Simulate Ctrl-Alt-Del in Vista, Windows 7 and Windows Server 2008 (written by Jose Pascoa)
Simulating Ctrl-Alt-Del in code has always been a nightmare for developers, particularly for logins with remote access software and similar scenarios.
I never figured out why Microsoft keeps the procedure hidden and undocumented.
For Windows XP and older releases, all the way down to Windows NT 3.51, a solution was found and spread all over the internet. I don't know who discovered it, but it works pretty well.
Then came Windows Vista, and the old procedure ceased to work. Microsoft announced that it would provide a C library called SASLIB to people who requested it from a certain email address. In most cases the requests got no reply from Microsoft; I was one of those cases! I don't know what their selection criteria were, but I have legal software and I don't live in a country subject to export restrictions.
Given that state of affairs, a couple of years ago I did some investigation on my own by analyzing the import table of OSK.EXE. This is a utility bundled with Windows, intended to provide some functionality for users with limited mobility, and it can produce Ctrl-Alt-Del through its virtual keyboard.
I found a mysterious function called WmsgSendMessage exported by a no less mysterious WMsgAPI.dll. I experimented a bit with that function, but at the time I was unable to work out a few details and had to give up due to time constraints.
Actually, I was on the right track. WmsgSendMessage works by invoking the RPC client mechanism housed inside WMsgAPI.dll. Your application only needs to hold the TcbPrivilege, i.e. the privilege to Act as Part of the Operating System. LocalSystem services already have that privilege, and have it enabled by default. The local security policy of the computer also needs to be configured to allow services to produce Ctrl-Alt-Del (or the Secure Attention Sequence, SAS, as Microsoft calls it), but this can be done on the spot by changing a single Registry value before the SAS request.
Very easy, too easy indeed; here is the prototype of the function:
typedef DWORD (WINAPI* lpfnWmsgSendMessage)(DWORD dwSessionId,
UINT magicNumber, WPARAM pid, LPARAM lParam);
The magicNumber is 0x208 (the function accepts a few other magic numbers, but this one is the one we want).
The pid (process id) can be left at zero.
The fourth parameter is just a LONG_PTR holding the address of a LONG_PTR initialized to NULL.
Note that the first parameter is the session in which you want the Ctrl-Alt-Del to be issued. You can issue a Ctrl-Alt-Del from the console to any Terminal Services session, and you can just as well issue it from any Terminal Services session to another session, including the console! Yes, this is amazing.
With the release of Windows 7 and Windows Server 2008 R2, Microsoft shipped a SAS.DLL that can be used to simulate Ctrl-Alt-Del from a LocalSystem service. Windows Vista and Windows Server 2008 do not have it, but you can get it through the Windows 7 SDK. With SAS.DLL you can only produce Ctrl-Alt-Del in the session you are in (fair enough in most cases, but you cannot statically link it into your executable).
There is another way to produce Ctrl-Alt-Del, called AsUser; here you don't need to launch a LocalSystem service to issue the Ctrl-Alt-Del. On the other hand, the application needs to be signed with Authenticode, needs a manifest with the uiAccess attribute of the requestedExecutionLevel element set to true, UAC must be turned on, the executable must be located in a secure folder (like Program Files or System32), and the local security policy must be configured to allow applications to simulate a SAS. Five conditions, but not too much of an inconvenience: nowadays most serious developers already sign their software, it is just as easy to set uiAccess to true in the manifest, and most users already install applications in the Program Files folder and keep UAC turned on (at least with Windows 7 and above). The local security policy can be set directly in the Registry if the application is elevated; otherwise launch Gpedit.msc and, under Computer Configuration | Administrative Templates | Windows Components | Windows Logon Options | Disable or enable software Secure Attention Sequence, set it to Ease of Access Applications or to Services and Ease of Access Applications.
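As an added example (not the article's AW_SAS code), this Delphi console program puts the two pieces above together for the LocalSystem route: it sets the local security policy "on the spot" and then calls WmsgSendMessage with the prototype and parameters described earlier. Assumptions: it runs as LocalSystem (so the TcbPrivilege is already enabled); the registry value SoftwareSASGeneration under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which the article does not name, is the value behind the Gpedit setting (1 = Services, 2 = Ease of Access Applications, 3 = both); and WTSGetActiveConsoleSessionId, a standard kernel32 export, is used to pick the console session.

```delphi
program SasFromService;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;
function WTSGetActiveConsoleSessionId: DWORD; stdcall; external kernel32;
type
  // Prototype from the article; WMsgAPI.dll ships no import library, so bind at run time.
  TWmsgSendMessage = function(dwSessionId: DWORD; magicNumber: UINT;
    pid: WPARAM; lParam: LPARAM): DWORD; stdcall;
const
  WMSG_SAS_MAGIC = $208;  // the magic number the article identifies for the SAS
  // Assumed registry value behind Gpedit's "Disable or enable software Secure
  // Attention Sequence": 1 = Services, 2 = Ease of Access applications, 3 = both.
  SAS_POLICY_KEY = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';
  SAS_POLICY_VALUE = 'SoftwareSASGeneration';
  SAS_POLICY_SERVICES = 1;
// Configure the local security policy "on the spot", as the article describes.
procedure SetSasPolicy(Policy: DWORD);
var
  Key: HKEY; rc: Longint;
begin
  rc := RegCreateKeyEx(HKEY_LOCAL_MACHINE, SAS_POLICY_KEY, 0, nil, 0, KEY_SET_VALUE, nil, Key, nil);
  if rc <> ERROR_SUCCESS then raise Exception.Create('Policy key: ' + SysErrorMessage(rc));
  RegSetValueEx(Key, SAS_POLICY_VALUE, 0, REG_DWORD, @Policy, SizeOf(Policy));
  RegCloseKey(Key);
end;
// Request a Ctrl-Alt-Del in SessionId. Needs SeTcbPrivilege enabled (LocalSystem
// has it by default); returns whatever WmsgSendMessage returns.
function SendSasToSession(SessionId: DWORD): DWORD;
var
  Lib: HMODULE;
  WmsgSendMessage: TWmsgSendMessage;
  Dummy: NativeInt;
begin
  Lib := LoadLibrary('WMsgAPI.dll');
  if Lib = 0 then RaiseLastOSError;
  try
    @WmsgSendMessage := GetProcAddress(Lib, 'WmsgSendMessage');
    if not Assigned(WmsgSendMessage) then RaiseLastOSError;
    Dummy := 0;  // fourth parameter: address of a LONG_PTR initialised to NULL
    Result := WmsgSendMessage(SessionId, WMSG_SAS_MAGIC, 0, LPARAM(@Dummy));
  finally
    FreeLibrary(Lib);
  end;
end;
begin
  SetSasPolicy(SAS_POLICY_SERVICES);
  WriteLn('WmsgSendMessage returned ', SendSasToSession(WTSGetActiveConsoleSessionId));
end.
```

Any Terminal Services session id can be passed to SendSasToSession instead of the console's, which is the cross-session behaviour the article describes.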
Understanding what WmsgSendMessage does is relatively easy if we take for granted that WMsgAPI.dll is a black box that just performs what we want. However, producing Ctrl-Alt-Del AsUser does not make use of the WmsgSendMessage function at all. Then it becomes more difficult, and not many developers are comfortable with RPC; this alone explains why no one found the way until now.
In this case there is no system DLL ready to perform the work for us, as there is when we call WmsgSendMessage from a LocalSystem account.
We need an RPC client able to send the correct message to rpcrt4.dll (this is a sort of middleman that interprets and dispatches RPC requests to the correct handler). The message itself is very simple; it does not even contain identity authentication. Simple as it is, finding it was not easy at all, because there are no Oicf MIDL decompilers and all the inner RPC workings are largely undocumented or confusing. The best explanation ever written about how it all works is now 11 years old; it appeared in the Microsoft Systems Journal of January 1999 but is still available on the internet.
While lots of people reverse engineer the Windows internals, and some write books and end up getting nice jobs at Microsoft, I have not actually done any reverse engineering. I have just observed, experimented and produced my own solution!
Now, it is important to ask this question: can you guarantee that your solution will work on any future Service Pack or new Windows release?
The answer is no, but WmsgSendMessage and the other APIs, even if undocumented, are commonly used by OSK.EXE, SAS.DLL and other software distributed by Microsoft to produce Ctrl-Alt-Del. I believe the core functionality will remain for a long time. However, Microsoft may remove the capability to produce Ctrl-Alt-Del in different Terminal Server sessions.
Either way, I have flagged my library so that it will only produce Ctrl-Alt-Del within Windows major version 6 (i.e. Vista, 7, 2008 and 2008 R2).
I am making available a complete package, completely free, with easy-integration sample source code (actually, only one function call needs to be integrated) in C++ and Delphi. The package includes DLLs for 32-bit and 64-bit applications, which allow you to use the functionality in any application you develop; it also includes signed demo standalone applications and signed demo applications making use of the DLLs, compiled both as 32-bit and 64-bit. I just do not include the source code of the Ctrl-Alt-Del library itself, but you can purchase the full source code for a modest fee.
The project is developed in VS 2010 C++ (no MFC). I also have part of the source code in Delphi (the part that issues CAD from a Local Service).
Download the FREE AW_SAS (AW_SASLIB.ZIP)