Get notified from logon and logoff

Question

I have to develop a program which runs on a local pc as a service an deliver couple of user status to a server. At the beginning I have to detect the user logon and logoff.

My idea was to use the ManagementEventWatcher class and to query the Win32_LogonSession to be notified if something changed.

My first test works well, here is the code part (This would executed as a thread from a service):

private readonly static WqlEventQuery qLgi = new WqlEventQuery("__InstanceCreationEvent", new TimeSpan(0, 0, 1), "TargetInstance ISA \"Win32_LogonSession\"");  public EventWatcherUser() { }  public void DoWork() {     ManagementEventWatcher eLgiWatcher = new ManagementEventWatcher(EventWatcherUser.qLgi);     eLgiWatcher.EventArrived += new EventArrivedEventHandler(HandleEvent);     eLgiWatcher.Start(); }  private void HandleEvent(object sender, EventArrivedEventArgs e) {     ManagementBaseObject f = (ManagementBaseObject)e.NewEvent["TargetInstance"];     using (StreamWriter fs = new StreamWriter("C:\\status.log", true))     {         fs.WriteLine(f.Properties["LogonId"].Value);     } } 

But I have some understanding problems and I’m not sure if this is the common way to solve that task.

1. If I query Win32_LogonSession I get several records which are associated to the same user. For example I get this IDs 7580798 and 7580829 and if I query

   ASSOCIATORS OF {Win32_LogonSession.LogonId=X} WHERE ResultClass=Win32_UserAccount

   I get the same record for different IDs. (Win32_UserAccount.Domain="PC-Name",Name="User1")

   Why are there several logon session with the same user? What is the common way to get the current signed in user? Or better how to get notified correctly by the login of a user?

2. I thought I could use the same way with __InstanceDeletionEvent to determine if a user is log off. But I guess if the event is raised, I cant query Win32_UserAccount for the username after that. I’m right?

I’m at the right direction or are there better ways? It would be awesome if you could help me!

Edit Is the WTSRegisterSessionNotification class the correct way? I don't know if it's possible, because in a service I haven't a window handler.

Answer 1

You could use the System Event Notification Service technology which is part of Windows. It has the ISensLogon2 interface that provides logon/logoff events (and other events such as remote session connections).

Here is a piece of code (a sample Console Application) that demonstrates how to do it. You can test it using a remote desktop session from another computer for example, this will trigger the SessionDisconnect, SessionReconnect events for example.

This code should support all versions of Windows from XP to Windows 8.

Add reference to the COM component named, COM+ 1.0 Admin Type Library aka COMAdmin.

Note Be sure to set the Embed Interop Types to 'False', otherwise you will get the following error: "Interop type 'COMAdminCatalogClass' cannot be embedded. Use the applicable interface instead."

Contrary to other articles you will find on the Internet about using this technology in .NET, it does not references the Sens.dll because ... it does not seem to exist on Windows 8 (I don't know why). However the technology seems supported and the SENS service is indeed installed and runs fine on Windows 8, so you just to need to declare the interfaces and guids manually (like in this sample), or reference an interop assembly created on an earlier version of Windows (it should work fine as the guids and various interfaces have not changed).

