At some point in the past (quite a while ago) I had read something that gave me the impression that (in the Windows OS) Sessions and Logon Sessions were not the same, but had not found any conclusive information on it. The other day the doubt came up again, and this time I came across this excellent answer in StackOverflow that finally sheds light on the subject, and yes, Sessions and Logon Sessions are different things.
As they mention there, in too many occasions Microsoft itself uses the terms arbitrarily, making it all pretty confusing. Reelaborating a bit what the guy says in his answer, we have:
Main Sessions. These are the Session 0 where the Windows Services run, and the other interactive sessions that you can open on one machine, either by login on the machine lying on your desktop (either being the initial user or by the fast switch user option) or by using remote desktops. These are the Sessions that have Windows Stations, Desktops and so on...
Logon Session. This is mainly a security concept. Everytime a user provides its credentials (by loging to the machine, calling CreateProcesAs from your code...) a Logon Session and a primary Access Token are created. The Access Token points to the Logon Session. Notice that when a process creates another process the child receives a copy of the parent's Access Token, that's how we end up with multiple access tokens that point to the same logon session.
If you launch ProcessExplorer and check the Security Tab in one Process properties, you'll see this:
I assume that information there comes from the Primary Access Token for that process. You can see there both the Session and the Logon Session. A Logon Session is associated to a Session. When you do a new interactive logon on a machine (directly, RD, Fast user switch), a new Session and a new Logon Session (associated to it) are created. If you set a Service to run under a certain user account, you'll see that when the service is started a new Logon Session is created and gets associated to Session 0.
If you do Run As as the same user twice to run 2 applications, each Run As will create a different Logon session and Access Token. Those Logon Sessions will be associated to the session from which you did the Run As
Running SysInternal's logonSessions.exe will show you all the logon sessions on your machine. If you run it with the -p option, you'll see all the processes running in that Logon Session.
To summarize: Each process runs with its own Primary Access Token. An Access Token is linked to a Logon Sessions, and we'll have many Processes/Access Tokens linked to a same Logon Session. A Logon Session is linked to a Session, and we'll have many Logon Sessions assigned to the same Session.
No comments:
Post a Comment