Remko Weijnen's Blog (Remko's Blog)
About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
In part 1 I showed how winlogon.exe registers its process and main window handle.
In the SasCreate function, winlogon.exe registers hotkeys like this:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | const MOD_SAS = $8000; RegisterHotKey(SasWindow, 0, MOD_SAS or MOD_CONTROL or MOD_ALT, VK_DELETE); {$IFDEF CHECKED_BUILD} RegisterHotKey(SasWindow, 1, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_DELETE); // handler just calls NtShutdownSystem if EnableDesktopSwitching then RegisterHotKey(SasWindow, 2, MOD_ALT or MOD_CONTROL, VK_TAB); // handler switches default and winlogon desktops if WinlogonInfoLevelFlag then RegisterHotkey(SasWindow, 3, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_TAB); // handler just calls DebugBreak {$ENDIF} RegisterHotKey(SasWindow, 4, MOD_CONTROL or MOD_SHIFT, VK_ESCAPE); // handler executes task manager {$IFDEF WINXP_OR_LATER} RegisterHotKey(SasWindow, 5, MOD_WIN, Byte('L'); // handler locks the workstation RegisterHotkey(SasWindow, 6, MOD_WIN, Byte('U'); // handler executes utilman on current desktop {$ENDIF} |
Did you notice the MOD_SAS constant? It’s an undocumented value which can be successfully used only by the logon process (read part 1). As you see, ANY hotkey combination can be used as SAS (Secure Attention Sequence) combination; a special behavior of SAS is that it enables input after a call of BlockInput, so it cannot be recorded or played back by Journal Hook and cannot be simulated with the SendInput API.
So, how we can use it? winlogon.exe runs on the secure Winlogon desktop. So we need to be running as system! At first, we need to find the target window. I do not want to bother with SetThreadDesktop, so we’ll just do a cycle in EnumDesktopWindows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | const SASWindowClass = 'SAS window class'; var WinlogonDesktopHandle : HDESK = 0; function FindSasWindowProc(Window : HWND; var SasWindow : HWND) : BOOL; stdcall; var WindowClassName : array [0..255] of char; begin; Result := True; if GetClassName(Window, WindowClassName, SizeOf(WindowClassName)) > 0 then begin if WindowClassName = SASWindowClass then begin SasWindow := Window; Result := False; end; end; end; procedure InitDesktop; begin WinlogonDesktopHandle := OpenDesktop('Winlogon', 0, false, DESKTOP_READOBJECTS or DESKTOP_ENUMERATE); Win32Check(WinlogonDesktopHandle <> 0); end; procedure DoneDesktop; begin CloseDesktop(WinlogonDesktopHandle); WinlogonDesktopHandle := 0; end; function GetSasWindowHandle : HWND; begin Result := 0; EnumDesktopWindows(WinlogonDesktopHandle, @FindSasWindowProc, Integer(@Result)); if Result = 0 then begin Writeln('Unable to find SAS window'); Abort; end; end; |
Now we can send the messages directly:
1 2 3 4 5 6 | const CAD_HOTKEY = 0; procedure PressCad; begin PostMessage(GetSasWindowHandle, WM_HOTKEY, CAD_HOTKEY, 0); end; |
Windows XP allows you even to unlock the workstation by sending a message:
1 2 3 4 | procedure UnlockWorkstation; begin PostMessage(GetSasWindowHandle, WM_LOGONNOTIFY, UNLOCK_WORKSTATION_WPARAM, 0); end; |
Windows 2000 cannot be unlocked this way for now. Maybe… later? 😉
Winstation Locker (2612 downloads )You can download the sample program with included sources. As a bonus, it allows remote execution on the target machine.
P.S. In Windows Vista and higher the logon mechanism has been changed to RPC interfaces, so this program will NOT work on these platforms.
