Hello! I have a Windows service which starts another application using CreateProcess. Thus, the application runs with SYSTEM privileges. This application calls LsaEnumerateLogonSessions, which returns the error code 8 (Not enough storage is available to process this command.). The service and the application are run under Windows 7 x64.

ULONG luLogonSessionCount = 0;
LUID *pLogonSessionList = NULL;
NTSTATUS lNtStatus = LsaEnumerateLogonSessions( &luLogonSessionCount, &pLogonSessionList );

LsaNtStatusToWinError( lNtStatus ) returns 8. Does anyone know the cause of this? Thanks in advance!
Eikthrynir
Posts
-
LsaEnumerateLogonSessions error code -
Number of interactive logged on users on Windows Vista
No need to check. I think I know what's happening. I modified the application to display other information too. The SessionId for each occurrence of MyAdminUser is different: it runs both in Session 0 and Session 1 and that's why it is shown twice. On Vista (I guess Windows 7 too) I only have to skip counting the user running in Session 0. Thus, I get the correct number of interactive logged on users. As I have seen, on Windows XP there is no need for this trick. I consider this problem solved now. But there is something strange that happened while I was testing on my Vista machine: I had MyAdminUser and MyLimitedUser both logged on; my application showed 3 users (Session 0 (MyAdminUser), Session 1 (MyAdminUser), and Session 2 (MyLimitedUser)); I logged off from MyLimitedUser and immediately ran the application; it still showed 3 users; after almost a minute, when I re-ran the application, it correctly showed 2 users: MyAdminUser (Session 0) and MyAdminUser (Session 1). What I am trying to say is that it showed 3 users for almost a minute... :confused: The strange thing is that I could not reproduce the problem. I tried to make it happen again, but I couldn't. I wonder why Windows needed so much time to update the number of interactive logged on users...
-
Number of interactive logged on users on Windows Vista
The LogonId data members are different, even though the UserName data members are the same...
-
Number of interactive logged on users on Windows Vista
I modified the application so that it displays also the user name. It's the same user...
-
Number of interactive logged on users on Windows Vista
I created a test application using LsaEnumerateLogonSessions and LsaGetLogonSessionData, which displays the number of interactive logged on users. It works fine on Windows XP, but it displays 2 interactive logged on users on Windows Vista, even though I have only one user: the Administrator. Can anyone tell me why this happens? Thanks!
-
Atomic operations involving __int64 on 32 bit machines
Hello! Thanks for the reply! I would like to make a few comments regarding your version of GetValue...
1. You call InterlockedExchange64 with a_pi64Value as the first parameter, so the __int64 variable pointed by a_pi64Value gets 0. Then, you return the previous value of that __int64 variable which is certainly not the one we are interested in, m_i64Value.
2. GetValue returns a LONGLONG value, so we find ourselves in exactly the same situation from Question 2 (concerning the EAX and EDX registers)...
Best regards!
-
Atomic operations involving __int64 on 32 bit machines
Hello! Let's say we have the following:

class MyClass
{
public:
    void SetValue( __int64 a_i64Value );
    __int64 GetValue( void ) const;

private:
    __int64 m_i64Value;
};

void MyClass::SetValue( __int64 a_i64Value )
{
    m_i64Value = a_i64Value;
}

__int64 MyClass::GetValue( void ) const
{
    return m_i64Value;
}

We also have two threads: ThreadA and ThreadB, each setting the value of m_i64Value to something different. Let's assume that ThreadA executes and SetValue is called. It writes 32 bits of m_i64Value, ThreadB executes, it calls SetValue which also writes 32 bits of m_i64Value, then ThreadA resumes and continues writing the other 32 bits of m_i64Value. Finally, ThreadB also writes the other half of m_i64Value. Eventually, m_i64Value contains garbage, invalid data.

Question 1: Is this scenario valid? Can it happen on a 32 bit machine? Anyway, this can be solved using InterlockedExchange64, right?

But let's suppose there is a ThreadC which needs to read that value, using the member function GetValue. When returning from GetValue, 32 bits of m_i64Value get written to EAX register and 32 bits to EDX.

Question 2: What if 32 bits get written to EAX, ThreadB resumes and writes to m_i64Value and after that, ThreadC resumes and the other 32 bits (changed by ThreadB) go to EDX? Is this also a possibility on 32 bit machines? If yes, what is the best way to return such a value (__int64, in this example)? I guess one of the solutions could be this one:

void GetValue( __int64 *a_pi64Value )
{
    if ( NULL != a_pi64Value )
    {
        // InterlockedExchange64 takes the target as a pointer
        InterlockedExchange64( a_pi64Value, m_i64Value );
    }
}

Question 3: But what if we still want to actually return the value and not copy it to the memory pointed by a_pi64Value? Can this be done somehow thread-safely and using the return instruction? Thanks in advance!
-
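An added example (not part of the original post or thread) of the two-writers-one-reader scenario from the __int64 post above, made safe in portable C++11. `std::atomic<std::int64_t>` is used here in place of the Win32 `InterlockedExchange64` call the post mentions; the pattern constants and `CountTornReads` are constructed for the demonstration.

```cpp
#include <atomic>
#include <cstdint>
#include <thread>

class MyClass {
public:
    // One indivisible 64-bit store, whatever the machine word size.
    void SetValue(std::int64_t v) { m_i64Value.store(v, std::memory_order_release); }
    // One indivisible 64-bit load. The value returned is a private copy,
    // so a writer running afterwards cannot change half of it.
    std::int64_t GetValue() const { return m_i64Value.load(std::memory_order_acquire); }
private:
    std::atomic<std::int64_t> m_i64Value{0};
};

// Constructed patterns: both 32-bit halves are equal, so a value mixing
// halves of two different writes is immediately recognisable.
constexpr std::int64_t kPatternA = 0x1111111111111111LL;
constexpr std::int64_t kPatternB = 0x2222222222222222LL;

// Two writers (ThreadA, ThreadB) and one reader (ThreadC), as in the post.
// Returns how many reads were neither the initial 0 nor a complete pattern.
long CountTornReads(long iterations) {
    MyClass obj;
    std::atomic<bool> stop{false};
    auto writer = [&](std::int64_t v) { while (!stop.load()) obj.SetValue(v); };
    std::thread threadA(writer, kPatternA);
    std::thread threadB(writer, kPatternB);
    long torn = 0;
    for (long i = 0; i < iterations; ++i) {
        std::int64_t v = obj.GetValue();
        if (v != 0 && v != kPatternA && v != kPatternB) ++torn;
    }
    stop.store(true);
    threadA.join();
    threadB.join();
    return torn;
}

int main() { return CountTornReads(1000000) == 0 ? 0 : 1; }
```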
Enumerating users
I think this is what I have been looking for. Thanks a lot!
-
Enumerating users
Single computer. Anyway, I that NetUserEnum does the job.
-
Enumerating users
Hello! There are LsaEnumerateLogonSessions and LsaGetLogonSessionData functions which can be used to get information about the logon sessions. But is there a way to enumerate the users that are NOT logged on? Thanks in advance!
-
Project settings in Visual Studio 2005/2008
Hello! When opening the Property Pages of a project in Visual Studio 2005/2008, the configuration and platform are set by default to the Active ones. For example: Active(Release) and Active(Win32). Is there any possibility to set the All Configurations and All Platforms options by default in those two combo-boxes? What I mean is that I would like not to set them manually to All Configurations and All Platforms every time I open the Property Pages of a project, but have them instead set by default. Thanks in advance!
-
operator delete
Hello! If I define a type, MyClass, for example, and do the following: MyClass *pObj = new MyClass; void *pv = pObj; I know that I must NOT do something like this: delete pv; because the destructor pObj->MyClass::~MyClass() will NOT be called. But why does the destructor get called when I delete pObj; because the operator delete function gets a void * as parameter. Isn't it the same problem? I mean, how does the operator delete function "know" that pObj converted to void * is actually a MyClass object? Thanks in advance!
-
Command line arguments passed to another application
Hello! I have a Win32 application and I would like to retrieve the command line arguments passed to another application. I'm actually trying to get the command line arguments used to start each instance of svchost.exe. Is there an API for this or do I have to implement a complex mechanism? I thought of OpenProcess and different "query process information" functions after that but I could not find any solution... Can anyone help? Thanks in advance!
-
Concerning drivers...
At the second question I forgot to mention that the application I want to communicate with is not created by me. So it's impossible for me to modify it. I'm searching for a solution involving the modification of the driver only...
-
Concerning drivers...
Hello! I have a few questions concerning drivers. I don't know if this is the right board to post this kind of problems but here they are:
1. I want to create a keyboard filter driver. Is there any method that can ensure no other filter driver (keylogger) will attach to the keyboard driver (between the keyboard driver and my filter driver)?
2. I want to create another filter driver that will be installed nearest to a specified application (so that no other filter driver can get between this filter driver and the application). If this is possible, could anyone help me with a few links to documentation involving this kind of issues?
3. Is there any API which I can use to check whether a driver is digitally signed?
Thanks in advance!
modified on Tuesday, January 29, 2008 4:50:54 PM
-
Anti keylogger
I guess you are referring to WH_DEBUG. I read the documentation for SetWindowsHookEx again and this seems to be the type of hook I was looking for...
modified on Monday, January 21, 2008 10:18:12 AM
-
Anti keylogger
Hello! Is there any API that I can use in my application in order to detect at some moment that another application is trying to install a Windows hook (SetWindowsHookEx)? Thanks in advance!
-
SYSTEM account to user account
Hello! I have an application that runs under the SYSTEM account (it's a Windows service). Is there any possibility that I can make the service run under a limited user account? (I want to make the application access the network resources; running under SYSTEM forbids me to do that) I must mention that I cannot afford to restart the SYSTEM application or create another process from it, that runs under that limited user account. So, what I want is to make the service appear like running under the limited user account, on-the-fly, if I am permitted to say it this way... I've already tried ImpersonateLoggedOnUser(), but the application still runs under SYSTEM and I cannot connect to a proxy server this way. Can anyone help? Thanks in advance!
-
WinHTTP problem
Hello! I have a problem authenticating to an ISA 2006 proxy server using WinHTTP (actually it's a WinHTTP based library, but this doesn't really matter). The proxy has the Digest authentication scheme. I am able to authenticate to the proxy server if I try doing this from within a simple Win32 Console Application. But when I try authenticating from within a Windows service, it just won't work. I copy/pasted the source code from the test application to this service. I know that the service will never succeed in authenticating to this proxy service, because it runs as SYSTEM, but it doesn't work even if I use the impersonation (ImpersonateLoggedOnUser() etc.) It works perfectly when the proxy has the Basic authentication scheme set, but when I change it to Digest, I find myself unauthorized to access it... Can anyone help? Thanks in advance!
-
What wronge with my code ?
What code? :confused: