How do you lock an NT 4.0 Workstation from a program?


Post by Dale Witysh » Sat, 13 Dec 1997 04:00:00



Hi,

Sorry for cross-posting, but if I knew where exactly to
post I would probably already have the answer ;-)

How does one lock the desktop of an NT 4.0 workstation through the API?

i.e. emulate the CTL-ALT-DEL, ALT-W key sequence.

I have seen a VB shareware program called locknow that both invokes the
screen saver and locks the workstation.  And am wondering how to do the latter.

In fact I would appreciate it if someone could explain how password protected
screen-savers work in windows nt.  I suspect it is not the saver that locks
the workstation but nt itself.  I think this is so because configuring screen
saver "foo" to be password protected and then executing foo.scr does indeed
start the screen saver but doesn't seem to lock the workstation.

Any tips, suggestions or pointers would be greatly appreciated.

Thanks in advance.

Dale Wityshyn

 
 
 


Post by Jason Shanno » Sat, 13 Dec 1997 04:00:00



>Hi,

>Sorry for cross-posting, but if I knew where exactly to
>post I would probably already have the answer ;-)

>How does one lock the desktop of an NT 4.0 workstation through the API?

I don't think you can, unless you write your own NT security authority using
the MSGINA APIs.

However, you can achieve something similar by creating a new desktop
containing a dialog which could prompt for a password. The following code
creates and activates a new desktop (NT only) - you would need to add some
dialog creation/handling code to it.

Key-sequences like ALT-TAB, CTRL-ESC, etc. will *NOT* work when the desktop
is active unless you choose to handle them. The secure attention
CTRL-ALT-DEL sequence WILL work and the usual screen will appear enabling
logoff/shutdown & password changing, but not Task Manager.

I don't know what access tokens you require (if any) to run the following,
but it definitely works from an administrator account.

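#define STRICT
#include <windows.h>
#include <stdio.h>

int
main()
{
  /* Remember the desktop this thread runs on so we can switch back to it. */
  HDESK hOrig = GetThreadDesktop(GetCurrentThreadId());
  HDESK hDesk = CreateDesktop(
    "Lockit",
    0, 0, 0,
    DESKTOP_CREATEMENU |
    DESKTOP_CREATEWINDOW |
    DESKTOP_ENUMERATE |
    DESKTOP_HOOKCONTROL |
    DESKTOP_READOBJECTS |
    DESKTOP_SWITCHDESKTOP |
    DESKTOP_WRITEOBJECTS,
    0);
  if (hDesk)
    {
      printf("hDesk: %p\n", (void *)hDesk);
      /* Make the new, empty desktop the one that receives input. */
      BOOL bSuccess = SwitchDesktop(hDesk);
      if (!bSuccess)
        printf("sderr %08lx\n", GetLastError());
      Sleep(10000);
      /* Return to the original desktop before releasing the new one. */
      SwitchDesktop(hOrig);
      /* Desktop handles are released with CloseDesktop, not CloseHandle. */
      CloseDesktop(hDesk);
    }
  else
    printf("can't create desktop\n");
  return 0;

}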

--
Jason Shannon

 
 
 


Post by Dale Witysh » Sat, 13 Dec 1997 04:00:00



Thanks Jason,

I will play around with this and see where it takes me.

But, I am pretty sure that this can be done.  The person who wrote the
shareware I referred to in my previous post seems to have figured it out.

I am just guessing, but I think he is doing it through SendMessage.

I found the string SendMessageH in his VB executable.  Of course it may
be there for an entirely different reason.

Thanks again.

Dale.

p.s.  I couldn't get mail to you, can't seem to resolve digitivity.com.



 
 
 


Post by Aaron J Margosi » Sun, 14 Dec 1997 04:00:00


[Newsgroups trimmed; replying by e-mail also]

The only way to lock the workstation from the application level is to turn
screen saver password protection on and then start the screen saver.
Password protection can be set by setting the following string value to
"1":
        HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

Here's the easiest way to start the screen saver:

        SendMessage( GetDesktopWindow(), WM_SYSCOMMAND, SC_SCREENSAVE, 0 ) ;

Of course, you have to have a screen saver selected for this to work.

You are correct:  NT is entirely responsible for screen saver password
protection.  Big contrast with Win95, where the screen saver executable is
responsible for prompting the user and validating the password (although
unlike Win 3.1, Win95 at least provides APIs to do the work and provide a
common interface.)

HTH




-- Aaron
---------------------
Aaron J Margosis

ScrnSaveSwitch/Plus - Screen Saver Control Utility:
http://www.ssswitch.com
 
 
 


Post by Aaron J Margosi » Sun, 14 Dec 1997 04:00:00


One other important point:  password protection is not invoked at all if
you launch the screen saver directly; e.g.,

        ssmyst.scr /s

This is why you never need to enter a password when previewing screen
savers on NT.  Password protection is invoked only when the OS starts the
screen saver, either from a timeout or a SC_SCREENSAVE command.



-- Aaron
---------------------
Aaron J Margosis

ScrnSaveSwitch/Plus - Screen Saver Control Utility:
http://www.ssswitch.com
 
 
 


Post by Vincent Fati » Mon, 15 Dec 1997 04:00:00




>How does one lock the desktop of an NT 4.0 workstation through the API?

As Aaron Margosis suggested, the following does it (and leaves the
"ScreenSaverIsSecure" registry setting as it was previously). If you
can't build it, try the following URL for a copy of the (Intel) EXE
(22,528 bytes):

        ftp://barnyard.syr.edu/pub/vefatica/locknow.exe

Note: It seems to take 2-4 seconds after the screensaver is activated
for the "lock" to take effect.

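/* LOCKNOW.CPP */
#include <windows.h>
#include <string.h>     /* strcmp */

int WINAPI WinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance,
        PSTR szCmdLine, int iCmdShow)

{
        HKEY RegKey;
        char YES[] = "1", NO[] = "0", CurrentSetting[2] = "";
        DWORD CSsize = sizeof(CurrentSetting);
        BOOL ResetToZero = FALSE;

        /* Open the calling account's desktop settings; give up if that fails. */
        if ( RegOpenKeyEx(HKEY_CURRENT_USER, "Control Panel\\Desktop",
                0, KEY_QUERY_VALUE | KEY_SET_VALUE, &RegKey) != ERROR_SUCCESS )
                return 1;

        /* Read the current setting.  If the value is missing or does not
           fit, treat it as unknown and leave the registry untouched. */
        if ( RegQueryValueEx(RegKey, "ScreenSaverIsSecure", NULL, NULL,
                (LPBYTE) CurrentSetting, &CSsize) != ERROR_SUCCESS )
                CurrentSetting[0] = '\0';
        CurrentSetting[sizeof(CurrentSetting) - 1] = '\0';

        /* Turn password protection on just for this activation. */
        if ( !strcmp(CurrentSetting, "0") ) {
                RegSetValueEx(RegKey, "ScreenSaverIsSecure", 0,
                        REG_SZ, (LPBYTE) YES, 2);
                ResetToZero = TRUE;
        }

        /* Ask the system to start the screen saver. */
        SendMessage( GetDesktopWindow(), WM_SYSCOMMAND,
                SC_SCREENSAVE, 0 );

        /* Put the setting back the way it was. */
        if ( ResetToZero ) {
                RegSetValueEx(RegKey, "ScreenSaverIsSecure", 0,
                        REG_SZ, (LPBYTE) NO, 2);
        }

        RegCloseKey(RegKey);
        return 0;

}

/* LOCKNOW.CPP */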

 - Vince
___
   Vincent Fatica
   Syracuse University Mathematics

   http://barnyard.syr.edu/~vefatica/

 
 
 


Post by Dale Wityshy » Wed, 17 Dec 1997 04:00:00


Hi Vincent,

Thanks for the info.  The program you sent works fine from a console
window.

However I am trying to launch the screen saver automatically at a
predetermined time.

I use the at command as follows:

at 16:00 /interactive  d:\work\lockscreen\debug\lockscreen.exe

(note: the screen saver is configured with password protection unchecked)

When the time occurs the screen saver is indeed invoked, however the
password protection
is not enabled.  It works fine if the password protected option is checked
beforehand.

Any idea why this is so?

Thanks again.

Dale Wityshyn






 
 
 


Post by Vincent Fati » Thu, 18 Dec 1997 04:00:00


On Tue, 16 Dec 1997 19:27:48 -0800, "Dale Wityshyn"


>Thanks for the info.  The program you sent works fine from a console
>window.

>at 16:00 /interactive  d:\work\lockscreen\debug\lockscreen.exe

>(note: the screen saver is configured with password protection unchecked)

>When the time occurs the screen saver is indeed invoked, however the
>password protection
>is not enabled.  It works fine if the password protected option is checked
>beforehand.

Yes, you seem to be right. My guess is (perhaps someone more "in the
know" will clarify) that because "at" is running on some account
("system" probably) other than that of the logged in user, the Reg*
calls (all of which succeed) are not accessing the same registry key
(in HKEY_CURRENT_USER) that the kernel checks for
"ScreenSaverIsSecure" when activating the screensaver. I don't know
how to fix it, maybe schedule yet another program which uses
CreateProcessAsUser() to start "locknow". You could try having "at"
run on Administrator's account, giving administrator a secure
screensaver, but that might*up other things.

It's an interesting question.

 - Vince
___
   Vincent Fatica
   Syracuse University Mathematics

   http://www.veryComputer.com/~vefatica/

 
 
 


Post by Vincent Fati » Thu, 18 Dec 1997 04:00:00


>On Tue, 16 Dec 1997 19:27:48 -0800, "Dale Wityshyn"

>>Thanks for the info.  The program you sent works fine from a console
>>window.

>>at 16:00 /interactive  d:\work\lockscreen\debug\lockscreen.exe

>>(note: the screen saver is configured with password protection unchecked)

>>When the time occurs the screen saver is indeed invoked, however the
>>password protection
>>is not enabled.  It works fine if the password protected option is checked
>>beforehand.

Yes, I checked. When run by "at" (here) the Reg*(HKEY_CURRENT_USER)
calls which attempt to read and possibly (momentarily) set
"ScreenSaverIsSecure" are actually accessing the
HKEY_USERS\.DEFAULT\Control Panel\Desktop key, which is apparently
what the "system" account uses (the ScreenSaverIsSecure setting there
is manipulated). It seems, however, that the kernel, in starting the
screensaver, is checking the settings for the user actually logged in.
Or maybe, the workstation IS REALLY LOCKED but only for the moment
that the system account is "logged on".

Hmmm ... ? Still an interesting question!

 - Vince
___
   Vincent Fatica
   Syracuse University Mathematics

   http://barnyard.syr.edu/~vefatica/

 
 
 


Post by Dale Wityshy » Thu, 18 Dec 1997 04:00:00


Hi Vincent,

I have found a (not very satisfactory) workaround to this.

If I configure the Schedule service to "Log On As" the same
user that is logged onto the workstation, it works fine with
the at command.

I am wondering if it is possible to have the program discover
who is actually logged on and modify that particular registry
entry.  Surely that is possible?

Perhaps a service which invokes a password protected screen
saver at certain times and disables it at others?

Hmm.  I guess I've got some reading to do...

I think that maybe this thread has wound a little too deep and
perhaps the question should be reworded and reposted.

Any suggestions?

Dale Wityshyn




 
 
 


Post by Vincent Fati » Fri, 19 Dec 1997 04:00:00


On Wed, 17 Dec 1997 22:14:01 -0800, "Dale Wityshyn"


>I am wondering if it is possible to have the program discover
>who is actually logged on and modify that particular registry
>entry.  Surely that is possible?

I doubt NT would allow that.

>Perhaps a service which invokes a password protected screen
>saver at certain times and disables it at others?

As long as the service runs on the desired account (with
ScreenSaverIsSecure = 1).

>Hmm.  I guess I've got some reading to do...

Why not forget about "at" and surround locknow's routine with an
infinite loop which checks the time, locks the WKS if the time is
right, and otherwise sleeps a lot? For example (LOCKAT, untested):

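while ( TRUE ) {
        time_t now = time(NULL);        /* ctime() takes a pointer to a time_t */
        for ( int i = 1 ; i < __argc ; i++ ) {
                /* ctime() returns "Www Mmm dd hh:mm:ss yyyy"; hh:mm starts at offset 11 */
                if ( !strncmp(__argv[i], ctime(&now)+11, 5) ) {
                        /* DO THE LOCKING HERE */
                        break;
                }
        }
        Sleep(59000);

}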

and use the syntax:     lockat hh:mm hh:mm hh:mm ...

Just leave it running.

>I think that maybe this thread has wound a little too deep and
>perhaps the question should be reworded and reposted.

It is an interesting question. I'll try later to condense it.

 - Vince
___
   Vincent Fatica
   Syracuse University Mathematics

   http://barnyard.syr.edu/~vefatica/
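
The time check from the LOCKAT sketch above, as an added example (not part of the original posts): portable C that validates each hh:mm argument, because an argument such as 7:30 never matches the zero-padded ctime() text and the lock would silently never fire, and that fires at most once per scheduled minute even when two 59-second polls land in the same minute. The names parse_hhmm and should_lock are made up for this example; the locking call itself is Windows-only and is left as a comment.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Parse a strict 24-hour "hh:mm" argument into minutes since midnight.
   Returns -1 for anything else ("7:30", "25:00", "16-00"), which the
   ctime()-based comparison would accept but never match. */
int parse_hhmm(const char *s)
{
    int h, m;
    if (strlen(s) != 5 || s[2] != ':')
        return -1;
    if (s[0] < '0' || s[0] > '9' || s[1] < '0' || s[1] > '9' ||
        s[3] < '0' || s[3] > '9' || s[4] < '0' || s[4] > '9')
        return -1;
    h = (s[0] - '0') * 10 + (s[1] - '0');
    m = (s[3] - '0') * 10 + (s[4] - '0');
    return (h < 24 && m < 60) ? h * 60 + m : -1;
}

/* Decide whether to lock at local time *now.  *last_fired remembers the
   minute of the previous lock so that a second poll inside the same
   minute does not trigger again. */
int should_lock(const struct tm *now, const int *sched, int n, long *last_fired)
{
    int minute = now->tm_hour * 60 + now->tm_min;
    long stamp = ((long)now->tm_year * 366 + now->tm_yday) * 1440 + minute;
    int i;
    for (i = 0; i < n; i++) {
        if (sched[i] == minute && stamp != *last_fired) {
            *last_fired = stamp;
            return 1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    int sched[32], n = 0, i;
    long last_fired = -1;
    time_t t = time(NULL);
    for (i = 1; i < argc && n < 32; i++) {
        int v = parse_hhmm(argv[i]);
        if (v < 0) {    /* refuse to run with a time that can never match */
            fprintf(stderr, "bad time '%s' (want hh:mm)\n", argv[i]);
            return 1;
        }
        sched[n++] = v;
    }
    /* One poll; the real loop would lock here, then Sleep(59000). */
    printf("lock now: %d\n", should_lock(localtime(&t), sched, n, &last_fired));
    return 0;
}
```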