The Win32 API provides only one function for locking the workstation, LockWorkStation. What does it do, and how can we use it?

When a new session is started, smss.exe invokes winlogon.exe. winlogon.exe registers its process ID in win32k.sys by calling RegisterLogonProcess, which has this prototype:

The functional code in win32k.sys for RegisterLogonProcess is very simple:

gpidLogon is a global variable in win32k.sys. So only processes holding the SE_TCB_NAME privilege can call it, and only once per session (each session has its own instance of win32k.sys).

Later, as winlogon.exe continues its initialization, it creates a hidden window named ‘SAS window’ and registers its handle using this function:

Its functional code is very simple again:

So only a logon process is allowed to set the logon notify window. Let’s look at what LockWorkStation does:

Hmm… maybe there are some more messages we can post?

In the next part I’ll show how winlogon.exe registers keyboard shortcuts and how we can use them.