TSSessions utility

Part of my Sysinternals Primer: Gems presentation at TechEd last month covered the topics of terminal services sessions, window stations and desktops.  To illustrate the concepts, I used a utility I wrote called TSSessions.  As promised, I have attached that utility (with source) to this blog post.

TSSessions reports four sets of information:

  • The TS session, window station and desktop on which the instance of TSSessions is running;
  • The current user input desktop in the current session;
  • Enumeration of all terminal services sessions, identifying which is the console session;
  • Enumeration of window stations and desktops in the current TS session.  The security descriptors of these objects are included in the output in SDDL form.  Run TSSessions with the -NoSD command option to omit the security descriptors from the output.

Try running TSSessions under the System account; e.g., with "PsExec -sid cmd.exe".  The System account has visibility into more details than even a regular administrative account has.  Also try running TSSessions remotely in session 0 (PsExec -s cmd.exe), as I demonstrate in the Sysinternals talk.  Here's some sample TSSessions output from the System account's non-interactive window station in session 0:

This process/thread running in:
    Session 0
    WinSta Service-0x0-3e7$
    Desktop Default

Current user input Desktop: Incorrect function. (Error # 1 = 0x00000001)

Terminal Sessions: 3

    Console Session = 1

    Session ID: 0
        Window Station Name : Services
        State : Disconnected
        WTS User Name :
        No Token
    Session ID: 1
        Window Station Name : Console
        State : Active
        WTS User Name : Aaron
        Token Logon Session : 00000000:000666b6
        Token Integrity Level: Medium

    Session ID: 65536
        Window Station Name : RDP-Tcp
        State : Listen
        WTS User Name :

Window stations in the current session:

    WinSta: WinSta0
            Flags: 0x00000001
              SID: (No user)

       Desktop: Default
           SID: (No user)

       Desktop: Disconnect
           SID: (No user)

       Desktop: Winlogon
           SID: (No user)

    WinSta: Service-0x0-3e7$
            Flags: 0x00000000
              SID: (No user)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)

    WinSta: Service-0x0-3e4$
            Flags: Access is denied. (Error # 5 = 0x00000005)
              SID: Access is denied. (Error # 5 = 0x00000005)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)

    WinSta: Service-0x0-3e5$
            Flags: Access is denied. (Error # 5 = 0x00000005)
              SID: Access is denied. (Error # 5 = 0x00000005)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
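
The non-interactive window station names in this output follow the documented Service-0x<high>-<low>$ pattern, where the two hex values are the LUID of the logon session that owns the station. The following is an added example, not part of the attached TSSessions source: it parses the window-station section of the output and maps the well-known LUIDs (0x3e7 SYSTEM, 0x3e4 NETWORK SERVICE, 0x3e5 LOCAL SERVICE) to account names. The function and field names are my own, and the sample text is abridged from the output above.

```python
import re

# Well-known logon-session LUIDs (low part; the high part is 0 for all three).
WELL_KNOWN = {0x3E7: "SYSTEM", 0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE"}
WINSTA_RE = re.compile(r"^\s*WinSta:\s*(\S+)")
DESKTOP_RE = re.compile(r"^\s*Desktop:\s*(\S+)")
SERVICE_RE = re.compile(r"^Service-0x([0-9a-fA-F]+)-([0-9a-fA-F]+)\$$")

# Abridged from the sample output on this page (window-station section only).
SAMPLE = """\
    WinSta: WinSta0
       Desktop: Default
       Desktop: Disconnect
       Desktop: Winlogon
    WinSta: Service-0x0-3e7$
            Flags: 0x00000000
 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
    WinSta: Service-0x0-3e4$
            Flags: Access is denied. (Error # 5 = 0x00000005)
 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
"""

def decode_winsta(name):
    """Return the (high, low) logon-session LUID for a Service-0xH-L$ name, else None."""
    m = SERVICE_RE.match(name)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def summarize(output):
    """Return one record per 'WinSta:' block found in TSSessions output."""
    records, current = [], None
    for line in output.splitlines():
        ws = WINSTA_RE.match(line)
        if ws:
            luid = decode_winsta(ws.group(1))
            owner = WELL_KNOWN.get(luid[1]) if luid and luid[0] == 0 else None
            current = {"name": ws.group(1), "luid": luid, "owner": owner,
                       "desktops": [], "denied": False}
            records.append(current)
        elif current is not None:
            dt = DESKTOP_RE.match(line)
            if dt:
                current["desktops"].append(dt.group(1))
            elif "Access is denied" in line:
                current["denied"] = True  # Flags, SID or EnumDesktops was refused
    return records

if __name__ == "__main__":
    for record in summarize(SAMPLE):
        print(record)
```

Interactive stations such as WinSta0 carry no LUID in their name, so the luid and owner fields are None for them.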

TSSessions.zip