Taking Advantage of the Winlogon Notification Package
Published: 2019-06-23


Introduction

The Winlogon Notification Package is a DLL that exports functions to handle Winlogon.exe events. These event messages include lock, unlock, logoff, logon, startup, shutdown, startscreensaver, stopscreensaver, and startshell.

This article demonstrates how to use the Winlogon Notification Package as an alternative to NT Services. The main benefit of doing this is better handling of user activities. In addition, a Winlogon Notification Package is very lightweight and requires much less code than its NT service equivalent.

The Steps

Creating a Winlogon Notification package is very simple. Just create a DLL with specific functions to run during the Winlogon event messages. To let Winlogon.exe know about your DLL, simply add a few entries into the registry where appropriate. This method can be quite robust and versatile when combined with your services and applications.

Sample

This sample starts a Win32 application before the user logs on. Because the process is started by Winlogon, it is owned by the system account, and users cannot end it through 'End Task'. This is exactly how NT services behave. In this sample, the logoff notification terminates the process. If the process needs to stay active, the StopProcessAtWinLogoff function should be removed. If we wanted the process to be owned by the user, we could use CreateProcessAsUser during a startup notification instead of a logon notification.

Step 1.) - the dll

//sample.cpp
#include <windows.h>
#include <tchar.h>
#include <winwlx.h>

PROCESS_INFORMATION g_pi;
//Command line of the process to start. CreateProcess may modify this
//buffer, so it must be a writable array with escaped backslashes.
TCHAR g_szPath[] = _T("c:\\somepath\\execut.exe \"arguments\"");

//This function safely terminates a process, allowing
//it to do cleanup (ie. DLL detach)
//It can be found at the Windows Developer's Journal
BOOL SafeTerminateProcess(HANDLE hProcess, UINT uExitCode);

//Entrance function for the DLL
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hInstance);
        break;
    }
    return TRUE;
}

//Event handler for the Winlogon Logon event
VOID APIENTRY StartProcessAtWinLogon(PWLX_NOTIFICATION_INFO pInfo)
{
    static TCHAR szDesktop[] = _T("WinSta0\\Default");
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));    //clear every field we do not set
    si.cb = sizeof(STARTUPINFO);
    si.lpDesktop = szDesktop;       //the interactive user's desktop
    si.dwFlags = 0;
    si.wShowWindow = SW_SHOW;
    ZeroMemory(&g_pi, sizeof(g_pi));
    CreateProcess(NULL, g_szPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                  NULL, NULL, &si, &g_pi);
}

//Event handler for the Winlogon Logoff event.
VOID APIENTRY StopProcessAtWinLogoff(PWLX_NOTIFICATION_INFO pInfo)
{
    //terminates the process
    SafeTerminateProcess(g_pi.hProcess, 0xDEADBEEF);
}

//other event handlers
VOID APIENTRY YOUR_EVENT_HANDLERS(PWLX_NOTIFICATION_INFO pInfo)
{
    //code
}
//...

Step 2.) - the exports

The program hasn't exported any functions yet. We need to create a .def file.

sample.def

EXPORTS
StartProcessAtWinLogon
StopProcessAtWinLogoff

 

Now add the following to your linkage options in VC6 and build.

/def:"sample.def"

If everything went well, the files sample.dll and sample.exp will be in your output folder. Move these to \%NTROOT%\system32

Step 3.) - the registry

Add the following values and keys to the registry. These values communicate to Winlogon.exe and let it know which procedures to run during an event notification. Add as few or as many notification events as needed.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NameOfProject
\Asynchronous  REG_DWORD  0
\Dllname       REG_SZ     NameOfDll.dll
\Impersonate   REG_DWORD  0
\Logon         REG_SZ     StartProcessAtWinLogon
\Logoff        REG_SZ     StopProcessAtWinLogoff
\...           REG_SZ     NameOfFunction

That's it! Now restart and Winlogon.exe will launch your app.
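
To review which notification packages a host has registered under the Notify key from Step 3, the following added example (not part of the original article) parses the text printed by `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s` and reports every package whose DLL is not in a reviewed baseline. The baseline contents, the KnownGood entry and the sample output are constructed for illustration; the second entry reuses the article's registry values.

```python
import re
NOTIFY_KEY = r"software\microsoft\windows nt\currentversion\winlogon\notify"
# Event value names, taken from the article's list of Winlogon events.
EVENTS = {"lock", "unlock", "logoff", "logon", "startup", "shutdown",
          "startscreensaver", "stopscreensaver", "startshell"}
# reg.exe prints each value as: <indent>Name<4 spaces>REG_TYPE<4 spaces>Data
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_notify(reg_output):
    """Parse `reg query <Notify key> /s` text into {package: {value: data}}."""
    packages, current = {}, None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            head, _, name = line.rstrip().rpartition("\\")
            # Only direct subkeys of ...\Winlogon\Notify are packages.
            is_pkg = head.lower().endswith(NOTIFY_KEY)
            current = packages.setdefault(name, {}) if is_pkg else None
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return packages

def audit(packages, baseline):
    """Report packages whose DllName is not in `baseline` (lowercase names)."""
    findings = []
    for name, values in sorted(packages.items()):
        dll = values.get("dllname", "")
        if dll.lower() in baseline:
            continue
        handlers = {k: v for k, v in values.items() if k in EVENTS}
        findings.append({"package": name, "dll": dll, "handlers": handlers})
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\KnownGood
    DllName    REG_EXPAND_SZ    knowngood.dll
    Logoff    REG_SZ    KnownGoodLogoff

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NameOfProject
    Asynchronous    REG_DWORD    0x0
    Dllname    REG_SZ    NameOfDll.dll
    Logon    REG_SZ    StartProcessAtWinLogon
    Logoff    REG_SZ    StopProcessAtWinLogoff
"""

if __name__ == "__main__":
    for finding in audit(parse_notify(SAMPLE), baseline={"knowngood.dll"}):
        print(finding)
```

Each finding lists the exported handler Winlogon would call for each event, which is the starting point for examining the DLL itself.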

Reposted from: http://ksdha.baihongyu.com/
