Friday, 9 March 2012

Who logged on? Get the source IP of a windows session

I've been looking after a few servers in a virtual host that is stretched for resource.  I started to notice that merely by the fact of many people logging on to the servers (and forgetting to log off) resources were being taken up and slowing down the entire virtual infrastructure.  Each login would spin up a few more services on the server and slowly deprive the rest of resource.

qwinsta and rwinsta to the rescue!
Two tools that are built into windows and often overlooked are qwinsta and rwinsta.  qwinsta will query the server for all the sessions (active or disconnected) that are registered on the server.  rwinsta will allow you to reset a session (again active or disconnected) by the session's id.  These tools have been invaluable for me to see if there are any sessions on the servers and be able to clean off the disconnected sessions left open.

qwinsta /server:<server name>

And then you can use rwinsta using the ID to kill the session:

rwinsta /server:<server name> 1

Administrator, who are you?
This left me with another problem.  As you can see somebody logged on as the local Administrator account and then left the session open.  How can I get the source IP address for this disconnected session so that I can track down who done it?  Enter CAD_UtilPack.

The CAD_UtilPack (free version) is a rich tool set for doing all sorts of admin tasks.  Inside there is a tool called ENVTSCIP.  This tool can easily be configured on a server to log the IP of someone requesting a new TS session, perfect.

*Disclaimer: I don't think I have to say it, but what comes next is not supported and not even tested that well.  But I did get everything to work on my Windows Server 2008 R2 box.

Ok, well now we have the tools.  I'm going to log all the connections and qwinsta info to the file C:\temp\logons.txt, then I'll be able to look up a logon and correlation the qwinsta ID.

To do this, I need to:

  1. Create a script to run at windows logon
  2. Edit the registry to include my script
  3. Drop the logon script and the ENVTSCIP in  %SystemRoot% \System32\ directory
  4. Sit back and wait

So, this is my registry script (tslogon.reg):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe, C:\\Windows\\system32\\tslogon.cmd,"

The userinit.exe was already in the registry so I'm just appending the tslogon.cmd to what exists already.

Here is the script that runs at logon (tslogon.cmd):

%SystemRoot%\System32\envtscip.exe >> c:\temp\logons.txt
echo %DATE% %TIME% >> c:\temp\logons.txt
echo. >> c:\temp\logons.txt
qwinsta >> c:\temp\logons.txt
echo. >> c:\temp\logons.txt
echo. >> c:\temp\logons.txt

This script is going to run ENVTSCIP from the %SystemRoot%\System32\ directory, log the date and time, and finally log out the current qwinsta result.

Finally, I create a logons.txt file in the C:\temp\ directory and give write permissions to everyone (yes not the best idea, but this is only a first stab).

I see you...
This is now what I get logged when the local Administrator logs on:

09/03/2012 17:42:08.99 

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE 
 services                                    0  Disc                        
>rdp-tcp#0         Administrator             1  Active  rdpwd               
 console                                     3  Conn                        
 rdp-tcp                                 65536  Listen  

You can see that ENVTSCIP gives us the WTSClientAddress, and qwinsta gave us the session ID when the session was initiated.  From there I can do an nslookup on the IP and get the machine name of the user that made the session.

Yes! However, there is some set up here.  I scripted the install and it was pretty easy to roll out, but I'm still not convinced this is the right solution.  Anyone know of a better way?

No comments:

Post a Comment