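/// <summary>
/// Handles session logoff and logon for accounts whose description carries the
/// "pGina created pgSMB2" marker.
/// </summary>
/// <remarks>
/// Logoff: registers the user in <c>RunningTasks</c>, records a pending
/// (<c>Success = false</c>) notification result for this plugin and starts
/// <c>cleanup</c> on a new thread.
/// Logon: starts the configured login script, resolves and stores the local profile
/// path, re-labels the account as "pGina created pgSMB2 tmp" when a temporary profile
/// is detected, and launches proquota.exe in the user's session.
/// NOTE(review): whether an account is handled is decided purely from the text of
/// <c>userInfo.Description</c>; confirm who is able to edit that field.
/// </remarks>
/// <param name="SessionId">Session the event refers to; passed on to the process-start, message and cleanup helpers.</param>
/// <param name="Reason">Only <c>SessionLogoff</c> and <c>SessionLogon</c> are acted on.</param>
/// <param name="properties">Tracked session state; a null value makes the call a no-op.</param>
public void SessionChange(int SessionId, System.ServiceProcess.SessionChangeReason Reason, SessionProperties properties)
{
    if (properties == null)
    {
        return;
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff)
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        m_logger.DebugFormat("{1} SessionChange SessionLogoff for ID:{0}", SessionId, userInfo.Username);
        m_logger.InfoFormat("{3} {0} {1} {2}", userInfo.Description.Contains("pGina created pgSMB2"), userInfo.HasSID, properties.CREDUI, userInfo.Username);

        if (userInfo.Description.Contains("pGina created pgSMB2") && userInfo.HasSID && !properties.CREDUI)
        {
            // Take the lock before entering the try block: if acquisition itself throws,
            // the finally block must not call ExitWriteLock on a lock that was never taken
            // (that second exception would hide the original one).
            Locker.TryEnterWriteLock(-1);
            try
            {
                // The key is lower-cased with the current culture; presumably cleanup removes
                // it the same way - verify before switching to an invariant form.
                // NOTE(review): if RunningTasks is a dictionary, Add throws when the user is
                // already registered (e.g. an earlier cleanup still running) - confirm.
                RunningTasks.Add(userInfo.Username.ToLower(), true);
            }
            finally
            {
                Locker.ExitWriteLock();
            }

            // add this plugin into PluginActivityInformation
            m_logger.DebugFormat("{1} properties.id:{0}", properties.Id, userInfo.Username);
            PluginActivityInformation notification = properties.GetTrackedSingle<PluginActivityInformation>();
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, userInfo.Username);
            }

            m_logger.DebugFormat("{1} PluginActivityInformation add guid:{0}", PluginUuid, userInfo.Username);
            notification.AddNotificationResult(PluginUuid, new BooleanResult { Message = "", Success = false });
            properties.AddTrackedSingle<PluginActivityInformation>(notification);
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, userInfo.Username);
            }

            // The cleanup work runs on its own thread so this handler returns immediately.
            Thread rem_smb = new Thread(() => cleanup(userInfo, SessionId, properties));
            rem_smb.Start();
        }
        else
        {
            m_logger.InfoFormat("{0} {1}. I'm not executing Notification stage", userInfo.Username, (properties.CREDUI) ? "has a program running in his context" : "is'nt a pGina created pgSMB2 user");
        }
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogon)
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        if (!userInfo.HasSID)
        {
            m_logger.InfoFormat("{1} SessionLogon Event denied for ID:{0}", SessionId, userInfo.Username);
            return;
        }

        m_logger.DebugFormat("{1} SessionChange SessionLogon for ID:{0}", SessionId, userInfo.Username);
        if (!userInfo.Description.Contains("pGina created pgSMB2"))
        {
            m_logger.InfoFormat("{0} is'nt a pGina pgSMB2 plugin created user. I'm not executing Notification stage", userInfo.Username);
            return;
        }

        Dictionary<string, string> settings = GetSettings(userInfo.Username, userInfo);

        // The configured login script is started inside the user's session.
        if (!String.IsNullOrEmpty(settings["ScriptPath"]))
        {
            if (!Abstractions.WindowsApi.pInvokes.StartUserProcessInSession(SessionId, settings["ScriptPath"]))
            {
                m_logger.ErrorFormat("Can't run application {0}", settings["ScriptPath"]);
                Abstractions.WindowsApi.pInvokes.SendMessageToUser(SessionId, "Can't run application", String.Format("I'm unable to run your LoginScript\n{0}", settings["ScriptPath"]));
            }
        }

        // The cleartext password is needed to obtain a token; it must never reach the log.
        IntPtr hToken = Abstractions.WindowsApi.pInvokes.GetUserToken(userInfo.Username, null, userInfo.Password);
        if (hToken != IntPtr.Zero)
        {
            string uprofile = Abstractions.WindowsApi.pInvokes.GetUserProfilePath(hToken);
            if (String.IsNullOrEmpty(uprofile))
            {
                uprofile = Abstractions.WindowsApi.pInvokes.GetUserProfileDir(hToken);
            }
            Abstractions.WindowsApi.pInvokes.CloseHandle(hToken);
            m_logger.InfoFormat("add LocalProfilePath:[{0}]", uprofile);

            // Record where the profile really is, instead of assuming it will be created or
            // changed during login (temp profile after a Windows error reading the profile).
            userInfo.LocalProfilePath = uprofile;
            properties.AddTrackedSingle<UserInformation>(userInfo);

            // Both profile lookups may come back empty; guard the path test so a missing
            // path does not raise a NullReferenceException.
            bool pathLooksTemporary = !String.IsNullOrEmpty(uprofile)
                && uprofile.Contains(@"\TEMP")
                && !userInfo.Username.StartsWith("temp", StringComparison.CurrentCultureIgnoreCase);
            if (pathLooksTemporary || Abstractions.Windows.User.IsProfileTemp(userInfo.SID.ToString()) == true)
            {
                m_logger.InfoFormat("TEMP profile detected");
                string userInfo_old_Description = userInfo.Description;
                userInfo.Description = "pGina created pgSMB2 tmp";
                properties.AddTrackedSingle<UserInformation>(userInfo);

                // Write the new description to the account comment and clear logon_hours.
                pInvokes.structenums.USER_INFO_4 userinfo4 = new pInvokes.structenums.USER_INFO_4();
                if (pInvokes.UserGet(userInfo.Username, ref userinfo4))
                {
                    userinfo4.logon_hours = IntPtr.Zero;
                    userinfo4.comment = userInfo.Description;
                    if (!pInvokes.UserMod(userInfo.Username, userinfo4))
                    {
                        m_logger.ErrorFormat("Can't modify userinformation {0}", userInfo.Username);
                    }
                }
                else
                {
                    m_logger.ErrorFormat("Can't get userinformation {0}", userInfo.Username);
                }

                if (userInfo_old_Description.EndsWith("pGina created pgSMB2"))
                {
                    // NOTE(review): the user's cleartext password is handed to sendMail; what it
                    // is used for is not visible here - confirm it is never logged or sent in the body.
                    Abstractions.Windows.Networking.sendMail(pGina.Shared.Settings.pGinaDynamicSettings.GetSettings(pGina.Shared.Settings.pGinaDynamicSettings.pGinaRoot, new string[] { "notify_pass" }), userInfo.Username, userInfo.Password, String.Format("pGina: Windows tmp Login {0} from {1}", userInfo.Username, Environment.MachineName), "Windows was unable to load the profile");
                }
            }
        }

        // Skipped when the description was just changed to the "... tmp" variant above.
        if (userInfo.Description.EndsWith("pGina created pgSMB2"))
        {
            // NOTE(review): if the fallback CreateEventSource throws as well, the exception
            // leaves this handler and the quota setup below is skipped - confirm that is intended.
            try
            {
                if (!EventLog.SourceExists("proquota"))
                {
                    EventLog.CreateEventSource("proquota", "Application");
                }
            }
            catch
            {
                EventLog.CreateEventSource("proquota", "Application");
            }

            Abstractions.Windows.User.SetQuota(pInvokes.structenums.RegistryLocation.HKEY_USERS, userInfo.SID.ToString(), 0);
            string proquotaPath = System.IO.Path.Combine(System.IO.Path.GetDirectoryName(System.Reflection.Assembly.GetExecutingAssembly().Location), "proquota.exe");

            // SECURITY: this registers proquota.exe as a Windows Defender process exclusion,
            // which reduces antivirus coverage for that process. The change and any failure
            // are logged so administrators can see it in the audit trail.
            // NOTE(review): confirm the plugin directory is writable by administrators only
            // and that the exclusion is documented for operators.
            try
            {
                using (Microsoft.Win32.RegistryKey key = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes", true))
                {
                    if (key != null)
                    {
                        bool proquota_exclude_found = false;
                        foreach (string ValueName in key.GetValueNames())
                        {
                            if (ValueName.Equals(proquotaPath, StringComparison.CurrentCultureIgnoreCase))
                            {
                                proquota_exclude_found = true;
                                break;
                            }
                        }
                        if (!proquota_exclude_found)
                        {
                            key.SetValue(proquotaPath, 0, Microsoft.Win32.RegistryValueKind.DWord);
                            m_logger.InfoFormat("added Windows Defender process exclusion for {0}", proquotaPath);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Best effort: the exclusion is optional, but a failure should be visible.
                m_logger.ErrorFormat("Can't update Windows Defender process exclusions for {0}: {1}", proquotaPath, ex.Message);
            }

            m_logger.InfoFormat("start session:{0} prog:{1}", SessionId, proquotaPath);

            // Quote the executable path as well as the profile path: the plugin directory may
            // contain spaces, and an unquoted program path in a command line is ambiguous.
            string proquotaCommandLine = "\"" + proquotaPath + "\" \"" + userInfo.LocalProfilePath + "\" " + settings["MaxStore"];
            if (!Abstractions.WindowsApi.pInvokes.StartUserProcessInSession(SessionId, proquotaCommandLine))
            {
                m_logger.ErrorFormat("{0} Can't run application {1}", userInfo.Username, "proquota.exe");
            }
        }
    }
}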
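/// <summary>
/// Handles session logoff and logon for accounts whose description contains
/// "pGina created".
/// </summary>
/// <remarks>
/// Logoff: registers the user in <c>RunningTasks</c>, records a pending
/// (<c>Success = false</c>) notification result for this plugin and starts
/// <c>cleanup</c> on a new thread.
/// Logon: for accounts not marked "pgSMB" it starts the login script, applies a quota
/// when none is set and <c>usri4_max_storage</c> is greater than zero, and stores the
/// local profile path; for every "pGina created" account it shows a password
/// expiration warning when <c>PasswordEXPcntr</c> is positive.
/// </remarks>
/// <param name="SessionId">Session the event refers to; passed on to the process-start, message and cleanup helpers.</param>
/// <param name="Reason">Only <c>SessionLogoff</c> and <c>SessionLogon</c> are acted on.</param>
/// <param name="properties">Tracked session state; a null value makes the call a no-op.</param>
public void SessionChange(int SessionId, System.ServiceProcess.SessionChangeReason Reason, SessionProperties properties)
{
    if (properties == null)
    {
        return;
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff)
    {
        UserInformation uInfo = properties.GetTrackedSingle<UserInformation>();
        m_logger.DebugFormat("{1} SessionChange SessionLogoff for ID:{0}", SessionId, uInfo.Username);
        m_logger.InfoFormat("{3} {0} {1} {2}", uInfo.Description.Contains("pGina created"), uInfo.HasSID, properties.CREDUI, uInfo.Username);

        if (uInfo.Description.Contains("pGina created") && uInfo.HasSID && !properties.CREDUI)
        {
            // Take the lock before entering the try block: if acquisition itself throws,
            // the finally block must not call ExitWriteLock on a lock that was never taken.
            Locker.TryEnterWriteLock(-1);
            try
            {
                // NOTE(review): if RunningTasks is a dictionary, Add throws when the user is
                // already registered - confirm that cannot happen on repeated logoffs.
                RunningTasks.Add(uInfo.Username.ToLower(), true);
            }
            finally
            {
                Locker.ExitWriteLock();
            }

            // add this plugin into PluginActivityInformation
            m_logger.DebugFormat("{1} properties.id:{0}", properties.Id, uInfo.Username);
            PluginActivityInformation notification = properties.GetTrackedSingle<PluginActivityInformation>();
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, uInfo.Username);
            }

            m_logger.DebugFormat("{1} PluginActivityInformation add guid:{0}", PluginUuid, uInfo.Username);
            notification.AddNotificationResult(PluginUuid, new BooleanResult { Message = "", Success = false });
            properties.AddTrackedSingle<PluginActivityInformation>(notification);
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, uInfo.Username);
            }

            // The cleanup work runs on its own thread so this handler returns immediately.
            Thread rem_local = new Thread(() => cleanup(uInfo, SessionId, properties));
            rem_local.Start();
        }
        else
        {
            m_logger.InfoFormat("{0} {1}. I'm not executing Notification stage", uInfo.Username, (properties.CREDUI) ? "has a program running in his context" : "is'nt a pGina created user");
        }
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogon)
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        if (!userInfo.HasSID)
        {
            m_logger.InfoFormat("{1} SessionLogon Event denied for ID:{0}", SessionId, userInfo.Username);
            return;
        }

        m_logger.DebugFormat("{1} SessionChange SessionLogon for ID:{0}", SessionId, userInfo.Username);
        if (!userInfo.Description.Contains("pGina created"))
        {
            m_logger.InfoFormat("{0} {1}. I'm not executing Notification stage", userInfo.Username, (userInfo.Description.Contains("pgSMB")) ? "was created by pgSMB" : "is'nt a pGina created user");
            return;
        }

        if (!userInfo.Description.Contains("pgSMB"))
        {
            // The login script is started inside the user's session.
            if (!String.IsNullOrEmpty(userInfo.LoginScript))
            {
                if (!Abstractions.WindowsApi.pInvokes.StartUserProcessInSession(SessionId, userInfo.LoginScript))
                {
                    m_logger.ErrorFormat("Can't run application {0}", userInfo.LoginScript);
                    Abstractions.WindowsApi.pInvokes.SendMessageToUser(SessionId, "Can't run application", String.Format("I'm unable to run your LoginScript\n{0}", userInfo.LoginScript));
                }
            }

            // Only set a quota when none is configured yet and a positive limit was supplied.
            if (!Abstractions.Windows.User.QueryQuota(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation.HKEY_USERS, userInfo.SID.ToString()) && Convert.ToUInt32(userInfo.usri4_max_storage) > 0)
            {
                m_logger.InfoFormat("{1} no quota GPO settings for user {0}", userInfo.SID.ToString(), userInfo.Username);
                if (!Abstractions.Windows.User.SetQuota(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation.HKEY_USERS, userInfo.SID.ToString(), Convert.ToUInt32(userInfo.usri4_max_storage)))
                {
                    m_logger.InfoFormat("{1} failed to set quota GPO for user {0}", userInfo.SID.ToString(), userInfo.Username);
                }
                else
                {
                    m_logger.InfoFormat("{1} done quota GPO settings for user {0}", userInfo.SID.ToString(), userInfo.Username);
                    try
                    {
                        // NOTE(review): "proquota.exe" is a bare file name, so which binary runs
                        // depends on how the helper resolves it - consider an absolute path.
                        // A false return means the process did not start; report it instead of
                        // silently leaving the quota unenforced.
                        if (!Abstractions.WindowsApi.pInvokes.StartUserProcessInSession(SessionId, "proquota.exe"))
                        {
                            m_logger.ErrorFormat("{0} Can't run application {1}", userInfo.Username, "proquota.exe");
                        }
                    }
                    catch (Exception ex)
                    {
                        m_logger.ErrorFormat("{2} Can't run application {0} because {1}", "proquota.exe", ex.ToString(), userInfo.Username);
                    }
                }
            }

            // The cleartext password is needed to obtain a token; it must never reach the log.
            IntPtr hToken = Abstractions.WindowsApi.pInvokes.GetUserToken(userInfo.Username, null, userInfo.Password);
            if (hToken != IntPtr.Zero)
            {
                string uprofile = Abstractions.WindowsApi.pInvokes.GetUserProfilePath(hToken);
                if (String.IsNullOrEmpty(uprofile))
                {
                    uprofile = Abstractions.WindowsApi.pInvokes.GetUserProfileDir(hToken);
                }
                Abstractions.WindowsApi.pInvokes.CloseHandle(hToken);
                m_logger.InfoFormat("add LocalProfilePath:[{0}]", uprofile);

                // Record where the profile really is, instead of assuming it will be created or
                // changed during login (temp profile after a Windows error reading the profile).
                userInfo.LocalProfilePath = uprofile;
                properties.AddTrackedSingle<UserInformation>(userInfo);

                // Both profile lookups may come back empty; guard the path test so a missing
                // path does not raise a NullReferenceException.
                bool pathLooksTemporary = !String.IsNullOrEmpty(uprofile)
                    && uprofile.Contains(@"\TEMP")
                    && !userInfo.Username.StartsWith("temp", StringComparison.CurrentCultureIgnoreCase);
                if (pathLooksTemporary || Abstractions.Windows.User.IsProfileTemp(userInfo.SID.ToString()) == true)
                {
                    // NOTE(review): the user's cleartext password is handed to sendMail; what it
                    // is used for is not visible here - confirm it is never logged or sent in the body.
                    Abstractions.Windows.Networking.sendMail(pGina.Shared.Settings.pGinaDynamicSettings.GetSettings(pGina.Shared.Settings.pGinaDynamicSettings.pGinaRoot, new string[] { "notify_pass" }), userInfo.Username, userInfo.Password, String.Format("pGina: Windows tmp Login {0} from {1}", userInfo.Username, Environment.MachineName), "Windows was unable to load the profile");
                }
            }
        }

        if (userInfo.PasswordEXPcntr.Ticks > 0)
        {
            Abstractions.WindowsApi.pInvokes.SendMessageToUser(SessionId, "Password expiration warning", String.Format("Your password will expire in {0} days {1} hours {2} minutes", userInfo.PasswordEXPcntr.Days, userInfo.PasswordEXPcntr.Hours, userInfo.PasswordEXPcntr.Minutes));
        }
    }
}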
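/// <summary>
/// Handles session logon and logoff for accounts whose description contains
/// "pGina created" by running the configured notification scripts.
/// </summary>
/// <remarks>
/// Logoff: when the user has a SID and the session is not a CREDUI one, registers the
/// user in <c>RunningTasks</c> and records a pending (<c>Success = false</c>)
/// notification result for this plugin.
/// Logon: runs every "notification_sys" and "notification_usr" entry flagged
/// <c>logon</c> through <c>Run</c>.
/// Logoff: hands both lists to <c>cleanup</c> on a new thread.
/// NOTE(review): the cleanup thread is started for every "pGina created" account,
/// while the <c>RunningTasks</c> entry is only added when <c>HasSID</c> is set and
/// <c>CREDUI</c> is not - confirm <c>cleanup</c> copes with a missing entry.
/// </remarks>
/// <param name="SessionId">Session the event refers to; passed on to <c>cleanup</c>.</param>
/// <param name="Reason">Only <c>SessionLogon</c> and <c>SessionLogoff</c> are acted on.</param>
/// <param name="properties">Tracked session state; a null value makes the call a no-op.</param>
public void SessionChange(int SessionId, System.ServiceProcess.SessionChangeReason Reason, SessionProperties properties)
{
    if (properties == null)
    {
        return;
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff)
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        if (userInfo.Description.Contains("pGina created") && userInfo.HasSID && !properties.CREDUI)
        {
            // Take the lock before entering the try block: if acquisition itself throws,
            // the finally block must not call ExitWriteLock on a lock that was never taken.
            Locker.TryEnterWriteLock(-1);
            try
            {
                // NOTE(review): if RunningTasks is a dictionary, Add throws when the user is
                // already registered - confirm that cannot happen on repeated logoffs.
                RunningTasks.Add(userInfo.Username.ToLower(), true);
            }
            finally
            {
                Locker.ExitWriteLock();
            }

            // add this plugin into PluginActivityInformation
            m_logger.DebugFormat("{1} properties.id:{0}", properties.Id, userInfo.Username);
            PluginActivityInformation notification = properties.GetTrackedSingle<PluginActivityInformation>();
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, userInfo.Username);
            }

            m_logger.DebugFormat("{1} PluginActivityInformation add guid:{0}", PluginUuid, userInfo.Username);
            notification.AddNotificationResult(PluginUuid, new BooleanResult { Message = "", Success = false });
            properties.AddTrackedSingle<PluginActivityInformation>(notification);
            foreach (Guid gui in notification.GetNotificationPlugins())
            {
                m_logger.DebugFormat("{1} PluginActivityInformation Guid:{0}", gui, userInfo.Username);
            }
        }
    }

    if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogon || Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff)
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        if (userInfo.Description.Contains("pGina created"))
        {
            Dictionary<string, List<notify>> settings = GetSettings(userInfo);

            // Look the two lists up explicitly instead of catching every exception around
            // the indexer: a missing key (or missing settings) leaves the list empty, and
            // unrelated failures are no longer swallowed.
            List<notify> notification_sys = new List<notify>();
            List<notify> notification_usr = new List<notify>();
            if (settings != null)
            {
                List<notify> configured;
                if (settings.TryGetValue("notification_sys", out configured) && configured != null)
                {
                    notification_sys = configured;
                }
                if (settings.TryGetValue("notification_usr", out configured) && configured != null)
                {
                    notification_usr = configured;
                }
            }

            string authe = GetAuthenticationPluginResults(properties);
            string autho = GetAuthorizationResults(properties);
            string gateway = GetGatewayResults(properties);

            if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogon)
            {
                // NOTE(review): Run receives userInfo.SessionID while cleanup below receives
                // the SessionId argument - confirm both always name the same session.
                // The fifth argument is true for "notification_sys" entries and false for
                // "notification_usr" entries; its meaning is defined by Run.
                foreach (notify line in notification_sys)
                {
                    if (line.logon && !Run(userInfo.SessionID, line.script, userInfo, line.pwd, true, authe, autho, gateway))
                    {
                        m_logger.InfoFormat("failed to run:{0}", line.script);
                    }
                }

                foreach (notify line in notification_usr)
                {
                    if (line.logon && !Run(userInfo.SessionID, line.script, userInfo, line.pwd, false, authe, autho, gateway))
                    {
                        m_logger.InfoFormat("failed to run:{0}", line.script);
                    }
                }
            }

            if (Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff)
            {
                // The cleanup work runs on its own thread so this handler returns immediately.
                Thread rem_smb = new Thread(() => cleanup(userInfo, SessionId, properties, notification_sys, notification_usr, Reason, authe, autho, gateway));
                rem_smb.Start();
            }
        }
    }
}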