
How to detect session creation/termination in the WDM driver?


I'm building a device driver for Windows (WDM driver, 32 bit), and I need to detect the creation and the closure of the terminal sessions.

I know how to obtain the session ID of the caller process (ZwQueryInformationProcess with the ProcessSessionInformation flag). I'm also intercepting the event of the graphics driver load/unload into the session (by intercepting ZwSetSystemInformation with SystemLoadImage / SystemUnLoadImage).

And I hoped that the session creation/closure event would be followed by a call to ZwSetSystemInformation with the SystemCreateSession / SystemDeleteSession flags. But unfortunately this doesn't happen. So far I haven't found a good indication of session creation/closure.


Solution

  • SystemCreateSession and SystemDeleteSession aren't used anymore. I haven't done much investigation into this, but take a look at when the 0x80 flag is set in the ProcessFlags passed to NtCreateUserProcess. It may be related to the creation of CSR for each session.
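Since neither the question nor the answer offers a direct notification for session lifecycle, the following added example (not code from the question or the answer) shows a heuristic a driver can apply instead: count live processes per session, using the session ID the asker already knows how to obtain (ZwQueryInformationProcess with ProcessSessionInformation) inside a process create/exit notification callback such as PsSetCreateProcessNotifyRoutine. The first process observed in a session marks the session as created; the exit of the last one marks it as terminated. The kernel glue is described only in comments, so the tracking logic itself compiles and runs as plain C; the event trace at the bottom is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: per-session process counter driven by process
 * create/exit events. In a WDM driver the session ID of each process would
 * be obtained in the process-notify callback (ZwQueryInformationProcess with
 * ProcessSessionInformation, as described in the question); here the IDs are
 * supplied directly so the logic runs as a user-mode program. */

#define MAX_SESSIONS 64

struct session_entry {
    unsigned long session_id;
    unsigned long process_count;
    int in_use;
};

struct session_table {
    struct session_entry entries[MAX_SESSIONS];
};

void session_table_init(struct session_table *t) {
    memset(t, 0, sizeof(*t));
}

static struct session_entry *find_entry(struct session_table *t, unsigned long sid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (t->entries[i].in_use && t->entries[i].session_id == sid)
            return &t->entries[i];
    return NULL;
}

/* Process creation event. Returns 1 when this is the first live process seen
 * in the session (the session has just come into existence), 0 when the
 * session was already known, -1 when the table is full. */
int session_on_process_create(struct session_table *t, unsigned long sid) {
    struct session_entry *e = find_entry(t, sid);
    if (e) {
        e->process_count++;
        return 0;
    }
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!t->entries[i].in_use) {
            t->entries[i].in_use = 1;
            t->entries[i].session_id = sid;
            t->entries[i].process_count = 1;
            return 1;
        }
    }
    return -1;
}

/* Process exit event. Returns 1 when the last live process of the session
 * has gone (the session is effectively terminated), 0 when other processes
 * remain, -1 when the session was never observed. */
int session_on_process_exit(struct session_table *t, unsigned long sid) {
    struct session_entry *e = find_entry(t, sid);
    if (!e)
        return -1;
    if (--e->process_count == 0) {
        e->in_use = 0;
        return 1;
    }
    return 0;
}

unsigned long session_process_count(struct session_table *t, unsigned long sid) {
    struct session_entry *e = find_entry(t, sid);
    return e ? e->process_count : 0;
}

/* Constructed trace: session 0 already has services running, then an
 * interactive session 2 appears (csrss, winlogon, a shell) and later empties.
 * Returns the number of session creations and terminations detected. */
int replay_constructed_trace(int *created, int *terminated) {
    struct session_table t;
    session_table_init(&t);
    *created = 0;
    *terminated = 0;
    /* (session id, 1 = create / 0 = exit) */
    unsigned long events[][2] = {
        {0, 1}, {0, 1}, {2, 1}, {2, 1}, {2, 1}, {2, 0}, {2, 0}, {2, 0}, {0, 1}
    };
    size_t n = sizeof(events) / sizeof(events[0]);
    for (size_t i = 0; i < n; i++) {
        if (events[i][1])
            *created += session_on_process_create(&t, events[i][0]) == 1;
        else
            *terminated += session_on_process_exit(&t, events[i][0]) == 1;
    }
    return *created + *terminated;
}

int main(void) {
    int c, x;
    replay_constructed_trace(&c, &x);
    printf("sessions created: %d, terminated: %d\n", c, x);
    return 0;
}
```

Two caveats for a driver using this: session 0 never empties, so it reports creation once and termination never, and a session whose processes linger after logoff is reported as terminated only when the last of them exits, which is a reasonable definition for a driver that needs to know when per-session resources can be released. In the real callback, the process being reported must be resolved to a handle (or its session read some other way) before ZwQueryInformationProcess can be called; that part is kernel-specific and omitted here.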