Trapping Ctrl-Alt-Del

Hi.

I am developing an application for kiosk-like computers. When the user presses the Ctrl-Alt-Del combination, we want to trap this event and show our custom application dialog that will block the desktop and allow another user to enter the system without logging out of the Windows session. Previously this was done using GINA, but since Vista this does not work, so we need to do this via a keyboard filter driver. I am completely new to driver development, please help me :slight_smile:

  1. The first problem: I do not have much information about how Windows itself detects the Ctrl-Alt-Del combination. In KbFilter_ServiceCallback of kbfiltr I have key scan codes. But it looks like Windows uses virtual keys instead, so if I try to filter based on scan codes this may work incorrectly if there is some sort of remapping (for instance RAlt -> AltGr). Am I correct in this assumption? If yes, then is it possible to translate a scan code to a virtual key in a filter driver?

Also, I don’t know whether Windows maintains some sort of state machine driven by keyboard events to detect the Ctrl and Alt status when the Del key make comes in. Or does it ask the keyboard driver to read the status from the keyboard?

  2. I need to send commands to the driver from a service to turn the trapping on/off. The kbfiltr sample creates a raw PDO for each device, so if there are two keyboards connected there will be two PDOs. I can send a command to any of them to change the driver’s global state (a global variable that stores the on/off state). But it is probably better to create just one control object, as the toaster filter sample does. What do you think?

  3. How can I get a handle to the process that sends DeviceIoControl, so that if the controlling user application crashes I could automatically disable the trapping?

Are you sure you need a custom application? Check what global policies you can set and if you can configure the system to do what you want. Run gpedit.msc

I do not believe it is possible to configure the machine so that on Ctrl-Alt-Del the desktop is locked, allowing the next user to log in without changing the Windows session.

You can remove all “dangerous” options (Task Manager, Shutdown, Change password) from Ctrl-Alt-Del screen by global policies, leaving “switch user” and “lock”

Again, switching user in the Windows sense is not acceptable. There are background applications running in the kiosk session which should not be shut down. Anyway, I am unfortunately not in a position to define what to do. I was just given the task of writing this filter driver.

On 20-Sep-2011 08:39, xxxxx@yandex.ru wrote:

Again, switching user in the Windows sense is not acceptable. There are background applications running in the kiosk session which should not be shut down. Anyway, I am unfortunately not in a position to define what to do. I was just given the task of writing this filter driver.

Use Fast user switch? The apps in the other session won’t be shut down.

And have a look at Win8 with its “Metro” apps screen. Looks very kiosk
friendly :slight_smile:

– pa

Switch user doesn’t mean “logoff”. If you want to be able to leave the kiosk session intact, while performing administration tasks, you can log in to a separate admin session.

And if you have background applications that should not be shut down, those should be made services.

Remember that a world-exposed session is untrusted. You cannot assume that any app in it will be present.

It’s better to use existing OS provided tools, rather than kludge your add-on.

No, it’s not about administration. It’s about ordinary kiosk users who come to the kiosk, look up the necessary information and go away, allowing other users to work with the kiosk. It is just a different computer usage model. And no, we are not writing those background apps; they are not specific to our product, so we cannot make them services. Microsoft itself implemented a similar solution, http://technet.microsoft.com/en-us/library/hh273235(WinEmbedded.21).aspx, allowing one to easily filter out Ctrl-Alt-Del. We would like to implement a similar solution. Anyway, thank you all for your feedback.

So is what you want the ability to block ctrl-alt-del from bringing up the option to log out, unless the user is an administrator?

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yandex.ru
Sent: Tuesday, September 20, 2011 12:17 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Trapping Ctrl-Alt-Del

No, it’s not about administration. It’s about ordinary kiosk users who come to the kiosk, look up the necessary information and go away, allowing other users to work with the kiosk. It is just a different computer usage model. And no, we are not writing those background apps; they are not specific to our product, so we cannot make them services. Microsoft itself implemented a similar solution, http://technet.microsoft.com/en-us/library/hh273235(WinEmbedded.21).aspx, allowing one to easily filter out Ctrl-Alt-Del. We would like to implement a similar solution. Anyway, thank you all for your feedback.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

We want to implement something like lightweight sessions on top of a single Windows session running on the kiosk computer. When the user presses Ctrl-Alt-Del, we want to activate our application, which will block the computer desktop and show a dialog allowing another user to authenticate and use the same session (with some customizations that our app does for the newly authenticated user).

