WTSAPI32 question


Michael C

I'm writing a program that calls the Windows Terminal Services API
WTSEnumerateSessions. It works well for servers that I have "Query
Information" rights to, but for servers that I don't have those rights to it
takes up to 10 seconds to send a response. I'm testing with 70 servers
right now, and 700 seconds is way too long a delay. Is there any way to
speed up the responsiveness of the WTSEnumerateSessions function or to get
WTS session information w/o calling WTSEnumerateSessions? Maybe a way to
test if the currently logged in user has "Query information" rights
quickly -- before I call the WTSEnumerateSessions function?

Thanks,
Michael C.
 
Michael C said:
I'm writing a program that calls the Windows Terminal Services API
WTSEnumerateSessions. It works well for servers that I have "Query
Information" rights to, but for servers that I don't have those rights to it
takes up to 10 seconds to send a response. I'm testing with 70 servers
right now, and 700 seconds is way too long a delay. Is there any way to
speed up the responsiveness of the WTSEnumerateSessions function or to get
WTS session information w/o calling WTSEnumerateSessions? Maybe a way to
test if the currently logged in user has "Query information" rights
quickly -- before I call the WTSEnumerateSessions function?

Thanks,
Michael C.

It sounds strange that it is the lack of user rights that causes that huge
delay. If you need to check if the user has the right, I guess the only
option is to read the security descriptor of the RDP protocol. It is stored
as a binary registry entry under:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Security

if it is set, or

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\DefaultSecurity

if it is defaulted.

You'll need to read the bytes into memory and treat it as a self-relative
security descriptor and parse the ACEs to see if the user has the required
rights. You could possibly use the GetEffectiveRightsFromAcl() API to aid
you in the process. However, be aware that manipulating security descriptors
in C# can be very complex and I recommend writing a managed C++ extension to
do this operation.

Another thing though is that in order to read the security descriptor the user
will need to be able to read the registry of that server - which he may or
may not have access to. This could lead to additional delay.

Another approach to the problem would be to use a thread pool and query the
servers in parallel instead of in serial.


Arild
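
Added example, not part of the original thread and not code from either poster: the reply above describes treating the registry bytes as a self-relative security descriptor and walking its ACEs, shown here in Python (rather than the thread's C#) over a constructed sample descriptor. The value WINSTATION_QUERY = 0x0001, the sample ACE masks and the function names are assumptions; on a live system the bytes would come from the Security or DefaultSecurity value named above.

```python
import struct

WINSTATION_QUERY = 0x0001  # assumption: winsta.h bit for "Query Information"
ALLOW, DENY, INHERIT_ONLY = 0, 1, 0x08  # ACE types 0/1 and INHERIT_ONLY_ACE flag

# Constructed sample (not from a real server): deny Guests the query bit, allow
# Administrators 0xF03BF, allow Remote Desktop Users 0x120 (no query bit).
SAMPLE_SD = bytes.fromhex(
    "01000480 00000000 00000000 00000000 14000000 0200 5000 0300 0000"
    "01001800 01000000 0102 000000000005 20000000 22020000"
    "00001800 bf030f00 0102 000000000005 20000000 20020000"
    "00001800 20010000 0102 000000000005 20000000 2b020000")

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(ace_type, mask, sid)] from a self-relative descriptor, or None."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("descriptor is not self-relative")
    if not (control & 0x0004 and dacl_off):  # SE_DACL_PRESENT
        return None  # no DACL or NULL DACL: access is not restricted
    _arev, _asbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, end, aces = dacl_off + 8, dacl_off + acl_size, []
    if end > len(sd):
        raise ValueError("ACL runs past the end of the buffer")
    for _ in range(ace_count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type in (ALLOW, DENY) and not flags & INHERIT_ONLY:
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            aces.append((ace_type, mask, parse_sid(sd, pos + 8)))
        pos += ace_size
    return aces

def has_query_right(sd, token_sids):
    """Walk the DACL in order; the first ACE naming the bit for one of our SIDs wins."""
    aces = parse_dacl(sd)
    if aces is None:
        return True
    for ace_type, mask, sid in aces:
        if sid in token_sids and mask & WINSTATION_QUERY:
            return ace_type == ALLOW
    return False
```

token_sids is the set of SID strings for the user and every group in the user's token. ACEs that carry only generic rights are not mapped here, so treat the result as a fast pre-check and let the server make the final decision.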
 
I thought it was odd too, but I've verified that Query Information
permissions are the issue. I modified the RDP-Tcp connection properties
on a Win2003 server to take away my Query Information rights and the
time went from less than half a second response time to about 8 seconds.
I replaced the Query Info rights and it went right back down to less
than half a sec. I also added and removed my login to/from the Remote
Desktop Users group on a couple of Win XP machines with similar results.
You're thinking along the same lines as me, that the answer would be
asynchronous processing via thread pool. I finally got that implemented
late last night (now takes less than 15 secs to query 70 servers); now I
just need to figure out how to update my UI from another class.

Thanks,
Michael C
 
