
Dissecting Windows Logons

Guy Leech
September 30, 2022


How to understand what happened during an interactive user logon, no matter when that logon occurred, using only free tools & scripts.

Presented at XenApp Blog Virtual Expo 2022/09/30

Recording coming



  1. Determining what has run & why
     • SysInternals Process Monitor
     • Event logs
       • Standard entries
       • Process creation auditing
     • Gpresult
     • Scheduled tasks
     • Logon scripts
     • Users
     • Group & local policy
     • … and don’t forget device drivers, especially file system filters, & services

     @guyrleech
  2. SysInternals Process Monitor
     • Capture start/stop on a single-user OS
       • sethc / utilman hijack (crude, & AV products now stopping it)
       • Remote PowerShell session (elegant)
       • SysInternals psexec (old fashioned but not WinRM dependent)
     • Process Tree
       • Look at creation times, command lines, parent processes & durations
       • Filter out unwanted entries & noise, e.g. other sessions (but not session zero)
  3. Event logs
     • There are more than 4 event logs! Yes, really
       • 494 on my Win10 21H2 laptop, with 1284 providers & 161 containing events
     • Search them all during the logon period
       • PowerShell to the rescue (again)
     • Process creation/termination auditing + command line
       • Another reason not to use clear-text passwords on command lines
     • Push into CSV or grid view for further filtering/saving
  4. ControlUp Logon Analysis Script
     • Doesn’t need ControlUp to run
     • Download from the script library
     • Needs logon and process creation/termination auditing in place
     • Just need to pass domain\user
     • Splits out phases including group policy, logon script & printer mappings
  5. Active Setup
     • Designed for one-time app setup for users (or if the app version changes)
     • Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432Node)
     • Runs the command in the “StubPath” value
     • Copies keys run to HKCU
     • Can disable by removing some or all HKLM keys
     • DO NOT USE! AVOID! DELETE KEYS!
     • And now we have AppX logon “stuff”
  6. Other useful things to look at
     • GPSvcDebugLevel
     • %systemroot%\inf\setupapi.dev.log
     • SysInternals AutoRuns
     • Base/default profile
     • Security software/anti-virus
     • User profile persistence (e.g. roaming profiles, UPM, Ivanti EM, FSLogix, etc.)
     • AppSetup value in the Winlogon registry key (e.g. usrlogon.cmd)
     • AppInit_DLLs
     • Local & hypervisor performance counters & network/storage load
     • Persistent image bloat – e.g. GPO cache, temp folders
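The "search them all during the logon period" approach from slide 3, as an added PowerShell example (not the deck's or the ControlUp script's own code): it locates the user's most recent interactive logon from Security event 4624, then queries every event log that holds records for entries written in the minutes after it, and sends the result to a grid view or CSV. It assumes an elevated session and that logon auditing is already enabled; `$WindowMinutes` and the column layout are choices made here, not from the deck.

```powershell
# Added example (not from the deck): collect events from ALL event logs during a logon window.
param(
    [Parameter(Mandatory)][string]$User,   # user name, with or without a DOMAIN\ prefix
    [int]$WindowMinutes = 5,               # how long after the logon to collect events (assumed default)
    [string]$Csv                           # optional: export to this CSV instead of a grid view
)

$name = ($User -split '\\')[-1]

# Most recent 4624 for this user with logon type Interactive (2), RemoteInteractive (10)
# or CachedInteractive (11). Properties[5] is TargetUserName, Properties[8] is LogonType.
$logon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop |
    Where-Object { $_.Properties[5].Value -eq $name -and $_.Properties[8].Value -in 2, 10, 11 } |
    Select-Object -First 1
if (-not $logon) { throw "No interactive logon found for $name in the Security log" }

$start = $logon.TimeCreated
$end   = $start.AddMinutes($WindowMinutes)

# Every log that actually contains records, not just Application/System/Security/Setup.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount -gt 0 }

$events = foreach ($log in $logs) {
    # A log with no entries in the window raises a non-terminating "No events were found";
    # SilentlyContinue drops that so the loop keeps going.
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $start; EndTime = $end } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only, for triage
}

$events = $events | Sort-Object TimeCreated
"{0} events from {1} logs between {2} and {3}" -f $events.Count, $logs.Count, $start, $end

if ($Csv) {
    $events | Export-Csv -Path $Csv -NoTypeInformation
} else {
    $events | Out-GridView -Title "Events during logon of $name ($start to $end)"
}
```

With process creation auditing and command-line logging enabled, the Security log's 4688 entries appear in the same timeline, which is where the clear-text password warning on slide 3 comes from.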