Bugtraq mailing list archives
Re: Windows logoff bug possible security vulnerability and exploit.
From: Rage Coder <ragecoder () aim com>
Date: Sat, 27 Jan 2007 22:51:40 -0500
I have used te UPHC service, and it helps some. It does seem to reduce the frequency at which the problem occurs. However, I still have the problem with it. When I check the event viewer with UPHC installed, I get messages that it remaps the registry and some other stuff, but some processes from a previous logon continue to run under the account it was run as in the same 'session' as the current logon, and at times appear on the desktop as a window or in the system tray as an icon.
R.C. need4angel () hotmail com wrote:
Dear Rage Coder,I think this is a now problem, see Microsoft knowledge base article 837115:http://support.microsoft.com/kb/837115 Microsoft recommend to use "User Profile Hive Cleanup Service":http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=enCan you tel me of this helps solving your problem? Greetz Bart Rage Coder wrote:The problem only occurs at times. To reproduce the problem, I just use the computer normally, and at each logon check the event viewer and running processes to see if a profile unload failed. I don't have any special terminal software or other logon software installed.I find that if I wait for a little bit after logging off before logging on again, no running programs from the previous logon are present, but if I log on just after logging off, they will be if the profile unload fails. That still shouldn't be the case. My brother frequently goes on his account right after I go off; there shouldn't be a time limit to wait in order to prevent this.I noticed an interesting thing about XP and fast user switching which would likely stop this problem. When logging on, the first logged on user is given session ID 0, as shown in task manager, but if I 'switch' to another user, the user is given a different session ID. It seems that no two users are given the same session ID when using fast user switching. But when logging off all users and then back on, it is back to session 0. And if I just log on as a user, log off, and then on as another user without using the 'switch user', they both are session ID 0.The same thing happens when using classic logon and on 2003. All logons are given session ID 0. I did some reading in the platform SDK and some sites about stuff, and it seems that these sessions literally create an isolation. Messages sent from a process in one session ID are not visible to processes in another, windows created only appear on the desktop associated with that session of the process that created the window, etc.Ideally, running classic logon always as session 0 'should' work because ideally when logging of, the processes ran 'should' close, so the next user to log on would have nothing to access. But this does not appear to be the case at all times.A few moments ago I logged in as administrator to do some minor changes, and I ran EPIM to take some notes of things. When I logged of and back on as a regular using, 'explorer.exe', 'essentialpim.exe', 'seamonkey.exe' were still running as Administrator, event viewer showed the usual UserEnv messages, and EPIM appeared on the system tray. My guess is something like this happens:Logon Administrator : Session ID 0 Run EssentialPIM : Session ID 0 Do some stuffLogoff Administrator : Profile unload fails, a few programs continue runningLogon Normal User : Session ID 0 Explorer runs, and at startup broadcasts 'TaskbarCreated' messageAll processes in session 0 get this message, EPIM adds system tray icon like it is supposed toIf each logon, even in classic mode, is given a separate session ID as is done in fast user switching, this would not happen, even if the profile unload fails and the programs continue to run waiting for the profile to unload:Logon Administrator : Session ID 0 Run EssentialPIM : Session ID 0 Do some stuffLogoff Administrator : Profile unload fails, a few programs continue runningLogon Normal User : Session ID 1 Explorer runs, and at startup broadcasts 'TaskbarCreated' message All processes in session 1 get this message Programs that may continue to run in session 0 are isolatedIf I log on as administrator again, it would be ok to reuse session 0, but for a given boot, no two users should be assigned the same logon session ID. I.E. if I log on as Normal User again, it would be session 1, etc.This would not prevent a profile from failing to unload, and would not prevent the processes from continuing to run, but it will prevent a user from a later logon from accessing the processes in the current logon.
Current thread:
- Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 17)
- Re: Windows logoff bug possible security vulnerability and exploit. 3APA3A (Jan 17)
- Re: Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 18)
- <Possible follow-ups>
- Re: Windows logoff bug possible security vulnerability and exploit. Bart .... (Jan 23)
- Re: Windows logoff bug possible security vulnerability and exploit. Rage Coder (Jan 29)
- Re: Windows logoff bug possible security vulnerability and exploit. 3APA3A (Jan 17)