About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
In part 1 I showed how winlogon.exe registers its process and main window handle.
In the SasCreate function, winlogon.exe registers hotkeys like this:
```pascal
const
  MOD_SAS = $8000;

RegisterHotKey(SasWindow, 0, MOD_SAS or MOD_CONTROL or MOD_ALT, VK_DELETE);
{$IFDEF CHECKED_BUILD}
RegisterHotKey(SasWindow, 1, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_DELETE); // handler just calls NtShutdownSystem
if EnableDesktopSwitching then
  RegisterHotKey(SasWindow, 2, MOD_ALT or MOD_CONTROL, VK_TAB); // handler switches default and winlogon desktops
if WinlogonInfoLevelFlag then
  RegisterHotKey(SasWindow, 3, MOD_ALT or MOD_CONTROL or MOD_SHIFT, VK_TAB); // handler just calls DebugBreak
{$ENDIF}
RegisterHotKey(SasWindow, 4, MOD_CONTROL or MOD_SHIFT, VK_ESCAPE); // handler executes task manager
{$IFDEF WINXP_OR_LATER}
RegisterHotKey(SasWindow, 5, MOD_WIN, Byte('L')); // handler locks the workstation
RegisterHotKey(SasWindow, 6, MOD_WIN, Byte('U')); // handler executes utilman on current desktop
{$ENDIF}
```
Did you notice the MOD_SAS constant? It's an undocumented value that can be used successfully only by the logon process (see part 1). As you can see, ANY hotkey combination can be used as a SAS (Secure Attention Sequence) combination. A SAS behaves specially: it enables input after a call to BlockInput, so it cannot be recorded or played back by a journal hook and cannot be simulated with the SendInput API.
So, how can we use it? winlogon.exe runs on the secure Winlogon desktop, so we need to be running as SYSTEM! First, we need to find the target window. I do not want to bother with SetThreadDesktop, so we'll just loop over the desktop's windows with EnumDesktopWindows:
```pascal
uses
  Windows, SysUtils;

const
  SASWindowClass = 'SAS window class';

var
  WinlogonDesktopHandle : HDESK = 0;

// EnumDesktopWindows callback: stops the enumeration (returns False)
// as soon as a window of the SAS window class is found.
function FindSasWindowProc(Window : HWND; var SasWindow : HWND) : BOOL; stdcall;
var
  WindowClassName : array [0..255] of char;
begin
  Result := True;
  // GetClassName expects the buffer size in characters, not bytes
  if GetClassName(Window, WindowClassName, Length(WindowClassName)) > 0 then
  begin
    if WindowClassName = SASWindowClass then
    begin
      SasWindow := Window;
      Result := False;
    end;
  end;
end;

// Opens the Winlogon desktop for enumeration only (requires SYSTEM).
procedure InitDesktop;
begin
  WinlogonDesktopHandle := OpenDesktop('Winlogon', 0, false,
    DESKTOP_READOBJECTS or DESKTOP_ENUMERATE);
  Win32Check(WinlogonDesktopHandle <> 0);
end;

procedure DoneDesktop;
begin
  CloseDesktop(WinlogonDesktopHandle);
  WinlogonDesktopHandle := 0;
end;

// Returns the SAS window handle; InitDesktop must have been called first.
function GetSasWindowHandle : HWND;
begin
  Result := 0;
  EnumDesktopWindows(WinlogonDesktopHandle, @FindSasWindowProc, LPARAM(@Result));
  if Result = 0 then
  begin
    Writeln('Unable to find SAS window');
    Abort;
  end;
end;
```
Now we can send the messages directly:
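```pascal
const
  CAD_HOTKEY = 0; // hotkey id 0: the Ctrl+Alt+Del registration in SasCreate

procedure PressCad;
begin
  // WM_HOTKEY is declared in the Messages unit
  PostMessage(GetSasWindowHandle, WM_HOTKEY, CAD_HOTKEY, 0);
end;
```
Windows XP even allows you to unlock the workstation by sending a message: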
```pascal
// WM_LOGONNOTIFY and UNLOCK_WORKSTATION_WPARAM are not defined in this excerpt
procedure UnlockWorkstation;
begin
  PostMessage(GetSasWindowHandle, WM_LOGONNOTIFY, UNLOCK_WORKSTATION_WPARAM, 0);
end;
```
Windows 2000 cannot be unlocked this way for now. Maybe… later? 😉
You can download the sample program, Winstation Locker, with included sources. As a bonus, it allows remote execution on the target machine.
P.S. In Windows Vista and higher the logon mechanism has been changed to RPC interfaces, so this program will NOT work on these platforms.
7 Responses for "Locking a workstation – part 2"
[…] next part I'll show how winlogon.exe registers keyboard shortcuts and how we can use […]
Guys, where can I get SrvUnit.pas?
SrvUnit.pas is not public for now. I've sent it to you via email.
Hello,
I would like to get the srvunit.pas as well, and how much should I pay for a licence? And for the Vista version SAS library?
Thanks in advance.
daNIL: could you please send me a copy of SrvUnit.pas? thank you very much!
Can you send me SrvUnit.pas?
Thank you very much.
[…] a simple key combination, which Windows too merely registers with RegisterHotKey (see this blog). First come, first served! However, MS has built in a few extra hurdles for this. […]