question

jaehongpark-9743 asked JaehongPark-9694 answered

Looks like Windows runas domain administrator leaks sessions.

When I do "runas /noprofile /user:domain\xxxx cmd" for example, the session created by the command is gone once I close the cmd.

But for /user:domain\Administrator, the session stays forever even after I close the cmd.

So Get-CimInstance win32_loggedonuser will return the number of domain administrator sessions that I created with "runas".

Is this an error or expected behavior?

If it is expected behavior, how do I clean up those zombie sessions?

windows-server

CandyLuo-MSFT answered

Hi,

I did not encounter such a problem in my lab. As shown in the picture below, when I runas domain administrator, it will create the logon ID 77022440. When I close the cmd, the session with ID 77022440 will be removed:

92855-image.png

Best Regards,
Candy



JaehongPark-9694 answered

96095-image.png



This is my image I just captured.

I have only one cmd session opened at the moment to run get-ciminstance.

The steps to repro:

Run runas with UAC elevation to open an Admin PowerShell, then close it and dump get-ciminstance again.


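An added example, not part of the thread and not written by any of its participants: a PowerShell script that joins the `Win32_LoggedOnUser` output discussed above with `Win32_LogonSession` and `Win32_SessionProcess`, so each logon ID for an account is listed with the number of processes still attached to it. The `$UserName` parameter and its default value are assumptions.

```powershell
# Added example: list the logon sessions of one account and count the
# processes still attached to each. Run it from an elevated prompt.
param(
    [string]$UserName = 'Administrator'   # assumption: account name to inspect
)

# LogonId -> number of processes associated with that logon session
$procCount = @{}
Get-CimInstance -ClassName Win32_SessionProcess | ForEach-Object {
    $id = [string]$_.Antecedent.LogonId
    $procCount[$id] = 1 + [int]$procCount[$id]
}

# LogonId -> Win32_LogonSession instance (logon type, start time)
$sessions = @{}
Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
    $sessions[[string]$_.LogonId] = $_
}

# Readable names for the numeric LogonType values
$logonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Win32_LoggedOnUser links an account (Antecedent) to a logon session (Dependent)
Get-CimInstance -ClassName Win32_LoggedOnUser |
    Where-Object { $_.Antecedent.Name -eq $UserName } |
    ForEach-Object {
        $id = [string]$_.Dependent.LogonId
        $s  = $sessions[$id]
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $_.Antecedent.Domain, $_.Antecedent.Name
            LogonId   = $id
            LogonType = $logonTypeName[[int]$s.LogonType]
            StartTime = $s.StartTime
            Processes = [int]$procCount[$id]   # 0 = no process attached
        }
    } |
    Sort-Object -Property StartTime |
    Format-Table -AutoSize
```

Running it before and after closing the `runas` window shows whether a logon ID disappears or stays listed with `Processes` at 0.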