker(
|
|
ULONG LogonId,
|
|
BOOLEAN bWait,
|
|
BOOLEAN CallerIsRpc,
|
|
BOOLEAN bRecreate
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
ULONG ClientLogonId;
|
|
WINSTATIONNAME ListenName;
|
|
NTSTATUS Status;
|
|
ULONG ulIndex;
|
|
BOOL bConnectDisconnectPending = TRUE;
|
|
BOOL bConsoleSession = FALSE;
|
|
BOOL bListener = FALSE;
|
|
UINT LocalFlag = 0;
|
|
BOOLEAN bRelock;
|
|
DWORD dwWaitStatus ;
|
|
DWORD dwTimeOut ;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationReset, LogonId=%d\n", LogonId ));
|
|
|
|
/*
|
|
* Find and lock the WinStation struct for the specified LogonId
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* For non zero sessions which are connected and has not yet been initialized, wait for it to be initialized (for max 10 mins)
|
|
*/
|
|
|
|
if ((pWinStation->LogonId != 0) && (pWinStation->State == State_Connected)) {
|
|
dwTimeOut = 10 * 60 * 1000 ; // 10 mins
|
|
UnlockWinStation( pWinStation );
|
|
dwWaitStatus = WaitForSingleObject(pWinStation->SessionInitializedEvent, dwTimeOut);
|
|
RelockWinStation( pWinStation );
|
|
if (dwWaitStatus != WAIT_OBJECT_0) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationResetWorker: Timed out waiting for the Session to be initialized before Resetting. \n"));
|
|
Status = STATUS_TIMEOUT;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done ;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Note if we are disconnecting a session that is connected to the console terminal.
|
|
*/
|
|
bConsoleSession = pWinStation->fOwnsConsoleTerminal;
|
|
|
|
|
|
/*
|
|
* If we are Resetting a non-zero console session, we want to make sure
|
|
* that we can precreate a session that would become the console session.
|
|
*/
|
|
if (bConsoleSession && !ShutdownInProgress && (pWinStation->LogonId != 0)) {
|
|
UnlockWinStation(pWinStation);
|
|
Status = CheckIdleWinstation();
|
|
bRelock = RelockWinStation(pWinStation);
|
|
if (!NT_SUCCESS(Status) || !bRelock) {
|
|
if (NT_SUCCESS(Status)) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
/*
|
|
* Save off the listen name if needed later.
|
|
*/
|
|
if ( pWinStation->Flags & WSF_LISTEN ) {
|
|
wcscpy(ListenName, pWinStation->WinStationName);
|
|
bListener = TRUE;
|
|
} else if (gbListenerOff) {
|
|
wcscpy(ListenName, pWinStation->ListenName);
|
|
}
|
|
|
|
/*
|
|
* Verify that client has RESET access if its an RPC (external) caller.
|
|
*
|
|
* When ICASRV calls this function internally, it is not impersonating
|
|
* and fails the RpcCheckClientAccess() call. Internal calls are
|
|
* not a security problem since they come in as LPC messages on a secured
|
|
* port.
|
|
*/
|
|
if ( CallerIsRpc ) {
|
|
RPC_STATUS RpcStatus;
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if ( RpcStatus != RPC_S_OK ) {
|
|
ReleaseWinStation( pWinStation );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationResetWorker: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_RESET, TRUE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// If its remote RPC call we should ignore ClientLogonId
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationResetWorker: IsClientLocal failed! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
if ( LocalFlag ) {
|
|
Status = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
RpcRevertToSelf();
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
if(pWinStation->WinStationName[0] &&
|
|
pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxSetErrorInfo &&
|
|
pWinStation->pWsxContext)
|
|
{
|
|
pWinStation->pWsx->pWsxSetErrorInfo(
|
|
pWinStation->pWsxContext,
|
|
TS_ERRINFO_RPC_INITIATED_LOGOFF,
|
|
FALSE); //stack lock not held
|
|
}
|
|
}
|
|
|
|
/*
|
|
* For console reset, logoff (SALIMC)
|
|
*/
|
|
if ( LogonId == 0 ) {
|
|
|
|
Status = LogoffWinStation( pWinStation,EWX_FORCE | EWX_LOGOFF);
|
|
ReleaseWinStation( pWinStation );
|
|
if (NT_SUCCESS(Status) && bWait) {
|
|
DWORD dwRet;
|
|
dwRet = WaitForSingleObject(ConsoleLogoffEvent,120*1000);
|
|
if (dwRet == WAIT_TIMEOUT)
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: TimedOut wait for ConsoleLogoffEvent\n"));
|
|
Status = STATUS_TIMEOUT;
|
|
}
|
|
}
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Mark the winstation as being reset.
|
|
* If a reset/delete operation is already in progress
|
|
* on this winstation, then don't proceed with the delete.
|
|
* If the WinStation is currently in the process of connecting or
|
|
* disconnecting, then give it some time to complete before we continue.
|
|
* If connect/disconnect doesn't complete whithin timeout duration
|
|
* do not proceed with termination (bug#204614).
|
|
*/
|
|
for (ulIndex=0; ulIndex < WINSTATION_WAIT_COMPLETE_RETRIES; ulIndex++) {
|
|
if ( pWinStation->Flags & (WSF_RESET | WSF_DELETE) ) {
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto done;
|
|
}
|
|
|
|
if ( pWinStation->Flags & (WSF_CONNECT | WSF_DISCONNECT |
|
|
WSF_AUTORECONNECTING) ) {
|
|
LARGE_INTEGER Timeout;
|
|
Timeout = RtlEnlargedIntegerMultiply( WINSTATION_WAIT_COMPLETE_DURATION, -10000 );
|
|
UnlockWinStation( pWinStation );
|
|
NtDelayExecution( FALSE, &Timeout );
|
|
if ( !RelockWinStation( pWinStation ) ) {
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_SUCCESS;
|
|
goto done;
|
|
}
|
|
} else {
|
|
bConnectDisconnectPending = FALSE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if ( bConnectDisconnectPending ) {
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto done;
|
|
}
|
|
|
|
pWinStation->Flags |= WSF_RESET;
|
|
|
|
/*
|
|
* If no broken reason/source have been set, then set them here.
|
|
*
|
|
* BrokenReason is Terminate. BrokenSource is User if we are
|
|
* called via RPC and caller is resetting his own LogonId, or if
|
|
* the "Terminating" field is already set, then this is a reset
|
|
* from the WinStationTerminateThread after seeing WinLogon/CSR exit.
|
|
* Otherwise, this reset is the result of a call from another
|
|
* WinStation or a QueueWinStationReset call from within ICASRV.
|
|
*/
|
|
if ( pWinStation->BrokenReason == 0 ) {
|
|
pWinStation->BrokenReason = Broken_Terminate;
|
|
if ( CallerIsRpc && LocalFlag && ClientLogonId == pWinStation->LogonId
|
|
|| pWinStation->Terminating ) {
|
|
pWinStation->BrokenSource = BrokenSource_User;
|
|
} else {
|
|
pWinStation->BrokenSource = BrokenSource_Server;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If the RPC caller did not wish to wait for this reset,
|
|
* then queue an internal call for this to be done.
|
|
* This is safe now that we have done all of the above checks
|
|
* to determine that the caller has access to perform the
|
|
* reset and have set BrokenSource/Reason above.
|
|
*/
|
|
if ( CallerIsRpc && !bWait ) {
|
|
// clear reset flag so the internal reset will proceed
|
|
pWinStation->Flags &= ~WSF_RESET;
|
|
ReleaseWinStation( pWinStation );
|
|
QueueWinStationReset( LogonId);
|
|
Status = STATUS_SUCCESS;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Make sure this WinStation is ready to reset
|
|
*/
|
|
WinStationTerminate( pWinStation );
|
|
|
|
/*
|
|
* If it's a listener, reset all active winstations of the same type
|
|
*/
|
|
if ((pWinStation->Flags & WSF_LISTEN) && ListenName[0] && bRecreate) {
|
|
ResetGroupByListener(ListenName);
|
|
}
|
|
|
|
/*
|
|
* If WinStation is marked DownPending (and is not disconnected),
|
|
* then set it to the Down state, clear the DownPending and Reset flags,
|
|
* and release the WinStation.
|
|
*/
|
|
if ( (pWinStation->Flags & WSF_DOWNPENDING) && pWinStation->WinStationName[0] ) {
|
|
pWinStation->State = State_Down;
|
|
pWinStation->Flags &= ~(WSF_DOWNPENDING | WSF_RESET);
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_SUCCESS;
|
|
|
|
/*
|
|
* The WinStation is not DownPending so complete deleting it
|
|
* and then recreate it.
|
|
*/
|
|
} else {
|
|
ULONG PdFlag;
|
|
ULONG WinStationFlags;
|
|
WINSTATIONNAME WinStationName;
|
|
|
|
/*
|
|
* Save WinStation name for later create call
|
|
*/
|
|
WinStationFlags = pWinStation->Flags;
|
|
PdFlag = pWinStation->Config.Pd[0].Create.PdFlag;
|
|
wcscpy( WinStationName, pWinStation->WinStationName );
|
|
|
|
/*
|
|
* Call the WinStationDelete worker
|
|
*/
|
|
WinStationDeleteWorker( pWinStation );
|
|
|
|
/*
|
|
* Now recreate the WinStation
|
|
*/
|
|
if ( WinStationName[0] &&
|
|
bRecreate &&
|
|
((WinStationFlags & WSF_LISTEN) || (PdFlag & PD_SINGLE_INST)) ) {
|
|
Status = WinStationCreateWorker( WinStationName, NULL, TRUE );
|
|
} else if ( WinStationFlags & WSF_IDLE ) {
|
|
// wake up WinStationIdleControlThread so that it recreates an idle session
|
|
NtSetEvent(WinStationIdleControlEvent, NULL);
|
|
} else {
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
}
|
|
|
|
// If we disconnected a Session owning the console terminal, go an create a new one
|
|
// to own it.
|
|
if (bConsoleSession) {
|
|
ENTERCRIT(&ConsoleLock);
|
|
if (!WinStationCheckConsoleSession()) {
|
|
/*
|
|
* Wake up the WinStationIdleControlThread
|
|
*/
|
|
NtSetEvent(WinStationIdleControlEvent, NULL);
|
|
|
|
}
|
|
LEAVECRIT(&ConsoleLock);
|
|
}
|
|
|
|
if ( gbListenerOff && !bListener && ListenName[0] ) {
|
|
|
|
StartStopListeners( ListenName, FALSE );
|
|
}
|
|
/*
|
|
* Save return status
|
|
*/
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationReset, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationShutdownSystemWorker
|
|
*
|
|
* Function to shutdown the system from an RPC API request
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationShutdownSystemWorker(
|
|
ULONG ClientLogonId,
|
|
ULONG ShutdownFlags
|
|
)
|
|
{
|
|
BOOL rc;
|
|
BOOLEAN WasEnabled;
|
|
NTSTATUS Status = 0;
|
|
NTSTATUS Status2;
|
|
PWINSTATION pWinStation;
|
|
UINT ExitWindowsFlags;
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationShutdownSystem, Flags=%d\n", ShutdownFlags ));
|
|
|
|
/*
|
|
* Impersonate the client so that when the attempt is made to enable
|
|
* the SE_SHUTDOWN_PRIVILEGE, it will fail if the account is not admin.
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationShutdownSystemWorker: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// If its remote RPC call we should ignore ClientLogonId
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// we dont care about client logon id if this is called from remote machine.
|
|
// so lets set it zero. So its treated as shutdown from session 0.
|
|
//
|
|
if (!LocalFlag) {
|
|
ClientLogonId = 0;
|
|
}
|
|
|
|
|
|
/*
|
|
* We are called under RPC impersonation so that the current
|
|
* thread token represents the RPC client. If the RPC client
|
|
* does not have SE_SHUTDOWN_PRIVILEGE, the RtlAdjustPrivilege()
|
|
* will fail.
|
|
*/
|
|
Status = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
TRUE, // Enable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&WasEnabled
|
|
);
|
|
if( NT_SUCCESS( Status ) && !WasEnabled ) {
|
|
/*
|
|
* Principle of least rights says to not go around with privileges
|
|
* held you do not need. So we must disable the shutdown privilege
|
|
* if it was just a logoff force.
|
|
*/
|
|
Status2 = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
FALSE, // Disable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&WasEnabled
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS(Status2) );
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
if ( Status == STATUS_NO_TOKEN ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationShutdownSystemWorker: No Thread token!\n"));
|
|
goto done;
|
|
}
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationShutdownSystemWorker: RtlAdjustPrivilege failure 0x%x\n",Status));
|
|
goto done;
|
|
}
|
|
|
|
if ( ShutdownFlags == 0 )
|
|
goto done;
|
|
|
|
//
|
|
// At this point we know that the client has access to shutdown the machine.
|
|
// Now enable Shutdown privilege for the termsrv.exe process. This is done
|
|
// because winlogon only allow system processes to shutdown the machine if
|
|
// if no one is logged on the console session. If we just enable privilige
|
|
// for the impersonating thread winlogon will not consider it as a system
|
|
// process
|
|
//
|
|
Status = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
TRUE, // Enable the PRIVILEGE
|
|
FALSE, // Use Process Token
|
|
&WasEnabled
|
|
);
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationShutdownSystemWorker: RtlAdjustPrivilege failure 0x%x\n",Status));
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Set global shutdown flag
|
|
*/
|
|
ShutdownInProgress = TRUE;
|
|
|
|
// Let TS leave SD in case of shutdown
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) {
|
|
DestroySessionDirectory();
|
|
}
|
|
|
|
/*
|
|
* If logoff option is specified, then cause all WinStations
|
|
* to logoff now and don't restart them.
|
|
*/
|
|
if ( ShutdownFlags & (WSD_SHUTDOWN | WSD_LOGOFF) ) {
|
|
Status = ShutdownLogoff( ClientLogonId, ShutdownFlags );
|
|
}
|
|
|
|
if ( ShutdownFlags & (WSD_SHUTDOWN | WSD_REBOOT | WSD_POWEROFF) ) {
|
|
/*
|
|
* If system will be rebooted or powered off, then cause
|
|
* the client WinStation that called us to logoff now.
|
|
* If shutdown from non-console, close the connection (self) here.
|
|
*/
|
|
if ( (ShutdownFlags & (WSD_REBOOT | WSD_POWEROFF)) || ClientLogonId != 0) {
|
|
|
|
if (!ShutDownFromSessionID)
|
|
ShutDownFromSessionID = ClientLogonId;
|
|
|
|
// ShutdownTerminateNoWait = TRUE;
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: Start reset of last WinStation\n" ));
|
|
(VOID) DoForWinStationGroup( &ClientLogonId, 1,
|
|
(LPTHREAD_START_ROUTINE) WinStationShutdownReset );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: Last WinStation reset\n" ));
|
|
|
|
|
|
if ( ClientLogonId == 0 ) {
|
|
|
|
DWORD dwRet;
|
|
dwRet = WaitForSingleObject(ConsoleLogoffEvent,120*1000);
|
|
if (dwRet == WAIT_TIMEOUT)
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationShutdownSystemWorker: Timedout waiting for ConsoleLogoffEvent\n"));
|
|
Status = STATUS_TIMEOUT;
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now complete system shutdown.
|
|
*
|
|
* Use ExitWindowsEx() so that console winlogon completes
|
|
* our shutdown. This is so that services get shutdown
|
|
* properly.
|
|
*/
|
|
if (ClientLogonId == (USER_SHARED_DATA->ActiveConsoleId) ) {
|
|
ExitWindowsFlags = 0;
|
|
} else {
|
|
ExitWindowsFlags = EWX_FORCE;
|
|
}
|
|
if ( ShutdownFlags & WSD_REBOOT )
|
|
ExitWindowsFlags |= EWX_REBOOT;
|
|
else if ( ShutdownFlags & WSD_POWEROFF )
|
|
ExitWindowsFlags |= EWX_POWEROFF;
|
|
else
|
|
ExitWindowsFlags |= EWX_SHUTDOWN;
|
|
|
|
/*
|
|
* Need to pass the EWX_TERMSRV_INITIATED to let winlogon know
|
|
* that the shutdown was initiated by termsrv.
|
|
*/
|
|
rc = ExitWindowsEx( ExitWindowsFlags | EWX_TERMSRV_INITIATED,SHTDN_REASON_LEGACY_API|SHTDN_REASON_MINOR_TERMSRV );
|
|
if( !rc ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: ExitWindowsEx failed %d\n",GetLastError() ));
|
|
}
|
|
}
|
|
|
|
if( !WasEnabled ) {
|
|
|
|
/*
|
|
* Principle of least rights says to not go around with privileges
|
|
* held you do not need. So we must disable the shutdown privilege
|
|
* if it was just a logoff force.
|
|
*/
|
|
Status2 = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
FALSE, // Disable the PRIVILEGE
|
|
FALSE, // Use Process Token
|
|
&WasEnabled
|
|
);
|
|
ASSERT( NT_SUCCESS(Status2) );
|
|
}
|
|
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationShutdownSystem, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationTerminateProcessWorker
|
|
*
|
|
* Terminate the specified process
|
|
*
|
|
* ENTRY:
|
|
* ProcessId (input)
|
|
* process id of the process to terminate
|
|
* ExitCode (input)
|
|
* Termination status for each thread in the process
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationTerminateProcessWorker(
|
|
ULONG ProcessId,
|
|
ULONG ExitCode
|
|
)
|
|
{
|
|
OBJECT_ATTRIBUTES Obja;
|
|
CLIENT_ID ClientId;
|
|
BOOLEAN fWasEnabled = FALSE;
|
|
NTSTATUS Status;
|
|
NTSTATUS Status2;
|
|
SID_IDENTIFIER_AUTHORITY NtSidAuthority = SECURITY_NT_AUTHORITY;
|
|
HANDLE ProcHandle = NULL;
|
|
HANDLE TokenHandle = NULL;
|
|
PTOKEN_USER pTokenInfo = NULL;
|
|
ULONG TokenInfoLength;
|
|
ULONG ReturnLength;
|
|
int rc;
|
|
|
|
TRACE(( hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationTerminateProcess, PID=%d, ExitCode %u\n",
|
|
ProcessId, ExitCode ));
|
|
|
|
/*
|
|
* If possible, enable the debug privilege
|
|
*/
|
|
(void) RtlAdjustPrivilege( SE_DEBUG_PRIVILEGE,
|
|
TRUE, // Enable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&fWasEnabled );
|
|
|
|
/*
|
|
* Attempt to open the process for query and terminate access.
|
|
*/
|
|
ClientId.UniqueThread = (HANDLE) NULL;
|
|
ClientId.UniqueProcess = (HANDLE) LongToHandle( ProcessId );
|
|
InitializeObjectAttributes( &Obja, NULL, 0, NULL, NULL );
|
|
Status = NtOpenProcess( &ProcHandle,
|
|
PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE,
|
|
&Obja,
|
|
&ClientId );
|
|
if ( !NT_SUCCESS(Status) )
|
|
goto restore;
|
|
|
|
/*
|
|
* Open the process token so we can query the user SID. If the user
|
|
* SID for this process is the SYSTEM SID, we will deny access to it.
|
|
* This is to prevent ADMINs from killing system processes.
|
|
*/
|
|
Status = NtOpenProcessToken( ProcHandle, TOKEN_QUERY, &TokenHandle );
|
|
|
|
/*
|
|
* Its possible for OpenProcess above to succeed and NtOpenProcessToken
|
|
* to fail. One scenario is an ADMIN user trying to kill a USER process.
|
|
* Standard security allows ADMIN terminate access to the process but
|
|
* does not allow any access to the process token. In this case we
|
|
* will just skip the SID check and do the terminate below.
|
|
*/
|
|
if ( NT_SUCCESS( Status ) ) {
|
|
/*
|
|
* Allocate buffer for reading user SID
|
|
*/
|
|
TokenInfoLength = sizeof(TOKEN_USER) +
|
|
RtlLengthRequiredSid( SID_MAX_SUB_AUTHORITIES );
|
|
pTokenInfo = MemAlloc( TokenInfoLength );
|
|
if ( pTokenInfo == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto freeit;
|
|
}
|
|
|
|
/*
|
|
* Query the user SID in the token
|
|
*/
|
|
Status = NtQueryInformationToken( TokenHandle, TokenUser, pTokenInfo,
|
|
TokenInfoLength, &ReturnLength );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto freeit;
|
|
|
|
/*
|
|
* If user SID for this process is the SYSTEM SID,
|
|
* then we don't allow it to be terminated.
|
|
*/
|
|
if ( RtlEqualSid( gSystemSid, pTokenInfo->User.Sid ) ) {
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto freeit;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now try to terminate the process
|
|
*/
|
|
Status = NtTerminateProcess( ProcHandle, (NTSTATUS)ExitCode );
|
|
|
|
freeit:
|
|
if ( pTokenInfo )
|
|
MemFree( pTokenInfo );
|
|
|
|
if ( TokenHandle )
|
|
CloseHandle( TokenHandle );
|
|
|
|
if ( ProcHandle )
|
|
CloseHandle( ProcHandle );
|
|
|
|
restore:
|
|
if( !fWasEnabled ) {
|
|
|
|
/*
|
|
* Principle of least rights says to not go around with privileges
|
|
* held you do not need. So we must disable the debug privilege
|
|
* if it was not enabled on entry to this routine.
|
|
*/
|
|
Status2 = RtlAdjustPrivilege(
|
|
SE_DEBUG_PRIVILEGE,
|
|
FALSE, // Disable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&fWasEnabled
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS(Status2) );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationTerminateProcess, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationWaitSystemEventWorker
|
|
*
|
|
* Function to wait for a system event from an RPC API request.
|
|
*
|
|
* Only one event wait may be posted per server handle at a time. The
|
|
* code protects itself from misuse by returning STATUS_PIPE_BUSY if
|
|
* an eventwait is already outstanding, and the request is not a cancel.
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationWaitSystemEventWorker(
|
|
HANDLE hServer,
|
|
ULONG EventMask,
|
|
PULONG pEventFlags
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
PEVENT pWaitEvent;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
PRPC_CLIENT_CONTEXT pContext = (PRPC_CLIENT_CONTEXT)hServer;
|
|
static long s_cEvents = 0; //Used to count events in SystemEvent list.
|
|
//Protected by "WinStationListLock" Critical Section.