Please consider donating something (even a small amount is ok) to support this site and my work:
Filed under: Delphi, Programming
Profile
Top Posts
- Query Active Directory from Excel
- RNS 510 Startup Logo–My thoughts
- Adding a hidden Exchange mailbox to Outlook
- How rdp passwords are encrypted
- Get Actual CPU Clock Speed with PowerShell
- ClickOnce Applications in Enterprise Environments
- VW RNS 510 Navigation Startup Pictures
- Unattended Installation of IBM System i Access for Windows
- Reading physical memory size from the registry
- Show Client IP Address when using NetScaler as a Reverse Proxy
Recent Comments
Featured Downloads
- AClientFix (13595 downloads )
- AddPrinter2.zip (12854 downloads )
- AdProps (12379 downloads )
- AdSample1 (11432 downloads )
- AMD Radeon Crimson ReLive (23796 downloads )
- Atheros Driver (34019 downloads )
- AutoLogonXP 1.0 (11404 downloads )
- CDZA (9560 downloads )
- ChDrvLetter.zip (11217 downloads )
- ChDrvLetter.zip (14356 downloads )
Blogroll
- Andrew Morgan
- Arnout’s blog
- Assa’s Blog
- Barry Schiffer
- Delphi Praxis
- Ingmar Verheij
- Jedi Api Blog
- Jedi API Library
- Jeroen Tielen
- Kees Baggerman
Categories
- .NET (4)
- Active Directory (28)
- Altiris (36)
- App-V (1)
- Apple (5)
- Application Compatibility (11)
- Automotive (5)
- AWS (1)
- BootCamp (1)
- C# (6)
- C++ (2)
- Citrix (87)
- Delphi (61)
- Embedded (4)
- Exchange (16)
- General (71)
- iPhone (5)
- Java (8)
- Linux (1)
- Lync (2)
- NetScaler (1)
- Oracle (4)
- Other (1)
- Packaging (19)
- PowerShell (56)
- Programming (79)
- Quest (1)
- RES (7)
- script (22)
- ShareFile (1)
- SQL Server (10)
- Strange Error (3)
- Terminal Server (68)
- ThinApp (3)
- ThinKiosk (1)
- Ubuntu (1)
- Unattended Installation (19)
- Uncategorized (51)
- UWP (2)
- Vista (37)
- Visual Studio (1)
- VMWare (26)
- Windows 10 (2)
- Windows 2003 (30)
- Windows 2008 (37)
- Windows 2008 R2 (16)
- Windows 2012 (2)
- Windows 7 (30)
- Windows 8 (4)
- Windows Internals (12)
- Windows XP (16)
Archives
- February 2023 (1)
- October 2022 (3)
- July 2022 (1)
- June 2022 (2)
- October 2019 (1)
- March 2018 (1)
- January 2018 (4)
- December 2017 (3)
- April 2017 (1)
- March 2017 (5)
- February 2017 (4)
- May 2016 (3)
- March 2016 (1)
- October 2015 (2)
- September 2015 (1)
- January 2015 (1)
- August 2014 (1)
- July 2014 (8)
- May 2014 (1)
- November 2013 (1)
- October 2013 (2)
- September 2013 (3)
- August 2013 (4)
- June 2013 (2)
- May 2013 (3)
- April 2013 (5)
- March 2013 (5)
- February 2013 (1)
- January 2013 (5)
- December 2012 (9)
- November 2012 (3)
- October 2012 (3)
- August 2012 (4)
- July 2012 (2)
- June 2012 (1)
- May 2012 (6)
- March 2012 (13)
- February 2012 (12)
- January 2012 (9)
- December 2011 (9)
- November 2011 (4)
- October 2011 (5)
- September 2011 (10)
- August 2011 (10)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (14)
- February 2011 (8)
- January 2011 (32)
- December 2010 (23)
- November 2010 (19)
- October 2010 (10)
- September 2010 (6)
- August 2010 (1)
- July 2010 (1)
- June 2010 (6)
- March 2010 (7)
- February 2010 (3)
- December 2009 (3)
- November 2009 (11)
- September 2009 (2)
- July 2009 (1)
- June 2009 (5)
- May 2009 (1)
- April 2009 (2)
- March 2009 (3)
- February 2009 (6)
- January 2009 (3)
- December 2008 (8)
- November 2008 (5)
- October 2008 (3)
- September 2008 (3)
- August 2008 (3)
- June 2008 (6)
- May 2008 (2)
- April 2008 (3)
- March 2008 (5)
- January 2008 (3)
- December 2007 (3)
- November 2007 (13)
- October 2007 (10)
7 Responses for "Locking a workstation – part 2"
[…] next part i’ll show how winlogon.exe registers keyboard shortcuts and how we can use […]
Guys where can I get SrvUnit.pas ?
SrvUnit.pas is not in a public for now. I’ve sent it to you via email
Hello,
I would like to get the srvunit.pas as well and how much shouls I pay for a licence? and for Vista version SAS library?
thanks in advance.
daNIL: could you please send me a copy of SrvUnit.pas? thank you very much!
Can you send me SrvUnit.pas?
Very Thanks.
[…] eine einfache Tastenkombination, die von Windows auch nur mit RegisterHotKey (siehe diesen Blog) registriert. Wer zuerst kommt, der mahlt zuerst! MS hat jedoch einige Hürden dazu noch eingebaut. […]
Leave a reply