Taking advantage of the Winlogon notification package

Introduction

The Winlogon notification package is a DLL which exports functions that handle winlogon.exe events. These event messages between des lock, unlock, logoff, logon, startup, shutdown, startscreensaver, stopscreensaver, and startshell.

This article demonstrates how to use the Winlogon notification package as an alternative to NT services. the main benefits for doing this is better handling of user activities. in addition, the Winlogon notification package will be very lightweight and requires much less code then its NT service equivalent.

The steps

Creating a Winlogon notification package is very simple. just create a DLL with specific functions to run during the Winlogon event messages. to let winlogon.exe know about your DLL, simply add a few entries into the registry where appropriate. this method can be quite robust and versatile when combined with your services and applications.

Sample

This sample starts a Win32 application before the user logon. because the process is started by WinLogon, it is owned by the system account. users may not end the process through 'end task '. this is the exact way NT services behave. in this sample, the logoff notification will terminate the process. if the process needed to stay active,EndprocessatwinlogoffFunction shocould be removed. If we wanted the process to be owned by the user, we cocould useCreateprocessasuserDuring a startup notification instead of a logon notification.

Step 1 .)-The DLL

Collapse

 //  Sample. cpp  # Include  <Windows. h>  # Include   <Winwlx. h> Process_information g_pi; tchar g_szpath [] = _ T ( "  C: \ somepath \ execut.exe \ "arguments \"" ); //  This function safely terminates a process, allowing  //  It To do cleanup (ie. dll detach)  // It can be found at the windows developer's journal Safeterminateprocess (handle hprocess, uint uexitcode ); //  Entrance function for the DLL Bool winapi libmain (hinstance, DWORD dwreason, lpvoid lpreserved ){ Switch (Dwreason ){ Case Dll_process_attach: {disablethreadlibrarycals (hinstance );} Break ;} Return True ;} //  Event handler for the Winlogon logon event Void apientry startprocessatwinlogon (pwlx_icationication_info pinfo) {startupinfo Si; Si. cb =Sizeof (Startupinfo); Si. lpreserved = NULL; Si. lptitle = NULL; Si. lpdesktop = "  Winsta0 \ default" ; Si. dwx = Si. dwy = Si. dwxsize = Si. dwysize = 0l; Si. dwflags = 0 ; Si. wshowwindow = sw_show; Si. lpreserved2 = NULL; Si. cbreserved2 = 0 ; CreateProcess (null, g_szpath, null, null, false, create_new_console, null, null, & Si, & g_pi );} //  Event handler for the Winlogon logoff event. Void apientry stopprocessatwinlogoff (pwlx_icationication_info pinfo ){ //  Terminates the process Safeterminateprocess (g_pi.hprocess, 0 xdeadbeef );} //  Other event handlers Void apientry your_event_handlers (pwlx_notification_info pinfo ){ //  Code }...

Step 2 .)-The exports

The program hasn't exported any functions yet. We need to create. DefFile.

Sample. Def

 
Exportsstartprocessatwinlogonstopprocessatwinlogoff
 

 

Now add the following to your linkage options in vc6 and build.

 
/DEF:"Sample. Def"
 

If everything went well, the filesSample. dllAndSample. ExpWill be in your Output Folder. Move these to \ % ntroot % \ system32

Step 3 .)-The Registry

Add the following values and keys to the Registry. These values communicate to winlogon.exe and let it know which procedures to run during an event notification. Add as few or as your notification events as needed.

 
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Policy \ nameofproject \ asynchronous REG_DWORD0\ Dllname REG_SZ nameofdll. dll \ impersonate REG_DWORD0\ Logon REG_SZ startprocessatwinlogon \ logoff REG_SZ stopprocessatwinlogoff \... REG_SZ nameoffunction
 

That's it! Now restart and winlogon.exe will launch your app.