  • Status: Solved

Detect Win Logoff from a Win Service

Visual C++ 6, ATL, Non-MFC.

I'm trying to detect a Windows logoff from a service that's running under the Local System account. I know how to do it from an application, but from a Windows service that isn't logged on as a specific user, I'm having trouble finding out how.
Asked by Chizl
1 Solution
 
jkrCommented:
Use a Winlogon Notification Package for that purpose: http://msdn2.microsoft.com/en-us/library/aa380545.aspx ("Winlogon Notification Packages")

The scoop is to export a set of functions that Winlogon calls for each logon/logoff event:

// Here is the event handler for the Winlogon Logon event.
// pInfo carries the user name, domain, window station and token of the session.
VOID WLEventLogon (PWLX_NOTIFICATION_INFO pInfo)
{
    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventLogon.\r\n"));
}

// Here is the event handler for the Winlogon Logoff event.
VOID WLEventLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    OutputDebugString (TEXT("NOTIFY:  Entering WLEventLogoff.\r\n"));
}

(http://msdn2.microsoft.com/en-us/library/aa375405.aspx - "Event Handler Function Prototype")

and register them accordingly as described in http://msdn2.microsoft.com/en-us/library/aa379402.aspx ("Registry Entries")

See also http://msdn2.microsoft.com/en-us/library/aa374783.aspx ("Creating a Winlogon Notification Package") and http://msdn2.microsoft.com/en-us/library/aa379380.aspx ("Registering a Winlogon Notification Package")

 
ChizlAuthor Commented:
Damn.. I have to write a separate DLL to do this. Is there no way to do this from within the service? I really don't want to create a DLL just to handle events for shutdown. Seems like a waste.
 
jkrCommented:
Such a DLL is quite easy to write; the above code pretty much covers it. Another "trick" that will work in that context is to call 'RegNotifyChangeKeyValue()' (http://msdn2.microsoft.com/en-us/library/ms724892.aspx) on 'HKEY_USERS' to receive a notification when a user's hive is unloaded.

 
ChizlAuthor Commented:
I can create the DLL; that wasn't the problem. The problem is creating another DLL that does little to nothing. Just wondering if there is a way to monitor the same results within my application.

On your second note, I didn't quite understand. I didn't read anywhere that the registry changes when Windows gets a logoff command from an application. Are you saying it does?
 
jkrCommented:
Upon logon, each user's 'ntuser.dat' is loaded via 'RegLoadKey()' and mounted under 'HKEY_USERS'. Then a symbolic link named 'HKEY_CURRENT_USER' is created that points to that hive. When a user logs off, that hive is unloaded again, so monitoring these changes effectively will notify you about such events. See e.g. http://www.experts-exchange.com/Programming/Programming_Platforms/Win_Prog/Q_20788246.html where you will find code that lists the logged on users based on the entries under HKEY_USERS.
 
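The HKEY_USERS approach jkr describes, worked through as an added example (this is not code from the thread): a service thread arms 'RegNotifyChangeKeyValue()' on HKEY_USERS, and after each wake-up diffs the set of loaded hives to find which user's hive disappeared. The set logic is kept separate from the Windows calls so it builds and can be exercised anywhere; the Windows loop only compiles under _WIN32. The subkey names in the comments are constructed samples, and 'hStop' is assumed to be the service's own stop event.

```cpp
// Added example, not the thread's code: detect logoffs from a service by watching
// HKEY_USERS for unloaded hives (jkr's RegNotifyChangeKeyValue() suggestion).
#include <set>
#include <string>
#include <vector>

typedef std::set<std::string> HiveSet;

// Subkeys of HKEY_USERS that never belong to an interactive user: .DEFAULT and the
// well-known SIDs of SYSTEM (S-1-5-18), LOCAL SERVICE (-19) and NETWORK SERVICE (-20).
static bool IsUserHive(const std::string &name)
{
    if (name == ".DEFAULT" || name == "S-1-5-18" || name == "S-1-5-19" || name == "S-1-5-20")
        return false;
    return name.compare(0, 4, "S-1-") == 0;
}

// "<SID>_Classes" is the per-user class hive loaded next to ntuser.dat; fold it into
// the SID so that one logoff is reported once, not twice.
static std::string HiveSid(const std::string &name)
{
    const std::string suffix = "_Classes";
    if (name.size() > suffix.size() &&
        name.compare(name.size() - suffix.size(), suffix.size(), suffix) == 0)
        return name.substr(0, name.size() - suffix.size());
    return name;
}

// Normalise the raw HKEY_USERS subkey list (e.g. ".DEFAULT", "S-1-5-18",
// "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1001_Classes") into logged-on user SIDs.
HiveSet UserSids(const std::vector<std::string> &keys)
{
    HiveSet sids;
    for (size_t i = 0; i < keys.size(); ++i)
        if (IsUserHive(keys[i]))
            sids.insert(HiveSid(keys[i]));
    return sids;
}

// SIDs present before the change but not after it: those hives were unloaded (logoff).
HiveSet UnloadedSids(const HiveSet &before, const HiveSet &after)
{
    HiveSet gone;
    for (HiveSet::const_iterator it = before.begin(); it != before.end(); ++it)
        if (after.find(*it) == after.end())
            gone.insert(*it);
    return gone;
}

#ifdef _WIN32
#include <windows.h>

// Each loaded hive is one direct subkey of HKEY_USERS.
static std::vector<std::string> ReadHiveKeys()
{
    std::vector<std::string> keys;
    char name[256];
    for (DWORD i = 0;; ++i) {
        DWORD len = sizeof(name);
        if (RegEnumKeyExA(HKEY_USERS, i, name, &len, NULL, NULL, NULL, NULL) != ERROR_SUCCESS)
            break;
        keys.push_back(name);
    }
    return keys;
}

// Worker loop for the service. hStop is assumed to be the service's stop event.
// RegNotifyChangeKeyValue() signals once per call, so it is re-armed after every wake-up;
// REG_NOTIFY_CHANGE_NAME fires when a subkey (hive) is added or removed.
void WatchLogoffs(HANDLE hStop)
{
    HANDLE hChange = CreateEvent(NULL, FALSE, FALSE, NULL);
    HiveSet current = UserSids(ReadHiveKeys());
    for (;;) {
        if (RegNotifyChangeKeyValue(HKEY_USERS, FALSE, REG_NOTIFY_CHANGE_NAME, hChange, TRUE) != ERROR_SUCCESS)
            break;
        HANDLE waits[2] = { hStop, hChange };
        if (WaitForMultipleObjects(2, waits, FALSE, INFINITE) != WAIT_OBJECT_0 + 1)
            break;                                   // stop requested or wait failed
        HiveSet now = UserSids(ReadHiveKeys());
        HiveSet gone = UnloadedSids(current, now);
        for (HiveSet::const_iterator it = gone.begin(); it != gone.end(); ++it)
            OutputDebugStringA(("NOTIFY: hive unloaded (logoff) for " + *it + "\r\n").c_str());
        current = now;
    }
    CloseHandle(hChange);
}
#endif
```

Two limits worth knowing before relying on this: the hive is only unloaded when nothing holds a handle into it, so a process that keeps a registry key open past logoff delays or hides the event, and the diff tells you which SID went away, not which session, so it does not distinguish a fast-user-switched session from a full logoff.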
ChizlAuthor Commented:
I created the following code for the DLL.  I put the DLL in the Sys32 folder, added it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MyCompany

I have the following values:
Asynchronous = DW (0)
DllName = EX_SZ ("my_notify.dll")
Impersonate = DW (0)
Logoff = SZ ("WLEventLogoff")
Logon = SZ ("WLEventLogon")

With all this setup, I never get a log file written.   What am I missing?

[code]
// my_notify.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include <WinWlx.h>
#include <fstream>
#include <cstring>
using namespace std;

// The CRT entry point (_DllMainCRTStartup) calls DllMain; a function named
// LibMain would never be called.
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
        {
          DisableThreadLibraryCalls (hInstance);      
        }
        break;
    }
    return TRUE;
}

void WriteLog(const char* buffer)
{
      size_t size = strlen(buffer);

      // Open in append mode so each event adds a line instead of overwriting the file.
      ofstream outfile ("c:\\notify.txt", ofstream::binary | ofstream::app);
      outfile.write (buffer, size);
      outfile.close();
}

// Note: neither handler is exported here (no __declspec(dllexport) and no .def file),
// so Winlogon cannot resolve the names given in the Logon/Logoff registry values.
VOID APIENTRY WLEventLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
    WriteLog("NOTIFY:  Entering WLEventLogoff.\r\n");
}

VOID APIENTRY WLEventLogon (PWLX_NOTIFICATION_INFO pInfo)
{
    WriteLog("NOTIFY:  Entering WLEventLogon.\r\n");
}
[/code]
 
jkrCommented:
If you are using a file with a .cpp extension, make that

extern "C" VOID APIENTRY WLEventLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
    WriteLog("NOTIFY:  Entering WLEventLogff.\r\n");
}

extern "C" VOID APIENTRY WLEventLogon (PWLX_NOTIFICATION_INFO pInfo)
{
    WriteLog("NOTIFY:  Entering WLEventLogon.\r\n");
}

to turn off C++ name mangling for the exported functions.
 
ChizlAuthor Commented:
I figured it out yesterday.. I did it the old way.. Created a DEF file and added it to the link..

Thanks for all your help.
 
ChizlAuthor Commented:
FYI: extern "C" didn't work. What did work is:

Created a .def file with this content:
## bof ##
EXPORTS
WLEventLogoff
WLEventLogon
## eof ##

Then in the compiler under Link | Project Options add the following:
/def:"myfile.def"

Recompile it and it works fine.

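Pulling the thread together as an added example (not Chizl's or jkr's code): a complete notification package DLL with jkr's two handlers, the registry values Chizl listed, and the export fixed in both of the ways discussed. The name is resolved by Winlogon at run time, so the handlers must appear unmangled in the DLL's export table; extern "C" only removes the C++ decoration, and it is the __declspec(dllexport) (or the .def file) that actually exports them. The Windows-specific parts compile only under _WIN32; a small stand-in for WLX_NOTIFICATION_INFO lets the event-formatting and append-logging logic build and be tested elsewhere. Notification packages exist on Windows 2000/XP/2003 only; Vista removed the mechanism. The log path and sample user/domain names are constructed.

```cpp
// Added example, not the thread's code: a complete Winlogon Notification Package DLL
// (Windows 2000/XP/2003; the mechanism was removed in Windows Vista).
//
// Registration, values as listed in the thread, under
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MyCompany
//   Asynchronous = REG_DWORD 0, Impersonate = REG_DWORD 0,
//   DllName = REG_EXPAND_SZ "my_notify.dll", Logon = "WLEventLogon", Logoff = "WLEventLogoff"
//
// Export: either the __declspec(dllexport) below, or a my_notify.def containing
//   EXPORTS
//   WLEventLogoff
//   WLEventLogon
// linked with /def:"my_notify.def". Without one of the two Winlogon cannot find the names.
#include <fstream>
#include <string>

#ifdef _WIN32
#  include <windows.h>
#  include <winwlx.h>                       // WLX_NOTIFICATION_INFO
#  define NOTIFY_EXPORT extern "C" __declspec(dllexport)
static const char *const LOG_PATH = "C:\\notify.txt";   // constructed sample path
#else
// Stand-in declarations so the formatting/logging logic builds and can be tested off Windows.
typedef wchar_t *PWSTR;
typedef struct _WLX_NOTIFICATION_INFO {
    unsigned long Size, Flags;
    PWSTR UserName, Domain, WindowStation;
    void *hToken, *hDesktop, *pStatusCallback;
} WLX_NOTIFICATION_INFO, *PWLX_NOTIFICATION_INFO;
#  define NOTIFY_EXPORT extern "C"
#  define VOID void
#  define APIENTRY
static const char *const LOG_PATH = "notify.txt";
#endif

// Winlogon hands over UTF-16 strings; this keeps ASCII and replaces anything else with '?'
// (a real build would use WideCharToMultiByte()). Null pointers yield an empty string.
static std::string Narrow(const wchar_t *s)
{
    std::string out;
    for (; s && *s; ++s)
        out += (*s < 128) ? static_cast<char>(*s) : '?';
    return out;
}

// One log line per event: which handler fired, for which DOMAIN\user, on which window station.
std::string FormatEvent(const char *eventName, const WLX_NOTIFICATION_INFO *info)
{
    std::string line = "NOTIFY: ";
    line += eventName;
    line += " user=" + (info ? Narrow(info->Domain) : std::string()) + "\\"
          + (info ? Narrow(info->UserName) : std::string());
    line += " winsta=" + (info ? Narrow(info->WindowStation) : std::string());
    line += "\r\n";
    return line;
}

// Append rather than overwrite, so every logon/logoff is kept. The handlers run inside
// Winlogon as SYSTEM, so the log file belongs in a location only administrators can write.
bool AppendLog(const char *path, const std::string &line)
{
    std::ofstream out(path, std::ios::app | std::ios::binary);
    if (!out)
        return false;
    out << line;
    return out.good();
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID)
{
    if (dwReason == DLL_PROCESS_ATTACH)
        DisableThreadLibraryCalls(hInstance);
    return TRUE;
}
#endif

// The two handlers named by the Logon and Logoff registry values.
NOTIFY_EXPORT VOID APIENTRY WLEventLogon(PWLX_NOTIFICATION_INFO pInfo)
{
    AppendLog(LOG_PATH, FormatEvent("Logon", pInfo));
}

NOTIFY_EXPORT VOID APIENTRY WLEventLogoff(PWLX_NOTIFICATION_INFO pInfo)
{
    AppendLog(LOG_PATH, FormatEvent("Logoff", pInfo));
}
```

With Impersonate set to 0 the handlers run as SYSTEM, which is why the log path matters; with Asynchronous set to 0 Winlogon waits for the handler to return, so anything slow in it delays the user's logon or logoff.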