Re: Windows logoff bug possible security vulnerability and exploit.

[Rage Coder <ragecoder () aim com>]

I have used te UPHC service, and it helps some.  It does seem to reduce 
the frequency at which the problem occurs.  However, I still have the 
problem with it.  When I check the event viewer with UPHC installed,  I 
get messages that it remaps the registry and some other stuff, but some 
processes from a previous logon continue to run under the account it was 
run as in the same 'session' as the current logon, and at times appear 
on the desktop as a window or in the system tray as an icon.

R.C.



need4angel () hotmail com wrote:
> Dear Rage Coder,
>
> I think this is a now problem, see Microsoft knowledge base article 
> 837115:
> http://support.microsoft.com/kb/837115
>
> Microsoft recommend to use "User Profile Hive Cleanup Service":
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en 
>
>
> Can you tel me of this helps solving your problem?
>
> Greetz
> Bart
>
> Rage Coder wrote:
> > The problem only occurs at times.  To reproduce the problem, I just 
> > use the computer normally, and at each logon check the event viewer 
> > and running processes to see if a profile unload failed.  I don't 
> > have any special terminal software or other logon software installed.
> >
> > I find that if I wait for a little bit after logging off before 
> > logging on again, no running programs from the previous logon are 
> > present, but if I log on just after logging off, they will be if the 
> > profile unload fails.  That still shouldn't be the case.  My brother 
> > frequently goes on his account right after I go off; there shouldn't 
> > be a time limit to wait in order to prevent this.
> >
> > I noticed an interesting thing about XP and fast user switching which 
> > would likely stop this problem.  When logging on, the first logged on 
> > user is given session ID 0, as shown in task manager, but if I 
> > 'switch' to another user, the user is given a different session ID.  
> > It seems that no two users are given the same session ID when using 
> > fast user switching. But when logging off all users and then back on, 
> > it is back to session 0.  And if I just log on as a user, log off, 
> > and then on as another user without using the 'switch user', they 
> > both are session ID 0.
> >
> > The same thing happens when using classic logon and on 2003.  All 
> > logons are given session ID 0.  I did some reading in the platform 
> > SDK and some sites about stuff, and it seems that these sessions 
> > literally create an isolation.  Messages sent from a process in one 
> > session ID are not visible to processes in another, windows created 
> > only appear on the desktop associated with that session of the 
> > process that created the window, etc.
> >
> > Ideally, running classic logon always as session 0 'should' work 
> > because ideally when logging of, the processes ran 'should' close, so 
> > the next user to log on would have nothing to access.  But this does 
> > not appear to be the case at all times.
> >
> > A few moments ago I logged in as administrator to do some minor 
> > changes, and I ran EPIM to take some notes of things.  When I logged 
> > of and back on as a regular using, 'explorer.exe', 
> > 'essentialpim.exe', 'seamonkey.exe' were still running as 
> > Administrator, event viewer showed the usual UserEnv messages, and 
> > EPIM appeared on the system tray.  My guess is something like this 
> > happens:
> >
> > Logon Administrator : Session ID 0
> > Run EssentialPIM : Session ID 0
> > Do some stuff
> > Logoff Administrator : Profile unload fails, a few programs continue 
> > running
> > Logon Normal User : Session ID 0
> > Explorer runs, and at startup broadcasts 'TaskbarCreated' message
> > All processes in session 0 get this message, EPIM adds system tray 
> > icon like it is supposed to
> >
> > If each logon, even in classic mode, is given a separate session ID 
> > as is done in fast user switching, this would not happen, even if the 
> > profile unload fails and the programs continue to run waiting for the 
> > profile to unload:
> >
> > Logon Administrator : Session ID 0
> > Run EssentialPIM : Session ID 0
> > Do some stuff
> > Logoff Administrator : Profile unload fails, a few programs continue 
> > running
> > Logon Normal User : Session ID 1
> > Explorer runs, and at startup broadcasts 'TaskbarCreated' message
> > All processes in session 1 get this message
> > Programs that may continue to run in session 0 are isolated
> >
> > If I log on as administrator again, it would be ok to reuse session 
> > 0, but for a given boot, no two users should be assigned the same 
> > logon session ID.  I.E.  if I log on as Normal User again, it would 
> > be session 1,  etc.
> >
> > This would not prevent a profile from failing to unload, and would 
> > not prevent the processes from continuing to run, but it will prevent 
> > a user from a later logon from accessing the processes in the current 
> > logon.