Understanding Windows sessions

In the past, I had never understood the concept of a Windows session. I always felt that this concept was lacking. Now I understand it a little. Write down and make a memo. Simply put, after a user logs on to the Windows system, the system will assign a new session ID (SID) to the user whether the user logs on locally or remotely ). That is to say, the session is related to the user's login, and there is no session if there is no user login. Therefore, a session is a running environment after a user logs on. Let's look at what we say in reading a book first!

 

The Session Manager (\ windows \ system32 \ smss.exe) is the first user-mode process created in the system, the kernel mode system thread responsible for completing the initialization of the execution body and kernel creates the actual SMSs process in the final stage (This section is taken from: in-depth analysis of Windows operating system (version 4th) 80 pages ).

 

Windows supports multiple sessions. Therefore, session space contains global information for each session. Therefore, the session space is used to manage sessions. What does a session contain?

 

Sessions are composed of processes and other system objects (such as window stations, desktops, and Windows). They represent a user's workstation logon session. A session consists of the following parts:

1. Each session contains a separate win32k. sys

2. dedicated page feed pool area

3. Copying private Windows subsystems and login Processes

4. The mapped space in the system space, called the area of the session Space

(Refer to: in-depth analysis of Windows operating system (version 4th) page 414)

 

Now I compare sessions with processes and find some similarities between them:

1. All provide an execution environment

2. All have a private space

 

Processes provide a space and environment for internal execution threads, while sessions provide an execution space and environment for all internal processes. (This is my summary. I feel that the summary is very good, so that you can understand the concept of session)

 

X86 session space layout, for example: (I manually draw reference: in-depth analysis of Windows operating system (version 4th) 419 page)

That is to say, the size of the session space is 8 + 4 + 20 + 16 = 48 m by default.

Perform the following experiments on my machine:

Lkd>! Session
Sessions on machine: 1
Valid sessions: 0
Current session 0

It can be seen that there is only one session on my machine, because it is my machine and only I am logged on.

Call! Sprocess displays the address of the session data structure and the process in the session

Lkd>! Sprocess
Dumping session 0

_ Mm_session_space b85dc000 the address of the session space.
_ Mmsession b85dc15c
Process 8a11a268 sessionid: 0 CID: 028c peb: 7ffdf000 parentcid: 0190
Dirbase: 0aa00060 objecttable: e1b01120 handlecount: 346.
Image: csrss.exe

Process 8a2d0318 sessionid: 0 CID: 02a4 peb: 7ffdf000 parentcid: 0190
Dirbase: 0aa00080 objecttable: e18c70b0 handlecount: 581.
Image: winlogon.exe

Process 8a349da0 sessionid: 0 CID: 02d0 peb: 7ffda000 parentcid: 02a4
Dirbase: 0aa000a0 objecttable: e1e8da78 handlecount: 266.
Image: services.exe

.......

View the session structure now

Lkd> DT nt! _ Mm_session_space b85dc000
+ 0x000 referencecount: 0x15
+ 0x004 U: _ unnamed
+ 0x008 sessionid: 0
+ 0x00c sessionpagedirectoryindex: 0x18626
+ 0x010 globalvirtualaddress: 0xb85dc000 _ mm_session_space
+ 0x014 processlist: _ list_entry [0x8a11a31c-0x89b98c8c]
+ 0x01c nonpagedpoolbytes: 0
+ 0x020 pagedpoolbytes: 0
+ 0x024 nonpagedpoolallocations: 0
+ 0x028 pagedpoolallocations: 0
+ 0x02c nonpagablepages: 0x17
+ 0x030 committedpages: 0x5e4
+ 0x038 lastprocessswappedouttime: _ large_integer 0x0
+ 0x040 pagetables: 0x8a0bb3e8 _ Matrix
+ 0x044 pagedpoolmutex: _ fast_mutex
+ 0x064 pagedpoolstart: 0xb9800000
+ 0x068 pagedpoolend: 0xb9bfffff
+ 0x06c pagedpoolbasepvdf: 0xc0602e60 _ matrix te
+ 0x070 pagedpoolinfo: _ mm_paged_pool_info
+ 0x094 color: 0xba6
+ 0x098 processoutswapcount: 5
+ 0x09c imagelist: _ list_entry [0x8a355ea0-0x8a1de1e8]
+ 0x0a4 globalpteentry: 0xc05c2ee0 _ Matrix
+ 0x0a8 copyonwritecount: 0x13
+ 0x0ac sessionpoolallocationfailures: [4] 0
+ 0x0bc attachcount: 0
+ 0x0c0 attachevent: _ kevent
+ 0x0d0 lastprocess: (null)
+ 0x0d8 VM: _ mmsupport
+ 0x118 wsystemic: 0xbcc0003c _ mmwsystemic
+ 0x11c wslock: _ eresource
+ 0x154 wslistentry: _ list_entry [0x80561b58-0x80561b58]
+ 0x15c session: _ mmsession
+ 0x198 win32kdriverobject: _ driver_object
+ 0x240 workingsetlockowner: (null)
+ 0x244 pagedpool: _ pool_descriptor
+ 0x126c processreferencetosession: 43
+ 0x1270 localeid: 0x409

 