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEventWorker, Mask=0x%08x\n", EventMask ));
|
|
ASSERT( MAX_WINSTATION_RPC_THREADS > MAX_SYSTEM_EVENTS);
|
|
/*
|
|
* Protect ourselves from multiple threads calling in at once
|
|
*/
|
|
RtlEnterCriticalSection( &WinStationListLock );
|
|
|
|
/*
|
|
* If client doesn't already have an event block,
|
|
* then allocate and initialize one now.
|
|
*/
|
|
if ( pContext->pWaitEvent == NULL ) {
|
|
|
|
// If event mask is null or flush specified, then nothing to do
|
|
if ( EventMask == WEVENT_NONE || (EventMask & WEVENT_FLUSH) ) {
|
|
Status = STATUS_SUCCESS;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
goto done;
|
|
}
|
|
|
|
if(s_cEvents == MAX_SYSTEM_EVENTS)
|
|
{
|
|
Status = STATUS_PIPE_BUSY;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Allocate event block and initialize it
|
|
*/
|
|
if ( (pWaitEvent = MemAlloc( sizeof(EVENT) )) == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
goto done;
|
|
}
|
|
RtlZeroMemory( pWaitEvent, sizeof(EVENT) );
|
|
|
|
pWaitEvent->fWaiter = FALSE;
|
|
pWaitEvent->EventMask = EventMask;
|
|
pWaitEvent->EventFlags = 0;
|
|
|
|
/*
|
|
* Create an event to wait on
|
|
*/
|
|
InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL );
|
|
Status = NtCreateEvent( &pWaitEvent->Event, EVENT_ALL_ACCESS, &ObjA,
|
|
NotificationEvent, FALSE );
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
MemFree( pWaitEvent );
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
goto done;
|
|
}
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Event=%p\n", pWaitEvent->Event ));
|
|
|
|
TRACE((hTrace,TC_ICAAPI,TT_API3, "TERMSRV: WinStationWaitSystemEvent, Event block=%p\n", pWaitEvent ));
|
|
|
|
/*
|
|
* Save event block pointer in RPC client context structure
|
|
* and insert in system event list.
|
|
*/
|
|
pContext->pWaitEvent = pWaitEvent;
|
|
InsertTailList( &SystemEventHead, &pWaitEvent->EventListEntry );
|
|
|
|
s_cEvents++;
|
|
ASSERT(s_cEvents <= MAX_SYSTEM_EVENTS);
|
|
/*
|
|
* Wait for the event to be signaled
|
|
*/
|
|
pWaitEvent->fWaiter = TRUE;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
Status = WaitForSingleObject( pWaitEvent->Event, (DWORD)-1 );
|
|
RtlEnterCriticalSection( &WinStationListLock );
|
|
pWaitEvent->fWaiter = FALSE;
|
|
|
|
if ( NT_SUCCESS(Status) ) {
|
|
Status = pWaitEvent->WaitResult;
|
|
if( NT_SUCCESS(Status) ) {
|
|
*pEventFlags = pWaitEvent->EventFlags;
|
|
/*
|
|
* makarp - Fix For . (#21929)
|
|
*/
|
|
pWaitEvent->EventFlags = 0;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If fClosing is set, then cleanup the eventwait entry and free it.
|
|
*/
|
|
if ( pWaitEvent->fClosing ) {
|
|
pContext->pWaitEvent = NULL;
|
|
RemoveEntryList( &pWaitEvent->EventListEntry );
|
|
s_cEvents--;
|
|
ASSERT(s_cEvents >= 0);
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
NtClose( pWaitEvent->Event );
|
|
pWaitEvent->Event = NULL;
|
|
MemFree( pWaitEvent );
|
|
} else {
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
}
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
|
|
/*
|
|
* Client has an event block but wants to remove it
|
|
*/
|
|
} else if ( EventMask == WEVENT_NONE ) {
|
|
|
|
pWaitEvent = pContext->pWaitEvent;
|
|
|
|
// If we have a waiter, mark the eventwait struct as closing
|
|
// and let the waiter clean up.
|
|
if ( pWaitEvent->fWaiter ) {
|
|
pWaitEvent->fClosing = TRUE;
|
|
pWaitEvent->WaitResult = STATUS_CANCELLED;
|
|
NtSetEvent( pWaitEvent->Event, NULL );
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
Status = STATUS_SUCCESS;
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
pContext->pWaitEvent = NULL;
|
|
RemoveEntryList( &pWaitEvent->EventListEntry );
|
|
s_cEvents--;
|
|
ASSERT(s_cEvents >= 0);
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
NtClose( pWaitEvent->Event );
|
|
pWaitEvent->Event = NULL;
|
|
MemFree( pWaitEvent );
|
|
Status = STATUS_SUCCESS;
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
|
|
/*
|
|
* Flush specified so we must release waiting client
|
|
*/
|
|
} else if ( EventMask & WEVENT_FLUSH ) {
|
|
pWaitEvent = pContext->pWaitEvent;
|
|
if ( pWaitEvent->fWaiter ) {
|
|
pWaitEvent->WaitResult = STATUS_CANCELLED;
|
|
NtSetEvent( pWaitEvent->Event, NULL );
|
|
TRACE((hTrace,TC_ICAAPI,TT_API3, "TERMSRV: WinStationWaitSystemEvent, event wait cancelled\n" ));
|
|
}
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
Status = STATUS_SUCCESS;
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
|
|
/*
|
|
* Client already has an event block and is calling again
|
|
* to wait for another event. Update the EventMask in case it
|
|
* changed from the original call.
|
|
*/
|
|
} else {
|
|
|
|
pWaitEvent = pContext->pWaitEvent;
|
|
|
|
// Only allow one waiter
|
|
if ( pWaitEvent->fWaiter ) {
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
Status = STATUS_PIPE_BUSY;
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
|
|
pWaitEvent->EventMask = EventMask;
|
|
|
|
/*
|
|
* If additional events occured while client was processing
|
|
* previous events, then just return to the client now.
|
|
*/
|
|
if ( pWaitEvent->EventFlags &= EventMask ) {
|
|
*pEventFlags = pWaitEvent->EventFlags;
|
|
pWaitEvent->EventFlags = 0;
|
|
Status = STATUS_SUCCESS;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
TRACE((hTrace,TC_ICAAPI,TT_API3, "TERMSRV: WinStationWaitSystemEvent, returning immediately\n" ));
|
|
return( Status );
|
|
} else {
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, waiting for event\n" ));
|
|
|
|
// Reset the event
|
|
NtResetEvent( pWaitEvent->Event, NULL );
|
|
|
|
/*
|
|
* Wait for the event to be signaled
|
|
*/
|
|
pWaitEvent->fWaiter = TRUE;
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
Status = WaitForSingleObject( pWaitEvent->Event, (DWORD)-1 );
|
|
RtlEnterCriticalSection( &WinStationListLock );
|
|
pWaitEvent->fWaiter = FALSE;
|
|
|
|
if( NT_SUCCESS(Status) ) {
|
|
Status = pWaitEvent->WaitResult;
|
|
if( NT_SUCCESS(Status) ) {
|
|
*pEventFlags = pWaitEvent->EventFlags;
|
|
/*
|
|
* makarp - Fix For . (#21929)
|
|
*/
|
|
pWaitEvent->EventFlags = 0;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* If fClosing is set, then cleanup the eventwait entry and free it.
|
|
*/
|
|
if ( pWaitEvent->fClosing ) {
|
|
pContext->pWaitEvent = NULL;
|
|
RemoveEntryList( &pWaitEvent->EventListEntry );
|
|
s_cEvents--;
|
|
ASSERT(s_cEvents >= 0);
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
NtClose( pWaitEvent->Event );
|
|
pWaitEvent->Event = NULL;
|
|
MemFree( pWaitEvent );
|
|
} else {
|
|
RtlLeaveCriticalSection( &WinStationListLock );
|
|
}
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
}
|
|
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationWaitSystemEvent, Status=0x%x\n", Status ));
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationCallbackWorker
|
|
*
|
|
* Perform callback processing for the specified WinStation.
|
|
*
|
|
* ENTRY:
|
|
* LogonId (input)
|
|
* Logon Id of WinStation
|
|
* pPhoneNumber (input)
|
|
* Phone number string suitable for processing by TAPI
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationCallbackWorker(
|
|
ULONG LogonId,
|
|
PWCHAR pPhoneNumber
|
|
)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
NTSTATUS Status;
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
return( Status );
|
|
}
|
|
|
|
/*
|
|
* Unlock WinStation while Callback is in progress
|
|
*/
|
|
UnlockWinStation( pWinStation );
|
|
|
|
if (pWinStation->hStack != NULL) {
|
|
Status = IcaStackCallback( pWinStation->hStack,
|
|
&pWinStation->Config,
|
|
pPhoneNumber,
|
|
pWinStation->pEndpoint,
|
|
pWinStation->EndpointLength,
|
|
&pWinStation->EndpointLength );
|
|
} else {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
|
|
}
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationBreakPointWorker
|
|
*
|
|
* Message parameter unmarshalling function for WinStation API.
|
|
*
|
|
* ENTRY:
|
|
* pContext (input)
|
|
* Pointer to our context structure describing the connection.
|
|
*
|
|
* pMsg (input/output)
|
|
* Pointer to the API message, a superset of NT LPC PORT_MESSAGE.
|
|
****************************************************************************/
|
|
NTSTATUS
|
|
WinStationBreakPointWorker(
|
|
ULONG LogonId,
|
|
BOOLEAN KernelFlag
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
NTSTATUS Status2;
|
|
BOOLEAN WasEnabled;
|
|
WINSTATION_APIMSG WMsg;
|
|
PWINSTATION pWinStation;
|
|
|
|
/*
|
|
* We are called under RPC impersonation so that the current
|
|
* thread token represents the RPC client. If the RPC client
|
|
* does not have SE_SHUTDOWN_PRIVILEGE, the RtlAdjustPrivilege()
|
|
* will fail.
|
|
*
|
|
* SE_SHUTDOWN_PRIVILEGE is used for breakpoints because that is
|
|
* effectively what a break point does to the system.
|
|
*/
|
|
Status = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
TRUE, // Enable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&WasEnabled
|
|
);
|
|
|
|
if ( Status == STATUS_NO_TOKEN ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationBreakPointWorker: No Thread token!\n"));
|
|
return( Status );
|
|
}
|
|
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationBreakPointWorker: RtlAdjustPrivilege failure 0x%x\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
/*
|
|
* Stop here if that's what was requested
|
|
*/
|
|
if ( LogonId == (ULONG)-2 ) {
|
|
DbgBreakPoint();
|
|
Status = STATUS_SUCCESS;
|
|
goto Done;
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( LogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto Done;
|
|
}
|
|
|
|
/*
|
|
* Tell the WinStation to breakpoint
|
|
*/
|
|
|
|
WMsg.ApiNumber = SMWinStationDoBreakPoint;
|
|
WMsg.u.BreakPoint.KernelFlag = KernelFlag;
|
|
Status = SendWinStationCommand( pWinStation, &WMsg, 0 );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
Done:
|
|
|
|
if( !WasEnabled ) {
|
|
/*
|
|
* Principle of least rights says to not go around with privileges
|
|
* held you do not need.
|
|
*/
|
|
Status2 = RtlAdjustPrivilege(
|
|
SE_SHUTDOWN_PRIVILEGE,
|
|
FALSE, // Disable the PRIVILEGE
|
|
TRUE, // Use Thread token (under impersonation)
|
|
&WasEnabled
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS(Status2) );
|
|
}
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
WinStationEnableSessionIo(
|
|
PWINSTATION pWinStation,
|
|
BOOL bEnable
|
|
)
|
|
/*++
|
|
|
|
Description:
|
|
|
|
Funtion to disable keyboard and mouse input from session, this is to prevent
|
|
security hole that a hacker can send keystrock to bring up utility manager
|
|
before shadowing.
|
|
|
|
Parameters:
|
|
|
|
pWinStation (INPUT) : Pointer to winstation, function will ignore if session is
|
|
not a help session.
|
|
bEnable (INPUT) : TRUE to enable keyboard/mouse, FALSE otherwise.
|
|
|
|
Returns:
|
|
|
|
...
|
|
|
|
Note:
|
|
|
|
WINSTATION structure must be locked. Two new IOCTL code so we don't introduce any regression.
|
|
|
|
|
|
--*/
|
|
{
|
|
HANDLE ChannelHandle;
|
|
NTSTATUS Status;
|
|
|
|
if( pWinStation->fOwnsConsoleTerminal )
|
|
{
|
|
//
|
|
// Don't want to disable mouse/keyboard input on active console session,
|
|
//
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
Status = IcaChannelOpen(
|
|
pWinStation->hIca,
|
|
Channel_Keyboard,
|
|
NULL,
|
|
&ChannelHandle
|
|
);
|
|
if ( NT_SUCCESS( Status ) ) {
|
|
Status = IcaChannelIoControl(
|
|
ChannelHandle,
|
|
(bEnable) ? IOCTL_ICA_CHANNEL_ENABLE_SESSION_IO : IOCTL_ICA_CHANNEL_DISABLE_SESSION_IO,
|
|
NULL, 0, NULL, 0, NULL
|
|
);
|
|
IcaChannelClose( ChannelHandle );
|
|
}
|
|
|
|
Status = IcaChannelOpen(
|
|
pWinStation->hIca,
|
|
Channel_Mouse,
|
|
NULL,
|
|
&ChannelHandle
|
|
);
|
|
if ( NT_SUCCESS( Status ) ) {
|
|
Status = IcaChannelIoControl( ChannelHandle,
|
|
(bEnable) ? IOCTL_ICA_CHANNEL_ENABLE_SESSION_IO : IOCTL_ICA_CHANNEL_DISABLE_SESSION_IO,
|
|
NULL, 0, NULL, 0, NULL );
|
|
IcaChannelClose( ChannelHandle );
|
|
}
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationNotifyLogonWorker
|
|
*
|
|
* Message parameter unmarshalling function for WinStation API.
|
|
****************************************************************************/
|
|
NTSTATUS WinStationNotifyLogonWorker(
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId,
|
|
BOOLEAN fUserIsAdmin,
|
|
DWORD UserToken,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
PWCHAR pPassword,
|
|
DWORD PasswordSize,
|
|
UCHAR Seed,
|
|
PCHAR pUserConfig,
|
|
DWORD ConfigSize,
|
|
BOOLEAN *pfIsRedirected
|
|
)
|
|
{
|
|
extern GENERIC_MAPPING WinStaMapping;
|
|
extern LPCWSTR szTermsrv;
|
|
extern LPCWSTR szTermsrvSession;
|
|
|
|
PWINSTATION pWinStation;
|
|
HANDLE ClientToken, NewToken;
|
|
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
HANDLE ImpersonationToken;
|
|
PTOKEN_USER TokenInfo;
|
|
ULONG Length;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
ULONG UserNameLength = USERNAME_LENGTH;
|
|
ULONG DomainLength = DOMAIN_LENGTH;
|
|
BOOL bAccessCheckOk = FALSE;
|
|
DWORD GrantedAccess;
|
|
BOOL AccessStatus;
|
|
BOOL fGenerateOnClose;
|
|
PTSSD_CreateSessionInfo pCreateInfo = NULL;
|
|
BOOL bHaveCreateInfo = FALSE;
|
|
BOOL bQueueReset = FALSE;
|
|
BOOL bRedirect = FALSE; // TRUE: redirect this connection
|
|
BOOL bValidHelpSession;
|
|
BOOL bNoAccessCheck = FALSE;
|
|
BOOL fReconnectingToConsole = FALSE;
|
|
BOOL RetValue = FALSE;
|
|
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyLogon, LogonId=%d\n", ClientLogonId ));
|
|
|
|
*pfIsRedirected = FALSE;
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
return Status;
|
|
}
|
|
|
|
//Since we don't need the password anymore, clean it up
|
|
if (pWinStation->pNewClientCredentials != NULL) {
|
|
RtlSecureZeroMemory(pWinStation->pNewClientCredentials->Password,
|
|
sizeof(pWinStation->pNewClientCredentials->Password));
|
|
}
|
|
|
|
RtlSecureZeroMemory(pWinStation->Config.Config.User.Password,
|
|
sizeof(pWinStation->Config.Config.User.Password));
|
|
|
|
if( sizeof( USERCONFIGW ) > ConfigSize ) {
|
|
ReleaseWinStation( pWinStation );
|
|
return( STATUS_ACCESS_VIOLATION );
|
|
}
|
|
|
|
//
|
|
// If this is a notification from Session 0, then clear the Mpr notification information
|
|
// Termsrv already erases this after query, but since this is critical information, lets Erase everything again
|
|
// This is to take care of the case where reconnect to Session 0 failed for some reason and we do not Erase these after Query
|
|
//
|
|
|
|
if (ClientLogonId == 0) {
|
|
RtlSecureZeroMemory( g_MprNotifyInfo.Domain, wcslen(g_MprNotifyInfo.Domain) * sizeof(WCHAR) );
|
|
RtlSecureZeroMemory( g_MprNotifyInfo.UserName, wcslen(g_MprNotifyInfo.UserName) * sizeof(WCHAR) );
|
|
RtlSecureZeroMemory( g_MprNotifyInfo.Password, wcslen(g_MprNotifyInfo.Password) * sizeof(WCHAR) );
|
|
}
|
|
|
|
if ( ShutdownInProgress ) {
|
|
ReleaseWinStation( pWinStation );
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
pCreateInfo = MemAlloc(sizeof(TSSD_CreateSessionInfo));
|
|
if (NULL == pCreateInfo) {
|
|
ReleaseWinStation( pWinStation );
|
|
return ( STATUS_NO_MEMORY );
|
|
}
|
|
|
|
//
|
|
// Release filtered address
|
|
//
|
|
if (pWinStation->pRememberedAddress != NULL) {
|
|
Filter_RemoveOutstandingConnection( &pWinStation->pRememberedAddress->addr[0], pWinStation->pRememberedAddress->length );
|
|
MemFree(pWinStation->pRememberedAddress);
|
|
pWinStation->pRememberedAddress = NULL;
|
|
if( (ULONG)InterlockedDecrement( &NumOutStandingConnect ) == MaxOutStandingConnect )
|
|
{
|
|
if (hConnectEvent != NULL)
|
|
{
|
|
SetEvent(hConnectEvent);
|
|
}
|
|
}
|
|
|
|
|
|
}
|
|
|
|
// The client has communicated its initial configuration
|
|
// information. Check if we need to redirect the client for
|
|
// load balancing. Ignore the console!
|
|
// Note: Only go through this if SD is enabled, i.e. GetTSSD() returns valid value
|
|
if (ClientLogonId != 0 && !g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && GetTSSD()) {
|
|
PTS_LOAD_BALANCE_INFO pLBInfo = NULL;
|
|
PWINSTATION pTargetWinStation = pWinStation;
|
|
ULONG ReturnLength;
|
|
BOOL bSuccess = FALSE;
|
|
|
|
pLBInfo = MemAlloc(sizeof(TS_LOAD_BALANCE_INFO));
|
|
if (NULL == pLBInfo) {
|
|
Status = STATUS_NO_MEMORY;
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
// need to release it
|
|
ReleaseTSSD();
|
|
|
|
// Get the client load balance capability info. We continue onward
|
|
// to do a session directory query only when the client supports
|
|
// redirection and has not already been redirected to this server.
|
|
memset(pLBInfo, 0, sizeof(TS_LOAD_BALANCE_INFO));
|
|
Status = IcaStackIoControl(pTargetWinStation->hStack,
|
|
IOCTL_TS_STACK_QUERY_LOAD_BALANCE_INFO,
|
|
NULL, 0,
|
|
pLBInfo, sizeof(TS_LOAD_BALANCE_INFO),
|
|
&ReturnLength);
|
|
|
|
// Only check for possible redirection if this is the initial request
|
|
if (NT_SUCCESS(Status) && !pLBInfo->bRequestedSessionIDFieldValid) {
|
|
// On non-success, we'll have FALSE for all of our entries, on
|
|
// success valid values. So, save off the cluster info into the
|
|
// WinStation struct now.
|
|
pTargetWinStation->bClientSupportsRedirection =
|
|
pLBInfo->bClientSupportsRedirection;
|
|
pTargetWinStation->bRequestedSessionIDFieldValid =
|
|
pLBInfo->bRequestedSessionIDFieldValid;
|
|
pTargetWinStation->bClientRequireServerAddr =
|
|
pLBInfo->bClientRequireServerAddr;
|
|
pTargetWinStation->RequestedSessionID = pLBInfo->RequestedSessionID;
|
|
|
|
// Use the name & domain they used to actually log on
|
|
memset(pLBInfo->Domain, 0, sizeof(pLBInfo->Domain));
|
|
memset(pLBInfo->UserName, 0, sizeof(pLBInfo->UserName));
|
|
wcsncpy(pLBInfo->Domain, pDomain, DomainLength);
|
|
wcsncpy(pLBInfo->UserName, pUserName, UserNameLength);
|
|
|
|
TRACE((hTrace,TC_LOAD,TT_API1,
|
|
"Client LBInfo: Supports Redirect [%lx], "
|
|
"Session Id valid [%lx]:%lx, "
|
|
"Creds [%S\\%S]\n",
|
|
pLBInfo->bClientSupportsRedirection,
|
|
pLBInfo->bRequestedSessionIDFieldValid,
|
|
pLBInfo->RequestedSessionID,
|
|
pLBInfo->UserName, pLBInfo->Domain));
|
|
|
|
wcsncpy(pLBInfo->Password, pPassword, PasswordSize);
|
|
|
|
bSuccess = SessDirCheckRedirectClient(pTargetWinStation, pLBInfo);
|
|
|
|
// Clear password
|
|
if (0 != PasswordSize)
|
|
SecureZeroMemory(pLBInfo->Password, PasswordSize);
|
|
|
|
if (bSuccess) {
|
|
// The client should drop the socket, and we'll
|
|
// go ahead and drop this ongoing connection.
|
|
// Set an error status.
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
*pfIsRedirected = TRUE;
|
|
bRedirect = TRUE;
|
|
|
|
TRACE((hTrace,TC_LOAD,TT_API1,
|
|
"Disconnected session found: redirecting client!\n"));
|
|
|
|
if (pLBInfo != NULL) {
|
|
MemFree(pLBInfo);
|
|
pLBInfo = NULL;
|
|
}
|
|
|
|
goto release;
|
|
}
|
|
else {
|
|
TRACE((hTrace,TC_LOAD,TT_API1,
|
|
"Disconnected session not found: status [%lx], pers [%ld], appcompat [%ld]\n",
|
|
Status, g_bPersonalTS, g_fAppCompat));
|
|
}
|
|
}
|
|
|
|
if (pLBInfo != NULL) {
|
|
MemFree(pLBInfo);
|
|
pLBInfo = NULL;
|
|
}
|
|
}
|
|
|
|
|
|
if (ClientLogonId == 0) {
|
|
//
|
|
//ReSet the Console Logon Event
|
|
//
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_INFO_LEVEL, "TERMSRV: WinStationNotifyLogon, ReSetting ConsoleLogoffEvent\n"));
|
|
NtResetEvent(ConsoleLogoffEvent, NULL);
|
|
}
|
|
/*
|
|
* Do not do anything if the session is not connected. The processing in this API assumes we are connected and have a
|
|
* valid stack.
|
|
*/
|
|
|
|
if ((ClientLogonId != 0) && ((pWinStation->State != State_Connected) || pWinStation->StateFlags & WSF_ST_IN_DISCONNECT)) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
|
|
if (ClientLogonId == 0 && !bConsoleConnected ){
|
|
|
|
Status = WaitForConsoleConnectWorker( pWinStation );
|
|
if (NT_SUCCESS(Status)) {
|
|
bConsoleConnected=TRUE;
|
|
} else {
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Upper level code has verified that this RPC
|
|
* is coming from a local client with SYSTEM access.
|
|
*
|
|
* We should be able to trust the ClientProcessId from
|
|
* SYSTEM code.
|
|
*/
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pWinStation->InitialCommandProcessId ) {
|
|
/*
|
|
* The console has a special problem with NTSD starting winlogon.
|
|
* It doesn't get notified until now what the PID if winlogon.exe
|
|
* instead of ntsd.exe is.
|
|
*/
|
|
if ( !pWinStation->LogonId && !pWinStation->InitialProcessSet ) {
|
|
pWinStation->InitialCommandProcess = OpenProcess(
|
|
PROCESS_ALL_ACCESS,
|
|
FALSE,
|
|
(DWORD) ClientProcessId );
|
|
|
|
if ( pWinStation->InitialCommandProcess == NULL ) {
|
|
Status = STATUS_ACCESS_DENIED;
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
pWinStation->InitialCommandProcessId = (HANDLE)(ULONG_PTR)ClientProcessId;
|
|
pWinStation->InitialProcessSet = TRUE;
|
|
|
|
}
|
|
else {
|
|
//Set flag saying that WinStationNotifyLogonWorker
|
|
//was successfully completed
|
|
pWinStation->StateFlags |= WSF_ST_LOGON_NOTIFIED;
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_SUCCESS;
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Verify the client license if appropriate
|
|
*/
|
|
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxVerifyClientLicense ) {
|
|
Status = pWinStation->pWsx->pWsxVerifyClientLicense(
|
|
pWinStation->pWsxContext,
|
|
pWinStation->Config.Pd[0].Create.SdClass);
|
|
}
|
|
|
|
if ( Status != STATUS_SUCCESS) {
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// DON'T CHECK RpcClientAccess. The client is always winlogon (verified
|
|
// before the call to this function) so this call does not check against
|
|
// the actual user logging in. This is done further down from here.
|
|
//
|
|
#if 0
|
|
if (ClientLogonId != 0)
|
|
{
|
|
Status = RpcCheckClientAccess( pWinStation, WINSTATION_LOGON, FALSE );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationNotifyLogon, RpcCheckClientAccess failed=%x\n", Status ));
|
|
goto done;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Save user status
|
|
*
|
|
* NOTE: This flag should only be used by the annoyance thread,
|
|
* and not for any security sensitive operations. All
|
|
* security sensitive operations need to go through the
|
|
* NT SeAccessCheck so that auditing is done properly.
|
|
*/
|
|
|
|
pWinStation->fUserIsAdmin = fUserIsAdmin;
|
|
|
|
if (!ClientLogonId && !pWinStation->pWsx) {
|
|
PLIST_ENTRY Head, Next;
|
|
PWSEXTENSION pWsx;
|
|
ICASRVPROCADDR IcaSrvProcAddr;
|
|
|
|
RtlEnterCriticalSection( &WsxListLock );
|
|
|
|
Head = &WsxListHead;
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
pWsx = CONTAINING_RECORD( Next, WSEXTENSION, Links );
|
|
if ( pWsx->pWsxGetLicense ) {
|
|
if (!pWinStation->pWsxContext && pWsx->pWsxWinStationInitialize) {
|
|
Status = pWsx->pWsxWinStationInitialize(&pWinStation->pWsxContext);
|
|
}
|
|
Status = pWsx->pWsxGetLicense(pWinStation->pWsxContext,
|
|
pWinStation->hStack,
|
|
pWinStation->LogonId,
|
|
fUserIsAdmin);
|
|
break;
|
|
}
|
|
}
|
|
|
|
RtlLeaveCriticalSection( &WsxListLock );
|
|
} else {
|
|
if ( pWinStation->pWsx && pWinStation->pWsx->pWsxGetLicense ) {
|
|
Status = pWinStation->pWsx->pWsxGetLicense( pWinStation->pWsxContext,
|
|
pWinStation->hStack,
|
|
pWinStation->LogonId,
|
|
fUserIsAdmin );
|
|
}
|
|
}
|
|
|
|
if ( Status != STATUS_SUCCESS) {
|
|
HANDLE h;
|
|
PWSTR Strings[2];
|
|
|
|
/*
|
|
* Send event to event log
|
|
*/
|
|
h = RegisterEventSource(NULL, gpszServiceName);
|
|
if (h) {
|
|
//
|
|
// Would have used UserName and Domain in this error message,
|
|
// but they aren't set yet.
|
|
//
|
|
Strings[0] = pUserName;
|
|
Strings[1] = pDomain;
|
|
ReportEvent(h, EVENTLOG_WARNING_TYPE, 0, EVENT_NO_LICENSES, NULL, 2, 0, Strings, NULL);
|
|
DeregisterEventSource(h);
|
|
}
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Get a valid copy of the clients token handle
|
|
*/
|
|
Status = NtDuplicateObject( pWinStation->InitialCommandProcess,
|
|
(HANDLE)LongToHandle( UserToken ),
|
|
NtCurrentProcess(),
|
|
&ClientToken,
|
|
0, 0,
|
|
DUPLICATE_SAME_ACCESS |
|
|
DUPLICATE_SAME_ATTRIBUTES );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto baddupobject;
|
|
|
|
/*
|
|
* ClientToken is a primary token - create an impersonation token
|
|
* version of it so we can set it on our thread
|
|
*/
|
|
InitializeObjectAttributes( &ObjA, NULL, 0L, NULL, NULL );
|
|
|
|
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
|
|
SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
|
|
SecurityQualityOfService.EffectiveOnly = FALSE;
|
|
|
|
ObjA.SecurityQualityOfService = &SecurityQualityOfService;
|
|
|
|
|
|
Status = NtDuplicateToken( ClientToken,
|
|
TOKEN_IMPERSONATE,
|
|
&ObjA,
|
|
FALSE,
|
|
TokenImpersonation,
|
|
&ImpersonationToken );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto badduptoken;
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
Status = NtSetInformationThread( NtCurrentThread(),
|
|
ThreadImpersonationToken,
|
|
(PVOID)&ImpersonationToken,
|
|
(ULONG)sizeof(HANDLE) );
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto badimpersonate;
|
|
|
|
//
|
|
// security check
|
|
//
|
|
Status = ApplyWinStaMapping( pWinStation );
|
|
if( !NT_SUCCESS( Status ) )
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationNotifyLogon, ApplyWinStaMapping failed=%x\n", Status ));
|
|
goto noaccess;
|
|
}
|
|
|
|
// There is a race condition between this function and Reconnect - we may reach here when Reconnect is still pending
|
|
// In that case the ActiveConsoleId is -1 and we do access check for a non-admin user - this leads to access check failure
|
|
// Check for this special case and dont call AccessCheck for this Special case
|
|
|
|
fReconnectingToConsole = pWinStation->fReconnectingToConsole;
|
|
|
|
if ( (ClientLogonId == 0) && (USER_SHARED_DATA->ActiveConsoleId == -1) && (pWinStation->fReconnectPending) && (pWinStation->fReconnectingToConsole) ) {
|
|
bNoAccessCheck = TRUE ;
|
|
}
|
|
|
|
if (bNoAccessCheck == FALSE) {
|
|
|
|
if (ClientLogonId != (USER_SHARED_DATA->ActiveConsoleId))
|
|
//
|
|
// Since for PTS the remote session could have an ID of 0 or (1),
|
|
// we check for access only if session is not on console.
|
|
//
|
|
{
|
|
|
|
bAccessCheckOk = AccessCheckAndAuditAlarm(szTermsrv,
|
|
NULL,
|
|
(LPWSTR)szTermsrvSession,
|
|
(LPWSTR)szTermsrvSession,
|
|
WinStationGetSecurityDescriptor(pWinStation),
|
|
WINSTATION_LOGON,
|
|
&WinStaMapping,
|
|
FALSE,
|
|
&GrantedAccess,
|
|
&AccessStatus,
|
|
&fGenerateOnClose);
|
|
|
|
if (bAccessCheckOk)
|
|
{
|
|
if (AccessStatus == FALSE)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationNotifyLogon, AccessCheckAndAuditAlarm(%u) returned error 0x%x\n",
|
|
pWinStation->LogonId, GetLastError() ));
|
|
Status = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
goto noaccess;
|
|
}
|
|
else
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationNotifyLogon, AccessCheckAndAuditAlarm(%u) returned no error \n",
|
|
pWinStation->LogonId));
|
|
}
|
|
}
|
|
else
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationNotifyLogon, AccessCheckAndAuditAlarm(%u) failed 0x%x\n",
|
|
pWinStation->LogonId, GetLastError() ));
|
|
goto noaccess;
|
|
}
|
|
}
|
|
} // if ( !bNoAccessCheck)
|
|
|
|
/*
|
|
* Revert back to our threads default token.
|
|
*/
|
|
NewToken = NULL;
|
|
NtSetInformationThread( NtCurrentThread(),
|
|
ThreadImpersonationToken,
|
|
(PVOID)&NewToken,
|
|
(ULONG)sizeof(HANDLE) );
|
|
|
|
/*
|
|
* See if OpenWinStation was successful
|
|
*/
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR, "TERMSRV: WinStationNotifyLogon, OpenWinStation(%u) failed 0x%x\n",
|
|
pWinStation->LogonId, Status ));
|
|
goto noaccess;
|
|
}
|
|
|
|
/*
|
|
* Save User Name and Domain Name. Do this before the call into the
|
|
* license core so that the core knows who is calling.
|
|
*/
|
|
|
|
wcsncpy( pWinStation->Domain, pDomain, DomainLength );
|
|
wcsncpy( pWinStation->UserName, pUserName, UserNameLength );
|
|
|
|
/*
|
|
* Call into the licensing core.
|
|
*/
|
|
|
|
Status = LCProcessConnectionPostLogon(pWinStation);
|
|
|
|
if (Status != STATUS_SUCCESS)
|
|
{
|
|
goto nolicense;
|
|
}
|
|
|
|
/*
|
|
* note that post logon licensing happened
|
|
*/
|
|
|
|
pWinStation->StateFlags |= WSF_ST_LICENSING;
|
|
|
|
|
|
|
|
if (pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxLogonNotify) {
|
|
if ((ClientLogonId != 0) && (pWinStation->State != State_Connected || pWinStation->StateFlags & WSF_ST_IN_DISCONNECT)) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
} else {
|
|
|
|
PWCHAR pDomainToSend, pUserNameToSend ;
|
|
|
|
// Use the Notification given by GINA (WinStationUpdateClientCachedCredentials) if they are available
|
|
// This is because the credentials got in this call are not UPN names
|
|
if (pWinStation->pNewNotificationCredentials) {
|
|
pDomainToSend = pWinStation->pNewNotificationCredentials->Domain;
|
|
pUserNameToSend = pWinStation->pNewNotificationCredentials->UserName;
|
|
} else {
|
|
pDomainToSend = pDomain;
|
|
pUserNameToSend = pUserName;
|
|
}
|
|
|
|
/*
|
|
* Reset any autoreconnect information prior to reconnection
|
|
* as it is stale. New information will be generated by the stack
|
|
* when login completes.
|
|
*/
|
|
ResetAutoReconnectInfo(pWinStation);
|
|
|
|
Status = pWinStation->pWsx->pWsxLogonNotify(pWinStation->pWsxContext,
|
|
pWinStation->LogonId,
|
|
ClientToken,
|
|
pDomainToSend,
|
|
pUserNameToSend);
|
|
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: pWsxLogonNotify rejected logon status 0x%x\n",Status));
|
|
goto badwsxnotify;
|
|
}
|
|
|
|
/*
|
|
* Determine size needed for token info buffer and allocate it
|
|
*/
|
|
Status = NtQueryInformationToken( ClientToken, TokenUser,
|
|
NULL, 0, &Length );
|
|
if ( Status != STATUS_BUFFER_TOO_SMALL )
|
|
goto badquerytoken;
|
|
TokenInfo = MemAlloc( Length );
|
|
if ( TokenInfo == NULL ) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto badquerytoken;
|
|
}
|
|
|
|
/*
|
|
* Query token information to get user's SID
|
|
*/
|
|
Status = NtQueryInformationToken( ClientToken, TokenUser,
|
|
TokenInfo, Length, &Length );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
MemFree( TokenInfo );
|
|
goto badquerytoken;
|
|
}
|
|
|
|
/*
|
|
* Save copy of user's SID and password in WinStation
|
|
*/
|
|
Length = RtlLengthSid( TokenInfo->User.Sid );
|
|
|
|
if (pWinStation->pUserSid) {
|
|
MemFree(pWinStation->pUserSid);
|
|
}
|
|
// clean up usertoken
|
|
if ( pWinStation->UserToken ) {
|
|
NtClose( pWinStation->UserToken );
|
|
pWinStation->UserToken = NULL;
|
|
}
|
|
|
|
pWinStation->pUserSid = MemAlloc( Length );
|
|
|
|
/* makarp; check for allocation failure. #182624 */
|
|
if (!pWinStation->pUserSid) {
|
|
Status = STATUS_NO_MEMORY;
|
|
goto badusersid;
|
|
}
|
|
|
|
RtlCopySid( Length, pWinStation->pUserSid, TokenInfo->User.Sid );
|
|
MemFree( TokenInfo );
|
|
NtClose( ImpersonationToken );
|
|
|
|
//For console session profile cleanup is done at next
|
|
//logon because the session is never unloaded.
|
|
if (pWinStation->pProfileSid != NULL) {
|
|
ASSERT(pWinStation->LogonId == 0);
|
|
if (pWinStation->LogonId == 0) {
|
|
if (!RtlEqualSid(pWinStation->pProfileSid, pWinStation->pUserSid )) {
|
|
WinstationUnloadProfile(pWinStation);
|
|
}
|
|
}
|
|
MemFree(pWinStation->pProfileSid);
|
|
pWinStation->pProfileSid = NULL;
|
|
}
|
|
|
|
|
|
/*
|
|
* Save copy of Client token in WinStation
|
|
*/
|
|
pWinStation->UserToken = ClientToken;
|
|
|
|
#if 0
|
|
//
|
|
// C2 WARNING - WARNING - WARNING
|
|
//
|
|
// This is no longer done, or needed. See comments in acl.c
|
|
//
|
|
// C2 WARNING - WARNING - WARNING
|
|
//
|
|
RtlCopyMemory( pWinStation->Password, pPassword,
|
|
sizeof(pWinStation->Password) );
|
|
|
|
pWinStation->Seed = Seed;
|
|
#endif
|
|
|
|
/*
|
|
* Fixup the security descriptors for the session
|
|
* so this user has access to their named WIN32
|
|
* object directory's.
|
|
*/
|
|
RetValue = ConfigurePerSessionSecurity( pWinStation );
|
|
if (RetValue != TRUE) {
|
|
// Set WinStation's UserToken to NULL here as the error path closes the ClientToken
|
|
pWinStation->UserToken = NULL;
|
|
goto badduptoken;
|
|
}
|
|
|
|
|
|
/*
|
|
* Add ACE for logged on user to the WinStation object SD
|
|
*/
|
|
Status = AddUserAce( pWinStation );
|
|
if (Status != STATUS_SUCCESS) {
|
|
// Set WinStation's UserToken to NULL here as the error path closes the ClientToken
|
|
pWinStation->UserToken = NULL;
|
|
goto badduptoken;
|
|
}
|
|
|
|
/*
|
|
* Notify clients of WinStation logon
|
|
*/
|
|
NotifySystemEvent( WEVENT_LOGON );
|
|
NotifyLogon(pWinStation);
|
|
|
|
/*
|
|
* State is now active
|
|
*/
|
|
if ( pWinStation->State != (ULONG) State_Active ) {
|
|
|
|
// make sure repopulating thread don't include this winstation
|
|
// in the list reporting to SD and let this thread do its
|
|
// own reporting.
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) {
|
|
SessDirWaitForRepopulate();
|
|
}
|
|
|
|
pWinStation->State = State_Active;
|
|
NotifySystemEvent( WEVENT_STATECHANGE );
|
|
}
|
|
|
|
(VOID) NtQuerySystemTime( &(pWinStation->LogonTime) );
|
|
|
|
// 2nd and 3rd parama are NULL, since we don't yet have policy data.
|
|
// policy data will be aquired when user hive is loaded and winlogin fires
|
|
// a shell-startup notify.
|
|
MergeUserConfigData(pWinStation, NULL, NULL, (PUSERCONFIGW)pUserConfig ) ;
|
|
|
|
/*
|
|
* Save User Name and Domain Name into the USERCONFIG of the WINSTATION
|
|
*/
|
|
wcsncpy( pWinStation->Config.Config.User.UserName, pUserName, UserNameLength );
|
|
wcsncpy( pWinStation->Config.Config.User.Domain, pDomain, DomainLength );
|
|
|
|
/*
|
|
* Convert any "published app" to absolute path. This will also return
|
|
* failure if a non-published app is trying to run on a WinStation that
|
|
* is configured to only run published apps.
|
|
*/
|
|
if ( pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxConvertPublishedApp ) {
|
|
if ((Status = pWinStation->pWsx->pWsxConvertPublishedApp(
|
|
pWinStation->pWsxContext, &pWinStation->Config.Config.User)) !=
|
|
STATUS_SUCCESS)
|
|
goto release;
|
|
}
|
|
|
|
// Now that we have all the WinStation data, notify the session directory.
|
|
// Copy off the pertinent info, which we will send to the directory after
|
|
// we release the WinStation lock.
|
|
wcsncpy(pCreateInfo->UserName, pWinStation->UserName,
|
|
sizeof(pCreateInfo->UserName) / sizeof(WCHAR) - 1);
|
|
wcsncpy(pCreateInfo->Domain, pWinStation->Domain,
|
|
sizeof(pCreateInfo->Domain) / sizeof(WCHAR) - 1);
|
|
pCreateInfo->SessionID = pWinStation->LogonId;
|
|
pCreateInfo->TSProtocol = pWinStation->Client.ProtocolType;
|
|
// If InitialProgram is set on the server side, use it for the Applicationtype
|
|
if (!pWinStation->Config.Config.User.fInheritInitialProgram) {
|
|
wcsncpy(pCreateInfo->ApplicationType, pWinStation->Config.Config.User.InitialProgram,
|
|
sizeof(pCreateInfo->ApplicationType) / sizeof(WCHAR) - 1);
|
|
}
|
|
else {
|
|
wcsncpy(pCreateInfo->ApplicationType, pWinStation->Client.InitialProgram,
|
|
sizeof(pCreateInfo->ApplicationType) / sizeof(WCHAR) - 1);
|
|
}
|
|
pCreateInfo->ResolutionWidth = pWinStation->Client.HRes;
|
|
pCreateInfo->ResolutionHeight = pWinStation->Client.VRes;
|
|
pCreateInfo->ColorDepth = pWinStation->Client.ColorDepth;
|
|
memcpy(&(pCreateInfo->CreateTime), &pWinStation->LogonTime,
|
|
sizeof(pCreateInfo->CreateTime));
|
|
bHaveCreateInfo = TRUE;
|
|
|
|
|
|
if(Status == STATUS_SUCCESS)
|
|
{
|
|
//Set flag saying that WinStationNotifyLogonWorker
|
|
//was successfully completed
|
|
pWinStation->StateFlags |= WSF_ST_LOGON_NOTIFIED;
|
|
}
|
|
|
|
if( TSIsSessionHelpSession(pWinStation, &bValidHelpSession) )
|
|
{
|
|
WINSTATION_APIMSG msg;
|
|
|
|
// we disconnect RA if ticket is invalid at conntion time so assert
|
|
// if we ever come to this.
|
|
ASSERT( TRUE == bValidHelpSession );
|
|
|
|
//
|
|
// Disable IO from Help Session
|
|
//
|
|
WinStationEnableSessionIo( pWinStation, FALSE );
|
|
|
|
msg.ApiNumber = SMWinStationNotify;
|
|
msg.WaitForReply = FALSE;
|
|
msg.u.DoNotify.NotifyEvent = WinStation_Notify_DisableScrnSaver;
|
|
Status = SendWinStationCommand( pWinStation, &msg, 0 );
|
|
|
|
ASSERT( NT_SUCCESS(Status) );
|
|
|
|
// ignore this error, help can still proceed.
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Release the winstation lock
|
|
*/
|
|
release:
|
|
|
|
if (pWinStation != NULL) {
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
}
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
// Now inform the session directory while we're not holding the lock.
|
|
if (!bQueueReset && bHaveCreateInfo && !g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && !bRedirect)
|
|
SessDirNotifyLogon(pCreateInfo);
|
|
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
done:
|
|
// Clear password
|
|
if (0 != PasswordSize)
|
|
SecureZeroMemory(pPassword, PasswordSize);
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyLogon, Status=0x%x\n", Status ));
|
|
|
|
if (pCreateInfo != NULL) {
|
|
MemFree(pCreateInfo);
|
|
pCreateInfo = NULL;
|
|
}
|
|
|
|
// Update the counters for successful logons.
|
|
if (Status == STATUS_SUCCESS) {
|
|
|
|
InterlockedIncrement(&g_TermSrvSuccTotalLogons);
|
|
|
|
if (ClientLogonId == 0) {
|
|
// Connecting to console.
|
|
InterlockedIncrement(&g_TermSrvSuccSession0Logons);
|
|
}
|
|
|
|
if (fReconnectingToConsole) {
|
|
// Reconnecting locally to console.
|
|
InterlockedIncrement(&g_TermSrvSuccLocalLogons);
|
|
}
|
|
else {
|
|
if ( (ClientLogonId == 0) && (USER_SHARED_DATA->ActiveConsoleId == 0) ) {
|
|
// Logging on to console locally (When no one is connected to console).
|
|
InterlockedIncrement(&g_TermSrvSuccLocalLogons);
|
|
}
|
|
else {
|
|
// Connecting remotely. (if ClientLogonId is 0, then connecting remotely to console, else connecting to non-console).
|
|
InterlockedIncrement(&g_TermSrvSuccRemoteLogons);
|
|
}
|
|
}
|
|
}
|
|
|
|
return Status;
|
|
|
|
/*=============================================================================
|
|
== Error returns
|
|
=============================================================================*/
|
|
|
|
/* Could not allocate for pWinStation->pUserSid, makarp #182624 */
|
|
badusersid:
|
|
MemFree( TokenInfo );
|
|
|
|
/*
|
|
* Could not query token info
|
|
* WinStation Open failed (no access)
|
|
* Could not impersonate client token
|
|
* Could not duplicate client token
|
|
*/
|
|
badquerytoken:
|
|
badwsxnotify:
|
|
nolicense:
|
|
noaccess:
|
|
badimpersonate:
|
|
NtClose( ImpersonationToken );
|
|
badduptoken:
|
|
NtClose( ClientToken );
|
|
|
|
/*
|
|
* Could not duplicate client token handle
|
|
*/
|
|
baddupobject:
|
|
#ifdef not_hydrix
|
|
pWinStation->HasLicense = FALSE;
|
|
RtlZeroMemory( pWinStation->ClientLicense,
|
|
sizeof(pWinStation->ClientLicense) );
|
|
#else
|
|
if ( pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxClearContext ) {
|
|
pWinStation->pWsx->pWsxClearContext( pWinStation->pWsxContext );
|
|
}
|
|
#endif
|
|
|
|
if (pWinStation->pNewNotificationCredentials != NULL) {
|
|
MemFree(pWinStation->pNewNotificationCredentials);
|
|
pWinStation->pNewNotificationCredentials = NULL;
|
|
}
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyLogon, Status=0x%x\n", Status ));
|
|
|
|
// Clear password
|
|
if (0 != PasswordSize)
|
|
memset(pPassword, 0, PasswordSize);
|
|
|
|
if (pCreateInfo != NULL) {
|
|
MemFree(pCreateInfo);
|
|
pCreateInfo = NULL;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* WinStationNotifyLogoffWorker
|
|
*
|
|
* Message parameter unmarshalling function for WinStation API.
|
|
****************************************************************************/
|
|
NTSTATUS WinStationNotifyLogoffWorker(
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId)
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
PWINSTATION pWinStation;
|
|
DWORD SessionID = 0;
|
|
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyLogoff, LogonId=%d\n", ClientLogonId ));
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationNotifyLogoff, LogonId=%d\n", ClientLogonId ));
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
//See if WinStation was notified of logon
|
|
if(pWinStation->StateFlags & WSF_ST_LOGON_NOTIFIED)
|
|
{
|
|
//Clear the flag
|
|
pWinStation->StateFlags &= ~WSF_ST_LOGON_NOTIFIED;
|
|
}
|
|
else
|
|
{
|
|
//WinStation was not notified of logon.
|
|
//do nothing; return error. However if postlogon licensing happened, do post logoff licensing.
|
|
|
|
if (pWinStation->StateFlags & WSF_ST_LICENSING) {
|
|
(VOID)LCProcessConnectionLogoff(pWinStation);
|
|
pWinStation->StateFlags &= ~WSF_ST_LICENSING;
|
|
}
|
|
|
|
KdPrint(("TERMSRV: WinStationNotifyLogoff FAILED, WinStation was not notified of logon!\n"));
|
|
ReleaseWinStation( pWinStation );
|
|
Status = STATUS_INVALID_PARAMETER; //probably need some special error code
|
|
goto done;
|
|
}
|
|
|
|
|
|
/*
|
|
* The upper level has verified the client caller
|
|
* is local and has SYSTEM access. So we can trust
|
|
* the parameters passed.
|
|
*/
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pWinStation->InitialCommandProcessId ) {
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Stop the shadow on console if needed.
|
|
*/
|
|
if ( pWinStation->fOwnsConsoleTerminal ) {
|
|
WinStationStopAllShadows( pWinStation );
|
|
}
|
|
|
|
/*
|
|
* Remove ACE for logged on user to the WinStation object SD
|
|
*/
|
|
if (pWinStation->pSecurityDescriptor != NULL) {
|
|
RemoveUserAce( pWinStation );
|
|
}
|
|
|
|
if ( pWinStation->pUserSid ) {
|
|
ASSERT(pWinStation->pProfileSid == NULL);
|
|
pWinStation->pProfileSid = pWinStation->pUserSid;
|
|
pWinStation->pUserSid = NULL;
|
|
}
|
|
|
|
/*
|
|
* Cleanup UserToken
|
|
*/
|
|
if ( pWinStation->UserToken ) {
|
|
NtClose( pWinStation->UserToken );
|
|
pWinStation->UserToken = NULL;
|
|
}
|
|
|
|
/*
|
|
* Indicate this WinStation no longer has a license
|
|
*/
|
|
#ifdef not_hydrix
|
|
pWinStation->HasLicense = FALSE;
|
|
RtlZeroMemory( pWinStation->ClientLicense,
|
|
sizeof(pWinStation->ClientLicense) );
|
|
#else
|
|
if ( pWinStation->pWsx &&
|
|
pWinStation->pWsx->pWsxClearContext ) {
|
|
pWinStation->pWsx->pWsxClearContext( pWinStation->pWsxContext );
|
|
}
|
|
#endif
|
|
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) {
|
|
// TS only reset the Flag not the the winstation state for logoff session
|
|
// so we wait and let repopulating thread has enough time to pick up this
|
|
// winstation/report to SD then this thread can continue to notify SD
|
|
// about logoff
|
|
SessDirWaitForRepopulate();
|
|
}
|
|
|
|
/*
|
|
* do needed data cleanup.
|
|
*/
|
|
|
|
RtlZeroMemory( pWinStation->Domain,
|
|
sizeof( pWinStation->Domain ) );
|
|
RtlZeroMemory( pWinStation->UserName,
|
|
sizeof( pWinStation->UserName ) );
|
|
RtlZeroMemory( &pWinStation->LogonTime,
|
|
sizeof( pWinStation->LogonTime ) );
|
|
|
|
ResetUserConfigData( pWinStation );
|
|
|
|
pWinStation->Config.Config.User.UserName[0] = L'\0';
|
|
pWinStation->Config.Config.User.Domain[0] = L'\0';
|
|
pWinStation->Config.Config.User.Password[0] = L'\0';
|
|
|
|
if ( pWinStation->LogonId == 0 ) {
|
|
|
|
|
|
/*
|
|
* No need to do anything else for console state change.
|
|
*/
|
|
|
|
if ( pWinStation->State != (ULONG) State_Connected &&
|
|
pWinStation->State != (ULONG) State_Disconnected) {
|
|
|
|
pWinStation->State = State_Connected;
|
|
NotifySystemEvent( WEVENT_STATECHANGE );
|
|
}
|
|
|
|
//
|
|
//Set the Console Logon Event
|
|
//
|
|
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: WinStationNotifyLogoff, Setting ConsoleLogoffEvent\n"));
|
|
NtSetEvent(ConsoleLogoffEvent, NULL);
|
|
|
|
/*
|
|
* For non-Console WinStations, mark this WinStation as terminating
|
|
* and set the broken reason and source for later use.
|
|
*/
|
|
} else {
|
|
//pWinStation->Terminating = TRUE;
|
|
pWinStation->BrokenReason = Broken_Terminate;
|
|
pWinStation->BrokenSource = BrokenSource_User;
|
|
|
|
// Save off the session dir for sending to the session directory
|
|
// below.
|
|
SessionID = pWinStation->LogonId;
|
|
}
|
|
|
|
// Clean up the New Client Credentials struct for Long UserName
|
|
|
|
if (pWinStation->pNewClientCredentials != NULL) {
|
|
|
|
MemFree(pWinStation->pNewClientCredentials);
|
|
pWinStation->pNewClientCredentials = NULL;
|
|
}
|
|
|
|
/*
|
|
* Call into licensing core for logoff. Ignore errors.
|
|
*/
|
|
if (pWinStation->StateFlags & WSF_ST_LICENSING) {
|
|
(VOID)LCProcessConnectionLogoff(pWinStation);
|
|
pWinStation->StateFlags &= ~WSF_ST_LICENSING;
|
|
}
|
|
|
|
NotifyLogoff(pWinStation);
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
// Notify the session directory.
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer) {
|
|
SessDirNotifyLogoff(SessionID);
|
|
}
|
|
|
|
/*
|
|
* Notify clients of WinStation logoff
|
|
*/
|
|
NotifySystemEvent(WEVENT_LOGOFF);
|
|
|
|
done:
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyLogoff, Status=0x%x\n", Status ));
|
|
return Status;
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* OldRpcWinStationEnumerateProcesses
|
|
*
|
|
* WinStationEnumerateProcesses API for Beta servers
|
|
*
|
|
* The format changed after Beta. New winsta.dll's were trapping when talking
|
|
* to old hosts.
|
|
****************************************************************************/
|
|
BOOLEAN
|
|
OldRpcWinStationEnumerateProcesses(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PBYTE pProcessBuffer,
|
|
DWORD ByteCount
|
|
)
|
|
{
|
|
return ( RpcWinStationEnumerateProcesses( hServer, pResult, pProcessBuffer, ByteCount ) );
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationCheckForApplicationName
|
|
*
|
|
* Handles published applications.
|
|
*
|
|
* EXIT:
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationCheckForApplicationName(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pPassword,
|
|
DWORD *pPasswordSize,
|
|
DWORD MaxPasswordSize,
|
|
PCHAR pSeed,
|
|
PBOOLEAN pfPublished,
|
|
PBOOLEAN pfAnonymous
|
|
)
|
|
{
|
|
/*
|
|
* This is obsolete and should be removed from the RPC
|
|
*/
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
RpcRaiseException(ERROR_INVALID_FUNCTION);
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationGetApplicationInfo
|
|
*
|
|
* Gets info about published applications.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationGetApplicationInfo(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
PBOOLEAN pfPublished,
|
|
PBOOLEAN pfAnonymous
|
|
)
|
|
{
|
|
/*
|
|
* This is obsolete and should be removed from the RPC code.
|
|
*/
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
RpcRaiseException(ERROR_INVALID_FUNCTION);
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationNtsdDebug
|
|
*
|
|
* Sets up connection for Ntsd to debug processes belonging to another
|
|
* CSR.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationNtsdDebug(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG LogonId,
|
|
LONG ProcessId,
|
|
ULONG DbgProcessId,
|
|
ULONG DbgThreadId,
|
|
DWORD_PTR AttachCompletionRoutine
|
|
)
|
|
{
|
|
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
RpcRaiseException(ERROR_INVALID_FUNCTION);
|
|
return FALSE;
|
|
}
|
|
|
|
/*******************************************************************************
|
|
*
|
|
* RpcWinStationGetTermSrvCountersValue
|
|
*
|
|
* Gets TermSrv Counters value
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationGetTermSrvCountersValue(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD dwEntries,
|
|
PTS_COUNTER pCounter
|
|
)
|
|
{
|
|
UINT i;
|
|
PLIST_ENTRY Head, Next;
|
|
PWINSTATION pWinStation;
|
|
BOOLEAN bWalkedList = FALSE;
|
|
ULONG cActive, cDisconnected;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
|
|
if (pCounter != NULL) {
|
|
for (i = 0; i < dwEntries; i++) {
|
|
// set the TermSrv counter value. Currently, startTime is always
|
|
// set to 0 because we don't support time stamp.
|
|
pCounter[i].startTime.QuadPart = 0;
|
|
|
|
switch (pCounter[i].counterHead.dwCounterID) {
|
|
|
|
case TERMSRV_TOTAL_SESSIONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvTotalSessions;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_DISC_SESSIONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvDiscSessions;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_RECON_SESSIONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvReconSessions;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_CURRENT_ACTIVE_SESSIONS:
|
|
case TERMSRV_CURRENT_DISC_SESSIONS:
|
|
{
|
|
if ( !bWalkedList ) {
|
|
|
|
cActive = cDisconnected = 0;
|
|
|
|
Head = &WinStationListHead;
|
|
ENTERCRIT( &WinStationListLock );
|
|
for ( Next = Head->Flink; Next != Head; Next = Next->Flink ) {
|
|
|
|
pWinStation = CONTAINING_RECORD( Next, WINSTATION, Links );
|
|
|
|
if ( (pWinStation->State == State_Active) ||
|
|
(pWinStation->State == State_Shadow) )
|
|
cActive ++;
|
|
|
|
if ( pWinStation->State == State_Disconnected )
|
|
if ( pWinStation->LogonId != 0 )
|
|
cDisconnected ++;
|
|
else if ( pWinStation->UserName[0] )
|
|
// For session 0, test if a user is logged on.
|
|
cDisconnected ++;
|
|
}
|
|
LEAVECRIT( &WinStationListLock );
|
|
|
|
bWalkedList = TRUE;
|
|
}
|
|
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
|
|
if ( pCounter[i].counterHead.dwCounterID == TERMSRV_CURRENT_ACTIVE_SESSIONS )
|
|
pCounter[i].dwValue = cActive;
|
|
else
|
|
pCounter[i].dwValue = cDisconnected;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_PENDING_SESSIONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = NumOutStandingConnect;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_SUCC_TOTAL_LOGONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvSuccTotalLogons;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_SUCC_LOCAL_LOGONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvSuccLocalLogons;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_SUCC_REMOTE_LOGONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvSuccRemoteLogons;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
case TERMSRV_SUCC_SESSION0_LOGONS:
|
|
{
|
|
pCounter[i].counterHead.bResult = TRUE;
|
|
pCounter[i].dwValue = g_TermSrvSuccSession0Logons;
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
}
|
|
break;
|
|
|
|
default:
|
|
{
|
|
pCounter[i].counterHead.bResult = FALSE;
|
|
pCounter[i].dwValue = 0;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return ( *pResult == STATUS_SUCCESS );
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* RpcServerGetInternetConnectorStatus
|
|
*
|
|
* Returns whether Internet Connector licensing is being used
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and pfEnabled contains the requested data.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is in pResult
|
|
*
|
|
*****************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcServerGetInternetConnectorStatus(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PBOOLEAN pfEnabled
|
|
)
|
|
{
|
|
|
|
#if 0
|
|
if (pResult != NULL)
|
|
{
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
}
|
|
|
|
if (pfEnabled != NULL)
|
|
{
|
|
*pfEnabled = FALSE;
|
|
}
|
|
|
|
return(FALSE);
|
|
#else
|
|
//
|
|
// TEMPORARY FUNCTION! THIS WILL GET NUKED ONCE THE LCRPC
|
|
// INTERFACE IS UP AND RUNNING AND TSCC CHANGES HAVE BEEN
|
|
// MADE!
|
|
//
|
|
|
|
if (pResult == NULL)
|
|
{
|
|
return(FALSE);
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
if (pfEnabled == NULL)
|
|
{
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return(FALSE);
|
|
}
|
|
|
|
*pfEnabled = (LCGetPolicy() == (ULONG)3);
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
return(TRUE);
|
|
#endif
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* RpcServerSetInternetConnectorStatus
|
|
*
|
|
* This function will (if fEnabled has changed from its previous setting):
|
|
* Check that the caller has administrative privileges,
|
|
* Modify the corresponding value in the registry,
|
|
* Change licensing mode (between normal per-seat and Internet Connector.
|
|
* Enable/Disable the TsInternetUser account appropriately
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The operation succeeded.
|
|
*
|
|
* FALSE -- The operation failed. Extended error status is in pResult
|
|
*
|
|
******************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcServerSetInternetConnectorStatus(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
BOOLEAN fEnabled
|
|
)
|
|
{
|
|
|
|
|
|
#if 0
|
|
if (pResult != NULL)
|
|
{
|
|
*pResult = STATUS_NOT_IMPLEMENTED;
|
|
}
|
|
|
|
return(FALSE);
|
|
#else
|
|
//
|
|
// TEMPORARY FUNCTION! THIS WILL GET NUKED ONCE THE LCRPC
|
|
// INTERFACE IS UP AND RUNNING AND TSCC CHANGES HAVE BEEN
|
|
// MADE!
|
|
//
|
|
|
|
NTSTATUS NewStatus;
|
|
RPC_STATUS RpcStatus;
|
|
|
|
if (pResult == NULL)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
if (!IsCallerAdmin())
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_PRIVILEGE_NOT_HELD;
|
|
return FALSE;
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
*pResult = LCSetPolicy(fEnabled ? 3 : 2, &NewStatus);
|
|
|
|
if ((*pResult == STATUS_SUCCESS) && (NewStatus == STATUS_SUCCESS))
|
|
{
|
|
return(TRUE);
|
|
}
|
|
|
|
//
|
|
// If there was an error, it was either in the core or the new policy.
|
|
// If its in the core, NewStatus will be success. If its in the new
|
|
// policy, *pResult will be unsuccessful, and the real error will be in
|
|
// NewStatus. Return the real error.
|
|
//
|
|
|
|
if (NewStatus != STATUS_SUCCESS)
|
|
{
|
|
*pResult = NewStatus;
|
|
}
|
|
|
|
return(FALSE);
|
|
#endif
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* RpcServerQueryInetConnectorInformation
|
|
*
|
|
* Queries configuration information about a Internet Connector licensing.
|
|
*
|
|
* ENTRY:
|
|
*
|
|
* pWinStationInformation (output)
|
|
* A pointer to a buffer that will receive information about the
|
|
* specified window station. The format and contents of the buffer
|
|
* depend on the specified information class being queried.
|
|
*
|
|
* WinStationInformationLength (input)
|
|
* Specifies the length in bytes of the window station information
|
|
* buffer.
|
|
*
|
|
* pReturnLength (output)
|
|
* An optional parameter that if specified, receives the number of
|
|
* bytes placed in the window station information buffer.
|
|
*
|
|
* EXIT:
|
|
*
|
|
* TRUE -- The query succeeded, and the buffer contains the requested data.
|
|
*
|
|
* False -- The operation failed or Internet Connector licensing isn't
|
|
* turned on. Extended error status is in pResult
|
|
*
|
|
*****************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcServerQueryInetConnectorInformation(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PCHAR pWinStationInformation,
|
|
DWORD WinStationInformationLength,
|
|
DWORD *pReturnLength
|
|
)
|
|
{
|
|
// doesn't return
|
|
RpcRaiseException(RPC_S_CANNOT_SUPPORT);
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
/******************************************************************************
|
|
*
|
|
* RpcWinStationQueryLogonCredentials
|
|
*
|
|
* Queries autologon credentials for use in Winlogon/GINA.
|
|
*
|
|
*****************************************************************************/
|
|
|
|
BOOLEAN
|
|
RpcWinStationQueryLogonCredentials(
|
|
HANDLE hServer,
|
|
ULONG LogonId,
|
|
PCHAR *ppWire,
|
|
PULONG pcbWire
|
|
)
|
|
{
|
|
BOOL fRet;
|
|
BOOL fUseLcCredentials;
|
|
LCCREDENTIALS LcCredentials;
|
|
NTSTATUS Status;
|
|
PWINSTATION pWinStation;
|
|
RPC_STATUS RpcStatus;
|
|
WLX_CLIENT_CREDENTIALS_INFO_V2_0 WlxCredentials;
|
|
BOOL fHelpAssistant = FALSE;
|
|
BOOL bValidHelpSession;
|
|
|
|
pExtendedClientCredentials pHelpAssistantCredential = NULL;
|
|
|
|
if(!hServer)
|
|
{
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Impersonate client.
|
|
//
|
|
|
|
RpcStatus = RpcImpersonateClient(NULL);
|
|
|
|
if (RpcStatus != RPC_S_OK)
|
|
{
|
|
return(FALSE);
|
|
}
|
|
|
|
//
|
|
// Check for administration privileges.
|
|
//
|
|
|
|
if (!IsCallerSystem())
|
|
{
|
|
RpcRevertToSelf();
|
|
return(FALSE);
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
pWinStation = FindWinStationById(LogonId, FALSE);
|
|
|
|
if (pWinStation == NULL)
|
|
{
|
|
return(FALSE);
|
|
}
|
|
|
|
pHelpAssistantCredential = MemAlloc(sizeof(ExtendedClientCredentials));
|
|
if (pHelpAssistantCredential == NULL) {
|
|
ReleaseWinStation(pWinStation);
|
|
return FALSE;
|
|
}
|
|
|
|
ZeroMemory(&WlxCredentials, sizeof(WLX_CLIENT_CREDENTIALS_INFO_V2_0));
|
|
WlxCredentials.dwType = WLX_CREDENTIAL_TYPE_V2_0;
|
|
|
|
if( TSIsSessionHelpSession( pWinStation, &bValidHelpSession ) )
|
|
{
|
|
//
|
|
// We should not hit this since we will disconnect at winstation transfer time
|
|
//
|
|
ASSERT( TRUE == bValidHelpSession );
|
|
|
|
Status = TSHelpAssistantQueryLogonCredentials(pHelpAssistantCredential);
|
|
if( STATUS_SUCCESS == Status )
|
|
{
|
|
WlxCredentials.fDisconnectOnLogonFailure = TRUE;
|
|
WlxCredentials.fPromptForPassword = FALSE;
|
|
WlxCredentials.pszUserName = pHelpAssistantCredential->UserName;
|
|
WlxCredentials.pszDomain = pHelpAssistantCredential->Domain;
|
|
WlxCredentials.pszPassword = pHelpAssistantCredential->Password;
|
|
|
|
fUseLcCredentials = FALSE;
|
|
|
|
fHelpAssistant = TRUE;
|
|
}
|
|
}
|
|
|
|
if( FALSE == fHelpAssistant )
|
|
{
|
|
//
|
|
// Not Help Assistant, use whatever send in from client.
|
|
//
|
|
ZeroMemory(&LcCredentials, sizeof(LCCREDENTIALS));
|
|
|
|
Status = LCProvideAutoLogonCredentials(
|
|
pWinStation,
|
|
&fUseLcCredentials,
|
|
&LcCredentials
|
|
);
|
|
|
|
|
|
if (Status == STATUS_SUCCESS)
|
|
{
|
|
if (fUseLcCredentials)
|
|
{
|
|
WlxCredentials.fDisconnectOnLogonFailure = TRUE;
|
|
WlxCredentials.fPromptForPassword = FALSE;
|
|
WlxCredentials.pszUserName = LcCredentials.pUserName;
|
|
WlxCredentials.pszDomain = LcCredentials.pDomain;
|
|
WlxCredentials.pszPassword = LcCredentials.pPassword;
|
|
}
|
|
else
|
|
{
|
|
WlxCredentials.fDisconnectOnLogonFailure = FALSE;
|
|
WlxCredentials.fPromptForPassword = pWinStation->Config.Config.User.fPromptForPassword;
|
|
|
|
// If it's an app server, check if it's a SD redirected connection
|
|
// If yes, ignore fPromptForPassword setting and allow auto-logon
|
|
// Note: Only do it if SD is enabled, i.e. GetTSSD() returns a valide value
|
|
if (!g_bPersonalTS && g_fAppCompat && g_bAdvancedServer && GetTSSD()) {
|
|
TS_LOAD_BALANCE_INFO LBInfo;
|
|
ULONG ReturnLength;
|
|
|
|
// need to release it
|
|
ReleaseTSSD();
|
|
|
|
memset(&LBInfo, 0, sizeof(LBInfo));
|
|
Status = IcaStackIoControl(pWinStation->hStack,
|
|
IOCTL_TS_STACK_QUERY_LOAD_BALANCE_INFO,
|
|
NULL, 0,
|
|
&LBInfo, sizeof(LBInfo),
|
|
&ReturnLength);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
if (LBInfo.RequestedSessionID &&
|
|
(LBInfo.ClientRedirectionVersion >= TS_CLUSTER_REDIRECTION_VERSION3)) {
|
|
WlxCredentials.fPromptForPassword = FALSE;
|
|
|
|
if (LBInfo.bUseSmartcardLogon) {
|
|
pWinStation->fSDRedirectedSmartCardLogon = TRUE;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Check if we have to use New Credentials for long UserName and copy accordingly
|
|
if (pWinStation->pNewClientCredentials != NULL) {
|
|
WlxCredentials.pszUserName = pWinStation->pNewClientCredentials->UserName;
|
|
WlxCredentials.pszDomain = pWinStation->pNewClientCredentials->Domain;
|
|
WlxCredentials.pszPassword = pWinStation->pNewClientCredentials->Password;
|
|
} else {
|
|
WlxCredentials.pszUserName = pWinStation->Config.Config.User.UserName ;
|
|
WlxCredentials.pszDomain = pWinStation->Config.Config.User.Domain ;
|
|
WlxCredentials.pszPassword = pWinStation->Config.Config.User.Password ;
|
|
}
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
fRet = FALSE;
|
|
goto exit;
|
|
}
|
|
}
|
|
|
|
ASSERT(WlxCredentials.pszUserName != NULL);
|
|
ASSERT(WlxCredentials.pszDomain != NULL);
|
|
ASSERT(WlxCredentials.pszPassword != NULL);
|
|
|
|
*pcbWire = AllocateAndCopyCredToWire((PWLXCLIENTCREDWIREW*)ppWire, &WlxCredentials);
|
|
|
|
fRet = *pcbWire > 0;
|
|
|
|
//
|
|
// The values in LcCredentials are LocalAlloc-ed by the core.
