Jump to content











Photo
- - - - -

RunAtWinlogon


  • Please log in to reply
5 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 16 November 2012 - 09:19 AM

Posted Image

File Name: RunAtWinlogon
File Submitter: joakim
File Submitted: 14 Nov 2012
File Updated: 20 Nov 2012
File Category: Security

How to run a custom application at winlogon screen:

With this setup we will have cmd running as LocalSystem available with a hotkey when at the Logon UI. Use with great care.

In order to achieve this we need an application launched at system startup that can interact with the desktop named "winsta0\Winlogon", also called "secure desktop". Our application needs to be installed as a system service for this to work.


Service can be installed with this command:

sc create "RunAtWinlogonWrapper" start= "auto" binpath= "C:\Program Files (x86)\RunAtWinlogon\RunAtWinlogonWrapper.exe" DisplayName= "RunAtWinlogonWrapper" obj= "LocalSystem"

sc create "RunAtWinlogon" start= "demand" binpath= "C:\Program Files (x86)\RunAtWinlogon\RunAtWinlogon.exe" DisplayName= "RunAtWinlogon" obj= "LocalSystem"


Alternatively, in offline mode (ie WinPE for instance), merge this into local registry:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RunAtWinlogon]

"Type"=dword:00000010

"Start"=dword:00000003

"ErrorControl"=dword:00000001

"ImagePath"="C:\\Program Files (x86)\\RunAtWinlogon\\RunAtWinlogon.exe"

"DisplayName"="RunAtWinlogon"

"ObjectName"="LocalSystem"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RunAtWinlogonWrapper]

"Type"=dword:00000010

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"="C:\\Program Files (x86)\\RunAtWinlogon\\RunAtWinlogonWrapper.exe"

"DisplayName"="RunAtWinlogonWrapper"

"ObjectName"="LocalSystem"


Change path to service/application accordingly. And remember the registry key path when mounted in offline mode would resolve to a given mountpoint and CurrentControlSet would not exist, like for instance HKEY_LOCAL_MACHINE\sys\ControlSet001\services\RunAtWinlogon would be correct in my case. The paths are not hard coded so it can be placed anywhere basically.
Since my application is written in AutoIt which does not respond well to Windows' Service Manager's control commands, it will terminate the service after a short while. I therefore, made a dummy service application that will just run its own life independently of the Service Manager's complaints. Also, since the service utilizes a hotkey to execute, it cannot be run as a standard Windows service (which runs in session 0 at the desktop Service-0x0-3e7$\default) because that simply will not ever receive the hotkey. For that reason we actually need a second service where the final application will be launched. That one too, will have to switch session and Window station/desktop, in order to reach the user trying to login at the Logon UI. The final service named RunAtWinlogon, reads a configuration file for what to run, and if hidden/visible.

The order of execution follows like this:
  • Windows service RunAtWinlogonWrapper does 1 thing and then stop. It starts an application named RunAtWinlogonExec.exe
  • RunAtWinlogonExec.exe executes an application named ServiceKick.exe which runs invisible in the background in the same session and desktop as Logon UI, and can understand the hotkey (shift+alt+j).
  • When hotkey is pressed, ServiceKick.exe will start the service named RunAtWinlogon.
  • The Windows service RunAtWinlogon will start an application that will read a configuration file from its current directory, and execute what is in there. Format of config file is "HiddenFlag?Command"
Example config for launching cmd.exe:

0?cmd.exe


Since it is not possible to retrive any feedback from the application/service at runtime to a console, it will write to a logfile in current directory.

Obviously this has some security issues, so use with care.

Has only been tested on Windows 7 x64. Should in theory run on anything of 32-bit/64-bit on NT6.x.

Some fun with it: ScreenCap2Gui
Simpel application to use with RunAtWinlogon. It just takes a screenshot and draw it across your screen. So at winlogon, you will not be able to login because you're just clicking at an image of the login screen. Not that much fun, just a little. Rename this app to ServiceKick.exe and place it in the same directory as RunAtWinlogon. Could be useful to rename the service RunAtWinlogonWrapper to _RunAtWinlogonWrapper so it starts a few moments earlier. If you login immediately, you may be too early for the application to do its job.

Click here to download this file

#2 homes32

homes32

    Gold Member

  • .script developer
  • 1021 posts
  • Location:Minnesota
  •  
    United States

Posted 16 November 2012 - 02:57 PM

cool stuff. thanks for sharing.

#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 20 November 2012 - 10:45 PM

Added ScreenCap2Gui:
Simpel app to use with RunAtWinlogon. It just takes a screenshot and draw it across your screen. So at winlogon, you will not be able to login because you're just clicking at an image of the login screen. Not that much fun, just a little. Rename this app to ServiceKick.exe and place it in the same directory as RunAtWinlogon. Could be useful to rename the service RunAtWinlogonWrapper to _RunAtWinlogonWrapper so it starts a few moments earlier.

And don't ask for any practical use, because there isn't.

Edit: Hitting "Esc" on the keyboard will exit from the image.

#4 AceInfinity

AceInfinity

    Frequent Member

  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  •  
    Canada

Posted 22 November 2012 - 05:04 AM

I can see how this may be useful in some cases with a specific hotkey, so long as, someone that you don't want to have access to this, doesn't know the hotkey, and isn't capable of figuring it out on their own.

Great stuff joakim :) I thouroughly enjoy reading your content.

~Ace

#5 DarkPhoeniX

DarkPhoeniX

    Frequent Member

  • Team Reboot
  • 452 posts
  • Location:In the middle of nowhere
  • Interests:Interesting Things
  •  
    South Africa

Posted 01 December 2012 - 10:46 PM

I like This
Might just have to use it sometime

#6 joakim

joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location:Bergen
  •  
    Norway

Posted 16 December 2012 - 11:02 PM

Reading about password reset techniques lately, I thought I might explain that RunAtWinlogon obviously also can be used for such too. Had a Server 2012 x64 vm with forgotten password on and tried adding the service from WinPE. Worked fine:

 


 

runatwinlogon_server2012_zpse412e0a4.png

 

 

 

Just copy the files to the path specified in the registry entries posted earlier. Adjust CurrentControlSet with target (as specified in HKLM\SYSTEM\Select\Current) and SYSTEM with mountpoint of hive (for instance sys), and correct x64 filenames if applicable. I can see this being a bit complicated to setup so maybe it's about time to write an installer to automate an installation from WinPE..






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users