How to programmatically interact with winlogon?

5

29

I have a Windows Service that I want to use to programmatically unlock the workstation, using the account username and password.

This article https://technet.microsoft.com/en-us/library/dn751047(v=ws.11).aspx explains the logon authentication workflow on Windows in the following image: [image: authentication workflow]

As seen above, on step 5, the user inputs the credentials into the Logon UI. What I want to achieve is to have the Windows Service input the credentials and have winlogon perform the login.

There is no winlogon API to achieve this. As seen in other questions, using winapi's LogonUser function successfully performs the authentication and returns a token, but it does not switch to the application desktop and the Logon UI remains on screen.

Most articles and SO answers hint towards credentials providers, but all credentials providers samples require user interaction with the Logon UI.

Update: I see some users haven't exactly understood the question and are proposing workarounds that are not useful for my case. The workflow that I'm trying to achieve is the following:

  1. Windows service starts on Windows boot (done).
  2. Same Windows service has a web service and accepts HTTP requests through an API (done).
  3. User provides credentials to the service through the API from another device (done).
  4. Provided credentials are used to log into the work station.
    4.1 Provided credentials are used to also unlock the work station in case of lock (WinKey + L).
  5. (Optional) The service exposes the Windows accounts via the API.
  6. (Optional) The user is able to specify to the service what account wants to use for login.

For now, I am interested in making steps 4 and 4.1.

Padlock answered 30/12, 2017 at 23:17 Comment(24)
I would hope this is not possible, seems like a terrible security hole if it is.Amanita
This would require changing the windows authentication mechanism. Look up GINA in MSDN. However, it would not be recommended to bypass or change the mechanism either. Having said that, a service to have log on rights should have that enabled in the policy, but not to instigate a win logon process - that would be a massive security glitch that would have sysadmins up in arms and pentesters laughing...Rupiah
I'm aware of GINA's capabilities, it's been deprecated from Windows Vista. It's been replaced by credential providers, and I don't think they cover this use case. Also, I definitely don't want a different win logon process. For security reasons, this has to be integrated with the existing winlogon.Padlock
@SoronelHaetir: Where, specifically, do you see a "terrible security hole"?Dissected
"programmatically unlock the workstation" - Could you elaborate why you want to do that? It smells a bit like an XY problem.Musgrove
I'm trying to unlock the computer through the Windows service. So either find a way to programmatically interact with winlogon, or another way using the winapi LogonUser method and use the authentication token to switch to application desktop. Any other method is welcome, as long as it gets the service to successfully unlock the station.Padlock
The first security hole I see is that such a capability would require storing the credentials somehow, outside of winlogin.Amanita
Nobody said anything about storing the credentials. Credentials are provided to the Windows service by someone who knows them and the Windows service passes them further to winlogon.Padlock
@SoronelHaetir: That requirement is completely made up. It does not exist. And even if you were to store the password, this can still be done without compromising security. Uncounted passwords are stored in encrypted sections of web.config files, to allow web services access to secured database backends, for example.Dissected
Seems like a horrific thing to do actually... Why start an interactive logon session if there's no user present? How will you prevent the unlocked workstation being compromised by someone standing next to it? Most importantly,I'd really like to know why you're trying to achieve this as it seems like the wrong solution to any problem. That's before we get to the security model that prevents many services even interacting with the user desktop session.Gear
For anyone downvoting the question, can you please also give a real reason for this, aside from speculations? I'm not the only one trying to achieve this: #6975706 If it's done properly, it's not even by far a security hole.Padlock
Team viewer can logon to the desktop from a locked windows (Win+L), so I'm assuming it's possible. Maybe you could find out how they did it.Indonesia
Heard about that too, very interested in how they did it. But apparently some people here try to gain rep by burying the question.Padlock
I think the bigger question is why do you need the interactive process?Erythropoiesis
The answer is here, this is a duplicate: #32372527Caswell
Does it have to be the service that initiates this action? Can you not just create an account and set it to auto-logon?Devindevina
@JeremyThompson the question may be a duplicate, but the answer does not resolve the problem. It doesn't work if workstation has been locked (WinKey + L), it only works on boot. It also doesn't allow to select the user account, in case there are multiple user accounts.Padlock
@Devindevina I have updated the question with the scenario.Padlock
msdn.microsoft.com/en-us/library/windows/desktop/…Bayern
msdn.microsoft.com/en-us/library/windows/desktop/…Bayern
@Bayern GINA has been deprecated since Windows Vista.Padlock
@wonderdog see the second link for vista or later.Bayern
@Bayern Thank you for the reference, but as I stated in the initial answer, I think that credential providers are just a way to add additional credentials to be presented by the Logon UI. They are used in step 3 in the diagram, not in step 5. I have tried with credential providers for a few weeks and wasn't able to achieve this.Padlock
Just out of curiosity: what is the service going to do after the unlocking? What should happen if multiple users logged in and locked their desktops?Charleycharlie
3

Just while passing... But isn't there, among Microsoft's samples, a credential provider that takes asynchronous input? I've certainly written one that logs on a user who scans an acceptable fingerprint no matter what tile is displayed. To me, this means that interaction with LogonUI need be no more than implicit, but perhaps I'm missing something.

But perhaps I'm not. Though I don't doubt the intention is that the asynchronous input will come from a user acting on hardware, as with scanning a finger, I don't recall this as a rule. If it's not, then you may have your programmatic option in the form of presenting the credentials as if they've been collected asynchronously - not from a device that's obviously attached to the computer but from your side-channel of HTTP with who knows what.

So, can you have a credential provider listen for RPC from your service for notification of credentials that your service has collected via its side-channel? Or have your service listen for RPC from your credential provider to ask what credentials are available yet? I mightn't be surprised if one direction is closed off - for security, even - but I'd have thought one or other can be made to work.

Whether you should want to do any of this, I don't want to get into.

Fashion answered 16/1, 2018 at 22:7 Comment(0)
1

Not that I condone doing this, but just giving you a solution to the problem. And it isn't programmatically interacting with the WinLogon process. It is programmatically working around it.

Use Windows Autologin property. And reboot to change to that user. Note this does involve storing the Password in the registry, in clear text.

Specifically set these registry values:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword

* Edit *

Helps with 4. Doesn't help with 4.1. Unless you wanna reboot to unlock, which I doubt.

Another alternative which sounds promising \ worth investigating is mentioned on an older question https://mcmap.net/q/502829/-unlock-windows-programmatically

Mernamero answered 15/1, 2018 at 11:46 Comment(1)
Doesn't help with 4.1 which is actually more important than 4 since user behavior usually consists of performing unlocking more often than logging in. This solution also further kills perspectives for steps 5 and 6.Padlock
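The registry configuration from the answer above as a PowerShell script. This is an added example, not code from the answer; it assumes an elevated Windows PowerShell session on the target machine and a local account (for a domain account the DefaultDomainName value is set to the domain instead). It also sets the documented AutoLogonCount value and includes an audit function that reports whether a clear-text DefaultPassword is present, which is the weakness the answer itself points out.

```powershell
# Added example: configure and audit Winlogon AutoAdminLogon. Run elevated.
# Assumption: local account; pass -Domain for a domain account.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-AutoLogon {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$Domain = $env:COMPUTERNAME,
        # AutoLogonCount: Windows decrements it on every automatic logon and
        # disables AutoAdminLogon when it reaches 0, so a one-off unlock does
        # not silently become a permanent kiosk.
        [int]$Count = 1
    )
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'       -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $UserName -Type String
    Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $Domain   -Type String
    # The caveat from the answer: the password is stored as a plain REG_SZ,
    # readable by any process that can read HKLM (i.e. every local user).
    Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $Password -Type String
    Set-ItemProperty -Path $Winlogon -Name AutoLogonCount    -Value $Count    -Type DWord
}

function Clear-AutoLogon {
    # Turn autologon off and remove the secret; leave the user name alone.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0' -Type String
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $Winlogon -Name AutoLogonCount  -ErrorAction SilentlyContinue
}

function Test-AutoLogon {
    # Audit check: returns the current state as an object. ClearTextPassword = True
    # is the finding a pentester would write up after reading this key.
    $p = Get-ItemProperty -Path $Winlogon
    [pscustomobject]@{
        Enabled           = ($p.AutoAdminLogon -eq '1')
        User              = $p.DefaultUserName
        Domain            = $p.DefaultDomainName
        ClearTextPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
        RemainingLogons   = $p.AutoLogonCount
    }
}

# Usage:
#   Set-AutoLogon -UserName 'kiosk' -Password (Read-Host 'Password')
#   Restart-Computer
#   Test-AutoLogon
#   Clear-AutoLogon
```

If the password has to persist across many boots, the Sysinternals Autologon tool stores it as an LSA secret instead of the DefaultPassword string, which keeps it out of a plain registry read; it still boots the machine straight into an unlocked desktop, which is the objection raised in the comments on the question.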
0

I had almost the same requirements for a selenium based framework that I am building. Long story short, I needed to run an application in the windows station of a user (WinSTA0) - which meant that a user had to be logged in a VM.

I have already made a project with a credentials manager and used this to achieve the following workflow:

  • Start a VM, copy components with Powershell
  • Install CredManager, reboot VM
  • Cred manager creates a random user, saves it in a database
  • Logs in with that user
  • User has autostart in registry an application and the application starts a webserver that can be contacted to spin selenium sessions

If I understand your requirements correctly, you will need to create a Credentials Manager that will expose a server (http, named-pipes, etc) to be contacted with the credentials to autologin - no need to spend time on UI here. Use the Advise method of your ITestWindowsCredentialProvider implementation to start your server and UnAdvise to stop it.

I would suggest the following to help you get there:

  • Use an external logging service (like app-insights) to get feedback from your service and ease debugging
  • Use a VM as good practice because a critical failure in Winlogon will render the computer useless.
  • Use try/catch at the top level of all your methods in the COM component implementation to swallow exceptions and avoid winlogon crashes

Also, for the bigger picture, you will have to have in mind that all those processes have different access (and lifetime for COM components) to windows stations, desktops and run as different users. I do not think however that this will be relevant for you much.

You can find the base credentials manager code here: https://github.com/phaetto/windows-credentials-provider

Ineffable answered 2/3, 2018 at 12:2 Comment(0)
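The service-to-provider handoff that the answer above describes, written out in PowerShell as an added example; it is not code from the answer or from the linked GitHub project. In the real design the server end lives inside the credential provider (started from ICredentialProvider::Advise in LogonUI.exe, which runs as SYSTEM) and the client end is the Windows service from the question; here both ends are PowerShell so the exchange can be exercised on one machine. Assumptions: Windows PowerShell 5.1 (the .NET Framework NamedPipeServerStream constructor that accepts a PipeSecurity), and a pipe name and JSON message shape chosen for this example.

```powershell
# Added example: named-pipe handoff of credentials from the service to the
# credential provider, with the pipe DACL locked down. Assumed name, not from the page.
$PipeName = 'UnlockHandoff'

function New-RestrictedPipeSecurity {
    param([string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM'))
    # No Everyone / Authenticated Users ACE: an unprivileged local process must not
    # be able to push credentials at the provider (even wrong ones, which would let
    # it lock the account out through repeated failed logons).
    $sec = New-Object System.IO.Pipes.PipeSecurity
    foreach ($principal in $AllowedPrincipals) {
        $rule = New-Object System.IO.Pipes.PipeAccessRule($principal,
            [System.IO.Pipes.PipeAccessRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($rule)
    }
    return $sec
}

function Receive-CredentialHandoff {
    # Stand-in for the listener a credential provider starts in Advise().
    # Blocks for one client; returns the accepted credential or $null.
    param([string[]]$AllowedPrincipals = @('NT AUTHORITY\SYSTEM'))
    $server = New-Object System.IO.Pipes.NamedPipeServerStream($PipeName,
        [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte,
        [System.IO.Pipes.PipeOptions]::None, 4096, 4096,
        (New-RestrictedPipeSecurity -AllowedPrincipals $AllowedPrincipals))
    try {
        $server.WaitForConnection()
        $reader = New-Object System.IO.StreamReader($server)
        $writer = New-Object System.IO.StreamWriter($server)
        $writer.AutoFlush = $true
        # Second check, independent of the DACL: who is actually on the other end.
        $caller = $server.GetImpersonationUserName()
        $msg = $reader.ReadLine() | ConvertFrom-Json
        if (-not ($msg.user -and $msg.password)) {
            $writer.WriteLine('{"status":"rejected","reason":"incomplete"}')
            return $null
        }
        $writer.WriteLine('{"status":"accepted"}')
        # A real provider would now fill its default tile from $msg and call
        # ICredentialProviderEvents::CredentialsChanged so LogonUI re-enumerates;
        # with pbAutoLogonWithDefault set in GetCredentialCount it submits the tile
        # without a keypress. LSA still validates the password: nothing here bypasses it.
        [pscustomobject]@{ Caller = $caller; User = $msg.user; Domain = $msg.domain }
    } finally {
        $server.Dispose()
    }
}

function Send-CredentialHandoff {
    # What the Windows service does once its HTTP API has received credentials (step 3).
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$Domain = $env:COMPUTERNAME,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $PipeName,
        [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect($TimeoutMs)
        $writer = New-Object System.IO.StreamWriter($client)
        $writer.AutoFlush = $true
        $reader = New-Object System.IO.StreamReader($client)
        $payload = @{ user = $UserName; domain = $Domain; password = $Password } | ConvertTo-Json -Compress
        $writer.WriteLine($payload)
        return ($reader.ReadLine() | ConvertFrom-Json)
    } finally {
        $client.Dispose()
    }
}

# Usage (save as handoff.ps1, an assumed file name, and use two sessions or a job):
#   Start-Job { . C:\path\handoff.ps1; Receive-CredentialHandoff -AllowedPrincipals "$env:USERDOMAIN\$env:USERNAME" }
#   Send-CredentialHandoff -UserName 'alice' -Password (Read-Host 'Password')
```

The DACL plus the GetImpersonationUserName check are the two controls worth keeping when this is moved into the C++ provider: the pipe is the one place where something other than the keyboard can hand LogonUI a password, so it should only be writable by the service identity. The network-facing part of the design (the HTTP API in step 2) needs its own authentication and TLS, since the credentials cross it in the clear otherwise.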
0

Your task is to implement the credential provider interfaces; at the point where your service receives credentials they can be easily forwarded to LogonUI - look at this answer.

The goal is to implement default tile which can pack these credentials.

My own credential provider also has an auto logon/unlock behaviour in some use cases.

Smile answered 10/10, 2018 at 8:25 Comment(0)
-7

Programmatically bypassing/logging in on a user's behalf is scary with regards to cyber security.

I'm not sure what you are trying to do, but why not deploy a run task to do the work using a service account on the machine instead?

You can configure it to run even when the user is not logged in on a specified time/event. If that doesn't work for you, could you describe your scenario a little more?

Peeples answered 8/1, 2018 at 20:1 Comment(1)
I already have the service that runs in background. Its purpose is to unlock the station, there's nothing else it needs to do.Padlock

© 2022 - 2024 — McMap. All rights reserved.