Exetools  

#1
08-26-2013, 05:05
TmC
CTRL + ALT + DEL Disable

Hi everyone,
long time no post, but going from university to work has been hard.

Today I'm asking for some hints to solve a problem with an application I am currently developing:

I am actually working on an application that will be installed in a museum environment.
This program will run on a machine that is not an embedded machine, but has to work like a normal PC, with keyboard and mouse.
When the application is started, by personnel intervention, the application runs full-screen and will be used by visitors.

This requires some security measures, like disabling, by all means, the possibility that the user could use the PC for anything other than the application itself. I have thus disabled, with hooking code, all special OS codes that could let the user exit or minimize the program and use the PC (ALT+F4, ALT+TAB, WIN KEY, CTRL+SHIFT+ESC, etc.).

This works great EXCEPT for CTRL+ALT+DEL.

Some internet research pointed out that CTRL+ALT+DEL is a SAS sequence and can't be trapped by programs, since it is a security feature, and so it can't be disabled.

In Windows, CTRL+ALT+DEL wakes up the login screen, giving the user the possibility to reboot, shut-down, start the task manager (Killing the application) and so on...

The problem is mainly that the PC needs to have a keyboard connected to it so anyone can hit the SAS sequence and go into the PC.

So here is the question: how can I disable CTRL+ALT+DEL only when the application is running and restore the normal behaviour when the PC is used as a normal PC by the personnel?

Is the only option left really to write a filter driver that checks if Application.exe is running and silently filters any CTRL+ALT+DEL requests?

Thanks in advance.

#2
08-26-2013, 05:12
mr.exodia
point ctrl+alt+delete directly to task manager and disable task manager using windows management window (gpedit.msc)

edit: about personnel, just add a secret hotkey that pops up a little window with password

http://support.microsoft.com/kb/555480

Last edited by mr.exodia; 08-26-2013 at 05:19. Reason: read whole question

#3
08-26-2013, 18:29
wilson bibe
If I understood you, try this; it works on x86, for x64 you need to make changes in the code.
Attached Files
File Type: rar Source+Compiled.rar (4.9 KB, 41 views)

#4
08-26-2013, 21:58
athapa
If you want to enable/disable what you see in the screen after pressing ctrl+alt+del only when your application is running then you'll need to make changes in registry similar to what the policy editor would do.

So basically you'd update the registry when your app starts and reset those values back when your app is closing.

For example, if you want to disable task manager from the CAD screen then your application can change this registry value

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1

DisableLockWorkstation = 1 in the same location will disable lock screen

DisableChangePassword = 1 will disable users from changing password

There are other registry values you can change to remove "switch user", "log off" and so on.

Search for the utility "Tweak Ctrl+Alt+Del Options Tool v1.0". The registry keys are encrypted in that app but you can probably figure that out.

If you can't find that utility then let me know.
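
The set-on-start, reset-on-close approach from post #4, as an added example that is not part of the original post or its attachments. It assumes a hypothetical application path and an account that is allowed to write to its own Policies key; values that did not exist beforehand are removed again rather than set to 0.

```powershell
# Added example, not code from the thread.
# Assumptions: $AppPath is a placeholder, and the account running this script can
# write to its own HKCU Policies key (by default that needs administrative rights,
# and an elevated process for another account edits that account's hive instead).
param([string]$AppPath = 'C:\Kiosk\Application.exe')

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$names = 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword'

function Get-PolicySnapshot {
    # Record each value as it is now; $null means the value did not exist.
    $snap = @{}
    foreach ($n in $names) {
        $item = Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        $snap[$n] = if ($item) { $item.$n } else { $null }
    }
    $snap
}

function Set-KioskPolicy {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($n in $names) {
        New-ItemProperty -Path $key -Name $n -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Restore-Policy([hashtable]$snap) {
    foreach ($n in $names) {
        if ($null -eq $snap[$n]) {
            # Value was absent before the kiosk session: remove it again.
            Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $key -Name $n -Value $snap[$n] -PropertyType DWord -Force | Out-Null
        }
    }
}

$before = Get-PolicySnapshot
try {
    Set-KioskPolicy
    Start-Process -FilePath $AppPath -Wait   # blocks until the kiosk application exits
}
finally {
    Restore-Policy $before                   # runs on normal exit and on script errors
}
```

A power loss or forced kill skips the `finally` block and leaves the values at 1, so staff need a separate way to reset them.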

#5
08-26-2013, 22:04
athapa
Wilson,

I tried the one you posted, it disables task manager only from the list and you also need to run the exe as an admin. This could be a good place for TmC to add more registry keys if he needs to do that in vb6.

Regards,
athapa

#6
08-30-2013, 15:20
2late
The simple method illustrated at the link below disables keyboard scancodes in the Registry

_http://www.northcode.com/blog.php/2007/07/25/Securing-Windows-For-Use-As-A-Kiosk

The admin can take over the PC via mstsc /console (Remote Desktop Protocol), or can restore the original Registry key.

Another option is to tweak msgina.dll that handles login/logout etc.

#7
08-30-2013, 20:38
TmC
Thanks for the replies.

I have read that in Windows 7 embedded, the keyboard filter can be enabled, but in Windows 7 plain version this service does not exist.

Some time ago, I read some tutorials to enable or disable some Windows hidden features, copying some lines from the embedded edition to the desired edition cat/ini files.

Do you believe that it is possible to do that with Windows 7?

#8
08-30-2013, 20:52
mr.exodia
I actually don't think there is an OS portable version of code that disables CTRL+ALT+DEL, you might be able to write a system driver that hooks the code that calls the logon screen though.

Microsoft provides windows features to disable CTRL+ALT+DEL, what's so bad about that?

#9
08-30-2013, 21:19
TmC
Absolutely nothing, the only concern I have is that pointing ctrl+alt+del to task manager and disabling task manager, raises a Messagebox saying "task manager has been disabled by system administrator".

Doing that, my application loses focus and I fear that in this case ALT+TAB might work.

#10
08-31-2013, 02:21
mr.exodia
hmm, that's indeed a problem...

you could point ctrl+alt+del to the task manager and from there hook CreateProcess to kill it even before it started. Another way would be to simply rename taskmgr to taskmgr_ or something like that. This could be done every time your museum shell is started... Even another solution would be to inject a custom DLL into every process (using this registry trick you see in some malware) that just checks if a mutex or something similar exists and then kills taskmgr when your museum shell does not give the green light.

Hope there is an idea you like..

#11
08-31-2013, 02:50
|roe
Maybe also creating a dedicated user so UAC intervenes? However if users can get full control, I am not sure, but you can hit the inappropriate person that knows to bypass UAC itself.

So far, creating a limited account and using the Administrator account to disable all of these should do the job. Don't know however, how you can not popup to not lose focus.

If it was a touchscreen like these PoS systems we see, would have been easier, however, in this case, some malware as already stated may provide a clue how to disable it, the only problem is the popup maybe.

The rest is complicated/complex and writing a driver (as suggested) for W$ can crash the whole system if it is not written properly.

#12
08-31-2013, 18:38
TmC
Quote:
Originally Posted by mr.exodia
Another way would be to simply rename taskmgr to taskmgr_ or something like that.

I think this is impossible, because taskmgr.exe is a system protected file and Windows auto-restores it if it senses its absence. I might disable that system protection but it's a dead-man option.

One option I am actually considering is to write a custom touch-screen keyboard, leaving the actual hardware keyboard in a locker.

This would solve the keyboard problem but it would complicate the program usability a bit.

I think I should carefully think about advantages or disadvantages and choose the least bad option.

#13
08-31-2013, 19:54
mr.exodia
I found a solution that is clean and only requires modification of a few registry keys on program installation to work... The solution that works on my pc (after binding CTRL+ALT+DEL to taskmgr.exe) is this:

Just add the DLL to your AppInit_DLLs and task manager will only open if you created the mutex named "green_light"
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 32 bit taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 64 bit taskmgr.exe

Attached source + dlls, fully tested and working on Win7 Ultimate x64.

edit: you might wanna read some topics about AppInit_DLLs if you're planning to run your software on Windows 8. Here it requires you to set some other registry keys as well. also added a small mutex tool so you can test it without writing much stuff
Attached Files
File Type: rar taskmgr_disable.rar (43.4 KB, 17 views)
File Type: rar MutexTool.rar (5.1 KB, 10 views)

Last edited by mr.exodia; 08-31-2013 at 20:00. Reason: added attachment
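
A check for what the two AppInit_DLLs locations from post #13 will actually load, as an added example that is not part of the original post or its attachments. It assumes a 64-bit PowerShell session on 64-bit Windows; `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` are the companion values in the same key that control whether the list is honoured and whether listed DLLs must be signed.

```powershell
# Added example, not code from the thread.
# Assumption: run from 64-bit PowerShell, so neither the registry nor System32 is redirected.
$views = @{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-AppInitReport {
    foreach ($v in $views.GetEnumerator()) {
        $p = Get-ItemProperty -Path $v.Value -ErrorAction SilentlyContinue
        if (-not $p) { continue }   # key absent, e.g. no Wow6432Node on 32-bit Windows

        # Entries without a path are resolved from the matching system directory.
        $sysDir = if ($v.Key -eq '32-bit') { "$env:SystemRoot\SysWOW64" }
                  else                     { "$env:SystemRoot\System32" }

        # The value is a list delimited by spaces or commas.
        $dlls = "$($p.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ }
        foreach ($dll in $dlls) {
            $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sysDir $dll }
            $sig  = if (Test-Path $full) { (Get-AuthenticodeSignature $full).Status }
                    else                 { 'FileMissing' }
            New-Object PSObject -Property @{
                View          = $v.Key
                Dll           = $full
                Signature     = $sig
                LoadEnabled   = [bool]$p.LoadAppInit_DLLs
                RequireSigned = [bool]$p.RequireSignedAppInit_DLLs
            }
        }
    }
}

Get-AppInitReport | Format-Table View, Dll, Signature, LoadEnabled, RequireSigned -AutoSize
```

An entry that appears here and was not put there by the kiosk installer deserves attention, since every process that loads user32.dll will load it.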

#14
08-31-2013, 23:35
ontryit
TmC: On WinXP you can disable the ctrl+alt+del keys by hooking SAS/MSGINA; I have done it successfully in Delphi. But on OSes above XP, there is no more SAS Window and I am still looking for a proper way to disable the keys without using "scancode" by editing the registry. Btw, what language do you code with?

[sorry my English]

#15
09-01-2013, 04:49
wilson bibe
' Layout of the structure passed to Shell_NotifyIcon
Private Type NOTIFYICONDATA
    cbSize As Long
    hWnd As Long
    uId As Long
    uFlags As Long
    ucallbackMessage As Long
    hIcon As Long
    szTip As String * 64
End Type
Private Const NIM_DELETE = &H2
Private Declare Function Shell_NotifyIcon Lib "shell32" Alias "Shell_NotifyIconA" (ByVal dwMessage As Long, pnid As NOTIFYICONDATA) As Boolean
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

Private Sub Form_Load()
    Dim tskWin As Long
    Dim t As NOTIFYICONDATA
    ' Start Task Manager with its window hidden
    Shell "taskmgr.exe", vbHide
    ' Wait until its dialog window (class #32770) exists
    Do Until tskWin <> 0
        tskWin = FindWindow("#32770", "the name of window of taskmgr.exe in your language")
        DoEvents ' yield so the wait loop does not freeze the form
    Loop
    ' Remove Task Manager's notification-area icon
    t.cbSize = Len(t) ' Shell_NotifyIcon requires the structure size
    t.hWnd = tskWin
    Shell_NotifyIcon NIM_DELETE, t
End Sub

Create a .dll file with this code and call it by inserting code in a code cave of your app; it works in all the files that I develop to sell when I need to lock the ctrl+alt+del sequence.
*you don't need admin privileges to run it
**translate this code to the language that you used in your app
BR

All times are GMT +8.