Basically you want to reinvent sessions. Good luck.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yandex.ru
Sent: Tuesday, September 20, 2011 12:44 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Trapping Ctrl-Alt-Del

We want to implement something like lightweight sessions on top of a single Windows session running on the kiosk computer. When the user presses Ctrl-Alt-Del, we want to activate our application, which will block the computer desktop and show a dialog allowing another user to authenticate and use the same session (with some customizations that our app does for the newly authenticated user).



Thank you, Peter.

You didn’t need to do that even back in XP. You need to do this even less now. That might’ve been necessary in Win2000, because it didn’t have fast user switching (multiple sessions).

I recommend you go back to your management and explain it to them, rather than being a slave to bad design decisions.

Though even without the fast user switching capability, there was the RunAs feature in Win2000. Why you needed something else is beyond me.

I’m also very curious about the possibility to intercept such a combination in the class upper filter driver. Can anyone here answer this question? Thanks.

Alex, I can give you one reason why fast switching will not work. Customers do not use Active Directory and integrated Windows authentication to manage their users. They use LDAP or a database server against which we authenticate. Probably there are other reasons that I am not aware of.

Anyway, I see that trapping SAS seems to be a religious topic, and I see no point in continuing the discussion.

On 21-Sep-2011 12:57, xxxxx@hotmail.com wrote:

I’m also very curious about the possibility to intercept such a combination in the class upper filter driver. Can anyone here answer this question? Thanks.

VMware can do this somehow.

–pa

You are in a common trap. The trap is: there is a problem. Someone who
has no idea what is going on says “We can fix that if only we…” and
poses an infeasible solution. Then people like you jump into these groups
and start asking questions of “how do I do X?” when X is not the correct
solution to the problem. The correct approach is to say “I have problem
Y; what is the right way to solve it?” and see what falls out. There
might be a correct solution that is already present, but you are precluded
from asking it because you are forced to ask the wrong question by having
been given the wrong instructions, being told HOW to solve a problem
instead of being given a problem to solve.

I don’t know the answer, but I am reasonably certain this approach is not
the correct one.
joe

Again, switching user in the Windows sense is not acceptable. There are
background applications running in the kiosk session which should
not be shut down. Anyway, I am unfortunately not in a position to define
what to do. I was just given the task of writing this filter driver.



On 9/22/2011 3:50 AM, xxxxx@flounder.com wrote:

You are in a common trap. The trap is: there is a problem. Someone who
has no idea what is going on says “We can fix that if only we…” and
poses an infeasible solution. Then people like you jump into these groups
and start asking questions of “how do I do X?” when X is not the correct
solution to the problem.

+1

IIRC, Peter had a good comment about this some time ago.

Bonus snark: “Hey, it’s a kiosk solution, let’s just physically remove
the CTL, ALT and DEL keys.” :wink:

Pavel: “VMware can do this somehow.”

Elaborate, please. VMware running on a Windows host? Or a VMware host for a Windows guest?

On 22-Sep-2011 16:30, xxxxx@broadcom.com wrote:

Pavel: “VMware can do this somehow.”

Elaborate, please. VMware running on a Windows host? Or a VMware host for a Windows guest?

On the host. If you have noticed, recent VMware versions have an
option for low-level keyboard hooking
(Options->General->Use Enhanced virtual keyboard).

From Workstation 7.1 help file:
“This feature provides an alternative method for the way a Windows host
system ordinarily processes keyboard input. It processes raw keyboard
input as soon as possible, bypassing Windows keystroke processing and
any malware that’s not already at a lower layer.
If you use this feature, when you press Ctrl+Alt+Delete, the guest
system only, rather than both guest and host, acts on the command.”

Regards,
– pa