|
|
//
|
|
|
|
if (fUseLcCredentials)
|
|
{
|
|
if (LcCredentials.pUserName != NULL)
|
|
{
|
|
LocalFree(LcCredentials.pUserName);
|
|
}
|
|
|
|
if (LcCredentials.pDomain != NULL)
|
|
{
|
|
LocalFree(LcCredentials.pDomain);
|
|
}
|
|
|
|
if (LcCredentials.pPassword != NULL)
|
|
{
|
|
//This code is never executed, but once it does we should call the below function.
|
|
//RtlSecureZeroMemory(LcCredentials.pPassword,
|
|
//lstrlenW(LcCredentials.pPassword)*sizeof(WCHAR));
|
|
LocalFree(LcCredentials.pPassword);
|
|
}
|
|
}
|
|
|
|
if( TRUE == fHelpAssistant )
|
|
{
|
|
// Zero out memory that contains password
|
|
RtlSecureZeroMemory( pHelpAssistantCredential, sizeof(ExtendedClientCredentials));
|
|
}
|
|
|
|
exit:
|
|
ReleaseWinStation(pWinStation);
|
|
|
|
if (pHelpAssistantCredential != NULL) {
|
|
MemFree(pHelpAssistantCredential);
|
|
pHelpAssistantCredential = NULL;
|
|
}
|
|
|
|
|
|
return((BOOLEAN)fRet);
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* RPcWinStationBroadcastSystemMessage
|
|
* This is the server side for cleint's WinStationBroadcastSystemMessage
|
|
*
|
|
* Perform the the equivalent to BroadcastSystemMessage to each specified sessions
|
|
*
|
|
* Limittations:
|
|
* Caller must be system or Admin, and lparam can not be zero unless
|
|
* msg is WM_DEVICECHANGE
|
|
* Error checking is done on the clinet side (winsta\client\winsta.c)
|
|
*
|
|
* ENTRY:
|
|
* hServer
|
|
* this is a handle which identifies a Hydra server. For the local server, hServer
|
|
* should be set to SERVERNAME_CURRENT
|
|
* sessionID
|
|
* this idefntifies the hydra session to which message is being sent
|
|
* timeOut
|
|
* set this to the amount of time you are willing to wait to get a response
|
|
* from the specified winstation. Even though Window's SendMessage API
|
|
* is blocking, the call from this side MUST choose how long it is willing to
|
|
* wait for a response.
|
|
* dwFlags
|
|
* Option flags. Can be a combination of the following values: Value Meaning
|
|
* BSF_ALLOWSFW Windows NT 5.0 and later: Enables the recipient to set the foreground window while
|
|
* processing the message.
|
|
* BSF_FLUSHDISK Flush the disk after each recipient processes the message.
|
|
* BSF_FORCEIFHUNG Continue to broadcast the message, even if the time-out period elapses or one of
|
|
* the recipients is hung..
|
|
* BSF_IGNORECURRENTTASK Do not send the message to windows that belong to the current task.
|
|
* This prevents an application from receiving its own message.
|
|
* BSF_NOHANG Force a hung application to time out. If one of the recipients times out, do not continue
|
|
* broadcasting the message.
|
|
* BSF_NOTIMEOUTIFNOTHUNG Wait for a response to the message, as long as the recipient is not hung.
|
|
* Do not time out.
|
|
* ***
|
|
* *** DO NOT USE *** BSF_POSTMESSAGE Post the message. Do not use in combination with BSF_QUERY.
|
|
* ***
|
|
* BSF_QUERY Send the message to one recipient at a time, sending to a subsequent recipient only if the
|
|
* current recipient returns TRUE.
|
|
* lpdwRecipients
|
|
* Pointer to a variable that contains and receives information about the recipients of the message. The variable can be a combination of the following values: Value Meaning
|
|
* BSM_ALLCOMPONENTS Broadcast to all system components.
|
|
* BSM_ALLDESKTOPS Windows NT: Broadcast to all desktops. Requires the SE_TCB_NAME privilege.
|
|
* BSM_APPLICATIONS Broadcast to applications.
|
|
* BSM_INSTALLABLEDRIVERS Windows 95 and Windows 98: Broadcast to installable drivers.
|
|
* BSM_NETDRIVER Windows 95 and Windows 98: Broadcast to network drivers.
|
|
* BSM_VXDS Windows 95 and Windows 98: Broadcast to all system-level device drivers.
|
|
* When the function returns, this variable receives a combination of these values identifying which recipients actually received the message.
|
|
* If this parameter is NULL, the function broadcasts to all components.
|
|
* uiMessage
|
|
* the window's message to send
|
|
* wParam
|
|
* first message param
|
|
* lParam
|
|
* second message parameter
|
|
*
|
|
* pResponse
|
|
* This is the response to the broadcasted message
|
|
* If the function succeeds, the value is a positive value.
|
|
* If the function is unable to broadcast the message, the value is ?1.
|
|
* If the dwFlags parameter is BSF_QUERY and at least one recipient returned
|
|
* BROADCAST_QUERY_DENY to the corresponding message, the return value is zero
|
|
*
|
|
* EXIT:
|
|
* TRUE if all went well or
|
|
* FALSE if something went wrong.
|
|
*
|
|
* WARNING:
|
|
* Do not use flag BSF_POSTMESSAGE, since an app/window on a winstation is not setup to send back
|
|
* a response to the query in an asynchronous fashion. You must wait for the response (until the time out period).
|
|
*
|
|
* Comments:
|
|
* For more info, please see MSDN for BroadcastSystemMessage()
|
|
*
|
|
****************************************************************************/
|
|
LONG RpcWinStationBroadcastSystemMessage(
|
|
HANDLE hServer,
|
|
ULONG sessionID,
|
|
ULONG waitTime,
|
|
DWORD dwFlags,
|
|
DWORD *lpdwRecipients,
|
|
ULONG uiMessage,
|
|
WPARAM wParam,
|
|
LPARAM lParam,
|
|
PBYTE rpcBuffer,
|
|
ULONG bufferSize,
|
|
BOOLEAN fBufferHasValidData,
|
|
LONG *pResponse
|
|
)
|
|
{
|
|
// Broadcast system message to all winstations.
|
|
|
|
PWINSTATION pWinStation=NULL;
|
|
WINSTATION_APIMSG WMsg;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
NTSTATUS Status;
|
|
LONG rc;
|
|
int i;
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
if(!hServer)
|
|
{
|
|
return( FALSE );
|
|
}
|
|
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "in RpcWinStationBroadcastSystemMessage()\n"));
|
|
|
|
//
|
|
//
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
SetLastError(ERROR_CANNOT_IMPERSONATE );
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
SetLastError(ERROR_ACCESS_DENIED);
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " Not a local client call\n"));
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
// if the caller is system or admin, then let it thru, else, return
|
|
if( !(IsCallerSystem() | IsCallerAdmin() ) )
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " Caller must be system or admin \n"));
|
|
SetLastError(ERROR_ACCESS_DENIED);
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// if we got this far, then client is admin or system
|
|
//
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
|
|
/*
|
|
* Marshall in the [in] parameters
|
|
*
|
|
*/
|
|
|
|
WMsg.WaitForReply=TRUE;
|
|
WMsg.u.bMsg.dwFlags = dwFlags;
|
|
WMsg.u.bMsg.dwRecipients= *lpdwRecipients; //note that we are passing the value, and we will get a new value back
|
|
WMsg.u.bMsg.uiMessage = uiMessage;
|
|
WMsg.u.bMsg.wParam = wParam;
|
|
WMsg.u.bMsg.lParam = lParam;
|
|
WMsg.u.bMsg.dataBuffer = NULL;
|
|
WMsg.u.bMsg.bufferSize = 0;
|
|
WMsg.u.bMsg.Response = *pResponse;
|
|
|
|
WMsg.ApiNumber = SMWinStationBroadcastSystemMessage ;
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "in RpcWinStationBroadcastSystemMessage() for sessionID = %d \n", sessionID ));
|
|
pWinStation = FindWinStationById( sessionID, FALSE );
|
|
|
|
if ( pWinStation == NULL )
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "Winstation not found \n"));
|
|
return( FALSE );
|
|
}
|
|
|
|
if ( pWinStation->Flags & WSF_LISTEN )
|
|
{
|
|
// this is a "listen" winstation, not an interactive one, so return an empty response.
|
|
*pResponse = 0;
|
|
ReleaseWinStation( pWinStation );
|
|
return( TRUE );
|
|
}
|
|
|
|
if ( !((pWinStation->State == State_Active) ||
|
|
(pWinStation->State == State_Disconnected) ) )
|
|
{
|
|
// This is something that winsta.C checks for, but it's possibele that from the time it
|
|
// took to get here, a winstation was logged out from.
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\t request aborted, winstation State should be Active or Disconnected, neither in this case. \n"));
|
|
*pResponse = 0;
|
|
ReleaseWinStation( pWinStation );
|
|
return( TRUE );
|
|
}
|
|
|
|
// if we have valid data, then set the msg dataBuffer to point to it
|
|
if ( fBufferHasValidData )
|
|
{
|
|
WMsg.u.bMsg.dataBuffer = rpcBuffer;
|
|
WMsg.u.bMsg.bufferSize = bufferSize;
|
|
}
|
|
|
|
/*
|
|
* send message to winstation
|
|
*/
|
|
rc = SendWinStationCommand( pWinStation, &WMsg, waitTime );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
if ( NT_SUCCESS( rc ) )
|
|
{
|
|
*pResponse = WMsg.u.bMsg.Response;
|
|
*lpdwRecipients = WMsg.u.bMsg.dwRecipients;
|
|
return (TRUE);
|
|
}
|
|
else
|
|
return ( FALSE );
|
|
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
*
|
|
* RpcWinStationSendWindowMessage
|
|
*
|
|
* Perform the the equivalent to SendMessage to a specific winstation as
|
|
* identified by the session ID. This is an exported function, at least used
|
|
* by the PNP manager to send a device change message (or any other window's message)
|
|
*
|
|
* Limitations:
|
|
* Caller must be system or Admin, and lparam can not be zero unless
|
|
* msg is WM_DEVICECHANGE
|
|
* Error checking is done on the clinet side (winsta\client\winsta.c)
|
|
*
|
|
* ENTRY:
|
|
* hServer
|
|
* this is a handle which identifies a Hydra server. For the local server, hServer
|
|
* should be set to SERVERNAME_CURRENT
|
|
* sessionID
|
|
* this idefntifies the hydra session to which message is being sent
|
|
* timeOut
|
|
* set this to the amount of time you are willing to wait to get a response
|
|
* from the specified winstation. Even though Window's SendMessage API
|
|
* is blocking, the call from this side MUST choose how long it is willing to
|
|
* wait for a response.
|
|
* hWnd
|
|
* This is the HWND of the target window in the specified session that
|
|
* a message will be sent to.
|
|
* Msg
|
|
* the window's message to send
|
|
* wParam
|
|
* first message param
|
|
* lParam
|
|
* second message parameter
|
|
* pResponse
|
|
* this is the response to the message sent, it depends on the type of message sent, see MSDN
|
|
*
|
|
*
|
|
* EXIT:
|
|
* TRUE if all went well , check presponse for the actual response to the send message
|
|
* FALSE if something went wrong, the value of pResponse is not altered.
|
|
*
|
|
* WARNINGs:
|
|
* since the RPC call never blocks, you need to specify a reasonable timeOut if you want to wait for
|
|
* a response. Please remember that since this message is being sent to all winstations, the timeOut value
|
|
* will be on per-winstation.
|
|
*
|
|
*
|
|
* Comments:
|
|
* For more info, please see MSDN for SendMessage()
|
|
*
|
|
****************************************************************************/
|
|
LONG
|
|
RpcWinStationSendWindowMessage(
|
|
HANDLE hServer,
|
|
ULONG sessionID,
|
|
ULONG waitTime,
|
|
ULONG hWnd, // handle of destination window
|
|
ULONG Msg, // message to send
|
|
WPARAM wParam, // first message parameter
|
|
LPARAM lParam, // second message parameter
|
|
PBYTE rpcBuffer,
|
|
ULONG bufferSize,
|
|
BOOLEAN fBufferHasValidData,
|
|
LONG *pResponse // reply to the message sent
|
|
)
|
|
{
|
|
PWINSTATION pWinStation=NULL;
|
|
WINSTATION_APIMSG WMsg;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
NTSTATUS Status;
|
|
LONG rc;
|
|
int i;
|
|
PVOID pData;
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
if(!hServer)
|
|
{
|
|
return( FALSE );
|
|
}
|
|
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "in RpcWinStationSendWindowMessage()\n"));
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\tNot impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
SetLastError(ERROR_CANNOT_IMPERSONATE );
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\tI_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
SetLastError(ERROR_ACCESS_DENIED);
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\tNot a local client call\n"));
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
// if the caller is system or admin, then let it thru, else, return
|
|
if( !(IsCallerSystem() | IsCallerAdmin() ) )
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\tCaller must be system or admin \n"));
|
|
SetLastError(ERROR_ACCESS_DENIED);
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// if we got this far, then client is admin or system
|
|
//
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
|
|
/*
|
|
* Marshall in the [in] parameters
|
|
*
|
|
*/
|
|
|
|
WMsg.WaitForReply=TRUE;
|
|
WMsg.u.sMsg.hWnd = (HWND)LongToHandle( hWnd );
|
|
WMsg.u.sMsg.Msg = Msg;
|
|
WMsg.u.sMsg.wParam = wParam;
|
|
WMsg.u.sMsg.lParam = lParam;
|
|
WMsg.u.sMsg.dataBuffer = NULL;
|
|
WMsg.u.sMsg.bufferSize = 0;
|
|
WMsg.u.sMsg.Response = *pResponse;
|
|
|
|
WMsg.ApiNumber = SMWinStationSendWindowMessage ;
|
|
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "in RpcWinStationSendWindowMessage() for essionID = %d \n", sessionID ));
|
|
pWinStation = FindWinStationById( sessionID, FALSE );
|
|
|
|
if ( pWinStation == NULL )
|
|
{
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "Winstation not found \n"));
|
|
return( FALSE );
|
|
}
|
|
|
|
if ( pWinStation->Flags & WSF_LISTEN )
|
|
{
|
|
// this is a "listen" winstation, not an interactive one
|
|
ReleaseWinStation( pWinStation );
|
|
return( FALSE ); // this is normal situation, not an error, but no caller of this func should send a message to this w/s
|
|
}
|
|
|
|
if ( !((pWinStation->State == State_Active) ||
|
|
(pWinStation->State == State_Disconnected) ) )
|
|
{
|
|
// This is something that winsta.C checks for, but it's possibele that from the time it
|
|
// took to get here, a winstation was logged out from.
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "\t request aborted, winstation State should be Active or Disconnected, neither in this case. \n"));
|
|
*pResponse = 0;
|
|
ReleaseWinStation( pWinStation );
|
|
return( TRUE );
|
|
}
|
|
|
|
// if we have valid data, then set the msg dataBuffer to point to it
|
|
if ( fBufferHasValidData )
|
|
{
|
|
WMsg.u.sMsg.dataBuffer = rpcBuffer;
|
|
WMsg.u.sMsg.bufferSize = bufferSize;
|
|
|
|
}
|
|
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " dataBuffer = 0x%lx \n", WMsg.u.sMsg.dataBuffer ));
|
|
// KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, " bufferSize = %d \n", WMsg.u.sMsg.bufferSize ));
|
|
|
|
/*
|
|
* send message to winstation
|
|
*/
|
|
rc = SendWinStationCommand( pWinStation, &WMsg, waitTime );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
if ( NT_SUCCESS( rc ) )
|
|
{
|
|
*pResponse = WMsg.u.sMsg.Response;
|
|
return (TRUE);
|
|
}
|
|
else
|
|
return ( FALSE );
|
|
}
|
|
|
|
NTSTATUS
|
|
IsZeroterminateStringA(
|
|
PBYTE pString,
|
|
DWORD dwLength
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
|
|
|
|
if ( (pString == NULL) || (memchr(pString, '\0', dwLength) == NULL)) {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
}
|
|
return Status;
|
|
|
|
}
|
|
|
|
NTSTATUS
|
|
IsZeroterminateStringW(
|
|
PWCHAR pwString,
|
|
DWORD dwLength
|
|
)
|
|
{
|
|
|
|
|
|
if (pwString == NULL) {
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
for (; 0 < dwLength; ++pwString, --dwLength ) {
|
|
if (*pwString == (WCHAR)0) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
}
|
|
return STATUS_INVALID_PARAMETER;
|
|
|
|
|
|
}
|
|
|
|
|
|
/*****************************************************************************
|
|
* GetTextualSid()
|
|
* given a sid, return the text of that sid
|
|
*
|
|
* Params:
|
|
* [in] user sid binary
|
|
* [out] text of user sid stuffed in the buffer which was passed in by the caller
|
|
* [in] the size of buffer passed in.
|
|
*
|
|
* Return:
|
|
* TRUE if no errors.
|
|
*
|
|
******************************************************************************/
|
|
BOOL
|
|
GetTextualSid(
|
|
PSID pSid, // binary Sid
|
|
LPTSTR TextualSid, // buffer for Textual representaion of Sid
|
|
LPDWORD cchSidSize // required/provided TextualSid buffersize
|
|
)
|
|
{
|
|
PSID_IDENTIFIER_AUTHORITY psia;
|
|
DWORD dwSubAuthorities;
|
|
DWORD dwCounter;
|
|
DWORD cchSidCopy;
|
|
|
|
//
|
|
// test if Sid passed in is valid
|
|
//
|
|
if(!IsValidSid(pSid)) return FALSE;
|
|
|
|
// obtain SidIdentifierAuthority
|
|
psia = GetSidIdentifierAuthority(pSid);
|
|
|
|
// obtain sidsubauthority count
|
|
dwSubAuthorities = *GetSidSubAuthorityCount(pSid);
|
|
|
|
//
|
|
// compute approximate buffer length
|
|
// S-SID_REVISION- + identifierauthority- + subauthorities- + NULL
|
|
//
|
|
cchSidCopy = (15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR);
|
|
|
|
//
|
|
// check provided buffer length.
|
|
// If not large enough, indicate proper size and setlasterror
|
|
//
|
|
if(*cchSidSize < cchSidCopy) {
|
|
*cchSidSize = cchSidCopy;
|
|
SetLastError(ERROR_INSUFFICIENT_BUFFER);
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// prepare S-SID_REVISION-
|
|
//
|
|
cchSidCopy = wsprintf(TextualSid, TEXT("S-%lu-"), SID_REVISION );
|
|
|
|
//
|
|
// prepare SidIdentifierAuthority
|
|
//
|
|
if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) ) {
|
|
cchSidCopy += wsprintf(TextualSid + cchSidCopy,
|
|
TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"),
|
|
(USHORT)psia->Value[0],
|
|
(USHORT)psia->Value[1],
|
|
(USHORT)psia->Value[2],
|
|
(USHORT)psia->Value[3],
|
|
(USHORT)psia->Value[4],
|
|
(USHORT)psia->Value[5]);
|
|
} else {
|
|
cchSidCopy += wsprintf(TextualSid + cchSidCopy,
|
|
TEXT("%lu"),
|
|
(ULONG)(psia->Value[5] ) +
|
|
(ULONG)(psia->Value[4] << 8) +
|
|
(ULONG)(psia->Value[3] << 16) +
|
|
(ULONG)(psia->Value[2] << 24) );
|
|
}
|
|
|
|
//
|
|
// loop through SidSubAuthorities
|
|
//
|
|
for(dwCounter = 0 ; dwCounter < dwSubAuthorities ; dwCounter++) {
|
|
cchSidCopy += wsprintf(TextualSid + cchSidCopy, TEXT("-%lu"),
|
|
*GetSidSubAuthority(pSid, dwCounter) );
|
|
}
|
|
|
|
//
|
|
// tell the caller how many chars we provided, not including NULL
|
|
//
|
|
*cchSidSize = cchSidCopy;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationUpdateUserConfig()
|
|
* Called by notify when winlogon tells notify that shell startup is about to happen
|
|
* We open the user profile and get the policy data, and then override any data found
|
|
* in user's sessions's USERCONFIGW
|
|
*
|
|
* Params:
|
|
* [in] hServer,
|
|
* [in] ClientLogonId,
|
|
* [in] ClientProcessId,
|
|
* [in] UserToken,
|
|
* [in] pDomain,
|
|
* [in] DomainSize,
|
|
* [in] pUserName,
|
|
* [in] UserNameSize,
|
|
* [out] *pResult
|
|
*
|
|
* Return:
|
|
* TRUE if no errors, FALSE otherwise, see pResult for the NTSTATUS of the error
|
|
*
|
|
*
|
|
*
|
|
* *****************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationUpdateUserConfig(
|
|
HANDLE hServer,
|
|
DWORD ClientLogonId,
|
|
DWORD ClientProcessId,
|
|
DWORD UserToken,
|
|
DWORD *pResult
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
ULONG Length;
|
|
DWORD rc = ERROR_SUCCESS;
|
|
ULONG Error;
|
|
USERCONFIGW *pTmpUserConfig;
|
|
POLICY_TS_USER userPolicy;
|
|
USERCONFIGW userPolicyData;
|
|
HANDLE NewToken;
|
|
|
|
PWINSTATION pWinStation;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
|
|
PTOKEN_USER pTokenInfo = NULL;
|
|
HANDLE hClientToken=NULL;
|
|
|
|
// @@@ make these dynamic later
|
|
TCHAR szSidText [MAX_PATH ];
|
|
DWORD sidTextSize = MAX_PATH;
|
|
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult=0;
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationUpdateUserConfig, LogonId=%d\n", ClientLogonId ));
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL )
|
|
{
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Get a valid copy of the clients token handle
|
|
*/
|
|
Status = NtDuplicateObject( pWinStation->InitialCommandProcess,
|
|
(HANDLE)LongToHandle( UserToken ),
|
|
NtCurrentProcess(),
|
|
&hClientToken,
|
|
0, 0,
|
|
DUPLICATE_SAME_ACCESS |
|
|
DUPLICATE_SAME_ATTRIBUTES );
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
goto done;
|
|
|
|
/*
|
|
* Determine size needed for token info buffer and allocate it
|
|
*/
|
|
Status = NtQueryInformationToken ( hClientToken, TokenUser,
|
|
NULL, 0, &Length );
|
|
|
|
if ( Status != STATUS_BUFFER_TOO_SMALL )
|
|
{
|
|
goto done;
|
|
}
|
|
|
|
pTokenInfo = MemAlloc( Length );
|
|
if ( pTokenInfo == NULL )
|
|
{
|
|
Status = STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Query token information to get client user's SID
|
|
*/
|
|
Status = NtQueryInformationToken ( hClientToken, TokenUser,
|
|
pTokenInfo, Length, &Length );
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
|
|
if ( GetTextualSid( pTokenInfo->User.Sid , szSidText, &sidTextSize ) )
|
|
{
|
|
|
|
// We now have the user SID
|
|
|
|
/*
|
|
* Get User policy from HKCU
|
|
*/
|
|
if ( RegGetUserPolicy( szSidText, &userPolicy, & userPolicyData ) )
|
|
{
|
|
// 4th param is NULL, since config data is already part of pWinstation
|
|
// due to the call into NotifyLogonWorker from Winlogon. We are now
|
|
// going to override data by any/all user group policy data.
|
|
MergeUserConfigData( pWinStation, &userPolicy, &userPolicyData, NULL );
|
|
}
|
|
// else we were not able to get user policy, so no merge was done.
|
|
|
|
}
|
|
}
|
|
|
|
done:
|
|
|
|
if (pTokenInfo )
|
|
{
|
|
MemFree( pTokenInfo );
|
|
}
|
|
|
|
if (hClientToken)
|
|
{
|
|
NtClose( hClientToken );
|
|
}
|
|
|
|
/*
|
|
* Start logon timers anyway, in case of any errors, we should still start the timers since
|
|
* some machine policy might have set them up.
|
|
*/
|
|
StartLogonTimers( pWinStation );
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: RpcWinStationUpdateUserConfig, Status=0x%x\n", Status ));
|
|
|
|
*pResult = Status ;
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
BOOLEAN RpcWinStationUnRegisterNotificationEvent (
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG_PTR NotificationId,
|
|
ULONG SessionId
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
if (pResult == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Calling this function from the remote machine, does not make sense, and
|
|
// we should not allow it.
