Part of my Sysinternals Primer: Gems presentation at TechEd last month covered the topics of terminal services sessions, window stations and desktops. To illustrate the concepts, I used a utility I wrote called TSSessions. As promised, I have attached that utility (with source) to this blog post.
TSSessions reports four sets of information:
- The TS session, window station and desktop on which the instance of TSSessions is running;
- The current user input desktop in the current session;
- Enumeration of all terminal services sessions, identifying which is the console session;
- Enumeration of window stations and desktops in the current TS session. The security descriptors of these objects are included in the output in SDDL form. Run TSSessions with the -NoSD command option to omit the security descriptors from the output.
Try running TSSessions under the System account; e.g., with "PsExec -sid cmd.exe". The System account has visibility into more details than even a regular administrative account has. Also try running TSSessions remotely in session 0 (PsExec -s cmd.exe), as I demonstrate in the Sysinternals talk. Here's some sample TSSessions output from the System account's non-interactive window station in session 0:
```
This process/thread running in:
Session 0
WinSta Service-0x0-3e7$
Desktop Default
Current user input Desktop: Incorrect function. (Error # 1 = 0x00000001)
Terminal Sessions: 3
Console Session = 1
Session ID: 0
Window Station Name : Services
State : Disconnected
WTS User Name :
No Token
Session ID: 1
Window Station Name : Console
State : Active
WTS User Name : Aaron
Token Logon Session : 00000000:000666b6
Token Integrity Level: Medium
Session ID: 65536
Window Station Name : RDP-Tcp
State : Listen
WTS User Name :
Window stations in the current session:
WinSta: WinSta0
Flags: 0x00000001
SID: (No user)
Desktop: Default
SID: (No user)
Desktop: Disconnect
SID: (No user)
Desktop: Winlogon
SID: (No user)
WinSta: Service-0x0-3e7$
Flags: 0x00000000
SID: (No user)
EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
WinSta: Service-0x0-3e4$
Flags: Access is denied. (Error # 5 = 0x00000005)
SID: Access is denied. (Error # 5 = 0x00000005)
EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
WinSta: Service-0x0-3e5$
Flags: Access is denied. (Error # 5 = 0x00000005)
SID: Access is denied. (Error # 5 = 0x00000005)
EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
```
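To help read the window station list above, here is an added example (not part of TSSessions or the original post) that parses that section of the output and decodes each `Service-0xHIGH-LOW$` name into the logon session LUID it encodes. The function names are hypothetical, the LUID-to-account table comes from the Windows SDK's well-known values rather than from the post, and the sample is abbreviated from the output above.

```python
import re

# Well-known logon session LUIDs (low part) defined in the Windows SDK; not from the post.
WELL_KNOWN_LUIDS = {0x3E7: "SYSTEM", 0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE"}
SERVICE_WINSTA = re.compile(r"^Service-0x([0-9a-fA-F]+)-([0-9a-fA-F]+)\$$")

def decode_winsta(name):
    """Return (luid_high, luid_low, account) for a Service-0xHIGH-LOW$ name, else None."""
    m = SERVICE_WINSTA.match(name)
    if not m:
        return None  # interactive window station such as WinSta0
    high, low = int(m.group(1), 16), int(m.group(2), 16)
    return high, low, (WELL_KNOWN_LUIDS.get(low) if high == 0 else None)

def parse_window_stations(text):
    """Parse the 'Window stations in the current session' part of TSSessions output."""
    stations, current, in_section = [], None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Window stations in the current session"):
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("WinSta:"):
            name = line.split(":", 1)[1].strip()
            current = {"name": name, "logon": decode_winsta(name),
                       "desktops": [], "denied": []}
            stations.append(current)
        elif current and line.startswith("Desktop:"):
            current["desktops"].append(line.split(":", 1)[1].strip())
        elif current and "Access is denied." in line:
            # Record which query failed: Flags, SID or EnumDesktops.
            current["denied"].append(re.split(r"[:, ]", line, maxsplit=1)[0])
    return stations

# Abbreviated from the sample output in the post.
SAMPLE = """\
Window stations in the current session:
WinSta: WinSta0
Flags: 0x00000001
Desktop: Default
Desktop: Winlogon
WinSta: Service-0x0-3e7$
Flags: 0x00000000
EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
WinSta: Service-0x0-3e4$
Flags: Access is denied. (Error # 5 = 0x00000005)
EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
"""
```

Calling `parse_window_stations` on saved TSSessions output gives one record per window station, showing which logon session owns it and which queries the calling account was refused.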