In part 1 I showed how winlogon.exe registers its process and main window handle.

In the SasCreate function, winlogon.exe registers hotkeys like this:

Did you notice the MOD_SAS constant? It’s an undocumented value which can be used successfully only by the logon process (read part 1). As you can see, ANY hotkey combination can be used as a SAS (Secure Attention Sequence) combination. A special behavior of a SAS is that it enables input after a call to BlockInput, so it cannot be recorded or played back by a journal hook and cannot be simulated with the SendInput API.

So, how can we use it? winlogon.exe runs on the secure Winlogon desktop. So we need to be running as SYSTEM! First, we need to find the target window. I do not want to bother with SetThreadDesktop, so we’ll just loop over the windows with EnumDesktopWindows:

Now we can send the messages directly:

Windows XP even allows you to unlock the workstation by sending a message:

Windows 2000 cannot be unlocked this way for now. Maybe… later? 😉

Winstation Locker

You can download the sample program with included sources. As a bonus, it allows remote execution on the target machine.

P.S. In Windows Vista and later the logon mechanism has been changed to use RPC interfaces, so this program will NOT work on these platforms.