Accessing Winlogon desktop?
Graham Calladine
I want to put a message window which is under my control on this
desktop. (not a message box with MB_SERVICE_NOTIFICATION)
I have tried writing to dacl but I still access denigned when I try to open
the winlogon desktop.
Grey
tim.perkins
running under the context of the system. If you can write a service you can
call this to get a messagebox on the desktop. (These functions are based on the
SDK sample of a service. Causes a message box to appear on winlogon desktop
every few seconds. If the code is a little rushed and messy (gotos et all) it's
because I was just trying to prove I could do it when I wrote it.).
Beyond this you can use CreateRemoteThread to inject dll code for a messagebox
into the winlogon.exe process (whoa boy)
which is a little more complex.
Richter's Advanced Windows will help you on that route.
Cheers,
Tim Perkins Systems Support Group
DWORD MessageProc(LPVOID lpParam)
{
HDESK hDesktop = NULL, hCurDesktop = NULL;
HWINSTA hWinsta = NULL, hCurWinsta = NULL;
DWORD dwAnswer;
while(1)
{
dwAnswer = WaitForSingleObject(hServerStopEvent, 1000); //wait period
if(dwAnswer != WAIT_TIMEOUT)//Our service is being stopped. Get out of the
loop
break;
hCurWinsta = GetProcessWindowStation();
if(hCurWinsta == NULL)
goto exit;
hCurDesktop = GetThreadDesktop(GetCurrentThreadId());
if(hCurDesktop == NULL)
goto exit;
hWinsta = OpenWindowStation("winsta0", FALSE,
WINSTA_ACCESSCLIPBOARD |
WINSTA_ACCESSGLOBALATOMS |
WINSTA_CREATEDESKTOP |
WINSTA_ENUMDESKTOPS |
WINSTA_ENUMERATE |
WINSTA_EXITWINDOWS |
WINSTA_READATTRIBUTES |
WINSTA_READSCREEN |
WINSTA_WRITEATTRIBUTES);
if(hWinsta == NULL)
goto exit;
if(!SetProcessWindowStation(hWinsta))
goto exit;
hDesktop = OpenDesktop( /*We got to open the old desktop again */
TEXT("Winlogon"), // name of the desktop to open
0, // flags to control interaction with other
// applications
FALSE, // specifies whether returned handle is
// inheritable
DESKTOP_CREATEMENU |// specifies access of returned handle
DESKTOP_CREATEWINDOW |
DESKTOP_ENUMERATE |
DESKTOP_HOOKCONTROL |
DESKTOP_JOURNALPLAYBACK |
DESKTOP_JOURNALRECORD |
DESKTOP_READOBJECTS |
DESKTOP_SWITCHDESKTOP |
DESKTOP_WRITEOBJECTS);
if(hDesktop == NULL)
goto exit;
if(!SetThreadDesktop(hDesktop))
goto exit;
dwAnswer = MessageBoxA(NULL, "Sample Message", "Sample Service Proc",
MB_YESNO);
if(dwAnswer = IDNO)
{
MessageBoxA(NULL, "Stopping MessageBox loop then", "Goodbye.",
MB_OK);
}
exit:
if(hCurWinsta)
{
SetProcessWindowStation(hCurWinsta);
if(hCurDesktop)
{
SetThreadDesktop(hCurDesktop);
CloseDesktop(hCurDesktop);
}
CloseWindowStation(hCurWinsta);
}
if(hWinsta)
CloseWindowStation(hWinsta);
if(hDesktop)
CloseDesktop(hDesktop);
if(dwAnswer == IDNO) //Answer from the MessageBox breaking our loop
break;
}
return 0;
}
VOID ServiceStart (DWORD dwArgc, LPTSTR *lpszArgv)
{
HANDLE hMyThread;
HANDLE hEvents[2] = {NULL, NULL};
DWORD dwThrID;
DWORD dwWait;
// report the status to the service control manager.
//
if (!ReportStatusToSCMgr(
SERVICE_START_PENDING, // service state
NO_ERROR, // exit code
3000)) // wait hint
goto cleanup;
// create the event object. The control handler function signals
// this event when it receives the "stop" control code.
//
hServerStopEvent = CreateEvent(
NULL, // no security attributes
TRUE, // manual reset event
FALSE, // not-signalled
NULL); // no name
if ( hServerStopEvent == NULL)
goto cleanup;
hEvents[0] = hServerStopEvent;
// report the status to the service control manager.
//
if (!ReportStatusToSCMgr(
SERVICE_START_PENDING, // service state
NO_ERROR, // exit code
3000)) // wait hint
goto cleanup;
hMyThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&MessageProc,
NULL, 0, &dwThrID);
if ( hMyThread == NULL)
goto cleanup;
hEvents[1] = hMyThread;
// report the status to the service control manager.
//
////////////////////////////////////////////////////////
//
// Service is now running, perform work until shutdown
//
if (!ReportStatusToSCMgr(
SERVICE_RUNNING, // service state
NO_ERROR, // exit code
0)) // wait hint
goto cleanup;
while ( 1 )
{
dwWait = WaitForMultipleObjects( 2, hEvents, FALSE, INFINITE );
break; // or server stop signaled
}
cleanup:
if (hServerStopEvent)
CloseHandle(hServerStopEvent);
if (hMyThread)
CloseHandle(hEvents[1]);
}
//
// FUNCTION: ServiceStop
//
// PURPOSE: Stops the service
//
// PARAMETERS:
// none
//
// RETURN VALUE:
// none
//
// COMMENTS:
// If a ServiceStop procedure is going to
// take longer than 3 seconds to execute,
// it should spawn a thread to execute the
// stop code, and return. Otherwise, the
// ServiceControlManager will believe that
// the service has stopped responding.
//
VOID ServiceStop()
{
if ( hServerStopEvent )
SetEvent(hServerStopEvent);