Entry point before winlogon.exe?

Roberto Hofer

Probably this isn't the correct ng for my question, but I do not know
exactly if it is a XPe specific problem or not!

First of all, our task is to deliver a time based logon system. During
daylight there is standard windows logon using standard msgina. At
night security level increases and only fingerprint systems are
allowed to log on using our own gina. So here is the problem:

At which point at the boot process do I have a full Win32 API? I tried
a standard win32 console application and named it winlogon.exe, which
should set the correct gina entry into the registry depending on
daytime, and then calls the real renamed winlogon.exe.

Should be no problem I thought, because Winlogon in standard Windows
XP is started after the Win32 subsystem, but as a matter of fact it
is. System doesn't even boot anymore, when I start my own renamed
win32 app at bootup, just a black screen. Is there any way how I can
get a hook before winlogon.exe is started and also have win32 api?

Thanks in advance for any clue!

Roberto Hofer
 
KM

Roberto,

I don't think you can remove/replace Winlogon.exe.
Win32 subsystem (CSRSS.exe) and Winlogon.exe are started by Session Manager ([HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]). The Session Manager also waits on CSRSS and Winlogon processes and crashes system if they are terminated.
Basically, ntoskrnl.exe launches both.

I don't really understand why you need to replace Winlogon? You mention that your "fingerprint system" is using its own gina. They
should be enough to implement your custom level of security.
If you want to get rid of Winlogon you will need to base your image on kernel mode only.

You may also want to ask this question in microsoft.public.win32.programmer.kernel newsgroup.
 
Roberto Hofer

> You may also want to ask this question in microsoft.public.win32.programmer.kernel newsgroup.

Done! Posted nearly the same question there!

> I don't really understand why you need to replace Winlogon?

Well, it is not really a replacement and it isn't necessary at all.
My Winlogon should just check daytime and depending on how late it is,
change the Registry entry, which gina is loaded. After that, the
normal winlogon is executed. So this is just a "man in the middle"
app, because I need to do some stuff, before winlogon is called. If
there is another way to get one of my win32 apps started before
winlogon, I am thankful for every clue. I just replaced it, because I
knew winlogon.exe is called! That's all. But it seems as if win32 code
doesn't work in this state of the boot process. Anyone, who can
confirm?

Best regards!

Roberto Hofer
 
Slobodan Brcin (eMVP)

Hi Roberto,

You have a few different options depending on how low you want to go.

1. Write driver program.
2. Write program that uses native api.
3. Write win32 service.

Writing a service should do the job for you, but things you do sound rather
crude.

Why don't you make a simple pass-through to all functions of msgina and
when you need your functions then you just use your custom functions
instead.

This should work. Your gina instead of msgina and when you need msgina just
make a pass-through.

Does this make any sense?


Regards,
Slobodan

 
Roberto Hofer

Yes, it did that way. Gina replaced and at least I have a (quite)
early entry point!

Thanks Slobodan!

Best regards!

Roberto Hofer
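
The pass-through design suggested in this thread, modeled in portable C as an added example (not code from any poster or from Microsoft): one wrapper picks the backend at every logon attempt instead of rewriting the registry at boot, so a machine that stays up across the day/night boundary still switches. The backend names, the 20:00 to 06:00 night window and the `pw:`/`fp:` credential strings are assumptions; a real GINA would forward its Wlx* exports to msgina.dll instead.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a pass-through GINA: one wrapper, two backends. */
typedef int (*logon_fn)(const char *credential);

struct backend { const char *name; logon_fn logged_out_sas; };

/* Stand-ins (constructed) for msgina's password logon and the custom
   fingerprint logon; they only inspect a made-up credential prefix. */
static int password_logon(const char *c)    { return c && strncmp(c, "pw:", 3) == 0; }
static int fingerprint_logon(const char *c) { return c && strncmp(c, "fp:", 3) == 0; }

static const struct backend MSGINA      = { "msgina",      password_logon };
static const struct backend FINGERPRINT = { "fingerprint", fingerprint_logon };

/* Assumed policy: night runs from NIGHT_START to NIGHT_END (minutes since 00:00). */
enum { NIGHT_START = 20 * 60, NIGHT_END = 6 * 60 };

/* Returns 1 for night, 0 for day. An out-of-range clock value counts as
   night, so the wrapper fails closed to the stricter backend. */
int is_night(int hour, int minute)
{
    if (hour < 0 || hour > 23 || minute < 0 || minute > 59)
        return 1;
    int now = hour * 60 + minute;
    if (NIGHT_START <= NIGHT_END)                    /* window inside one day */
        return now >= NIGHT_START && now < NIGHT_END;
    return now >= NIGHT_START || now < NIGHT_END;    /* window wraps past midnight */
}

/* Evaluated per logon attempt, not once at boot. */
const struct backend *select_backend(int hour, int minute)
{
    return is_night(hour, minute) ? &FINGERPRINT : &MSGINA;
}

/* Models the wrapper's logon export (WlxLoggedOutSAS in a real GINA):
   forward to the selected backend; 1 = logon accepted, 0 = refused. */
int dispatch_logon(int hour, int minute, const char *credential)
{
    return select_backend(hour, minute)->logged_out_sas(credential);
}
```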
 