? User logoff

[Aleksey Rechinsky]

Hello!

I should do some work at user logoff in my driver, but can't find any info
in DDK about logoff event. Does anybody knows how to receive "user logoff"
notification in kernel mode?

OS - Windows 2000 and later.

Thanks for any info.

Aleksey.

 

[Slava M. Usov]

Hello!

I should do some work at user logoff in my driver, but can't find any info
in DDK about logoff event. Does anybody knows how to receive "user logoff"
notification in kernel mode?

OS - Windows 2000 and later.

Thanks for any info.

Out of the box, you can't. The best you can have is "logon session
termination", but it will happen any time after the logoff. If you don't
have to do something exactly at logoff, then it should suffice.

If you have, then you can use "winlogon notification packages", and talk to
your driver from there.

But it's best not to depend on such things in a driver.

S

 

[Alexander Grigoriev]

Run a service which can receive logoff notifications. Have the service send
an IOCTL to the driver.

 

[Jeff Henkels]

This is especially easy on XP/2K3, where your service can receive a
SERVICE_CONTROL_SESSIONCHANGE notification; very useful for handling Fast
User Switching on XP.

 

[Ray Trent]

Another (slightly kludgey) way this can be accomplished (depending on
exactly what you want) is to run a user-mode application from the Run
key that just sits in the background and does nothing except notice the
appropriate termination messages, upon which it sends an IOCTL to you
driver. This is especially convenient if you happen to have any settings
you want to store in HKCU, since you already have to have a resident
program sitting around IOCTLing your driver so it can access the
registry in the context of a user thread...

 

[Maxim S. Shatskih]

Out of the box, you can't. The best you can have is "logon session

termination", but it will happen any time after the logoff. If you don't

"Logon session termination" is logoff, at least in terms of security log.

 

[Maxim S. Shatskih]

Why not rely on SeRegisterLogonSessionForTerminationNotification and treat
logon session termination as logoff? Advantage: no additional user code.
Drawback: cannot catch Fast User Switching.

 

[Kirk Ferdmann]

Another (slightly kludgey) way this can be accomplished (depending on
exactly what you want) is to run a user-mode application from the Run
key that just sits in the background and does nothing except notice the
appropriate termination messages, upon which it sends an IOCTL to you
driver. This is especially convenient if you happen to have any settings
you want to store in HKCU, since you already have to have a resident
program sitting around IOCTLing your driver so it can access the
registry in the context of a user thread...

Hmm not that kludgy at all. I think the best way to handle it is to perform
the cleaning inside IRP_MJ_CLEANUP. The user mode application is guaranteed
to die (of course if the driver does not block it forever) and the driver is
guaranteed to receive the IRP.

This way the application only needs to open a handle to the device.

This approach nicely scales to multi user scenario. Others here suggested NT
service - I would argue against it for this exactly reason.

-Kirk

 

[Alexander Grigoriev]

It all depends what's the purpose of the logoff notification, how reliable
it should be, etc. We don't know what's the OP goal.

 

[Slava M. Usov]

"Logon session termination" is logoff, at least in terms of security log.

Except that it may happen hours after the "logoff" in terms of Winlogon and
the human user. And sometimes you can have two logon sessions for a single
logon, one of which will terminate in milliseconds. The latter happens
fairly frequently on XP and 2K3.

Without knowing the requirements, it is hard to suggest anything. Winlogon
notifications might be the greatest common denominator.

S