The official C structure of Microsoft is defined as follows:

typedef struct _MM_SESSION_SPACE{    //    // This is a pointer in global system address space, used to make various    // fields that can be referenced from any process visible from any process    // context.  This is for things like mutexes, WSL chains, etc.    //    struct _MM_SESSION_SPACE *GlobalVirtualAddress;    LONG ReferenceCount;    union    {        ULONG LongFlags;        MM_SESSION_SPACE_FLAGS Flags;    } u;    ULONG SessionId;    //    // This is the list of the processes in this group that have    // session space entries.    //    LIST_ENTRY ProcessList;    LARGE_INTEGER LastProcessSwappedOutTime;    //    // All the page tables for session space use this as their parent.    // Note that it's not really a page directory - it's really a page    // table page itself (the one used to map this very structure).    //    // This provides a reference to something that won't go away and    // is relevant regardless of which process within the session is current.    //    PFN_NUMBER SessionPageDirectoryIndex;    //    // This is the count of non paged allocations to support this session    // space.  This includes the session structure page table and data pages,    // WSL page table and data pages, session pool page table pages and session    // image page table pages.  These are all charged against    // MmResidentAvailable.    //    SIZE_T NonPageablePages;    //    // This is the count of pages in this session that have been charged against    // the systemwide commit.  This includes all the NonPageablePages plus the    // data pages they typically map.    //    SIZE_T CommittedPages;    //    // Start of session paged pool virtual space.    //    PVOID PagedPoolStart;    //    // Current end of pool virtual space. Can be extended to the    // end of the session space.    //    PVOID PagedPoolEnd;    //    // PTE pointers for pool.    //    PMMPTE PagedPoolBasePde;    ULONG Color;    LONG ResidentProcessCount;    ULONG SessionPoolAllocationFailures[4];    //    // This is the list of system images currently valid in    // this session space.  This information is in addition    // to the module global information in PsLoadedModuleList.    //    LIST_ENTRY ImageList;    LCID LocaleId;    //    // The count of "known attachers and the associated event.    //    ULONG AttachCount;    KEVENT AttachEvent;    PEPROCESS LastProcess;    //    // This is generally decremented in process delete (not clean) so that    // the session data page and mapping PTE can finally be freed when this    // reaches zero.  smss is the only process that decrements it in other    // places as smss never exits.    //    LONG ProcessReferenceToSession;    //    // This chain is in global system addresses (not session VAs) and can    // be walked from any system context, ie: for WSL trimming.    //    LIST_ENTRY WsListEntry;    //    // Session lookasides for fast pool allocation/freeing.    //    GENERAL_LOOKASIDE Lookaside[SESSION_POOL_SMALL_LISTS];    //    // Support for mapping system views into session space.  Each desktop    // allocates a 3MB heap and the global system view space is only 48M    // total.  This would limit us to only 20-30 users - rotating the    // system view space with each session removes this limitation.    //    MMSESSION Session;    //    // Session space paged pool support.    //    KGUARDED_MUTEX PagedPoolMutex;    MM_PAGED_POOL_INFO PagedPoolInfo;    //    // Working set information.    //    MMSUPPORT  Vm;    PMMWSLE    Wsle;    PDRIVER_UNLOAD Win32KDriverUnload;    //    // Pool descriptor for less than 1 page allocations.    //    POOL_DESCRIPTOR PagedPool;#if (_MI_PAGING_LEVELS >= 3)    //    // The page directory that maps session space is saved here so    // trimmers can attach.    //    MMPTE PageDirectory;#else    //    // The second level page tables that map session space are shared    // by all processes in the session.    //    PMMPTE PageTables;#endif#if defined (_WIN64)    //    // NT64 has enough virtual address space to support per-session special    // pool.    //    PMMPTE SpecialPoolFirstPte;    PMMPTE SpecialPoolLastPte;    PMMPTE NextPdeForSpecialPoolExpansion;    PMMPTE LastPdeForSpecialPoolExpansion;    PFN_NUMBER SpecialPagesInUse;#endif    LONG ImageLoadingCount;#if DBG    ULONG Debug[MM_SESS_COUNTER_MAX];    MM_SESSION_MEMORY_COUNTERS Debug2[MM_SESS_MEMORY_COUNTER_MAX];#endif} MM_SESSION_SPACE, *PMM_SESSION_SPACE;

View the memory usage of the session space and call it! VM 4 command

Lkd>! VM 4
.
.
.
Terminal Server memory usage by session:

Session paged pool maximum is 4096 K
Session view space maximum is 49152 K

Session ID 0 @ b85dc000:
Paged pool usage: 0 K
Commit usage: 6032 K

Now we know that after a user logs on to the system, all processes under the user belong to this session space. Sessionid exists in the peb of each process.

typedef struct _PEB{    BYTE Reserved1[2];    BYTE BeingDebugged;    BYTE Reserved2[1];    PVOID Reserved3[2];    PPEB_LDR_DATA Ldr;    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;    BYTE Reserved4[104];    PVOID Reserved5[52];    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;    BYTE Reserved6[128];    PVOID Reserved7[1];    ULONG SessionId;} PEB, *PPEB;

The last member of this structure is sessionid.

So here is a problem. How do processes in different sessions on the same machine communicate? Some APIs in Microsoft's msdn are very clear.
Let me give you an example. As described in createfilemapping msdn in http://msdn.microsoft.com/en-us/library/aa366537 (vs.85). aspx
If lpname is used, the range of "global \" or "Local \" is global.

 
I wrote it here today!