File Submitter: joakim
File Submitted: 14 Nov 2012
File Updated: 20 Nov 2012
File Category: Security
How to run a custom application at winlogon screen:
With this setup we will have cmd running as LocalSystem available with a hotkey when at the Logon UI. Use with great care.
In order to achieve this we need an application launched at system startup that can interact with the desktop named "winsta0\Winlogon", also called "secure desktop". Our application needs to be installed as a system service for this to work.
Service can be installed with this command:
sc create "RunAtWinlogonWrapper" start= "auto" binpath= "C:\Program Files (x86)\RunAtWinlogon\RunAtWinlogonWrapper.exe" DisplayName= "RunAtWinlogonWrapper" obj= "LocalSystem" sc create "RunAtWinlogon" start= "demand" binpath= "C:\Program Files (x86)\RunAtWinlogon\RunAtWinlogon.exe" DisplayName= "RunAtWinlogon" obj= "LocalSystem"
Alternatively, in offline mode (ie WinPE for instance), merge this into local registry:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RunAtWinlogon] "Type"=dword:00000010 "Start"=dword:00000003 "ErrorControl"=dword:00000001 "ImagePath"="C:\\Program Files (x86)\\RunAtWinlogon\\RunAtWinlogon.exe" "DisplayName"="RunAtWinlogon" "ObjectName"="LocalSystem" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RunAtWinlogonWrapper] "Type"=dword:00000010 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "ImagePath"="C:\\Program Files (x86)\\RunAtWinlogon\\RunAtWinlogonWrapper.exe" "DisplayName"="RunAtWinlogonWrapper" "ObjectName"="LocalSystem"
Change path to service/application accordingly. And remember the registry key path when mounted in offline mode would resolve to a given mountpoint and CurrentControlSet would not exist, like for instance HKEY_LOCAL_MACHINE\sys\ControlSet001\services\RunAtWinlogon would be correct in my case. The paths are not hard coded so it can be placed anywhere basically.
Since my application is written in AutoIt which does not respond well to Windows' Service Manager's control commands, it will terminate the service after a short while. I therefore, made a dummy service application that will just run its own life independently of the Service Manager's complaints. Also, since the service utilizes a hotkey to execute, it cannot be run as a standard Windows service (which runs in session 0 at the desktop Service-0x0-3e7$\default) because that simply will not ever receive the hotkey. For that reason we actually need a second service where the final application will be launched. That one too, will have to switch session and Window station/desktop, in order to reach the user trying to login at the Logon UI. The final service named RunAtWinlogon, reads a configuration file for what to run, and if hidden/visible.
The order of execution follows like this:
- Windows service RunAtWinlogonWrapper does 1 thing and then stop. It starts an application named RunAtWinlogonExec.exe
- RunAtWinlogonExec.exe executes an application named ServiceKick.exe which runs invisible in the background in the same session and desktop as Logon UI, and can understand the hotkey (shift+alt+j).
- When hotkey is pressed, ServiceKick.exe will start the service named RunAtWinlogon.
- The Windows service RunAtWinlogon will start an application that will read a configuration file from its current directory, and execute what is in there. Format of config file is "HiddenFlag?Command"
0?cmd.exe
Since it is not possible to retrive any feedback from the application/service at runtime to a console, it will write to a logfile in current directory.
Obviously this has some security issues, so use with care.
Has only been tested on Windows 7 x64. Should in theory run on anything of 32-bit/64-bit on NT6.x.
Some fun with it: ScreenCap2Gui
Simpel application to use with RunAtWinlogon. It just takes a screenshot and draw it across your screen. So at winlogon, you will not be able to login because you're just clicking at an image of the login screen. Not that much fun, just a little. Rename this app to ServiceKick.exe and place it in the same directory as RunAtWinlogon. Could be useful to rename the service RunAtWinlogonWrapper to _RunAtWinlogonWrapper so it starts a few moments earlier. If you login immediately, you may be too early for the application to do its job.
Click here to download this file
I thouroughly enjoy reading your content.
