gioma

Delphi 10.4 : Unlock Windows by call to Windows API


Hello,
I am creating a remote control program using the WebRTC.
I have a problem, however: when the user I am connected to locks the screen, I cannot access the welcome screen. In fact, at that moment, it seems that the streaming of the desktop is interrupted, while the connection between the two clients remains active, so they can still exchange messages.
Assuming the logged-in user knows the access credentials, I'm looking for a way to re-login via the Windows API and unlock the screen.
Is it possible to do it?
I tried with LogonUser, but although the result is positive it does not unlock access.
Maybe I should try using PostMessage?


The login screen is an entirely different "desktop" (not to be confused with "Virtual desktops" which were introduced with Windows 10), much like an elevation prompt ("user account control").

An application that runs without administrative privileges cannot access that "secure desktop" the login screen is running on. You can, for example, also see this with other solutions like TeamViewer or AnyDesk: When they don't have administrative privileges and the user locks his account, they can't do anything.

Edited by Der schöne Günther
3 minutes ago, Der schöne Günther said:

The login screen is an entirely different "desktop" (not to be confused with "Virtual desktops" which were introduced with Windows 10), much like an elevation prompt ("user account control").

An application that runs without administrative privileges cannot access that "secure desktop" the login screen is running on. You can, for example, also see this with other solutions like TeamViewer or AnyDesk: When they don't have administrative privileges and the user locks his account, they can't do anything.

My application not only has administrator privileges, but runs as a System user.

13 minutes ago, Der schöne Günther said:

I believe you will still have to get familiar with Windows Desktops:

Desktops - Win32 apps | Microsoft Docs

Thanks for the hint, I'll dig deeper into the subject. 👍
Of course it wouldn't be bad if someone had already solved it!
After all, the community is also useful for this. 😋

10 minutes ago, Wil van Antwerpen said:

There's no supported way to do what you want and that's a good thing.

What do you mean?

I don't want to bypass the Windows login, but I would like to do it through a program controlled by a user who knows their login credentials.


I mean that the secure desktop cannot be programmatically controlled from another session and desktop.
This is a security measure in Windows and not even a system user can get around that.

18 minutes ago, Wil van Antwerpen said:

I mean that the secure desktop cannot be programmatically controlled from another session and desktop.
This is a security measure in Windows and not even a system user can get around that.

There are remote control programs that let you choose which session to open the connection in. How do they do it?


I still think you're just going to waste a lot of energy on fighting the system here, but OK, your choice.


You can enumerate the sessions for example: https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaenumeratelogonsessions

You can determine the secure desktop using: https://stackoverflow.com/questions/4260878/openinputdesktop-to-determine-secure-login-desktop

Then there's WTSQueryUserToken to get a user's token, and https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser?redirectedfrom=MSDN to use that.


Good luck!

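The OpenInputDesktop check Wil points to above, worked into an added Delphi example that is not code from this thread: a console program that reports whether the input desktop is the Winlogon secure desktop, which is exactly the moment the desktop stream in the original question goes dark. It assumes Delphi 10.4 with the Winapi.Windows and System.SysUtils units and that it runs inside the interactive session, not from a session 0 service (where OpenInputDesktop fails).

```delphi
program InputDesktopCheck;
{$APPTYPE CONSOLE}

uses
  System.SysUtils, Winapi.Windows;

// Name of the desktop that currently receives user input: 'Default' for the
// interactive desktop, 'Winlogon' while the workstation is locked or a
// credential prompt is shown. Returns '' if the desktop cannot be opened.
function GetInputDesktopName: string;
var
  Desk: HDESK;
  Needed: DWORD;
  Buf: array[0..MAX_PATH - 1] of Char;
begin
  Result := '';
  // DESKTOP_READOBJECTS is enough to query the name. From a service in
  // session 0 (no interactive window station) this call fails outright.
  Desk := OpenInputDesktop(0, False, DESKTOP_READOBJECTS);
  if Desk = 0 then
    Exit;
  try
    FillChar(Buf, SizeOf(Buf), 0);
    if GetUserObjectInformation(Desk, UOI_NAME, @Buf, SizeOf(Buf), Needed) then
      Result := string(Buf);
  finally
    CloseDesktop(Desk);
  end;
end;

// True when screen capture of the user's desktop is not possible right now.
function IsSecureDesktopActive: Boolean;
var
  Name: string;
begin
  Name := GetInputDesktopName;
  // Treat "could not open" as locked too, so a streaming client does not
  // assume the desktop is capturable when access was denied.
  Result := (Name = '') or SameText(Name, 'Winlogon');
end;

begin
  if IsSecureDesktopActive then
    Writeln('Secure (Winlogon) desktop is active: screen locked or credential prompt')
  else
    Writeln('Input desktop: ', GetInputDesktopName);
end.
```

A client that polls this can tell the remote peer "screen locked" instead of silently dropping frames; a SYSTEM service would first need to launch such a helper in the user's session (via the WTSQueryUserToken route Wil mentions) for the call to succeed.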
Guest
3 hours ago, Wil van Antwerpen said:

I mean that the secure desktop cannot be programmatically controlled from another session and desktop.
This is a security measure in Windows and not even a system user can get around that.

I think there is another side of this, as there is a method and it is documented by Microsoft; please refer to https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-credential-providers

To read more about credential providers, and also the DLL or plugin to be implemented, known as GINA:

https://docs.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina

In the above link, give extra attention to this:

Quote:

Interaction with Network Providers    You can configure a system to support zero or more network providers.

This is way harder than it looks, as accessing the network and sockets in a very controlled and isolated DLL will be hard to get right, and near impossible due to the short documentation around it.

But as Wil said, it is a good thing, as I only saw this in trojans and malicious software. Also, it would be very hard to implement in Delphi/Pascal, as most of its functionality consists of complex callbacks, and at any stage, on any sort of exception or unexpected response from your GINA, the system will not joke about it and will perform a full reboot. Also, you can't debug that thing.


A credential provider might work, but you would implement that in C/C++ and then debug it via a remote debugger.
Doing that in Delphi would be very, very painful.

I think that a GINA DLL no longer works since Vista?

I haven't checked, but you probably also need to get a special agreement with Microsoft or I would expect at least a kernel mode signing certificate requirement for this type of thing.

Fun, but not for the faint of heart.

On 3/26/2021 at 8:03 PM, Wil van Antwerpen said:

Fun, but not for the faint of heart.

OK, I understand the situation!

Thank you for the valuable insights, now I'll have some fun! :D
