I'm trying to make a Winlogon notification service that receives the logon message and then copies ntuser.dat (registry) from a central location (like roaming profiles do) and, at logoff, reverts this (copies ntuser.dat to the central location). I already made the service and it receives the SENS message, but I think SENS messages are received AFTER ntuser.dat is loaded, so I receive a "file in use" message when trying to interact with ntuser.dat. I think SENS is not the way to do this, but the old hklm\xxx\x\x\winlogon\notify way is not working on Windows Vista and up. So I'm lost here.
How can I make a service or DLL to stop the logon process until I move ntuser.dat to the user profile?
Thanks in advance.
After a lot of research (the documentation is very old and outdated), I understood why SENS (System Event Notification Service) does not work for this task.
The SENS service is one layer below the notification services of Winlogon; in fact, SENS itself is a service registered with Winlogon to receive notifications, and SENS then informs all the services that implement this second layer's COM interfaces about changes in the state of the sessions, such as Logon, Logoff, etc.
The user profile service (ProfSvc) is also a service that, like SENS, receives notifications from Winlogon and is responsible for executing the policies and movements of the NTUSER.DAT and other issues related to the registry and the user profile.
Investigating a little more, I found that there is a registry key that controls the behavior of these services:
HKLM\System\CurrentControlSet\Control\Winlogon\Notifications\Configurations
And the order in which these services are loaded or called is under:
HKLM\System\CurrentControlSet\Control\Winlogon\Notifications\Configurations\Default
Under this key are some REG_SZ values for the possible events, like Logon, Logoff, EndShell, Unlock, etc., and the content of each is a comma-separated string with the names of the services to load in order to notify.
I made a service and added the registry keys, and I can get Winlogon to try to call my service, but the logon process was stopped with an error like this:
Event ID: 6001 Description: The winlogon notification subscriber failed a notification event.
Event ID: 6004 Description: The winlogon notification subscriber failed a critical notification event.
I don't know what to answer or what COM objects to implement to receive the event and answer...
My service is already executing before the profile service, so if I can answer Winlogon, I will have managed to solve a Custom Roaming Profile Service for Windows.
Anybody?
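
A read-only way to inspect the subscriber order described in the post above, added here as an example and not code from either post: it lists, per event, the comma-separated subscribers under the `Default` key in call order, and can diff them against an earlier snapshot to review changes to this key. The `-BaselinePath` and `-SaveBaseline` parameters and the one-line-per-entry snapshot format are assumptions of this example.

```powershell
# Added example: read-only audit; nothing under the key is modified.
param(
    # Assumption of this example: plain-text snapshot written by an earlier run.
    [string]$BaselinePath,
    [switch]$SaveBaseline
)

# Key named in the post above.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Configurations\Default'

function Get-WinlogonSubscriberOrder {
    param([Parameter(Mandatory)][string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # Per the post, each event is a REG_SZ value; skip anything else.
        if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) { continue }
        $position = 0
        foreach ($entry in ([string]$key.GetValue($name)) -split ',') {
            $subscriber = $entry.Trim()
            if (-not $subscriber) { continue }   # tolerate empty items such as "a,,b"
            $position++
            [pscustomobject]@{ Event = $name; Position = $position; Subscriber = $subscriber }
        }
    }
}

$current = @(Get-WinlogonSubscriberOrder -Path $KeyPath | Sort-Object Event, Position)
$current | Format-Table -AutoSize | Out-Host

# One comparable line per (event, position, subscriber).
$now = @($current | ForEach-Object { '{0}#{1}={2}' -f $_.Event, $_.Position, $_.Subscriber })

if ($BaselinePath -and $SaveBaseline) {
    $now | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}
elseif ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
    $old = @(Get-Content -LiteralPath $BaselinePath)
    # A subscriber whose position changed shows up in both lists.
    $now | Where-Object { $_ -notin $old } | ForEach-Object { "NEW OR MOVED: $_" }
    $old | Where-Object { $_ -notin $now } | ForEach-Object { "REMOVED OR MOVED: $_" }
}
```

Run it once with `-BaselinePath <file> -SaveBaseline` on a known-good machine, then with `-BaselinePath <file>` alone to see which subscribers were added, removed or reordered.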