In the previous parts (part 1, part 2) I described the theory and the implementation problems. Now we can write the code:

1) If we log the user on ourselves, we simply call LsaLogonUser to obtain the token:

2) If we need to build a token instead, we call NtCreateToken. If no groups were supplied, we create a single group entry holding the Primary SID:

3) If we want to reuse the "current" system token, it needs some adjustment first: Winlogon expects a logon SID in the token, so we add a group carrying the SE_GROUP_LOGON_ID flag to it:

4) Now we can build the buffer that will be sent to Winlogon:

5) On x64 systems the whole structure has to be copied field by field into its 64-bit counterpart, because the handle and pointer fields are wider there:

6) Next we open the pipe, send the WLX_SAS_TYPE_AUTHENTICATED SAS to Winlogon and write the data to the pipe:

7) The main procedure then looks like this:

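The 32-bit to 64-bit copy of step 5 is the part of this procedure that is easiest to get wrong, so here is an added example of it (my code, not the sample's source). The message layout is a constructed one: MSG32/MSG64 and their fields (token, data_ptr, data_len, flags) are assumptions standing in for the real Winlogon message, which is not shown on this page. What it demonstrates is why the structure must be rebuilt rather than memcpy'd (HANDLE, pointer and SIZE_T fields double in width, which shifts every later field), and why every byte of the 64-bit image, padding included, is written explicitly before it goes down a pipe to a process running as SYSTEM.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical message layout (an assumption for this example). It carries
 * the kinds of fields whose width depends on the bitness of the process:
 * a HANDLE (the token), a pointer to payload and a SIZE_T length.
 * pack(1) with explicit padding members makes the layout identical on
 * every compiler, so the offsets below are fixed.
 */
#pragma pack(push, 1)
typedef struct {
    uint32_t size;      /* total size of this message, in bytes  */
    uint32_t token;     /* HANDLE: 32 bits in a 32-bit process   */
    uint32_t data_ptr;  /* pointer: 32 bits in a 32-bit process  */
    uint32_t data_len;  /* SIZE_T: 32 bits in a 32-bit process   */
    uint32_t flags;
} MSG32;                /* 20 bytes */

typedef struct {
    uint32_t size;
    uint32_t pad0;      /* alignment padding before the 8-byte token */
    uint64_t token;     /* HANDLE widens to 64 bits   */
    uint64_t data_ptr;  /* pointer widens to 64 bits  */
    uint64_t data_len;  /* SIZE_T widens to 64 bits   */
    uint32_t flags;
    uint32_t pad1;      /* tail padding up to an 8-byte multiple */
} MSG64;                /* 40 bytes */
#pragma pack(pop)

/* Constructed sample input: the values are made up for this example. */
MSG32 sample_msg32(void)
{
    MSG32 m;
    m.size     = (uint32_t)sizeof(MSG32);
    m.token    = 0x1c8;        /* a small handle value, as a WoW64 process would hold */
    m.data_ptr = 0x00401000;   /* 32-bit pointer into the caller's own buffer */
    m.data_len = 0x24;
    m.flags    = 0;
    return m;
}

/* Widen a 32-bit message into the 64-bit layout. Every byte of the output,
 * padding included, is written, so no uninitialised stack bytes leave the
 * process. Returns 0 on success, -1 if the input size field is inconsistent. */
int widen_msg(const MSG32 *in, MSG64 *out)
{
    if (in->size != sizeof(MSG32))
        return -1;
    memset(out, 0, sizeof(*out));         /* zero pad0 and pad1 explicitly */
    out->size     = (uint32_t)sizeof(MSG64);
    out->token    = in->token;            /* zero-extended handle value */
    out->data_ptr = in->data_ptr;         /* 32-bit address is still valid in the low 4 GB */
    out->data_len = in->data_len;
    out->flags    = in->flags;
    return 0;
}

/* Check a 64-bit message before writing it to the pipe: the size must match
 * the receiver's layout, padding must be zero, and the pointer/length pair
 * must lie entirely inside a buffer we own ([buf_base, buf_base + buf_size)). */
int msg64_is_sane(const MSG64 *m, uint64_t buf_base, uint64_t buf_size)
{
    if (m->size != sizeof(MSG64))          return 0;
    if (m->pad0 != 0 || m->pad1 != 0)      return 0;
    if (m->data_len > buf_size)            return 0;
    if (m->data_ptr < buf_base)            return 0;
    if (m->data_ptr - buf_base > buf_size - m->data_len) return 0;
    return 1;
}

/* Why a plain memcpy of the 32-bit image is wrong: the 64-bit reader takes
 * the token from offset 8, where the 32-bit layout put data_ptr/data_len.
 * Returns 1 when the token field read back from the copy is corrupted. */
int naive_copy_corrupts(const MSG32 *in)
{
    MSG64 out;
    memset(&out, 0, sizeof(out));
    memcpy(&out, in, sizeof(*in));
    return out.token != in->token;
}

int main(void)
{
    MSG32 in = sample_msg32();
    MSG64 out;
    printf("sizeof(MSG32)=%zu sizeof(MSG64)=%zu token offset: %zu -> %zu\n",
           sizeof(MSG32), sizeof(MSG64), offsetof(MSG32, token), offsetof(MSG64, token));
    if (widen_msg(&in, &out) == 0)
        printf("widened: token=0x%llx sane=%d naive_copy_corrupts=%d\n",
               (unsigned long long)out.token,
               msg64_is_sane(&out, 0x00401000, 0x24), naive_copy_corrupts(&in));
    return 0;
}
```

The same field-by-field approach applies to the real structure: treat the 32-bit image as input data, not as something the 64-bit side can read in place, and validate the rebuilt message against the buffer it points into before anything is written to Winlogon.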
AutoLogonXP 1.0 (971)

Please note that this sample is free for non-commercial use only. If you need to use it, or its source code, in a commercial project, please send a request via the contact form.