class Program {     static SensEvents SensEvents { get; set; }      static void Main(string[] args)     {         SensEvents = new SensEvents();         SensEvents.LogonEvent += OnSensLogonEvent;         Console.WriteLine("Waiting for events. Press [ENTER] to stop.");         Console.ReadLine();     }      static void OnSensLogonEvent(object sender, SensLogonEventArgs e)     {         Console.WriteLine("Type:" + e.Type + ", UserName:" + e.UserName + ", SessionId:" + e.SessionId);     } }  public sealed class SensEvents {     private static readonly Guid SENSGUID_EVENTCLASS_LOGON2 = new Guid("d5978650-5b9f-11d1-8dd2-00aa004abd5e");     private Sink _sink;      public event EventHandler<SensLogonEventArgs> LogonEvent;      public SensEvents()     {         _sink = new Sink(this);         COMAdminCatalogClass catalog = new COMAdminCatalogClass(); // need a reference to COMAdmin          // we just need a transient subscription, for the lifetime of our application         ICatalogCollection subscriptions = (ICatalogCollection)catalog.GetCollection("TransientSubscriptions");          ICatalogObject subscription = (ICatalogObject)subscriptions.Add();         subscription.set_Value("EventCLSID", SENSGUID_EVENTCLASS_LOGON2.ToString("B"));         subscription.set_Value("SubscriberInterface", _sink);         // NOTE: we don't specify a method name, so all methods may be called         subscriptions.SaveChanges();     }      private void OnLogonEvent(SensLogonEventType type, string bstrUserName, uint dwSessionId)     {         EventHandler<SensLogonEventArgs> handler = LogonEvent;         if (handler != null)         {             handler(this, new SensLogonEventArgs(type, bstrUserName, dwSessionId));         }     }      private class Sink : ISensLogon2     {         private SensEvents _events;          public Sink(SensEvents events)         {             _events = events;         }          public void Logon(string bstrUserName, uint dwSessionId)         {             _events.OnLogonEvent(SensLogonEventType.Logon, bstrUserName, dwSessionId);         }          public void Logoff(string bstrUserName, uint dwSessionId)         {             _events.OnLogonEvent(SensLogonEventType.Logoff, bstrUserName, dwSessionId);         }          public void SessionDisconnect(string bstrUserName, uint dwSessionId)         {             _events.OnLogonEvent(SensLogonEventType.SessionDisconnect, bstrUserName, dwSessionId);         }          public void SessionReconnect(string bstrUserName, uint dwSessionId)         {             _events.OnLogonEvent(SensLogonEventType.SessionReconnect, bstrUserName, dwSessionId);         }          public void PostShell(string bstrUserName, uint dwSessionId)         {             _events.OnLogonEvent(SensLogonEventType.PostShell, bstrUserName, dwSessionId);         }     }      [ComImport, Guid("D597BAB4-5B9F-11D1-8DD2-00AA004ABD5E")]     private interface ISensLogon2     {         void Logon([MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);         void Logoff([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);         void SessionDisconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);         void SessionReconnect([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);         void PostShell([In, MarshalAs(UnmanagedType.BStr)] string bstrUserName, uint dwSessionId);     } }  public class SensLogonEventArgs : EventArgs {     public SensLogonEventArgs(SensLogonEventType type, string userName, uint sessionId)     {         Type = type;         UserName = userName;         SessionId = sessionId;     }      public string UserName { get; private set; }     public uint SessionId { get; private set; }     public SensLogonEventType Type { get; private set; } }  public enum SensLogonEventType {     Logon,     Logoff,     SessionDisconnect,     SessionReconnect,     PostShell } 

Note: Ensure that Visual Studio is running with administrator priviledges by right-clicking your Visual Studio shortcut and clicking run as administrator, otherwise an System.UnauthorizedAccessException will be thrown when the program is run.

Answer 2

Since you are on a service, you can get session change events directly.

You can register yourself to receive the SERVICE_CONTROL_SESSIONCHANGE event. In particular, you will want to look for the WTS_SESSION_LOGON and WTS_SESSION_LOGOFF reasons.

For details and links to the relevant MSDN docs, check this answer I wrote just yesterday.

In C# it is even easier, as ServiceBase already wraps the service control routine and exposes the event as an overridable OnSessionChange method for you. See MSDN docs for ServiceBase, and do not forget to set the CanHandleSessionChangeEvent property to true to enable the execution of this method.

What you get back when the framework calls your OnSessionChange override is a SessionChangeDescription Structure with a reason (logoff, logon, ...) and a session ID you can use to obtain information, for example, on the user logging on/off (see the link to my prev answer for details)

EDIT: sample code

 public class SimpleService : ServiceBase {     ...     public SimpleService()     {         CanPauseAndContinue = true;         CanHandleSessionChangeEvent = true;         ServiceName = "SimpleService";     }      protected override void OnSessionChange(SessionChangeDescription changeDescription)     {         EventLog.WriteEntry("SimpleService.OnSessionChange", DateTime.Now.ToLongTimeString() +             " - Session change notice received: " +             changeDescription.Reason.ToString() + "  Session ID: " +              changeDescription.SessionId.ToString());           switch (changeDescription.Reason)         {             case SessionChangeReason.SessionLogon:                 EventLog.WriteEntry("SimpleService.OnSessionChange: Logon");                 break;              case SessionChangeReason.SessionLogoff:                        EventLog.WriteEntry("SimpleService.OnSessionChange Logoff");                  break;            ...         }