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
|
|
DBGPRINT((" RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
DBGPRINT((" Not a local client call\n"));
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
else
|
|
{
|
|
ULONG ClientLogonId;
|
|
*pResult = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( *pResult ) ) {
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
if (ClientLogonId != SessionId)
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
*pResult = UnRegisterConsoleNotification ( NotificationId, SessionId, WTS_EVENT_NOTIFICATION);
|
|
|
|
return (*pResult == STATUS_SUCCESS);
|
|
|
|
}
|
|
|
|
BOOLEAN RpcWinStationRegisterNotificationEvent (
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG_PTR *pNotificationId,
|
|
ULONG_PTR EventHandle, // handle of destination window
|
|
DWORD dwFlags,
|
|
DWORD dwMask,
|
|
ULONG SessionId,
|
|
ULONG ProcessId
|
|
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
ULONG_PTR dupHandle;
|
|
HANDLE ClientProcessHandle = NULL;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
CLIENT_ID ClientId;
|
|
|
|
if (pResult == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
if (pNotificationId == NULL) {
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
|
|
if (!dwMask) {
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Calling this function from the remote machine, does not make sense, and
|
|
// we should not allow it.
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
|
|
DBGPRINT((" RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
DBGPRINT((" Not a local client call\n"));
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
else
|
|
{
|
|
ULONG ClientLogonId;
|
|
*pResult = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( *pResult ) ) {
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
if (ClientLogonId != SessionId)
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return( FALSE );
|
|
}
|
|
}
|
|
|
|
//
|
|
// get the client process handle.
|
|
// do this while client is impersonated, so that if client doesnt have access to the
|
|
// said process, we will fail the call.
|
|
//
|
|
ClientProcessHandle = OpenProcess( PROCESS_DUP_HANDLE, FALSE, ProcessId );
|
|
|
|
if (!ClientProcessHandle) {
|
|
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return (FALSE);
|
|
|
|
}
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
|
|
|
|
if (DuplicateHandle(
|
|
ClientProcessHandle,
|
|
(HANDLE)EventHandle,
|
|
GetCurrentProcess(),
|
|
(PHANDLE)&dupHandle,
|
|
0,
|
|
0,
|
|
DUPLICATE_SAME_ACCESS
|
|
)) {
|
|
|
|
*pResult = STATUS_SUCCESS;
|
|
|
|
} else {
|
|
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
|
|
}
|
|
|
|
CloseHandle(ClientProcessHandle);
|
|
|
|
if ( NT_SUCCESS( *pResult ) ) {
|
|
|
|
dwFlags |= WTS_EVENT_NOTIFICATION;
|
|
dwFlags &= ~WTS_WINDOW_NOTIFICATION;
|
|
*pResult = RegisterConsoleNotification ( dupHandle, SessionId, dwFlags, dwMask );
|
|
|
|
|
|
if ( NT_SUCCESS( *pResult ) ) {
|
|
|
|
*pNotificationId = dupHandle;
|
|
|
|
} else {
|
|
|
|
CloseHandle((HANDLE)dupHandle);
|
|
}
|
|
}
|
|
|
|
return (*pResult == STATUS_SUCCESS);
|
|
|
|
}
|
|
|
|
BOOLEAN RpcWinStationRegisterConsoleNotification (
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG SessionId,
|
|
ULONG_PTR handle, // handle of destination window
|
|
DWORD dwFlags,
|
|
DWORD dwMask
|
|
)
|
|
{
|
|
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
|
|
if (pResult == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Calling this function from the remote machine, does not make sense, and
|
|
// we should not allow it.
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
DBGPRINT((" Not a local client call\n"));
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
{
|
|
ULONG ClientLogonId;
|
|
*pResult = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( *pResult ) ) {
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
if (ClientLogonId != SessionId)
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return( FALSE );
|
|
}
|
|
}
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
|
|
// BUGBUG : MakarP, can we check if the calling process owns this hWnd ?
|
|
// using GetWindowThreadProcessId ? Does it work across the sessions ?
|
|
|
|
dwFlags &= ~WTS_EVENT_NOTIFICATION;
|
|
dwFlags |= WTS_WINDOW_NOTIFICATION;
|
|
*pResult = RegisterConsoleNotification ( handle, SessionId, dwFlags, dwMask );
|
|
return (*pResult == STATUS_SUCCESS);
|
|
}
|
|
|
|
BOOLEAN RpcWinStationUnRegisterConsoleNotification (
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG SessionId,
|
|
ULONG hWnd // handle of destination window
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
|
|
if (pResult == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Calling this function from the remote machine, does not make sense, and
|
|
// we should not allow it.
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
DBGPRINT((" Not a local client call\n"));
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
{
|
|
ULONG ClientLogonId;
|
|
*pResult = RpcGetClientLogonId( &ClientLogonId );
|
|
if ( !NT_SUCCESS( *pResult ) ) {
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
if (ClientLogonId != SessionId)
|
|
{
|
|
RpcRevertToSelf();
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return( FALSE );
|
|
}
|
|
}
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
|
|
// BUGBUG : MakarP, can we check if the calling process owns this hWnd ?
|
|
// using GetWindowThreadProcessId ? Does it work across the sessions ?
|
|
|
|
*pResult = UnRegisterConsoleNotification ( hWnd, SessionId, WTS_WINDOW_NOTIFICATION);
|
|
|
|
return (*pResult == STATUS_SUCCESS);
|
|
}
|
|
|
|
|
|
|
|
BOOLEAN RpcWinStationIsHelpAssistantSession (
|
|
HANDLE hServer,
|
|
DWORD *pResult, // function status
|
|
ULONG SessionId // user logon id
|
|
)
|
|
/*++
|
|
|
|
RpcWinStationIsSessionHelpAssistantSession returns if a
|
|
given session is created by Salem HelpAssistant account.
|
|
|
|
Parameters:
|
|
|
|
hServer : Handle to server, unused, just to match all
|
|
other RPC function.
|
|
SessionId : User session ID.
|
|
|
|
Returns:
|
|
|
|
TRUE/FALSE
|
|
|
|
--*/
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag;
|
|
PWINSTATION pWinStation=NULL;
|
|
BOOLEAN bReturn;
|
|
BOOL bValidHelpSession;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult=0;
|
|
|
|
//
|
|
// Do we need to check system or only LPC call?
|
|
//
|
|
|
|
//
|
|
// Find and lock client WinStation
|
|
//
|
|
pWinStation = FindWinStationById( SessionId, FALSE );
|
|
if ( pWinStation == NULL )
|
|
{
|
|
*pResult = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
return( FALSE );
|
|
}
|
|
|
|
bReturn = (BOOLEAN)TSIsSessionHelpSession( pWinStation, &bValidHelpSession );
|
|
|
|
if( TRUE == bReturn )
|
|
{
|
|
if( FALSE == bValidHelpSession )
|
|
{
|
|
*pResult = STATUS_WRONG_PASSWORD;
|
|
}
|
|
}
|
|
|
|
ReleaseWinStation( pWinStation );
|
|
return bReturn;
|
|
}
|
|
|
|
BOOLEAN RpcRemoteAssistancePrepareSystemRestore (
|
|
HANDLE hServer,
|
|
DWORD *pResult // function status
|
|
)
|
|
/*++
|
|
|
|
Prepare TermSrv/Salem for system restore.
|
|
|
|
Parameters:
|
|
|
|
hServer : Handle to server, unused, just to match all
|
|
other RPC function.
|
|
pResult : Pointer to DWORD to receive status of function.
|
|
|
|
Returns:
|
|
|
|
TRUE/FALSE
|
|
|
|
--*/
|
|
{
|
|
BOOLEAN bReturn = TRUE;
|
|
RPC_STATUS RpcStatus;
|
|
BOOL LocalFlag;
|
|
HRESULT hRes;
|
|
|
|
if (pResult == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Calling this function from the remote machine, does not make sense, and
|
|
// we should not allow it.
|
|
//
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" RpcImpersonateClient() failed : 0x%x\n",RpcStatus));
|
|
*pResult = ERROR_CANNOT_IMPERSONATE;
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// Allow ony local admin to invoke this call.
|
|
//
|
|
if( !IsCallerAdmin() ) {
|
|
RpcRevertToSelf();
|
|
*pResult = ERROR_ACCESS_DENIED;
|
|
return (FALSE);
|
|
}
|
|
|
|
//
|
|
// Inquire if local RPC call
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
DBGPRINT((" I_RpcBindingIsClientLocal() failed : 0x%x\n",RpcStatus));
|
|
RpcRevertToSelf();
|
|
*pResult = ERROR_ACCESS_DENIED;
|
|
return( FALSE );
|
|
}
|
|
|
|
if( !LocalFlag ) {
|
|
DBGPRINT((" Not a local client call\n"));
|
|
*pResult = ERROR_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
return( FALSE );
|
|
}
|
|
|
|
//
|
|
// done with the impersonation, we must have succeeded, otherwise, we would have exited above
|
|
//
|
|
RpcRevertToSelf();
|
|
|
|
*pResult=0;
|
|
|
|
hRes = TSRemoteAssistancePrepareSystemRestore();
|
|
if( S_OK != hRes ) {
|
|
bReturn = FALSE;
|
|
*pResult = hRes;
|
|
}
|
|
|
|
return bReturn;
|
|
}
|
|
|
|
|
|
/*
|
|
* RpcWinStationGetMachinePolicy
|
|
*
|
|
* Return (a copye of ) the machine policy to the caller
|
|
*
|
|
* Parameters:
|
|
*
|
|
* hServer : Handle to server, unused, just to match all
|
|
* other RPC function.
|
|
*
|
|
* pointer to the policy struct
|
|
*
|
|
* size of the policy struct.
|
|
*
|
|
*/
|
|
BOOLEAN
|
|
RpcWinStationGetMachinePolicy(
|
|
SERVER_HANDLE hServer,
|
|
PBYTE pPolicy,
|
|
ULONG bufferSize )
|
|
{
|
|
if(!hServer)
|
|
{
|
|
return( FALSE );
|
|
}
|
|
|
|
if (pPolicy == NULL) {
|
|
return FALSE;
|
|
}
|
|
// Check if BufferSize if big enough
|
|
if (bufferSize < sizeof(POLICY_TS_MACHINE)) {
|
|
return FALSE;
|
|
}
|
|
RtlCopyMemory( pPolicy , & g_MachinePolicy, sizeof( POLICY_TS_MACHINE ) );
|
|
return TRUE;
|
|
}
|
|
|
|
/*++
|
|
|
|
RpcWinStationUpdateClientCachedCredentials is used to store the ACTUAL credentials
|
|
used to log on by a client. This is stored in WINSTATION struct which is later
|
|
on used to notify the client about the logon credentials. This API is called
|
|
from MSGINA.
|
|
|
|
Parameters:
|
|
|
|
ClientLogonId : Logon Id of the new session opened by the client
|
|
|
|
pDomian, pUserName : Credentials used by the client to log on
|
|
|
|
Returns:
|
|
|
|
TRUE if the call succeeded in updating the credentials.
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationUpdateClientCachedCredentials(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
BOOLEAN fSmartCard
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Do some buffer validation
|
|
*/
|
|
*pResult = IsZeroterminateStringW(pUserName, UserNameSize );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
*pResult = IsZeroterminateStringW(pDomain, DomainSize );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationUpdateClientCachedCredentialsWorker(
|
|
ClientLogonId,
|
|
ClientProcessId,
|
|
pDomain,
|
|
DomainSize,
|
|
pUserName,
|
|
UserNameSize,
|
|
fSmartCard
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationUpdateClientCachedCredentialsWorker
|
|
*
|
|
* Worker function for RPCWinStationUpdateClientCachedCredentials
|
|
****************************************************************************/
|
|
NTSTATUS WinStationUpdateClientCachedCredentialsWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize,
|
|
BOOLEAN fSmartCard)
|
|
{
|
|
|
|
PWINSTATION pWinStation;
|
|
ULONG Length;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationUpdateClientCachedCredentialsWorker, LogonId=%d\n", ClientLogonId ));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Do not do anything if the session is not connected. The processing in this API assumes we are connected and have a
|
|
* valid stack.
|
|
*/
|
|
if ((ClientLogonId != 0) && ((pWinStation->State != State_Connected) || pWinStation->StateFlags & WSF_ST_IN_DISCONNECT)) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Upper level code has verified that this RPC
|
|
* is coming from a local client with SYSTEM access.
|
|
*
|
|
* We should be able to trust the ClientProcessId from
|
|
* SYSTEM code.
|
|
*/
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pWinStation->InitialCommandProcessId ) {
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Save User Name and Domain Name which we will later use to send Notification to the Client
|
|
*/
|
|
pWinStation->pNewNotificationCredentials = MemAlloc(sizeof(CLIENTNOTIFICATIONCREDENTIALS));
|
|
if (pWinStation->pNewNotificationCredentials == NULL) {
|
|
Status = STATUS_NO_MEMORY ;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done ;
|
|
}
|
|
|
|
// pDomain and pUserName are sent from Winlogon - these cannot exceed the size of the pWinstation buffers
|
|
// because of the restrictions in the credentials lengths imposed by winlogon
|
|
// But anyway check for their length and truncate them if they are more than the length of pWinstation buffers
|
|
|
|
if ( wcslen(pDomain) > EXTENDED_DOMAIN_LEN ) {
|
|
pDomain[EXTENDED_DOMAIN_LEN] = L'\0';
|
|
}
|
|
|
|
if ( wcslen(pUserName) > EXTENDED_USERNAME_LEN ) {
|
|
pUserName[EXTENDED_USERNAME_LEN] = L'\0';
|
|
}
|
|
|
|
wcscpy( pWinStation->pNewNotificationCredentials->Domain, pDomain);
|
|
wcscpy( pWinStation->pNewNotificationCredentials->UserName, pUserName);
|
|
pWinStation->fSmartCardLogon = fSmartCard;
|
|
|
|
/*
|
|
* Release the winstation lock
|
|
*/
|
|
ReleaseWinStation( pWinStation );
|
|
|
|
done:
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationUpdateClientCachedCredentialsWorker, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
/*++
|
|
|
|
RpcWinStationFUSCanRemoteUserDisconnect - this API is used in a FUS Scenario
|
|
when there is someone at the console and another user tries to open a remote
|
|
session. This API askes the local user if it is ok to disconnect his/her session
|
|
and allow the remote user to connect.
|
|
|
|
Parameters:
|
|
|
|
TargetLogonId : Session ID which is being requested for connection
|
|
|
|
ClientLogonId : Session ID of the temperory new session
|
|
|
|
pDomain : Domain Name of the user who is trying to connect from remote
|
|
|
|
pUserName : UserName of the user who is trying to connect from remote
|
|
|
|
|
|
Returns:
|
|
|
|
TRUE - The local user has agreed to connect the remote user - so this user's session
|
|
will be disconnected
|
|
|
|
FALSE - Local user does not allow the remote user to connect
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationFUSCanRemoteUserDisconnect(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD TargetLogonId,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Do some buffer validation
|
|
*/
|
|
*pResult = IsZeroterminateStringW(pUserName, UserNameSize );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
*pResult = IsZeroterminateStringW(pDomain, DomainSize );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
*pResult = WinStationFUSCanRemoteUserDisconnectWorker(
|
|
TargetLogonId,
|
|
ClientLogonId,
|
|
ClientProcessId,
|
|
pDomain,
|
|
DomainSize,
|
|
pUserName,
|
|
UserNameSize
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationFUSCanRemoteUserDisconnectWorker
|
|
*
|
|
* Worker function for WinStationFUSCanRemoteUserDisconnect
|
|
****************************************************************************/
|
|
NTSTATUS WinStationFUSCanRemoteUserDisconnectWorker(
|
|
DWORD TargetLogonId,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId,
|
|
PWCHAR pDomain,
|
|
DWORD DomainSize,
|
|
PWCHAR pUserName,
|
|
DWORD UserNameSize)
|
|
{
|
|
|
|
PWINSTATION pTargetWinStation, pClientWinStation;
|
|
ULONG Length;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
NTSTATUS MessageDelieveryStatus;
|
|
|
|
WINSTATION_APIMSG msg;
|
|
ULONG DisconnectResponse;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
|
|
WCHAR *szDomain = NULL;
|
|
WCHAR *szUserName = NULL;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationFUSCanRemoteUserDisconnect, LogonId=%d\n", ClientLogonId ));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pClientWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pClientWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Do not do anything if the session is not connected. The processing in this API assumes we are connected and have a
|
|
* valid stack.
|
|
*/
|
|
if ((ClientLogonId != 0) && ((pClientWinStation->State != State_Connected) || pClientWinStation->StateFlags & WSF_ST_IN_DISCONNECT)) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
ReleaseWinStation(pClientWinStation);
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Upper level code has verified that this RPC
|
|
* is coming from a local client with SYSTEM access.
|
|
*
|
|
* We should be able to trust the ClientProcessId from
|
|
* SYSTEM code.
|
|
*/
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pClientWinStation->InitialCommandProcessId ) {
|
|
ReleaseWinStation(pClientWinStation);
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Client WinStation is not needed anymore, so release that lock
|
|
*/
|
|
ReleaseWinStation(pClientWinStation);
|
|
|
|
/*
|
|
* Find and lock target WinStation
|
|
*/
|
|
pTargetWinStation = FindWinStationById( TargetLogonId, FALSE );
|
|
if ( pTargetWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
// Allocate the strings needed to display the Popup MessageBox
|
|
if ((szDomain = LocalAlloc(LMEM_FIXED, MAX_STRING_BYTES * sizeof(WCHAR))) == NULL) {
|
|
Status = STATUS_NO_MEMORY ;
|
|
goto done;
|
|
}
|
|
|
|
if ((szUserName = LocalAlloc(LMEM_FIXED, MAX_STRING_BYTES * sizeof(WCHAR))) == NULL) {
|
|
Status = STATUS_NO_MEMORY ;
|
|
goto done;
|
|
}
|
|
|
|
memcpy(szDomain, pDomain, (DomainSize) * sizeof(WCHAR));
|
|
szDomain[DomainSize] = L'\0';
|
|
|
|
memcpy(szUserName, pUserName, (UserNameSize) * sizeof(WCHAR));
|
|
szUserName[UserNameSize] = L'\0';
|
|
|
|
/*
|
|
* Create wait event
|
|
*/
|
|
InitializeObjectAttributes( &ObjA, NULL, 0, NULL, NULL );
|
|
Status = NtCreateEvent( &msg.u.LoadStringMessage.hEvent, EVENT_ALL_ACCESS, &ObjA,
|
|
NotificationEvent, FALSE );
|
|
if ( !NT_SUCCESS(Status) ) {
|
|
ReleaseWinStation(pTargetWinStation);
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Send message and wait for reply
|
|
*/
|
|
msg.u.LoadStringMessage.TitleId = REMOTE_DISCONNECT_TITLE_ID;
|
|
msg.u.LoadStringMessage.MessageId = REMOTE_DISCONNECT_MESSAGE_ID;
|
|
msg.u.LoadStringMessage.Style = MB_YESNO | MB_DEFBUTTON1 | MB_ICONQUESTION;
|
|
msg.u.LoadStringMessage.Timeout = 20;
|
|
msg.u.LoadStringMessage.DoNotWait = FALSE;
|
|
msg.u.LoadStringMessage.pResponse = &DisconnectResponse;
|
|
msg.u.LoadStringMessage.pDomain = szDomain;
|
|
msg.u.LoadStringMessage.DomainSize = (ULONG) (DomainSize * sizeof(WCHAR));
|
|
msg.u.LoadStringMessage.pUserName = szUserName;
|
|
msg.u.LoadStringMessage.UserNameSize = (ULONG)(UserNameSize * sizeof(WCHAR));
|
|
msg.u.LoadStringMessage.pStatus = &MessageDelieveryStatus;
|
|
|
|
|
|
msg.ApiNumber = SMWinStationDoLoadStringNMessage;
|
|
|
|
/*
|
|
* Initialize response to IDTIMEOUT
|
|
*/
|
|
DisconnectResponse = IDTIMEOUT;
|
|
|
|
/*
|
|
* Tell the WinStation to display the message box
|
|
*/
|
|
Status = SendWinStationCommand( pTargetWinStation, &msg, 0 );
|
|
|
|
/*
|
|
* Wait for response
|
|
*/
|
|
if ( Status == STATUS_SUCCESS ) {
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "WinStationSendMessage: wait for response\n" ));
|
|
UnlockWinStation( pTargetWinStation );
|
|
Status = NtWaitForSingleObject( msg.u.LoadStringMessage.hEvent, FALSE, NULL );
|
|
if ( !RelockWinStation( pTargetWinStation ) ) {
|
|
Status = STATUS_CTX_CLOSE_PENDING;
|
|
}
|
|
else {
|
|
Status = MessageDelieveryStatus;
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "WinStationSendMessage: got response %u\n", DisconnectResponse ));
|
|
NtClose( msg.u.LoadStringMessage.hEvent );
|
|
} else {
|
|
/* close the event in case of SendWinStationCommand failure */
|
|
NtClose( msg.u.LoadStringMessage.hEvent );
|
|
}
|
|
|
|
if (Status == STATUS_SUCCESS && DisconnectResponse == IDNO) {
|
|
Status = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
}
|
|
|
|
/*
|
|
* Release the target winstation lock
|
|
*/
|
|
ReleaseWinStation( pTargetWinStation );
|
|
|
|
done:
|
|
/*
|
|
* Do some memory cleanup
|
|
*/
|
|
if (szDomain != NULL) {
|
|
LocalFree(szDomain);
|
|
szDomain = NULL;
|
|
}
|
|
|
|
if (szUserName != NULL) {
|
|
LocalFree(szUserName);
|
|
szUserName = NULL;
|
|
}
|
|
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationFUSCanRemoteUserDisconnectWorker, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
/*++
|
|
|
|
RPCWinStationCheckLoopBack checks for loopback during connections. This API
|
|
is called from Winlogon.
