I don't see an obvious alternative to Windows service?

I am working on a little software that targets some special Windows based kiosks. It listens for certain keystrokes / commands with the driver, intercepts them and performs certain actions.

At that point I have a Proof of Concept working great. I can run it as a console app in the background, or I can also create it as a windows service. The Windows service is really efficient and works well, but a colleague hinted that it would be nice to be able to perform tasks based on which user's application / window is active - something I cannot do (legally) from Windows because it cannot list custom applications.

The obvious solution would be to just run it in the background - no drama, except that these kiosks use a custom Windows shell (deployed using Group Policy). Because of this, the normal Explorer launch keys are not initialized. I don't understand how to make my software autostart in this scenario.

Alternatively, if anyone has a workaround for listing active windows and such for a specific user from a Windows service, I would be interested. NB: I don't need to do anything on the desktop, just read the data.

+3




2 answers


Windows Vista and up will prevent the service from interacting with desktop applications at all, which is part of the new OS security approach. I have something similar (in spirit) that I developed for an app system that lists windows looking for a specific legacy app and then sends some messages to it (all of this is so much over the board, and another way to automate the creaky old Appendix). I just run it as a system tray app when people log in using Group Policy. But I don't have a custom Windows shell problem that you seem to be running into. Good luck!

So userinit (`HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\`) is probably not a particularly bad place to do this, but there should be an alternative or two. It's actually a bit silly (if you ask me) how many places Autorun has appeared in Windows over the years.

Mostly copied from http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/ with an update or two. I figured it might be convenient here too, and who knows what will stay online forever (or not)?

Other autorun locations include the following:

Boot device drivers

Hardware.

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

      

Windows does some cleaning and then starts Winlogon, which starts the Service Control Manager, which starts the services and drivers.

Services

The SCM starts services and drivers marked with a start value of 2.

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

      

RunServicesOnce

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

      

RunServices

HKLM\...\RunOnce records will not start until they run out.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

      

** A login prompt is displayed, the user is logged in, then automatic processing occurs.

Notify launches programs in response to events including logon, logoff, startup, shutdown, startscreensaver, stopscreensaver. Malicious programs often use this key to launch.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

      

UserInit specifies programs to run immediately after user logs in, accepts a comma separated list of programs. Userinit.exe loads your profile by default. A shared key is also used to exploit malware.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

      

Shell contains a comma list of programs that userinit.exe launches. The default shell is explorer.exe. Programs are launched first in HKCU, then in HKLM.

  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

      

** The rest of Autostart locations are being processed now ...



RunOnce (HKLM). Primarily intended for installers that removed the OS after the first start, if this path is preceded by an exclamation mark (!), otherwise it will be removed before the program starts. These programs run synchronously in undefined order, so they must be populated before the HKLM\...\Run, HKCU\...\Run, HKCU\...\RunOnce and Startup folders can be loaded. These keys are ignored when booting in safe mode.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

      

Run The most common startup locations for standard programs to run automatically are ignored in safe mode unless prefixed with an asterisk (*).

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      

Boot folder (all users)

Win7 and up %ProgramData%\Microsoft\Windows\Start Menu

Win XP / 2K C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Boot folder (for user)

Win7 and up %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Win XP / 2K %USERPROFILE%\Start Menu\Programs\Startup

RunOnce (HKCU), intended primarily for installers, has the same semantics as the HKLM RunOnce key (above).

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

      

Run explorer is typically used to run programs according to a configuration policy.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

      

Load key is deprecated, usually not used.

  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

      

AppInit_DLLs, this registry value contains a list of DLLs that will be loaded when user32.dll is loaded. Many programs load user32.dll, so everything listed here is loaded into all of these programs. Used by malware.

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

      

ShellServiceObjectDelayLoad is similar to Run, but points to the registered CLSID value of InProcServer. The files listed under this key are automatically loaded by Explorer when you start your computer at the start of the startup process.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

      

SharedTaskScheduler The files listed here start automatically when Windows starts.

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

      

Other potential startup locations depending on the OS:

  • C:\autoexec.bat
  • C:\config.sys
  • %WINDIR%\wininit.ini - Typically used by installers to run a file once and then uninstall.
  • %WINDIR%\Winstart.bat
  • %WINDIR%\win.ini - [windows] "load"
  • %WINDIR%\win.ini - [windows] "run"
  • %WINDIR%\system.ini - [boot] "shell"
  • %WINDIR%\system.ini - [boot] "scrnsave.exe"
  • %WINDIR%\dosstart.bat - Used in Win95 or 98 when you select "Restart in MS-DOS Mode" from the shutdown menu.
  • %WINDIR%\system\autoexec.nt
  • %WINDIR%\system\config.nt
+2




I have the end result I want by adding my application to the UserInit registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Userinit c:\windows\system32\userinit.exe, c:\myapp\myapp.exe



This works great, but looks incredibly hacky and I would love the alternatives.

0
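A read-only audit of the Winlogon `Userinit` and `Shell` values and the `Run`/`RunOnce` keys discussed in the answers above, as an added example that is not part of the original posts. The baseline entries are assumptions for a stock install and must be adapted to the image being checked (a kiosk's custom shell, or an intentionally added program such as `c:\myapp\myapp.exe`).

```powershell
# Added example: lists what is configured to start at logon and marks anything
# in Winlogon\Userinit or Winlogon\Shell that is not in the expected baseline.
# Baseline values are assumptions for a default install; edit them per image.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
    Shell    = @('explorer.exe')
}

function Split-AutostartList([string]$Value) {
    # Both values hold comma-separated program lists; Userinit normally ends
    # with a trailing comma, so empty items are dropped.
    $Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

$findings = foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\$winlogon"
    foreach ($name in $expected.Keys) {
        $raw = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $raw) { continue }   # value not set in this hive
        foreach ($entry in Split-AutostartList $raw) {
            [pscustomobject]@{
                Key    = $key
                Value  = $name
                Entry  = $entry
                # -contains is case-insensitive for strings in PowerShell
                Status = if ($expected[$name] -contains $entry) { 'baseline' } else { 'REVIEW' }
            }
        }
    }

    # Run / RunOnce: every value under the key is a command line. There is no
    # baseline for these here, so they are listed for manual review.
    foreach ($sub in 'Run', 'RunOnce') {
        $runKey = Get-Item -Path "$hive\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if ($null -eq $runKey) { continue }
        foreach ($valueName in $runKey.GetValueNames()) {
            [pscustomobject]@{
                Key    = $runKey.Name
                Value  = $valueName
                Entry  = $runKey.GetValue($valueName)
                Status = 'listed'
            }
        }
    }
}

$findings | Sort-Object Status, Key | Format-Table -AutoSize -Wrap
```

The script only reads the registry; HKCU results reflect the account it runs under, so run it in the kiosk user's session to see that user's values.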

