-
November 30th, 2005, 03:31 PM
#1
check if user logged on win2k
I've made a service, but now I want to check if a user has logged on, and if not, increase a variable. Then I shut down Windows if no user is logged on for 15 minutes.
The problem is, how to check if a user has logged in on win2k as a service?
Thanks in advance.
-
November 30th, 2005, 04:02 PM
#2
Re: check if user logged on win2k
You can periodically check if the explorer.exe process is running. If not, no user is logged on.
-
November 30th, 2005, 05:21 PM
#3
Re: check if user logged on win2k
also you can take a look at:
Cheers
-
December 2nd, 2005, 01:28 PM
#4
Re: check if user logged on win2k
 Originally Posted by golanshahar
also you can take a look at:
Cheers
Bad guess. These functions have no relation to interactively logged-on user information.
2 martijnberntsen:
You may consider Winlogon Notification Packages.
Another way is to inspect the registry for HKEY_USERS\S-1-5-21-xxx. If a user is logged on, his key is loaded into the registry. Though this is true for network sessions as well.
Best regards,
Igor
-
December 2nd, 2005, 03:43 PM
#5
Re: check if user logged on win2k
 Originally Posted by Igor Vartanov
Bad guess. These functions have no relation to interactively logged-on user information.
Not according to MSDN!
::NetWkstaUserGetInfo(...)
 Originally Posted by MSDN
level
[in] Specifies the information level of the data.
0 - Return the name of the user currently logged on to the workstation. The bufptr parameter points to a WKSTA_USER_INFO_0 structure.
 Originally Posted by MSDN
WKSTA_USER_INFO_0
The WKSTA_USER_INFO_0 structure contains the name of the user on a specified workstation
OP asked:
...now I want to check if a user has logged on,...
This function will return the name of the logged on user (if there is one)...
Maybe I'm missing something here... enlighten me then...
Cheers
-
December 2nd, 2005, 06:18 PM
#6
Re: check if user logged on win2k
 Originally Posted by igor
Another way is to inspect the registry for HKEY_USERS\S-1-5-21-xxx. If a user is logged on, his key is loaded into the registry. Though this is true for network sessions as well.
So you're saying that whenever a user is logged there is a key S-1-5-21-xxx there? Why S-1-5-21? I have
S-1-5-18
S-1-5-19
S-1-5-19_Classes
S-1-5-20
S-1-5-20_Classes
S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx
S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes
Can you elaborate a bit on this?
-
December 4th, 2005, 05:38 AM
#7
Re: check if user logged on win2k
 Originally Posted by golanshahar
Not according to MSDN!
Oops! Yes, sure you're right... I'm sorry. My response was quite reflex.
Maybe I'm missing something here... enlighten me then...
One thing. Any NetXxxx function call always fails under the LocalSystem account. To get workstation user info the service must run under any user account permitted for networking. It might be quite a constraint. It's easier to check if any shell process is running. Or even to find out if the Wksta0\Default desktop is created.
2 cilu: BTW explorer.exe is not the only shell permitted on Windows.
The shell name may be obtained from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell value.
Last edited by Igor Vartanov; December 4th, 2005 at 07:33 AM.
Best regards,
Igor
-
December 4th, 2005, 05:47 AM
#8
Re: check if user logged on win2k
 Originally Posted by cilu
So you're saying that whenever a user is logged there is a key S-1-5-21-xxx there? Why S-1-5-21? I have
S-1-5-18
S-1-5-19
S-1-5-19_Classes
S-1-5-20
S-1-5-20_Classes
S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx
S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes
Can you elaborate a bit on this?
Sure.
See WinNT.h
Local System S-1-5-18
Local Service S-1-5-19
Network Service S-1-5-20
(NT non-unique IDs) S-1-5-0x15-... ( NT Domain Sids)
(Built-in domain) S-1-5-0x20
As you can see I forgot built-in domain accounts - local Administrator for example. Thanks, cilu!
BTW xxx_Classes node holds user's COM class information. It is mapped to HKEY_CURRENT_USER\Software\Classes.
Last edited by Igor Vartanov; December 4th, 2005 at 05:56 AM.
Best regards,
Igor
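Added example (not part of any post in this thread, and not code from any poster): a portable C classifier for HKEY_USERS subkey names, using only the SID values listed in posts #6 and #8. The function and enum names are hypothetical and the key names in main() are constructed; a real service would obtain the names by enumerating HKEY_USERS, and, as post #4 notes, a loaded user hive can also come from a network session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { HKU_OTHER, HKU_SERVICE, HKU_USER, HKU_CLASSES } hku_kind;

/* Classify one HKEY_USERS subkey name (hypothetical helper). */
hku_kind classify_hku_subkey(const char *name)
{
    static const char suffix[] = "_Classes";
    size_t n = strlen(name), s = sizeof suffix - 1;
    char *end;
    unsigned long sub;

    /* xxx_Classes holds COM class data for a SID, not a separate logon. */
    if (n > s && strcmp(name + n - s, suffix) == 0)
        return HKU_CLASSES;
    if (strncmp(name, "S-1-5-", 6) != 0)
        return HKU_OTHER;                 /* e.g. .DEFAULT */
    sub = strtoul(name + 6, &end, 10);
    if (end == name + 6)
        return HKU_OTHER;                 /* no numeric sub-authority */
    /* 18 = Local System, 19 = Local Service, 20 = Network Service */
    if (sub >= 18 && sub <= 20 && *end == '\0')
        return HKU_SERVICE;
    /* 21 (0x15) followed by more sub-authorities: a user account's hive */
    if (sub == 21 && *end == '-')
        return HKU_USER;
    return HKU_OTHER;
}

/* Count loaded user hives; the _Classes twin of a SID is not counted twice. */
int count_user_hives(const char *const *names, size_t count)
{
    int users = 0;
    for (size_t i = 0; i < count; i++)
        if (classify_hku_subkey(names[i]) == HKU_USER)
            users++;
    return users;
}

int main(void)
{
    /* Constructed sample, modelled on the key list in post #6. */
    const char *const sample[] = {
        ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-19_Classes", "S-1-5-20",
        "S-1-5-21-1111111111-2222222222-3333333333-1001",
        "S-1-5-21-1111111111-2222222222-3333333333-1001_Classes" };
    printf("loaded user hives: %d\n", count_user_hives(sample, 7));
    return 0;
}
```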
-
December 5th, 2005, 05:38 AM
#9
Re: check if user logged on win2k
You can find all interactive users on the system by enumerating all processes and looking for SECURITY_INTERACTIVE_RID in each process' access token (among the group SIDs). You can then grab the corresponding (interactive) user SID for that app and ultimately collect all unique interactive users. Narrowing things down to the person who actually logged on at the desktop may not be as simple however (I'd have to take a look). In any case, these are non-trivial issues for the uninitiated.