How to detect session creation/termination in the WDM driver?

Question

I'm building a device driver for Windows (WDM driver, 32 bit), and I need to detect the creation and the closure of the terminal sessions.

I know how to obtain the session ID of the caller process (ZwQueryInformationProcess with the ProcessSessionInformation flag). I'm also intercepting the event of the graphics driver load/unload into the session (by intercepting ZwSetSystemInformation with SystemLoadImage / SystemUnLoadImage).

And I hoped that session creation/closure event will be followed by the call to ZwSetSystemInformation with the SystemCreateSession / SystemDeleteSession flags. But unfortunately this doesn't happen. So far I didn't find a good indication of the session creation/closure.

score 1 · Accepted Answer · answered Jul 20 '11 at 03:33

SystemCreateSession and SystemDeleteSession aren't used anymore. I haven't done much investigation into this, but take a look at when the 0x80 flag is set in the ProcessFlags passed to NtCreateUserProcess. It may be related to the creation of CSR for each session.

How to detect session creation/termination in the WDM driver?

1 Answers1