Credential provider usage scenario: CPUS_UNLOCK_WORKSTATION removed from Windows 10

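I am developing a custom credential provider and need to know at runtime whether the scenario is a logon or a session unlock. For this, I check the CREDENTIAL_PROVIDER_USAGE_SCENARIO returned by the SetUsageScenario of the ICredentialProvider interface.

On Windows 10, regardless of whether I am at logon or the session is locked, I always get CPUS_LOGON as the usage scenario, whereas on previous versions of Windows, CPUS_UNLOCK_WORKSTATION was returned when the session was locked and CPUS_LOGON at logon.

So it seems that a change has appeared since Windows 10 that is not reported on MSDN.

Is there any other way to detect whether the usage scenario is session locked?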

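You could try SENS (System Event Notification Service). It is a notification service provided by Microsoft.

https://msdn.microsoft.com/en-us/library/windows/desktop/cc185680(v=vs.85).aspx

There are different events for logon/logoff and screen lock/unlock notifications. It uses the COM+ interface. I'm not familiar with the requirements of credential providers, so I don't know whether the service will be running in the scope you need, or whether the events will arrive in time to meet your needs, but you could look into it.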

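I am currently investigating the same issue and may have a workaround until Microsoft updates the documentation.

Although I still receive CPUS_LOGON, we are still in the same session as the locked user. By using the function WTSQuerySessionInformationW, you can verify whether there is currently a user logged into the current session. From there, you can proceed as if you were in the CPUS_UNLOCK_WORKSTATION usage scenario.

Update (1/18/2016): It seems Microsoft has finally updated their documentation on this issue. See the following excerpt from the CREDENTIAL_PROVIDER_USAGE_SCENARIO documentation: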

Starting in Windows 10, the CPUS_LOGON and CPUS_UNLOCK_WORKSTATION user scenarios have been combined. This enables the system to support multiple users logging into a machine without creating and switching sessions unnecessarily. Any user on the machine can log into it once it has been locked without needing to back out of a current session and create a new one. Because of this, CPUS_LOGON can be used both for logging onto a system or when a workstation is unlocked. However, CPUS_LOGON cannot be used in all cases. Because of policy restrictions imposed by various systems, sometimes it is necessary for the user scenario to be CPUS_UNLOCK_WORKSTATION. Your credential provider should be robust enough to create the appropriate credential structure based on the scenario given to it. Windows will request the appropriate user scenario based on the situation. Some of the factors that impact whether or not a CPUS_UNLOCK_WORKSTATION scenario must be used include the following. Note that this is just a subset of possibilities.

  • The operating system of the device.
  • Whether this is a console or remote session.
  • Group policies such as hiding entry points for fast user switching, or interactive logon that does not display the user's last name.

Credential providers that need to enumerate the currently user logged into the system as the default tile can keep track of the current user or leverage APIs such as WTSQuerySessionInformation to obtain that information

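If you turn off fast user switching, you will receive the CPUS_UNLOCK_WORKSTATION message when locked. Otherwise you will only receive CPUS_LOGON. If you lock the PC manually from code using the Windows API and have fast user switching on, it will lock, sending CPUS_UNLOCK_WORKSTATION, then immediately log off, sending CPUS_LOGON. I hope this helps. I don't have the reputation score to post my own answer, so I edited this comment.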
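The WTSQuerySessionInformationW check described in the answer above, written out as an added example that is not part of the original answers. The helper names `EffectiveScenario`, `QuerySessionString` and `ResolveScenario` are hypothetical, and the enum in the non-Windows branch is a stand-in for the one in `credentialprovider.h`.

```cpp
// Added example, not the original posters' code. Helper names are hypothetical.
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#include <credentialprovider.h>
#pragma comment(lib, "wtsapi32.lib")
#else
// Stand-in for the SDK enum so the decision logic builds off Windows.
enum CREDENTIAL_PROVIDER_USAGE_SCENARIO {
    CPUS_INVALID = 0, CPUS_LOGON, CPUS_UNLOCK_WORKSTATION,
    CPUS_CHANGE_PASSWORD, CPUS_CREDUI, CPUS_PLAP
};
#endif

// Scenario to act on: CPUS_LOGON in a session that already has a signed-in
// user is handled as an unlock; every other scenario passes through unchanged.
CREDENTIAL_PROVIDER_USAGE_SCENARIO EffectiveScenario(
    CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus, const std::wstring& sessionUser)
{
    if (cpus == CPUS_LOGON && !sessionUser.empty())
        return CPUS_UNLOCK_WORKSTATION;
    return cpus;
}

#ifdef _WIN32
// Reads one string property of the session the provider is loaded in.
// Returns an empty string when the call fails or no user is signed in.
static std::wstring QuerySessionString(WTS_INFO_CLASS infoClass)
{
    LPWSTR buffer = nullptr;
    DWORD bytes = 0;
    std::wstring value;
    if (WTSQuerySessionInformationW(WTS_CURRENT_SERVER_HANDLE, WTS_CURRENT_SESSION,
                                    infoClass, &buffer, &bytes) && buffer) {
        value = buffer;          // copy before releasing the WTS allocation
        WTSFreeMemory(buffer);
    }
    return value;
}

// Call from ICredentialProvider::SetUsageScenario with the cpus it receives.
CREDENTIAL_PROVIDER_USAGE_SCENARIO ResolveScenario(CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus)
{
    return EffectiveScenario(cpus, QuerySessionString(WTSUserName));
}
#endif
```

Calling `QuerySessionString(WTSDomainName)` alongside `WTSUserName` gives the domain needed to build the default tile for the signed-in user, as the documentation excerpt suggests.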

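Of all the answers, Justin's is the more informative, but nobody provided a workaround to properly restore the Windows 7 behavior. Scott's answer mentions turning off fast user switching, but that turns off a feature that was available in Windows 7, so it is not a suitable workaround. After carefully reading all the available information and making several attempts, I found that the following policies allow only the previously logged-on user to unlock the machine, thereby forcing the LogonUI framework to issue the CPUS_UNLOCK_WORKSTATION scenario while still allowing fast user switching: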

Windows Registry Editor Version 5.00

; Computer Configuration -> Windows Settings -> Security Settings ->
; Local Policies -> Security Options "Interactive logon: Do not display last user name"
; Set to "Enabled": asks to unlock the machine only to currently logged user
; https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001

; Computer Configuration -> Administrative Templates -> Windows Components ->
; Windows Logon Options -> "Sign-in last interactive user automatically after a system-initiated restart"
; Set to "Enabled": Prevents last signed user to log in and lock automatically
; after a restart
; https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableAutomaticRestartSignOn"=dword:00000001

; Similar in behavior to "dontdisplaylastusername" but also disables Fast User
; Switching, which was available in Windows7
; https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-hidefastuserswitching
;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
;"HideFastUserSwitching"=dword:00000001