C++ Winlogon help

Hi Guys,
I just joined the forum. I have a pretty strong VB background, but I have played around with C++ many times. I recently started learning Winlogon and the Windows logon model and how to modify/customize GINA and the logon screen. Since this is my first time doing this, I found some tutorials and examples on other forums for help, but they were very poorly commented and not at all explained. I understand that a DLL file needs to be created, which must be copied to %system32% along with its .exp file. And then information needs to be added to the registry to point to these files. From these examples, I’ve put together however much I could and managed to compile the files error-free.
The only thing wrong with my application is that it doesn’t do anything. :) The text file does not get created, nor do I get a message box as should happen. Hopefully there are a few people in here that know how Winlogon works. I’ll post my reg file, my cpp code, and the header file. ANY help at all would be greatly appreciated! Like I said, I’m coming from a VB background, so if I made some simple errors, please let me know. Thanks in advance, and my apologies in advance if this post does not belong in this forum.

In my EXPORTS, I have the following:
; newNotif.def : Declares the module parameters for the DLL.

LIBRARY "newNotif"
DESCRIPTION 'newNotif Windows Dynamic Link Library'

EXPORTS
; Explicit exports can go here
StartProcessAtWinLogon
StopProcessAtWinLogoff

REG FILE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\newNotif]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):6e,00,65,00,77,00,4e,00,6f,00,74,00,69,00,66,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

CPP FILE:
// newNotif.cpp : Defines the initialization routines for the DLL.
//

// In an MFC project stdafx.h (which pulls in afxwin.h) has to be the first
// include; putting <windows.h> ahead of it is rejected by MFC whenever the
// precompiled header is not in use ("WINDOWS.H already included").
#include "stdafx.h"
#include <winwlx.h>
#include "newNotif.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

// PFNMSGECALLBACK, WLX_NOTIFICATION_INFO and PWLX_NOTIFICATION_INFO are
// declared by <winwlx.h>; the local copies that used to be here would be
// redefinitions, so they have been removed.

/////////////////////////////////////////////////////////////////////////////
// CNewNotifApp

BEGIN_MESSAGE_MAP(CNewNotifApp, CWinApp)
    //{{AFX_MSG_MAP(CNewNotifApp)
        // NOTE - the ClassWizard will add and remove mapping macros here.
        //    DO NOT EDIT what you see in these blocks of generated code!
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CNewNotifApp construction

CNewNotifApp::CNewNotifApp()
{
    // TODO: add construction code here,
    // Place all significant initialization in InitInstance
}

/////////////////////////////////////////////////////////////////////////////
// The one and only CNewNotifApp object

CNewNotifApp theApp;

PROCESS_INFORMATION g_pi;

// Backslashes inside a C string literal have to be doubled.
TCHAR g_szPath[] = TEXT("C:\\Windows\\Notepad.exe");

//This function safely terminates a process, allowing
//it to do cleanup (ie. DLL detach)
//It can be found at the Windows Developer's Journal
//(SafeTerminateProcess is only referenced below; its body is not part of this post.)

//Entrance function for the DLL
//(An MFC DLL already gets its DllMain from MFC, so this routine is only used
//if the linker is pointed at it explicitly.)
BOOL WINAPI LibMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        // Winlogon calls the handlers from its own threads; no per-thread work here.
        DisableThreadLibraryCalls(hInstance);
        break;
    }
    return TRUE;
}

// Winlogon looks the handlers up with GetProcAddress using the names stored in
// the "Logon"/"Logoff" values under Winlogon\Notify\newNotif, so they must be
// exported undecorated: extern "C" here plus the entries in newNotif.def.

//Event handler for the Winlogon Logon event
extern "C" VOID APIENTRY StartProcessAtWinLogon(PWLX_NOTIFICATION_INFO pInfo)
{
    TCHAR szText[MAX_PATH];

    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));            // clears every field not set below
    si.cb = sizeof(STARTUPINFO);
    si.lpDesktop = TEXT("WinSta0\\Default");
    si.dwFlags = STARTF_USESHOWWINDOW;      // without this flag wShowWindow is ignored
    si.wShowWindow = SW_SHOW;

    DWORD dwWritten;

    // GENERIC_WRITE / FILE_ATTRIBUTE_NORMAL instead of GENERIC_ALL / NULL.
    HANDLE hFile = CreateFile(TEXT("c:\\TSP.txt"), GENERIC_WRITE, 0, NULL,
        OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        // lstrcpy/lstrlen follow TCHAR (strcpy/strlen break a Unicode build);
        // WriteFile wants a byte count, hence the sizeof(TCHAR).
        lstrcpy(szText, TEXT("StartProcessAtWinLogon \r\n"));
        WriteFile(hFile, szText, lstrlen(szText) * sizeof(TCHAR), &dwWritten, NULL);
        CloseHandle(hFile);
    }

    CreateProcess(NULL, g_szPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
        NULL, NULL, &si, &g_pi);

    MessageBox(NULL, TEXT("Winlogon Test"), TEXT("Winlogon Test"), MB_OK);
}

//Event handler for the Winlogon Logoff event.
extern "C" VOID APIENTRY StopProcessAtWinLogoff(PWLX_NOTIFICATION_INFO pInfo)
{
    //terminates the process
    // **************** SafeTerminateProcess(g_pi.hProcess , 0xDEADBEEF);
}

//other event handlers
extern "C" VOID APIENTRY YOUR_EVENT_HANDLERS(PWLX_NOTIFICATION_INFO pInfo)
{
    //code
}

// Here is the event handler for the Winlogon Logon event.
VOID WLEventLogon(PWLX_NOTIFICATION_INFO pInfo)
{
    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    OutputDebugString(TEXT("NOTIFY: Entering WLEventLogon.\r\n"));
}

// Here is the event handler for the Winlogon Logoff event.
VOID WLEventLogoff(PWLX_NOTIFICATION_INFO pInfo)
{
    // Print the name of the handler to debug output.
    // You can replace this with more useful functionality.
    OutputDebugString(TEXT("NOTIFY: Entering WLEventLogoff.\r\n"));
}

HEADER FILE
// newNotif.h : main header file for the NEWNOTIF DLL
//

#if !defined(AFX_NEWNOTIF_H__CEECF57A_5EFB_4B19_A60F_E05203D4E73C__INCLUDED_)
#define AFX_NEWNOTIF_H__CEECF57A_5EFB_4B19_A60F_E05203D4E73C__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000

#ifndef __AFXWIN_H__
    #error include 'stdafx.h' before including this file for PCH
#endif

// <windows.h> already arrives through afxwin.h; only winwlx.h is needed here.
#include <winwlx.h>
#include "resource.h"       // main symbols

/////////////////////////////////////////////////////////////////////////////
// CNewNotifApp
// See newNotif.cpp for the implementation of this class
//

class CNewNotifApp : public CWinApp
{
public:
    CNewNotifApp();

// Overrides
    // ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CNewNotifApp)
    //}}AFX_VIRTUAL

    //{{AFX_MSG(CNewNotifApp)
        // NOTE - the ClassWizard will add and remove member functions here.
        //    DO NOT EDIT what you see in these blocks of generated code !
    //}}AFX_MSG
    DECLARE_MESSAGE_MAP()
};

/////////////////////////////////////////////////////////////////////////////

//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.

#endif // !defined(AFX_NEWNOTIF_H__CEECF57A_5EFB_4B19_A60F_E05203D4E73C__INCLUDED_)

Hi,

First of all, if you want to modify the logon screen, I would highly recommend getting the sample gina.dll (I think there should be one on MSDN) and modifying it according to your needs. (Several years ago, when I was young and stupid ;), I tried to build one from scratch and gave up after several months, not being able to get network logons working; it’s quite a complex topic...)

Am I right in assuming the code you attached should display a notification message? I don’t know about the Winlogon\Notify\ registry key, but...
- To display a notification message you can set the Winlogon\LegalNoticeCaption and Winlogon\LegalNoticeText entries.
- To customize the notification message window itself, you can modify the GINA’s VOID WINAPI WlxDisplaySASNotice(PVOID pContext) function.

And again, I don’t know the Notify reg key, but if you intended to replace the whole GINA DLL, you’ll have to specify your new DLL by creating a Winlogon\GinaDll key and setting its value to the name of your new DLL.

If you want to get deeper into logon sessions, security and so on, I could recommend the book “Programming Windows Security” by Keith Brown. (It does not deal a lot with implementing a GINA DLL, but gives all the basics required for this issue.)

Regards,
Daniel.


Hi Daniel,
Thanks for the quick reply!
Well, I’m not actually trying to modify the logon screen in this program. The reason I mentioned logon screens is because I’ve been learning about Winlogon. This program, again this is an example I found online on other forums, is supposed to execute a program (in this case Notepad.exe) before the logon process begins, then save some info to a text file (not sure exactly what is saved) and finally display a message box. That is my understanding of the program. My biggest problem/question is “Am I compiling the program correctly?” Even though there are no errors, there is no output either. I’m sure I can figure out how to modify/play with the program once I can see some visible output from the program (i.e. text file being created, message box being displayed). Like I mentioned, the example was poorly explained and so I’m not sure if I have created the correct project for creating a DLL. If you’d like, I can provide a link to the forum where I got the code from so you can take a look.
Thanks for your help so far! And I’ll check out that book you mentioned. I think I’ve seen it online before while searching for help on this topic.


What do you actually hope to accomplish?

You see, there is a problem with the winlogon hook. To date, its primary use in the world has been as an injection mechanism for spyware. There may be a few legitimate winlogon hooks in some corporate environments, but in most cases the same problem is better solved with a GINA replacement, or a Windows service, or a program in the Startup group.

In fact, as I understand it, because of this problem, the winlogon hook is being removed from Vista. I’m sure I will be corrected if I read incorrectly.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
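Tim’s point is why the Notify key is a standard item on persistence checklists. As an added example (not code from this thread), the following Python parses a .reg export of that key like the one posted above, decodes the hex(2) DllName values and flags any package whose DLL is not on a reviewer-supplied baseline; the sample export and the baseline are constructed for the example.

```python
r"""Audit Winlogon\Notify registrations from a .reg export: decode the hex(2)
DllName values and compare each package against a reviewer-supplied baseline."""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Event value names winlogon recognises under a Notify subkey.
HANDLER_VALUES = ("Logon", "Logoff", "Startup", "Shutdown", "StartScreenSaver",
                  "StopScreenSaver", "Lock", "Unlock", "StartShell", "PostShell",
                  "Disconnect", "Reconnect")

# Constructed sample export: the thread's newNotif entry plus a second entry
# modelled on a stock Windows package (constructed values, not a real dump).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\newNotif]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):6e,00,65,00,77,00,4e,00,6f,00,74,00,69,00,66,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logon"="StartProcessAtWinLogon"
"Logoff"="StopProcessAtWinLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Startup"="SchedStartShell"
"""


def _join_continuations(text):
    """Merge .reg continuation lines (a trailing backslash continues the value)."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            lines.append(line)
    return lines + ([pending] if pending else [])


def decode_hex_value(value):
    """Decode a 'hex(2):6e,00,...' payload as UTF-16LE and drop the terminator."""
    payload = value.split(":", 1)[1]
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_notify_reg(text):
    """Return {package: {value_name: value}} for every Notify subkey in the export."""
    prefix = (NOTIFY_KEY + "\\").lower()
    packages, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                current = packages.setdefault(key[len(prefix):], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip('"')
            if value.startswith("dword:"):
                current[name] = int(value[len("dword:"):], 16)
            elif value.startswith("hex("):
                current[name] = decode_hex_value(value)
            else:
                current[name] = value.strip('"')
    return packages


def audit_notify_packages(packages, baseline):
    """One finding per package; 'review' is set when the DLL is not the expected one.
    baseline maps lower-case package name -> expected DLL file name (lower-case).
    A bare DllName resolves through winlogon's DLL search path, which is why the
    poster copies the DLL into system32."""
    findings = []
    for name, values in sorted(packages.items()):
        dll = values.get("DllName", "")
        findings.append({
            "package": name,
            "dll": dll,
            "handlers": {v: values[v] for v in HANDLER_VALUES if v in values},
            "asynchronous": bool(values.get("Asynchronous", 0)),
            "impersonate": bool(values.get("Impersonate", 0)),
            "bare_filename": "\\" not in dll,
            "review": baseline.get(name.lower()) != dll.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in audit_notify_packages(parse_notify_reg(SAMPLE_REG), {"schedule": "wlnotify.dll"}):
        print("REVIEW" if f["review"] else "ok    ", f["package"], f["dll"], f["handlers"])
```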

I’m not trying to create or spread malware, I assure you. I work for a company that has the Government as one of its customers. My company has been tasked to support their several network infrastructures. One of their requirements is that we monitor closely who is using the systems (especially after hours), what time, and so forth. For this reason, among other reasons, orders came from high above (Program Management level) to implement an application that will monitor closely the user activities for statistical purposes at the logon level. The customer has requested that we provide them with the number of incorrect logon attempts and, if incorrect, whether the user is trying to log onto his own system incorrectly or someone else’s (in which case, he’ll probably be questioned). One of the finer requirements of this task is to use the current logon mechanism (in this case, the gina.dll which is currently used). So what I’m trying to do is to start an application (using Winlogon) that will capture the username and create an MD5 hash of the user’s password so we can present the information to them. So again, I assure you that my intentions are strictly professional and I implore you to help, if you can. Thanks again, in advance!

> I’m not trying to create or spread malware, I assure you. I work for a
> company that has the Government as one of its customers. My company has
> been tasked to support their several network infrastructures. One of their
> requirements is that we monitor closely who is using the
> systems (especially after hours), what time, and so forth

It has been a while since I got my Win2K certificate, but I seem to remember that this is all standard stuff that can be configured with auditing policies. Doing this also means you can use the standard auditing tools.

Messing with the GINA seems only useful if you want to create a custom logon mechanism (retina scanners or whatever).

Btw, you can also create a service that captures logon events to log logon and logoff activity.

Kind regards,
Bruno.
xxxxx@hotmail.com
Remove only “_nos_pam”

> purposes at the logon level. The customer has requested that we provide them
> with the number of incorrect logon attempts and, if incorrect, whether the
> user is trying to log onto his own system incorrectly or someone else’s

Why not just analyze the Windows security log?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Have you considered just writing a replacement GINA instead? I have one on my website and it is open source under the BSDL, so you are pretty much free to use it any way you like.

There is an older version of it written in Delphi and a newer version written in C++. I’ll just point you to the one written in C++:
http://assarbad.info/stuff/agreementgina2+src.rar

Regards,

Oliver

May the source be with you, stranger ;)

ICQ: #281645
URL: http://assarbad.net

Oliver: The task requirements prohibit us from modifying the current Gina.dll, but I will look at your source code for other ideas. Thanks!
Bruno: I will propose this idea to my supervisor as an alternative to the required method.
Maxim: How can a service be created to capture logon events? I was under the impression that all services start AFTER the logon process has completed?

The reason my group proposed the idea of starting an application prior to the logon events was because the same application can be modified and implemented into other requests. This seems to be cost and time effective.

Thanks for all your help so far guys! Much appreciated!

> Maxim: How can a service be created to capture logon events? I was
> under the impression that all services start AFTER the logon process has
> completed?

That is wrong. Some *may* start after this, especially since XP where even drivers are loaded more asynchronously than ever before, but usually they will be loaded in parallel or earlier (just deduced from observation). Keep in mind that the logon does not necessarily take place right after Winlogon started - the logon screen could be active hours or days before the actual logon occurs.

> The reason my group proposed the idea of starting an application prior
> to the logon events was because the same application can be modified
> and implemented into other requests. This seems to be cost and time
> effective.

So then you could as well write it as a native application.

Oliver

May the source be with you, stranger ;)

ICQ: #281645
URL: http://assarbad.net

So are you saying that the reason that my above source code might not be doing anything is because I have “Asynchronous”=dword:00000000 in my registry file? Should I set it to 1 and perhaps I’ll at least get a message box to appear?
I’ll take a look at native applications. I haven’t had too much experience with them. In the meantime, if you have any examples of native apps, please let me know.
Thanks again!

> That is wrong. Some *may* start after this, especially since XP where even
> drivers are loaded more asynchronously than ever before, but usually they

Correct, and the user can log on before most of the services are started, LanmanServer, for instance.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

So then does a standard Win32 service need to be modified in some way in
order for it to interact with Winlogon and the logon prompt? Or will the
service eventually start and do whatever it was meant to do? I guess I’m
still a little unclear.

You don’t need to interact with Winlogon. You need to consume the security
audit information that the OS already writes to its security logs, and you
need to turn the audit logs on. Successful and unsuccessful login attempts
can be recorded in the security log. And yes, the security log itself is
secure.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Nimish Sudan
Sent: Wednesday, March 15, 2006 4:32 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] C++ Winlogon help

> So then does a standard Win32 service need to be modified in some way in
> order for it to interact with Winlogon and the logon prompt? Or will the
> service eventually start and do whatever it was meant to do? I guess I’m
> still a little unclear.
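The approach Bruno, Maxim and Arlie describe, as an added example (not code from this thread): aggregate already-exported Security-log records into the report the original poster was asked for (failed attempts per account, failures on a workstation other than the account’s own, and after-hours activity). The records, the account-to-workstation mapping and the helper names are constructed for the example; 528 and 529 are the Windows 2000/XP Security-log event IDs for a successful logon and a bad-user-name-or-password failure (Vista and later use 4624 and 4625).

```python
"""Report failed logons from exported Security-log audit records, as the replies
suggest doing instead of hooking Winlogon. Constructed sample data only."""
from collections import defaultdict
from datetime import datetime

# Windows 2000/XP Security-log event IDs written when "Audit logon events" is on.
EVENT_LOGON_SUCCESS = 528
EVENT_LOGON_BAD_CREDENTIALS = 529

# Constructed: which workstation each account is assigned to. In practice an
# asset inventory supplies this mapping.
ASSIGNED_WORKSTATION = {"jsmith": "WS-0101", "adoe": "WS-0102"}

# Constructed sample records: (timestamp, event id, account, workstation).
SAMPLE_EVENTS = [
    ("2006-03-15 08:55:02", 528, "jsmith", "WS-0101"),
    ("2006-03-15 09:01:17", 529, "adoe", "WS-0102"),
    ("2006-03-15 09:01:29", 528, "adoe", "WS-0102"),
    ("2006-03-15 22:14:03", 529, "jsmith", "WS-0102"),
    ("2006-03-15 22:14:11", 529, "jsmith", "WS-0102"),
    ("2006-03-15 22:14:20", 529, "jsmith", "WS-0102"),
]


def is_after_hours(ts, start=20, end=6):
    """True when the timestamp falls outside the working day (default 06:00-20:00)."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return hour >= start or hour < end


def summarise_logons(events, assigned):
    """Aggregate per account: successes, failures, failures on a workstation not
    assigned to that account, and after-hours attempts of either kind."""
    report = defaultdict(lambda: {"succeeded": 0, "failed": 0,
                                  "failed_elsewhere": 0, "after_hours": 0})
    for ts, event_id, account, workstation in events:
        entry = report[account]
        if event_id == EVENT_LOGON_SUCCESS:
            entry["succeeded"] += 1
        elif event_id == EVENT_LOGON_BAD_CREDENTIALS:
            entry["failed"] += 1
            if assigned.get(account) != workstation:
                entry["failed_elsewhere"] += 1
        else:
            continue  # other audit events are not logon attempts
        if is_after_hours(ts):
            entry["after_hours"] += 1
    return dict(report)


def accounts_to_question(report, threshold=3):
    """Accounts that reached the failure threshold or failed on someone else's machine."""
    return sorted(account for account, entry in report.items()
                  if entry["failed"] >= threshold or entry["failed_elsewhere"] > 0)


if __name__ == "__main__":
    summary = summarise_logons(SAMPLE_EVENTS, ASSIGNED_WORKSTATION)
    for account in accounts_to_question(summary):
        print(account, summary[account])
```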


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer