Part of my Sysinternals Primer: Gems presentation at TechEd last month covered the topics of terminal services sessions, window stations and desktops.  To illustrate the concepts, I used a utility I wrote called TSSessions.  As promised, I have attached that utility (with source) to this blog post.

TSSessions reports four sets of information:

  • The TS session, window station and desktop on which the instance of TSSessions is running;
  • The current user input desktop in the current session;
  • Enumeration of all terminal services sessions, identifying which is the console session;
  • Enumeration of window stations and desktops in the current TS session.  The security descriptors of these objects are included in the output in SDDL form.  Run TSSessions with the -NoSD command option to omit the security descriptors from the output.

Try running TSSessions under the System account; e.g., with "PsExec -sid cmd.exe".  The System account has visibility into more details than even a regular administrative account has.  Also try running TSSessions remotely in session 0 (PsExec -s cmd.exe), as I demonstrate in the Sysinternals talk.  Here's some sample TSSessions output from the System account's non-interactive window station in session 0:

This process/thread running in:
    Session  0
    WinSta   Service-0x0-3e7$
    Desktop  Default

Current user input Desktop:  Incorrect function. (Error # 1 = 0x00000001)

Terminal Sessions:  3

    Console Session = 1

    Session ID: 0
        Window Station Name  : Services
        State                : Disconnected
        WTS User Name        :
        No Token
    Session ID: 1
        Window Station Name  : Console
        State                : Active
        WTS User Name        : Aaron
        Token Logon Session  : 00000000:000666b6
        Token Integrity Level: Medium

    Session ID: 65536
        Window Station Name  : RDP-Tcp
        State                : Listen
        WTS User Name        :

Window stations in the current session:

    WinSta:  WinSta0
            Flags:  0x00000001
              SID:  (No user)

       Desktop:  Default
           SID:  (No user)

       Desktop:  Disconnect
           SID:  (No user)

       Desktop:  Winlogon
           SID:  (No user)

    WinSta:  Service-0x0-3e7$
            Flags:  0x00000000
              SID:  (No user)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)

    WinSta:  Service-0x0-3e4$
            Flags:  Access is denied. (Error # 5 = 0x00000005)
              SID:  Access is denied. (Error # 5 = 0x00000005)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)

    WinSta:  Service-0x0-3e5$
            Flags:  Access is denied. (Error # 5 = 0x00000005)
              SID:  Access is denied. (Error # 5 = 0x00000005)

 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
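
The sketch below is an added example, not part of TSSessions or its source. It reads a window station listing like the one above and maps each station to the logon session its name encodes. It assumes the Windows naming convention for non-interactive window stations (Service-0x<high>-<low>$, the two halves of the logon session LUID) and the well-known LUID values from the Windows SDK; the function names and the sample text are constructed for illustration.

```python
import re

# Well-known logon session LUIDs (low part, high part is 0) from the Windows SDK.
WELL_KNOWN_LUIDS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE",
                    0x3E6: "ANONYMOUS LOGON", 0x3E7: "SYSTEM"}

# Assumption: non-interactive window stations are named Service-0x<high>-<low>$,
# where high/low are the hex halves of the owning logon session's LUID.
SERVICE_WINSTA = re.compile(r"^Service-0x([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\$$")
WINSTA_LINE = re.compile(r"^\s*WinSta:\s+(\S+)\s*$")

# Constructed sample: a trimmed copy of the window station listing above.
SAMPLE = """\
    WinSta:  WinSta0
            Flags:  0x00000001
    WinSta:  Service-0x0-3e7$
            Flags:  0x00000000
 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
    WinSta:  Service-0x0-3e4$
            Flags:  Access is denied. (Error # 5 = 0x00000005)
 EnumDesktops error, Access is denied. (Error # 5 = 0x00000005)
"""

def classify_winsta(name):
    """Return (kind, logon_session, account) for a window station name."""
    m = SERVICE_WINSTA.match(name)
    if not m:
        return ("interactive" if name.lower() == "winsta0" else "other", None, None)
    high, low = int(m.group(1), 16), int(m.group(2), 16)
    account = WELL_KNOWN_LUIDS.get(low) if high == 0 else None
    # Same high:low layout as the "Token Logon Session" field in the output.
    return ("service", f"{high:08x}:{low:08x}", account)

def summarize(report):
    """Map each WinSta in the report to its logon session and denied operations."""
    rows, current = [], None
    for line in report.splitlines():
        m = WINSTA_LINE.match(line)
        if m:
            kind, session, account = classify_winsta(m.group(1))
            current = {"winsta": m.group(1), "kind": kind, "logon_session": session,
                       "account": account, "query_denied": False, "enum_denied": False}
            rows.append(current)
        elif current and "Access is denied" in line:
            # An error line belongs to the most recent WinSta entry above it.
            key = "enum_denied" if "EnumDesktops" in line else "query_denied"
            current[key] = True
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```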