|
|
|
|
Parameters:
|
|
|
|
ClientSessionId : Session ID from where the TS Client was started
|
|
|
|
TargetLogonId : Session ID to which we are trying to connect
|
|
|
|
pTargetServerName : Name of the Server we are trying to connect to
|
|
|
|
Returns:
|
|
|
|
TRUE if there is a loopBack, FALSE otherwise
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationCheckLoopBack(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientSessionId,
|
|
DWORD TargetLogonId,
|
|
PWCHAR pTargetServerName,
|
|
DWORD NameSize
|
|
)
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Do some buffer validation
|
|
*/
|
|
*pResult = IsZeroterminateStringW(pTargetServerName, NameSize );
|
|
if (*pResult != STATUS_SUCCESS) {
|
|
return FALSE;
|
|
}
|
|
|
|
*pResult = WinStationCheckLoopBackWorker(
|
|
TargetLogonId,
|
|
ClientSessionId,
|
|
pTargetServerName,
|
|
NameSize
|
|
);
|
|
|
|
// NOTE - If Worker function returns STATUS_SUCCESS that means there is no loopback, so return FALSE
|
|
return( *pResult == STATUS_SUCCESS ? FALSE : TRUE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationCheckLoopBackWorker
|
|
*
|
|
* Worker function for RPCWinStationCheckLoopBack
|
|
****************************************************************************/
|
|
NTSTATUS WinStationCheckLoopBackWorker(
|
|
DWORD TargetLogonId,
|
|
DWORD ClientSessionId,
|
|
PWCHAR pTargetServerName,
|
|
DWORD NameSize)
|
|
{
|
|
PWINSTATION pWinStation;
|
|
ULONG Length;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCheckLoopBackWorker, ClientSessionId=%d, TargetLogonId = %d\n", ClientSessionId, TargetLogonId ));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
// Do the actual processing to call the CheckLoopBack routine here
|
|
// Use the _CheckShadowLoop function which already detects for a loop during Shadowing
|
|
|
|
Status = _CheckShadowLoop(ClientSessionId, pTargetServerName, TargetLogonId);
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCheckLoopBackWorker, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
* RpcConnectCallBack
|
|
*
|
|
* Initiate connect back to TS client. For Whistler, this is Salem only call.
|
|
*
|
|
*
|
|
* Returns :
|
|
* TRUE --
|
|
* FALSE -- The operation failed. Extended error status is available
|
|
* using GetLastError.
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcConnectCallback(
|
|
HANDLE hServer, // needed?
|
|
DWORD *pResult,
|
|
DWORD Timeout,
|
|
ULONG AddressType, // should be one of the TDI_ADDRESS_TYPE_XXX
|
|
PBYTE pAddress, // should be one of the TDI_ADDRESS_XXX
|
|
ULONG AddressLength
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
RPC_STATUS RpcStatus;
|
|
ICA_STACK_ADDRESS StackAddress;
|
|
PICA_STACK_ADDRESS pStackAddress = &StackAddress;
|
|
PTDI_ADDRESS_IP pTargetIpAddress;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: RpcConnectCallBack" ));
|
|
|
|
if( ShutdownInProgress )
|
|
{
|
|
*pResult = STATUS_SYSTEM_SHUTDOWN;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// We only support IPV4 address, Need to modify tdtcp.sys to support IPv6
|
|
//
|
|
if( AddressType != TDI_ADDRESS_TYPE_IP )
|
|
{
|
|
*pResult = STATUS_NOT_SUPPORTED;
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Extra checking, making sure we gets everything.
|
|
//
|
|
if( AddressLength != TDI_ADDRESS_LENGTH_IP )
|
|
{
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
return FALSE;
|
|
}
|
|
|
|
ZeroMemory( &StackAddress , sizeof( ICA_STACK_ADDRESS ) );
|
|
|
|
//
|
|
// ??? What other security we want to apply here
|
|
//
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL, "TERMSRV: RpcWinStationShadowStop: Not impersonating! RpcStatus 0x%x\n",RpcStatus));
|
|
Status = STATUS_CANNOT_IMPERSONATE;
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// For Whistler, this call is Salem rdshost.exe only, rdshost.exe is kick off by helpctr
|
|
// running under system context.
|
|
//
|
|
if( !IsCallerSystem() ) {
|
|
|
|
#if DISABLESECURITYCHECKS
|
|
|
|
//
|
|
// Private testing only, allowing administrator to make this call.
|
|
//
|
|
if( !IsCallerAdmin() ) {
|
|
RpcRevertToSelf();
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
}
|
|
#else
|
|
|
|
RpcRevertToSelf();
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto done;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
|
|
//
|
|
// winsta.h, byte 0, 1, family, 2-n address.
|
|
//
|
|
*(PUSHORT)pStackAddress = (USHORT)AddressType;
|
|
if ( AddressLength <= (sizeof(ICA_STACK_ADDRESS) - 2) ) {
|
|
//
|
|
// Refer to TDI_ADDRESS_IP, last 8 char is not use.
|
|
// Adding a timeout to pass into TD will require changes to ICA_STACK_ADDRESS
|
|
// too risky for Whister but needed on next.
|
|
//
|
|
pTargetIpAddress = (PTDI_ADDRESS_IP)pAddress;
|
|
RtlCopyMemory( &(pTargetIpAddress->sin_zero[0]), &Timeout, sizeof(Timeout) );
|
|
|
|
RtlCopyMemory( &((PCHAR)pStackAddress)[2], pAddress, AddressLength );
|
|
} else {
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
#if DBG
|
|
{
|
|
PULONG pData = (PULONG)pStackAddress;
|
|
PTDI_ADDRESS_IP pIpAddress = (PTDI_ADDRESS_IP)&((PCHAR)pStackAddress)[2];
|
|
|
|
DbgPrint(
|
|
"TERMSRV: Connect API: address port %u address 0x%x (%u.%u.%u.%u)\n",
|
|
ntohs(pIpAddress->sin_port),
|
|
pIpAddress->in_addr,
|
|
(pIpAddress->in_addr & 0xff000000) >> 24,
|
|
(pIpAddress->in_addr & 0x00ff0000) >> 16,
|
|
(pIpAddress->in_addr & 0x0000ff00) >> 8,
|
|
(pIpAddress->in_addr & 0x000000ff)
|
|
);
|
|
}
|
|
#endif
|
|
|
|
Status = TransferConnectionToIdleWinStation( NULL, // no listen winstation
|
|
NULL, // no Endpoint,
|
|
0, // EndpointLength,
|
|
&StackAddress );
|
|
|
|
done:
|
|
|
|
*pResult = Status;
|
|
|
|
return( NT_SUCCESS(*pResult) ? TRUE : FALSE );
|
|
}
|
|
|
|
//*************************************************************
|
|
//
|
|
// IsGinaVersionCurrent()
|
|
//
|
|
// Purpose: Loads the gina DLL and negotiates the version number
|
|
//
|
|
// Parameters: NONE
|
|
//
|
|
// Return: TRUE if gina is of current version
|
|
// FALSE if version of gina is not current
|
|
// or in case of any error
|
|
//
|
|
//*************************************************************
|
|
|
|
BOOL
|
|
IsGinaVersionCurrent()
|
|
{
|
|
HMODULE hGina = NULL;
|
|
LPWSTR wszGinaName = NULL;
|
|
PWLX_NEGOTIATE pWlxNegotiate = NULL;
|
|
DWORD dwGinaLevel = 0;
|
|
BOOL bResult = FALSE;
|
|
|
|
wszGinaName = (LPWSTR) LocalAlloc(LPTR,(MAX_PATH+1)*sizeof(WCHAR));
|
|
|
|
if(!wszGinaName)
|
|
{
|
|
//
|
|
//Not enough memory
|
|
//
|
|
return FALSE;
|
|
}
|
|
|
|
GetProfileStringW(
|
|
L"WINLOGON",
|
|
L"GinaDll",
|
|
L"msgina.dll",
|
|
wszGinaName,
|
|
MAX_PATH);
|
|
|
|
|
|
if(!_wcsicmp(L"msgina.dll",wszGinaName))
|
|
{
|
|
//
|
|
//If it is "msgina.dll",
|
|
//assume that it is a Windows native gina.
|
|
//
|
|
LocalFree(wszGinaName);
|
|
return TRUE;
|
|
}
|
|
|
|
//
|
|
//Load gina
|
|
//if we cannot load gina, assume that it is incompatible
|
|
//with TS
|
|
//
|
|
hGina = LoadLibraryW(wszGinaName);
|
|
|
|
if (hGina)
|
|
{
|
|
//
|
|
// Get the "WlxNegotiate" function pointer
|
|
//
|
|
pWlxNegotiate = (PWLX_NEGOTIATE) GetProcAddress(hGina, WLX_NEGOTIATE_NAME);
|
|
|
|
if (pWlxNegotiate)
|
|
{
|
|
//
|
|
// Negotiate a version number with the gina
|
|
//
|
|
|
|
if ( pWlxNegotiate(WLX_CURRENT_VERSION, &dwGinaLevel) &&
|
|
(dwGinaLevel == WLX_CURRENT_VERSION) )
|
|
{
|
|
bResult = TRUE;
|
|
}
|
|
|
|
}
|
|
|
|
FreeLibrary(hGina);
|
|
}
|
|
|
|
LocalFree(wszGinaName);
|
|
return bResult;
|
|
}
|
|
|
|
/*++
|
|
|
|
RPCWinStationNotifyDisconnectPipe notifies session 0 Winlogon to disconnect from the autologon named pipe
|
|
|
|
Parameters:
|
|
|
|
ClientSessionId : Session ID of the calling process
|
|
|
|
ClientProcessId : Process ID of the calling process
|
|
|
|
|
|
Returns:
|
|
|
|
TRUE if notification is successful, FALSE otherwise
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationNotifyDisconnectPipe(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
)
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
*pResult = WinStationNotifyDisconnectPipeWorker(
|
|
ClientLogonId,
|
|
ClientProcessId
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationNotifyDisconnectPipeWorker
|
|
*
|
|
* Worker function for RpcWinstationNotifyDisconnectPipe
|
|
****************************************************************************/
|
|
NTSTATUS WinStationNotifyDisconnectPipeWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
)
|
|
|
|
{
|
|
PWINSTATION pWinStation, pTargetWinStation;
|
|
ULONG Length;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
WINSTATION_APIMSG DisconnectPipeMsg;
|
|
DWORD SessionZeroLogonId = 0;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationNotifyDisconnectPipeWorker, ClientLogonId=%d \n", ClientLogonId));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Upper level code has verified that this RPC
|
|
* is coming from a local client with SYSTEM access.
|
|
*
|
|
* We should be able to trust the ClientProcessId from
|
|
* SYSTEM code.
|
|
*/
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pWinStation->InitialCommandProcessId ) {
|
|
Status = STATUS_ACCESS_DENIED;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
ReleaseWinStation(pWinStation);
|
|
|
|
/*
|
|
* Send the Notification to disconnect the autologon Pipe to Winlogon in session 0
|
|
*/
|
|
pTargetWinStation = FindWinStationById( SessionZeroLogonId, FALSE );
|
|
if ( pTargetWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
DisconnectPipeMsg.ApiNumber = SMWinStationNotify;
|
|
DisconnectPipeMsg.WaitForReply = FALSE;
|
|
DisconnectPipeMsg.u.DoNotify.NotifyEvent = WinStation_Notify_DisconnectPipe;
|
|
Status = SendWinStationCommand( pTargetWinStation, &DisconnectPipeMsg, 0 );
|
|
|
|
/*
|
|
* Release the winstation lock
|
|
*/
|
|
ReleaseWinStation( pTargetWinStation );
|
|
|
|
done:
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinstationNotifyDisconnectPipeWorker, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
|
|
/*++
|
|
|
|
RpcWinstationSessionInitialized informs termsrv that winlogon has created the window station and desktop for this session
|
|
|
|
Parameters:
|
|
|
|
ClientSessionId : Session ID of the calling process
|
|
|
|
ClientProcessId : Process ID of the calling process
|
|
|
|
|
|
Returns:
|
|
|
|
TRUE if everything went well. FALSE otherwise
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationSessionInitialized(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
)
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM (WinLogon)
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
*pResult = WinStationSessionInitializedWorker(
|
|
ClientLogonId,
|
|
ClientProcessId
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationSessionInitializedWorker
|
|
*
|
|
* Worker function for RpcWinstationSessionInitialized
|
|
****************************************************************************/
|
|
NTSTATUS WinStationSessionInitializedWorker(
|
|
DWORD ClientLogonId,
|
|
ULONG_PTR ClientProcessId
|
|
)
|
|
|
|
{
|
|
PWINSTATION pWinStation;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationSessionInitializedWorker, ClientLogonId=%d \n", ClientLogonId));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
/*
|
|
* Find and lock client WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Ensure this is WinLogon calling
|
|
*/
|
|
if ( (HANDLE)(ULONG_PTR)ClientProcessId != pWinStation->InitialCommandProcessId ) {
|
|
Status = STATUS_ACCESS_DENIED;
|
|
ReleaseWinStation( pWinStation );
|
|
goto done;
|
|
}
|
|
|
|
// Set the Event to indicate Session is initialized
|
|
if (pWinStation->SessionInitializedEvent) {
|
|
SetEvent(pWinStation->SessionInitializedEvent);
|
|
}
|
|
|
|
ReleaseWinStation(pWinStation);
|
|
|
|
done:
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinstationSessionInitializedWorker, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
/*******************************************************************************
|
|
* RpcWinStationAutoReconnect
|
|
*
|
|
* Does atomic autoreconnection policy work
|
|
*
|
|
* ENTRY:
|
|
* IN hServer - RPC caller handle - API restricted to local use
|
|
* OUT pResult - Result code in NTSTATUS format with information class set
|
|
* IN LogonId - Session to autoreconnect
|
|
* IN flags - extra options (currently unused)
|
|
*
|
|
* EXIT:
|
|
* STATUS_SUCCESS - if we successfully autoreconnected
|
|
* STATUS_CTX_WINSTATION_BUSY - if session is already disconnected, or busy
|
|
* STATUS_ACCESS_DENIED - if the target winstation was not found
|
|
* or if the autoreconnection check failed
|
|
* STATUS_NOT_FOUND - autoreconnect info was not specified
|
|
******************************************************************************/
|
|
BOOLEAN
|
|
RpcWinStationAutoReconnect(
|
|
SERVER_HANDLE hServer,
|
|
DWORD *pResult,
|
|
DWORD LogonId,
|
|
DWORD flags
|
|
)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
UINT LocalFlag = 0;
|
|
NTSTATUS Status = STATUS_UNSUCCESSFUL;
|
|
PWINSTATION pSourceWinStation = NULL;
|
|
PWINSTATION pTargetWinStation = NULL;
|
|
TS_AUTORECONNECTINFO autoReconnectInfo;
|
|
BYTE abClientRandom[512];
|
|
LONG cbClientRandomLen = 0;
|
|
ULONG BytesGot = 0;
|
|
DWORD SourceID;
|
|
DWORD TargetID;
|
|
|
|
if(!hServer)
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API2,"RPC RpcWinStationAutoReconnect for %d\n",
|
|
LogonId));
|
|
|
|
//
|
|
// Only allow system caller for security reasons
|
|
//
|
|
|
|
RpcStatus = RpcImpersonateClient(NULL);
|
|
if (RpcStatus != RPC_S_OK) {
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto rpcaccessdenied;
|
|
}
|
|
|
|
//
|
|
// Check for System caller
|
|
//
|
|
if (!IsCallerSystem()) {
|
|
RpcRevertToSelf();
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto rpcaccessdenied;
|
|
}
|
|
RpcRevertToSelf();
|
|
|
|
|
|
//
|
|
// Only allow local access for security reasons
|
|
//
|
|
RpcStatus = I_RpcBindingIsClientLocal(
|
|
0, // Active RPC call we are servicing
|
|
&LocalFlag
|
|
);
|
|
|
|
if( RpcStatus != RPC_S_OK ) {
|
|
KdPrintEx((DPFLTR_TERMSRV_ID, DPFLTR_ERROR_LEVEL,
|
|
"TERMSRV: RpcWinStationAutoReconnect:" \
|
|
"I_RpcBindingIsClientLocal() failed: 0x%x\n", RpcStatus));
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto rpcaccessdenied;
|
|
}
|
|
|
|
//
|
|
// Do the check for local access
|
|
//
|
|
if (!LocalFlag) {
|
|
Status = (DWORD)STATUS_INVALID_PARAMETER;
|
|
goto rpcaccessdenied;
|
|
}
|
|
|
|
pSourceWinStation = FindWinStationById( LogonId, FALSE);
|
|
if (pSourceWinStation == NULL) {
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,
|
|
"RpcWinStationAutoReconnect source session not found: %d\n",
|
|
LogonId));
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto badconnectsource;
|
|
}
|
|
|
|
if (pSourceWinStation->Terminating ||
|
|
pSourceWinStation->StateFlags & WSF_ST_WINSTATIONTERMINATE ||
|
|
!pSourceWinStation->WinStationName[0]) {
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,
|
|
"RpcWinStationAutoReconnect source session disconnected %d\n",
|
|
LogonId));
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
goto badconnectsource;
|
|
}
|
|
|
|
if (pSourceWinStation->Flags) {
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
goto badconnectsource;
|
|
}
|
|
|
|
//
|
|
// Check if Winstation logons are disabled and prevent ARC from
|
|
// happening in this case. Bug#532238
|
|
//
|
|
if (GetProfileInt(APPLICATION_NAME, WINSTATIONS_DISABLED, 0) == 1) {
|
|
|
|
//
|
|
// Fail the ARC and tell the client
|
|
//
|
|
Status = STATUS_ACCESS_DENIED;
|
|
pSourceWinStation->pWsx->pWsxSendAutoReconnectStatus(
|
|
pSourceWinStation->pWsxContext,
|
|
0,
|
|
FALSE); //stack lock held
|
|
|
|
ReleaseWinStation(pSourceWinStation);
|
|
pSourceWinStation = NULL;
|
|
goto done;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the client autoreconnect info
|
|
//
|
|
if (pSourceWinStation->pWsx &&
|
|
pSourceWinStation->pWsx->pWsxEscape) {
|
|
Status = pSourceWinStation->pWsx->pWsxEscape(
|
|
pSourceWinStation->pWsxContext,
|
|
GET_CS_AUTORECONNECT_INFO,
|
|
NULL,
|
|
0,
|
|
&autoReconnectInfo,
|
|
sizeof(autoReconnectInfo),
|
|
&BytesGot);
|
|
}
|
|
TRACE((hTrace,TC_ICASRV,TT_API3,
|
|
"RpcWinStationAutoReconnect get GET_CS_AUTORECONNECT_INFO: 0x%x\n",
|
|
Status));
|
|
|
|
if (0 == BytesGot ) {
|
|
|
|
//
|
|
// Skip the rest of the processing if we didn't get any arc info
|
|
//
|
|
|
|
//
|
|
// This is not strictly an error condition, the client could have
|
|
// just not sent up any autoreconnect info
|
|
//
|
|
|
|
Status = STATUS_NOT_FOUND;
|
|
goto badconnectsource;
|
|
}
|
|
|
|
//
|
|
// Get the client random
|
|
//
|
|
if (NT_SUCCESS(Status)) {
|
|
if (pSourceWinStation->pWsx &&
|
|
pSourceWinStation->pWsx->pWsxEscape) {
|
|
Status = pSourceWinStation->pWsx->pWsxEscape(
|
|
pSourceWinStation->pWsxContext,
|
|
GET_CLIENT_RANDOM,
|
|
NULL,
|
|
0,
|
|
&abClientRandom,
|
|
sizeof(abClientRandom),
|
|
&BytesGot);
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API3,
|
|
"RpcWinStationAutoReconnect get GET_CLIENT_RANDOM: 0x%x\n",
|
|
Status));
|
|
|
|
}
|
|
}
|
|
|
|
//
|
|
// Source winstation locked here
|
|
// Target not set yet
|
|
//
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
cbClientRandomLen = BytesGot;
|
|
|
|
//
|
|
// Flag the winstation as part of the autoreconnection
|
|
// to prevent a race where it might be reconnected somewhere
|
|
// else while we unlock it
|
|
//
|
|
pSourceWinStation->Flags |= WSF_AUTORECONNECTING;
|
|
SourceID = pSourceWinStation->LogonId;
|
|
|
|
//
|
|
// Unlock the winstation because we are about to try to
|
|
// lock the target winstation
|
|
//
|
|
UnlockWinStation(pSourceWinStation);
|
|
|
|
//
|
|
// Use the autoreconnect info to find the target winstation
|
|
// Returns a LOCKED winstation on success
|
|
//
|
|
pTargetWinStation = GetWinStationFromArcInfo(
|
|
(PBYTE)abClientRandom,
|
|
cbClientRandomLen,
|
|
(PTS_AUTORECONNECTINFO)&autoReconnectInfo
|
|
);
|
|
|
|
if (pTargetWinStation) {
|
|
|
|
//
|
|
// Check if the target is busy or if AutoReconnect is disallowed
|
|
//
|
|
if (pTargetWinStation->Flags || pTargetWinStation->fDisallowAutoReconnect) {
|
|
|
|
if (pTargetWinStation->fDisallowAutoReconnect) {
|
|
Status = STATUS_ACCESS_DENIED;
|
|
} else {
|
|
Status = STATUS_CTX_WINSTATION_BUSY;
|
|
}
|
|
|
|
ReleaseWinStation(pTargetWinStation);
|
|
pTargetWinStation = NULL;
|
|
|
|
RelockWinStation(pSourceWinStation);
|
|
|
|
//
|
|
// Tell the client that ARC failed
|
|
//
|
|
if (pSourceWinStation->pWsx &&
|
|
pSourceWinStation->pWsx->pWsxSendAutoReconnectStatus) {
|
|
|
|
pSourceWinStation->pWsx->pWsxSendAutoReconnectStatus(
|
|
pSourceWinStation->pWsxContext,
|
|
0,
|
|
FALSE); //stack lock held
|
|
}
|
|
|
|
pSourceWinStation->Flags &= ~WSF_AUTORECONNECTING;
|
|
ReleaseWinStation(pSourceWinStation);
|
|
|
|
goto done;
|
|
}
|
|
|
|
//
|
|
// Success! We found a winstation to autoreconnect to
|
|
// flag it and unlock it so we can make the connect call
