Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dissecting Windows Logons

Guy Leech
September 30, 2022
Technology
0
340

Dissecting Windows Logons

How to understand what happened during an interactive user logon, no matter when that logon occurred, using only free tools & scripts.

Presented at XenApp Blog Virtual Expo 2022/09/30

Recording coming

Guy Leech

September 30, 2022
Tweet

More Decks by Guy Leech

See All by Guy Leech
Fast & Efficient Windows Troubleshooting via PowerShell
guyrleech
0
67
Troubleshooting Windows Problems using PowerShell
guyrleech
0
130
Secrets of a PowerShell "Guru"
guyrleech
1
260
PowerShell Performance Tips
guyrleech
0
280
Troubleshooting with PowerShell
guyrleech
1
220
Using REST APIs via PowerShell
guyrleech
0
170
Learn How to PowerShell Like a Pro
guyrleech
0
740
Using REST APIs via PowerShell
guyrleech
0
100
Driving the Citrix Cloud REST API with PowerShell
guyrleech
0
250

Other Decks in Technology

See All in Technology
Creating Awesome Change in SmartNews
martin_lover
1
200
20250328_RubyKaigiで出会い鯛_____RubyKaigiから始まったはじめてのOSSコントリビュート.pdf
mterada1228
0
490
LINEギフトのLINEミニアプリアクセシビリティ改善事例
lycorptech_jp
PRO
0
350
テキスト解析で見る PyCon APAC 2025 セッション&スピーカートレンド分析
negi111111
0
270
チームビルディング「脅威モデリング」ワークショップ
koheiyoshikawa
0
190
AIと開発者の共創: エージェント時代におけるAIフレンドリーなDevOpsの実践
bicstone
1
200
.mdc駆動ナレッジマネジメント/.mdc-driven knowledge management
yodakeisuke
24
10k
DETR手法の変遷と最新動向(CVPR2025)
tenten0727
2
870
LLM とプロンプトエンジニアリング/チューターをビルドする / LLM, Prompt Engineering and Building Tutors
ks91
PRO
1
200
AI Agentを「期待通り」に動かすために:設計アプローチの模索と現在地
kworkdev
PRO
2
300
「ラベルにとらわれない」エンジニアでいること/Be an engineer beyond labels
kaonavi
0
240
Amazon S3 Tables + Amazon Athena / Apache Iceberg
okaru
0
220

Featured

See All Featured
A Tale of Four Properties
chriscoyier
158
23k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
650
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
Why Our Code Smells
bkeepers
PRO
336
57k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.1k
Java REST API Framework Comparison - PWX 2021
mraible
30
8.5k
Code Review Best Practice
trishagee
67
18k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.8k
How to train your dragon (web standard)
notwaldorf
91
6k

Transcript

  1. Dissecting Windows Logons @guyrleech

  2. Determining what has run & why • SysInternals Process Monitor

    • Event logs • Standard Entries • Process Creation Auditing • Gpresult • Scheduled Tasks • Logon scripts • Users • Group & Local policy • … and don’t forget device drivers, especially file system filters, & services @guyrleech

  3. SysInternals process Monitor • Capture start/stop on single user OS

    • Sethc / utilman hijack (crude & AV products now stopping) • Remote PowerShell session (elegant) • SysInternals psexec (old fashioned but not WinRM dependent) • Process Tree • Look at creation times, command lines, parent processes & durations • Filter out unwanted & noise, e.g. other sessions (but not session zero) @guyrleech

  4. Event Logs • There are more than 4 event logs!

    Yes, really • 494 on my Win10 21H2 laptop with 1284 providers & 161 containing events • Search them all during the logon period • PowerShell to the rescue (again) • Process Creation/Termination auditing + command line • Another reason not to use clear text passwords on command lines • Push into csv or grid view for further filtering/saving @guyrleech

  5. ControlUp Logon Analysis Script • Doesn’t need ControlUp to run

    • Download from script library • Needs logon and process creation/termination auditing in place • Just need to pass domain\user • Splits out phases including group policy, logon script & printer mappings @guyrleech

  6. Active Setup • Designed for one time app setup for

    users (or if app version changes) • Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432node) • Runs command in “StubPath” value • Copies keys run to HKCU • Can disable by removing some or all HKLM keys • DO NOT USE! AVOID! DELETE KEYS! • And now we have AppX logon “stuff” @guyrleech

  7. Other USEFUL THINGS to look AT • GPSvcDebugLevel • %systemroot%\inf\setupapi.dev.log

    • SysInternals AutoRuns • Base/Default Profile • Security software/Anti Virus • User profile persistence (e.g. “Roman” profiles, UPM, Ivanti EM, Fslogix, etc.) • AppSetup value in Winlogon reg key (e.g. usrlogon.cmd) • Appinit_dlls • Local & hypervisor performance counters & network/storage load • Persistent image bloat – e.g. GPO cache, temp folders @guyrleech