Читаем Windows® Internals, Sixth Edition, Part 1 полностью

As long as at least one token exists with a given logon session LUID, Windows considers the logon session to be active. You can use the LogonSessions tool from Sysinternals, which uses the LsaEnumerateLogonSessions function (documented in the Windows SDK) to list the active logon sessions:C:\>logonsessions Logonsesions v1.21 Copyright (C) 2004-2010 Bryce Cogswell and Mark Russinovich Sysinternals - wwww.sysinternals.com [0] Logon session 00000000:000003e7: User name: KERNELS\LAPT8$ Auth package: NTLM Logon type: (none) Session: 0 Sid: S-1-5-18 Logon time: 2012-01-16 22:03:38 Logon server: DNS Domain: UPN: [1] Logon session 00000000:0000cf19: User name: Auth package: NTLM Logon type: (none) Session: 0 Sid: (none) Logon time: 2012-01-16 22:03:38 Logon server: DNS Domain: UPN: [2] Logon session 00000000:000003e4: User name: KERNELS\LAPT8$ Auth package: Negotiate Logon type: Service Session: 0 Sid: S-1-5-20 Logon time: 2012-01-16 22:03:40 Logon server: DNS Domain: UPN: [3] Logon session 00000000:000003e5: User name: NT AUTHORITY\LOCAL SERVICE Auth package: Negotiate Logon type: Service Session: 0 Sid: S-1-5-19 Logon time: 2012-01-16 22:03:40 Logon server: DNS Domain: UPN: [4] Logon session 00000000:00021ed2: User name: NT AUTHORITY\ANONYMOUS LOGON Auth package: NTLM Logon type: Network Session: 0 Sid: S-1-5-7 Logon time: 2012-01-16 22:03:46 Logon server: DNS Domain: UPN: [5] Logon session 00000000:000882c2: User name: LAPT8\jeh Auth package: NTLM Logon type: Interactive Session: 1 Sid: S-1-5-21-1488595123-1430011218-1163345924-1000 Logon time: 2012-01-17 01:34:46 Logon server: LAPT8 DNS Domain: UPN: [6] Logon session 00000000:000882e3: User name: LAPT8\jeh Auth package: NTLM Logon type: Interactive Session: 1 Sid: S-1-5-21-1488595123-1430011218-1163345924-1000 Logon time: 2012-01-17 01:34:46 Logon server: LAPT8 DNS Domain: UPN:

Information reported for a session includes the SID and name of the user associated with the session, as well as the session’s authentication package and logon time. Note that the Negotiate authentication package, seen in logon session 2 in the preceding output, will attempt to authenticate via Kerberos or NTLM, depending on which is most appropriate for the authentication request.

The LUID for a session is displayed on the “Logon Session” line of each session block, and using the Handle utility (also from Sysinternals), you can find the tokens that represent a particular logon session. For example, to find the tokens for logon session 5 in the example output just shown, you could enter this command:C:\Windows\system32>handle -a 882c2 Handle v3.46 Copyright (C) 1997-2011 Mark Russinovich Sysinternals - www.sysinternals.com System pid: 4 type: Directory D60: \Sessions\0\DosDevices\00000000-000882c2 winlogon.exe pid: 440 type: Event DC: \BaseNamedObjects\00000000000882c2_WlballoonSmartCardUnlockNotificationEventName winlogon.exe pid: 440 type: Event E4: \BaseNamedObjects\00000000000882c2_WlballoonKerberosNotificationEventName winlogon.exe pid: 440 type: Event 1D4: \BaseNamedObjects\00000000000882c2_WlballoonAlternateCredsNotificationEventName lsass.exe pid: 492 type: Token 508: LAPT8\jeh:882c2 lsass.exe pid: 492 type: Token 634: LAPT8\jeh:882c2 svchost.exe pid: 892 type: Token 7C4: LAPT8\jeh:882c2 svchost.exe pid: 960 type: Token E70: LAPT8\jeh:882c2 svchost.exe pid: 960 type: Token 1034: LAPT8\jeh:882c2 svchost.exe pid: 960 type: Token 1194: LAPT8\jeh:882c2 svchost.exe pid: 960 type: Token 1384: LAPT8\jeh:882c2