|
|
//
|
|
TargetID = pTargetWinStation->LogonId;
|
|
pTargetWinStation->Flags |= WSF_AUTORECONNECTING;
|
|
UnlockWinStation(pTargetWinStation);
|
|
|
|
}
|
|
else {
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,
|
|
"TERMSRV: GetWinStationFromArcInfo failed\n"));
|
|
|
|
//
|
|
// Relock the source and cancel the autoreconnect flag
|
|
//
|
|
if (RelockWinStation(pSourceWinStation)) {
|
|
|
|
//
|
|
// Tell the client that ARC failed
|
|
//
|
|
if (pSourceWinStation->pWsx &&
|
|
pSourceWinStation->pWsx->pWsxSendAutoReconnectStatus) {
|
|
|
|
Status = pSourceWinStation->pWsx->pWsxSendAutoReconnectStatus(
|
|
pSourceWinStation->pWsxContext,
|
|
0,
|
|
FALSE); //stack lock held
|
|
}
|
|
}
|
|
else {
|
|
//
|
|
// This is a failure path anyway so it doesn't
|
|
// matter if the winstation was deleted. It just means
|
|
// we can't send status to the client
|
|
//
|
|
}
|
|
|
|
pSourceWinStation->Flags &= ~WSF_AUTORECONNECTING;
|
|
ReleaseWinStation(pSourceWinStation);
|
|
pSourceWinStation = NULL;
|
|
|
|
Status = STATUS_ACCESS_DENIED;
|
|
|
|
goto done;
|
|
}
|
|
}
|
|
else {
|
|
goto badconnectsource;
|
|
}
|
|
|
|
//
|
|
// At this point neither winstation is locked
|
|
//
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
ASSERT(pTargetWinStation);
|
|
|
|
//
|
|
// Trigger an autoreconnection from Source->Target
|
|
//
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,
|
|
"RpcWinStationAutoReconnect doing ARC from %d to %d\n",
|
|
SourceID, TargetID));
|
|
|
|
//
|
|
// Do the reconnection
|
|
//
|
|
// The autoreconnect flag allows the connect worker to properly
|
|
// handle the WSF_AUTORECONNECTING flag whose purpose is to
|
|
// prevent a race where the sessions could be reconnected while
|
|
// the winstations are unlocked
|
|
//
|
|
Status = WinStationConnectWorker(
|
|
LOGONID_CURRENT,
|
|
TargetID,
|
|
SourceID,
|
|
NULL,
|
|
0,
|
|
TRUE,
|
|
TRUE //flag that this is an autoreconnection
|
|
);
|
|
|
|
//
|
|
// Relock and then release the source
|
|
//
|
|
if (!RelockWinStation(pSourceWinStation)) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
}
|
|
pSourceWinStation->Flags &= ~WSF_AUTORECONNECTING;
|
|
ReleaseWinStation(pSourceWinStation);
|
|
pSourceWinStation = NULL;
|
|
|
|
//
|
|
// Relock and then release the target
|
|
//
|
|
if (!RelockWinStation(pTargetWinStation)) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
}
|
|
pTargetWinStation->Flags &= ~WSF_AUTORECONNECTING;
|
|
ReleaseWinStation(pTargetWinStation);
|
|
pTargetWinStation = NULL;
|
|
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,
|
|
"RpcWinStationAutoReconnect ARC ConnectWorker result: 0x%x\n",
|
|
Status));
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Call succeeded AND we autoreconnected
|
|
//
|
|
TRACE((hTrace,TC_ICASRV,TT_API1,
|
|
"RpcWinStationAutoReconnect ARC Succeeded\n"));
|
|
}
|
|
|
|
}
|
|
goto done;
|
|
|
|
badconnectsource:
|
|
if (pSourceWinStation) {
|
|
ReleaseWinStation(pSourceWinStation);
|
|
}
|
|
rpcaccessdenied:
|
|
done:
|
|
*pResult = Status;
|
|
|
|
return NT_SUCCESS(Status);
|
|
}
|
|
|
|
#ifdef DBG
|
|
void PrintClientInfo()
|
|
{
|
|
RPC_STATUS status;
|
|
RPC_CALL_ATTRIBUTES CallAttributes;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: -|--------------------------------------------|-\n"));
|
|
|
|
memset(&CallAttributes, 0, sizeof(CallAttributes));
|
|
CallAttributes.Version = RPC_CALL_ATTRIBUTES_VERSION;
|
|
CallAttributes.Flags = RPC_QUERY_SERVER_PRINCIPAL_NAME | RPC_QUERY_CLIENT_PRINCIPAL_NAME;
|
|
|
|
RpcServerInqCallAttributes(NULL, &CallAttributes);
|
|
|
|
if(CallAttributes.ServerPrincipalNameBufferLength)
|
|
{
|
|
CallAttributes.ServerPrincipalName = (WCHAR*)LocalAlloc(LPTR,
|
|
CallAttributes.ServerPrincipalNameBufferLength);
|
|
if(!CallAttributes.ServerPrincipalName)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: PrintClientInfo failed - no memory\n"));
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
if(CallAttributes.ClientPrincipalNameBufferLength)
|
|
{
|
|
CallAttributes.ClientPrincipalName = (WCHAR*)LocalAlloc(LPTR,
|
|
CallAttributes.ClientPrincipalNameBufferLength);
|
|
if(!CallAttributes.ClientPrincipalName)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: PrintClientInfo failed - no memory\n"));
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
status = RpcServerInqCallAttributes(NULL, &CallAttributes);
|
|
|
|
if(status != RPC_S_OK)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: RpcServerInqCallAttributes failed - %d\n", status));
|
|
return ;
|
|
}
|
|
|
|
if(CallAttributes.ServerPrincipalName)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Server SPN: %ws\n", CallAttributes.ServerPrincipalName));
|
|
}
|
|
|
|
if(CallAttributes.ClientPrincipalName)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Client SPN: %ws\n", CallAttributes.ClientPrincipalName));
|
|
}
|
|
|
|
switch(CallAttributes.AuthenticationLevel)
|
|
{
|
|
case RPC_C_AUTHN_LEVEL_DEFAULT:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_DEFAULT\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_NONE:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_NONE\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_CONNECT:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_CONNECT\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_CALL:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_CALL\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_PKT:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_PKT_INTEGRITY:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_INTEGRITY\n"));
|
|
break;
|
|
case RPC_C_AUTHN_LEVEL_PKT_PRIVACY:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: RPC_C_AUTHN_LEVEL_PKT_PRIVACY\n"));
|
|
break;
|
|
default:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication level: UNKNOWN!!!\n"));
|
|
break;
|
|
}
|
|
|
|
switch(CallAttributes.AuthenticationService)
|
|
{
|
|
case RPC_C_AUTHN_NONE:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_NONE\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DCE_PRIVATE:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DCE_PRIVATE\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DCE_PUBLIC:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DCE_PUBLIC\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DEC_PUBLIC:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DEC_PUBLIC\n"));
|
|
break;
|
|
case RPC_C_AUTHN_GSS_NEGOTIATE:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_GSS_NEGOTIATE\n"));
|
|
break;
|
|
case RPC_C_AUTHN_WINNT:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_WINNT\n"));
|
|
break;
|
|
case RPC_C_AUTHN_GSS_SCHANNEL:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_GSS_SCHANNEL\n"));
|
|
break;
|
|
case RPC_C_AUTHN_GSS_KERBEROS:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_GSS_KERBEROS\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DPA:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DPA\n"));
|
|
break;
|
|
case RPC_C_AUTHN_MSN:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_MSN\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DIGEST:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DIGEST\n"));
|
|
break;
|
|
case RPC_C_AUTHN_MQ:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_MQ\n"));
|
|
break;
|
|
case RPC_C_AUTHN_DEFAULT:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: RPC_C_AUTHN_DEFAULT\n"));
|
|
break;
|
|
default:
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: Authentication service: UNKNOWN!!!\n"));
|
|
break;
|
|
}
|
|
|
|
done:
|
|
if(CallAttributes.ServerPrincipalName)
|
|
{
|
|
LocalFree(CallAttributes.ServerPrincipalName);
|
|
}
|
|
if(CallAttributes.ClientPrincipalName)
|
|
{
|
|
LocalFree(CallAttributes.ClientPrincipalName);
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: -|--------------------------------------------|-\n"));
|
|
}
|
|
#endif //DBG
|
|
|
|
RPC_STATUS __stdcall
|
|
RpcSecurityCallback(
|
|
IN RPC_IF_HANDLE Interface,
|
|
IN void *Context)
|
|
{
|
|
RPC_STATUS status;
|
|
WCHAR *szStringBinding = NULL;
|
|
WCHAR *szProtSeq = NULL;
|
|
RPC_CALL_ATTRIBUTES CallAttributes; // this maps to RPC_CALL_ATTRIBUTES_V1
|
|
BOOL bUsingLPC;
|
|
BOOL bUsingNP;
|
|
|
|
#ifdef DBG
|
|
//To enable tracing, set these registry values:
|
|
//HKLM\System\CurrentControlSet\Control\TerminalServer:
|
|
//TraceEnable=(dword)0x8
|
|
//TraceClass=(dword)0x1
|
|
//TraceDebugger=(dword)0x1
|
|
PrintClientInfo();
|
|
#endif //DBG
|
|
|
|
status = RpcBindingToStringBinding(Context, &szStringBinding);
|
|
if(status != RPC_S_OK)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: RpcBindingToStringBinding failed - %d\n", status));
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
|
|
|
|
status = RpcStringBindingParse(szStringBinding,
|
|
NULL, &szProtSeq, NULL, NULL, NULL);
|
|
if(status != RPC_S_OK)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: RpcStringBindingParse failed - %d\n", status));
|
|
RpcStringFree(&szStringBinding);
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
RpcStringFree(&szStringBinding);
|
|
|
|
bUsingLPC = (!_wcsicmp(szProtSeq, L"ncalrpc"));
|
|
bUsingNP = (!_wcsicmp(szProtSeq, L"ncacn_np"));
|
|
|
|
if(!bUsingLPC && !bUsingNP)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Client is neither using named pipe nor LPC!\n"));
|
|
RpcStringFree(&szProtSeq);
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
RpcStringFree(&szProtSeq);
|
|
|
|
memset(&CallAttributes, 0, sizeof(CallAttributes));
|
|
CallAttributes.Version = RPC_CALL_ATTRIBUTES_VERSION;
|
|
CallAttributes.Flags = 0;
|
|
|
|
status = RpcServerInqCallAttributes(Context, &CallAttributes);
|
|
|
|
if(status == RPC_S_BINDING_HAS_NO_AUTH && !g_MachinePolicy.fEncryptRPCTraffic)
|
|
{
|
|
//User must be authenticated at least on a transport level,
|
|
//even when we are not in "Secure" mode.
|
|
status = RpcImpersonateClient(NULL);
|
|
if(status != RPC_S_OK)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Cannot impersonate client: %d\n",status));
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
//No anonymous calls are allowed.
|
|
if(IsCallerAnonymous())
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Caller is ANONYMOUS!\n"));
|
|
RpcRevertToSelf();
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
RpcRevertToSelf();
|
|
|
|
//We are not in "Secure" mode. Nothing more to check out.
|
|
return RPC_S_OK;
|
|
}
|
|
|
|
if(status != RPC_S_OK)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: RpcServerInqCallAttributes failed - %d\n", status));
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
if(g_MachinePolicy.fEncryptRPCTraffic)
|
|
{
|
|
//Check authentication level only when we in "Secure" mode.
|
|
if(CallAttributes.AuthenticationLevel != RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: AuthLevel != RPC_C_AUTHN_LEVEL_PKT_PRIVACY\n"));
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
}
|
|
|
|
if(CallAttributes.NullSession != 0)
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: NULL SESSION!\n"));
|
|
return ERROR_ACCESS_DENIED;
|
|
}
|
|
|
|
return RPC_S_OK;
|
|
}
|
|
|
|
RPC_STATUS
|
|
RegisterRPCInterface(
|
|
BOOL bReregister)
|
|
{
|
|
RPC_STATUS Status;
|
|
static BOOL bRunSecure = FALSE;
|
|
WCHAR *szDefaultSPN = NULL;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: IN RegisterRPCInterface Reregister=%d OldSecure= %d Secure=%d\n",bReregister, bRunSecure, g_MachinePolicy.fEncryptRPCTraffic));
|
|
|
|
if(bReregister)
|
|
{
|
|
if( bRunSecure == g_MachinePolicy.fEncryptRPCTraffic )
|
|
{
|
|
return RPC_S_OK;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
Status = RpcServerInqDefaultPrincName(RPC_C_AUTHN_GSS_NEGOTIATE, &szDefaultSPN);
|
|
if( Status != RPC_S_OK )
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Error %d RpcServerInqDefaultPrincName\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
Status = RpcServerRegisterAuthInfo(
|
|
szDefaultSPN, // service SPN,
|
|
RPC_C_AUTHN_GSS_NEGOTIATE,
|
|
NULL,
|
|
NULL );
|
|
if (szDefaultSPN) {
|
|
RpcStringFree(&szDefaultSPN);
|
|
}
|
|
|
|
if( Status != RPC_S_OK )
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Error %d RpcServerRegisterAuthInfo\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: RpcServerRegisterAuthInfo OK!\n"));
|
|
}
|
|
|
|
bRunSecure = g_MachinePolicy.fEncryptRPCTraffic;
|
|
|
|
|
|
// Register our interface handle
|
|
Status = RpcServerRegisterIfEx(
|
|
IcaApi_ServerIfHandle,
|
|
NULL,
|
|
NULL,
|
|
bRunSecure ? RPC_IF_ALLOW_SECURE_ONLY : RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH,
|
|
RPC_C_LISTEN_MAX_CALLS_DEFAULT,
|
|
&RpcSecurityCallback);
|
|
|
|
if( Status != RPC_S_OK )
|
|
{
|
|
TRACE((hTrace,TC_ICASRV,TT_ERROR,"TERMSRV: Error %d RpcServerRegisterIf\n",Status));
|
|
return( Status );
|
|
}
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API4,"TERMSRV: RpcServerRegisterIfEx OK!\n"));
|
|
return( Status );
|
|
}
|
|
|
|
/*++
|
|
|
|
RpcWinStationCheckAccess - find out if a User has a specific access to a WinStation
|
|
|
|
Parameters:
|
|
|
|
ClientLogonId : Session ID of the calling process
|
|
UserToken : Token of the User whose access needs to be determined
|
|
TargetLogonId : Target Session Id against whom we should verify Access
|
|
AccessMask : Desired Access - eg. WINSTATION_LOGON
|
|
|
|
Returns:
|
|
|
|
TRUE if User has required Access. FALSE otherwise
|
|
|
|
--*/
|
|
|
|
BOOLEAN
|
|
RpcWinStationCheckAccess(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
ULONG ClientLogonId,
|
|
DWORD UserToken,
|
|
ULONG TargetLogonId,
|
|
ULONG AccessMask
|
|
)
|
|
{
|
|
|
|
NTSTATUS Status;
|
|
|
|
if(!hServer) {
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
return( FALSE );
|
|
}
|
|
|
|
/*
|
|
* Make sure the caller is SYSTEM
|
|
*/
|
|
Status = RpcCheckSystemClient( ClientLogonId );
|
|
if ( !NT_SUCCESS( Status ) ) {
|
|
*pResult = Status;
|
|
return( FALSE );
|
|
}
|
|
|
|
|
|
*pResult = WinStationCheckAccessWorker(
|
|
ClientLogonId,
|
|
UserToken,
|
|
TargetLogonId,
|
|
AccessMask
|
|
);
|
|
|
|
return( *pResult == STATUS_SUCCESS ? TRUE : FALSE );
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* WinStationCheckAccessWorker
|
|
*
|
|
* Worker function for RpcWinStationCheckAccess
|
|
****************************************************************************/
|
|
NTSTATUS WinStationCheckAccessWorker(
|
|
ULONG ClientLogonId,
|
|
DWORD UserToken,
|
|
ULONG TargetLogonId,
|
|
ULONG AccessMask
|
|
)
|
|
|
|
{
|
|
PWINSTATION pWinStation, pClientWinStation;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
HANDLE ClientToken, NewToken, ImpersonationToken;
|
|
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
|
|
OBJECT_ATTRIBUTES ObjA;
|
|
BOOL bAccessCheckOk = FALSE;
|
|
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCheckAccessWorker, ClientLogonId=%d \n", ClientLogonId));
|
|
|
|
if ( ShutdownInProgress ) {
|
|
return ( STATUS_CTX_WINSTATION_ACCESS_DENIED );
|
|
}
|
|
|
|
pClientWinStation = FindWinStationById( ClientLogonId, FALSE );
|
|
if ( pClientWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Get a valid copy of the clients token handle
|
|
*/
|
|
Status = NtDuplicateObject( pClientWinStation->InitialCommandProcess,
|
|
(HANDLE)LongToHandle( UserToken ),
|
|
NtCurrentProcess(),
|
|
&ClientToken,
|
|
0, 0,
|
|
DUPLICATE_SAME_ACCESS |
|
|
DUPLICATE_SAME_ATTRIBUTES );
|
|
|
|
if (Status != STATUS_SUCCESS) {
|
|
ReleaseWinStation(pClientWinStation);
|
|
goto done;
|
|
}
|
|
|
|
ReleaseWinStation(pClientWinStation);
|
|
|
|
/*
|
|
* ClientToken is a primary token - create an impersonation token
|
|
* version of it so we can set it on our thread
|
|
*/
|
|
InitializeObjectAttributes( &ObjA, NULL, 0L, NULL, NULL );
|
|
|
|
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
|
|
SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
|
|
SecurityQualityOfService.EffectiveOnly = FALSE;
|
|
|
|
ObjA.SecurityQualityOfService = &SecurityQualityOfService;
|
|
|
|
Status = NtDuplicateToken( ClientToken,
|
|
TOKEN_IMPERSONATE,
|
|
&ObjA,
|
|
FALSE,
|
|
TokenImpersonation,
|
|
&ImpersonationToken );
|
|
if (Status != STATUS_SUCCESS) {
|
|
NtClose(ClientToken);
|
|
goto done;
|
|
}
|
|
|
|
/*
|
|
* Impersonate the client
|
|
*/
|
|
Status = NtSetInformationThread( NtCurrentThread(),
|
|
ThreadImpersonationToken,
|
|
(PVOID)&ImpersonationToken,
|
|
(ULONG)sizeof(HANDLE) );
|
|
if ( Status != STATUS_SUCCESS ) {
|
|
goto CloseTokens;
|
|
}
|
|
|
|
/*
|
|
* Find and lock Target WinStation
|
|
*/
|
|
pWinStation = FindWinStationById( TargetLogonId, FALSE );
|
|
if ( pWinStation == NULL ) {
|
|
Status = STATUS_CTX_WINSTATION_NOT_FOUND;
|
|
goto CloseTokens;
|
|
}
|
|
|
|
Status = RpcCheckClientAccess(pWinStation, AccessMask, TRUE);
|
|
|
|
/*
|
|
* Revert back to our threads default token.
|
|
*/
|
|
NewToken = NULL;
|
|
NtSetInformationThread( NtCurrentThread(),
|
|
ThreadImpersonationToken,
|
|
(PVOID)&NewToken,
|
|
(ULONG)sizeof(HANDLE) );
|
|
|
|
ReleaseWinStation(pWinStation);
|
|
|
|
CloseTokens:
|
|
NtClose(ImpersonationToken);
|
|
NtClose(ClientToken);
|
|
|
|
done:
|
|
/*
|
|
* Save return status in API message
|
|
*/
|
|
TRACE((hTrace,TC_ICASRV,TT_API1, "TERMSRV: WinStationCheckAccess, Status=0x%x\n", Status ));
|
|
return Status;
|
|
|
|
}
|
|
|
|
/*****************************************************************************
|
|
* RpcWinStationOpenSessionDirectory
|
|
Ping SD to see if it can accept RPC call
|
|
|
|
Params:
|
|
hServer: not used
|
|
pszServerName: SD server name
|
|
Return:
|
|
ERROR_SUCCESS if SD can accept RPC call
|
|
otherwise NT error code is returned
|
|
****************************************************************************/
|
|
BOOLEAN RpcWinStationOpenSessionDirectory(
|
|
HANDLE hServer,
|
|
DWORD *pResult,
|
|
PWCHAR pszServerName)
|
|
{
|
|
RPC_STATUS RpcStatus;
|
|
DWORD SessDirError;
|
|
|
|
if(!hServer || !pszServerName || !*pszServerName)
|
|
{
|
|
*pResult = STATUS_INVALID_PARAMETER;
|
|
goto Exit;
|
|
}
|
|
|
|
if ( ShutdownInProgress )
|
|
{
|
|
*pResult = STATUS_CTX_WINSTATION_ACCESS_DENIED;
|
|
goto Exit;
|
|
}
|
|
|
|
// TS can only participate in session directory if it is in
|
|
// app. server mode and is ADS SKU
|
|
if( g_bPersonalTS || !g_fAppCompat || !g_bAdvancedServer )
|
|
{
|
|
*pResult = STATUS_UNSUCCESSFUL;
|
|
goto Exit;
|
|
}
|
|
|
|
// Impersonate client and only allow service and admin to call
|
|
RpcStatus = RpcImpersonateClient( NULL );
|
|
if( RpcStatus != RPC_S_OK )
|
|
{
|
|
*pResult = STATUS_CANNOT_IMPERSONATE;
|
|
goto Exit;
|
|
}
|
|
|
|
if ( !(IsCallerSystem() || IsCallerAdmin()) )
|
|
{
|
|
*pResult = STATUS_ACCESS_DENIED;
|
|
RpcRevertToSelf();
|
|
goto Exit;
|
|
}
|
|
RpcRevertToSelf();
|
|
|
|
SessDirError = SessDirOpenSessionDirectory( pszServerName );
|
|
*pResult = WinStationWinerrorToNtStatus( SessDirError );
|
|
Exit:
|
|
|
|
return(*pResult == STATUS_SUCCESS ? TRUE : FALSE);
|
|
}
|