Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dissecting Windows Logons

Guy Leech
September 30, 2022
Technology
0
310

Dissecting Windows Logons

How to understand what happened during an interactive user logon, no matter when that logon occurred, using only free tools & scripts.

Presented at XenApp Blog Virtual Expo 2022/09/30

Recording coming

Guy Leech

September 30, 2022
Tweet

More Decks by Guy Leech

See All by Guy Leech
Fast & Efficient Windows Troubleshooting via PowerShell
guyrleech
0
42
Troubleshooting Windows Problems using PowerShell
guyrleech
0
110
Secrets of a PowerShell "Guru"
guyrleech
1
210
PowerShell Performance Tips
guyrleech
0
250
Troubleshooting with PowerShell
guyrleech
1
190
Using REST APIs via PowerShell
guyrleech
0
150
Learn How to PowerShell Like a Pro
guyrleech
0
610
Using REST APIs via PowerShell
guyrleech
0
93
Driving the Citrix Cloud REST API with PowerShell
guyrleech
0
240

Other Decks in Technology

See All in Technology
Can We Measure Developer Productivity?
ewolff
1
150
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
350
強いチームと開発生産性
onk
PRO
33
11k
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
Taming you application's environments
salaboy
0
180
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
280
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
560
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
The Rise of LLMOps
asei
5
1.2k

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Typedesign – Prime Four
hannesfritz
40
2.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Building Applications with DynamoDB
mza
90
6.1k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
GitHub's CSS Performance
jonrohan
1030
460k

Transcript

  1. Dissecting Windows Logons @guyrleech

  2. Determining what has run & why • SysInternals Process Monitor

    • Event logs • Standard Entries • Process Creation Auditing • Gpresult • Scheduled Tasks • Logon scripts • Users • Group & Local policy • … and don’t forget device drivers, especially file system filters, & services @guyrleech

  3. SysInternals process Monitor • Capture start/stop on single user OS

    • Sethc / utilman hijack (crude & AV products now stopping) • Remote PowerShell session (elegant) • SysInternals psexec (old fashioned but not WinRM dependent) • Process Tree • Look at creation times, command lines, parent processes & durations • Filter out unwanted & noise, e.g. other sessions (but not session zero) @guyrleech

  4. Event Logs • There are more than 4 event logs!

    Yes, really • 494 on my Win10 21H2 laptop with 1284 providers & 161 containing events • Search them all during the logon period • PowerShell to the rescue (again) • Process Creation/Termination auditing + command line • Another reason not to use clear text passwords on command lines • Push into csv or grid view for further filtering/saving @guyrleech

  5. ControlUp Logon Analysis Script • Doesn’t need ControlUp to run

    • Download from script library • Needs logon and process creation/termination auditing in place • Just need to pass domain\user • Splits out phases including group policy, logon script & printer mappings @guyrleech

  6. Active Setup • Designed for one time app setup for

    users (or if app version changes) • Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432node) • Runs command in “StubPath” value • Copies keys run to HKCU • Can disable by removing some or all HKLM keys • DO NOT USE! AVOID! DELETE KEYS! • And now we have AppX logon “stuff” @guyrleech

  7. Other USEFUL THINGS to look AT • GPSvcDebugLevel • %systemroot%\inf\setupapi.dev.log

    • SysInternals AutoRuns • Base/Default Profile • Security software/Anti Virus • User profile persistence (e.g. “Roman” profiles, UPM, Ivanti EM, Fslogix, etc.) • AppSetup value in Winlogon reg key (e.g. usrlogon.cmd) • Appinit_dlls • Local & hypervisor performance counters & network/storage load • Persistent image bloat – e.g. GPO cache, temp folders @guyrleech