Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about the method of shielding the sequence of Ctrl+Esc keys in the XP system. The article is rich in content and analyzes and describes it from a professional point of view. I hope you can get something after reading this article.

For people who have used Windows, there are few people who don't know about the Ctrl+Alt+Del key combination, especially when using the often crashing Windows9x, which is an emergency exit provided specifically for system security.

In Windows 9x/Me systems, shielding Ctrl+Alt+Del and opening the key to various tasks are realized through the following methods:

BOOL bOldState

SystemParametersInfo (SPI_SETSCREENSAVERRUNNING, TRUE, & bOldState, 0)

The boss of MS thought this method was amateur, so he modified it in Windows NT/2000/XP. In these newer Windows versions, users log in using Winlogon and GINA--Graphical Identification and Authentication, which means graphical authentication, which is scary, isn't it? Actually, that's what happened. Winlogon is a part of Windows system, which provides interactive login support, and GINA is a DLL-- that Winlogon uses to achieve authentication. This DLL is msgina.dll. WlxInitialize and WlxActivateUserShell are the outputs. Of course, I don't know these two, and there are others. The former initializes itself, while the latter activates the user's shell. Windows uses this DLL to authenticate user names and passwords, but developers can use their own GINA instead of msgina.dll. For example, implement authentication mechanisms such as smart cards, retinal scanners, DNA checks, and so on, instead of entering user names and passwords. All the functions related to GINA are listed in the table below. One of them is WlxLoggedOnSAS, which Winlogon calls when the Ctrl+Alt+Del key is pressed.

(table 1) list of GINA functions description of table functions

WlxActivateUserShell activates the user shell

WlxDisplayLockedNotice allows GINA DLL to display lock information

WlxDisplaySASNotice Winlogon calls this function when no user is logged in

WlxDisplayStatusMessageWinlogon calls this function with a status message to display

WlxGetConsoleSwitchCredentials Winlogon calls this function to read the trust information of the currently logged in user and transparently passes them to the target session.

WlxGetStatusMessage Winlogon calls this function to get the current status information

WlxInitialize initializes GINA DLL for the specified window location

WlxIsLockOk verifies that the workstation locks up properly

WlxIslogoffOk verifies that logout is normal

The WlxLoggedOnSAS user has logged in and the workstation is not locked. If the SAS event is received at this time, Winlogon calls this function.

WlxLoggedOutSAS has no user login. If you receive a SAS event at this time, Winlogon will call this function.

Notify GINA DLL when WlxLogoff requests a logout operation

WlxNegotiate indicates whether GINA DLL can be used in the current version of Winlogon

After WlxNetworkProviderLoad loads the network service provider to collect identity and authentication information, Winlogon calls this function

WlxRemoveStatusMessage Winlogon calls this function to tell GINA DLL to stop displaying status information

WlxScreensaverNotify allows GINA to interact with screen saver operations

WlxShutdown calls this function by Winlogon before shutting down, allowing GINA to perform any shutdown task, such as exiting a smart card from the card reader

WlxStartApplication calls this function when the system needs to start the application in the context of the user

WlxWkstaLockedSAS when the workstation is locked, if a SAS is received, Winlogon calls this function

By default, GINA displays a login dialog box and the user enters a user name and password. So if you want to block Ctrl+Alt+Del, you can write a new MyGina.dll, which provides the interface to call msgina.dll 's function WlxLoggedOnSAS, thus implementing Ctrl+Alt+Del masking. Or write a keyboard driver to implement it.

Is blocking Ctrl+Alt+Del really as troublesome as mentioned above? Is there a better way? The answer is yes. So forget about GINA, you can fix this problem by using the operating system's policy settings. The way to do this is to go to the start menu, select run, and then enter "gpedit.msc" in the run dialog box to start the Windows system's Group Policy Editor. If you view "user configuration | Administrative templates | system | Login / Logout" in the left pane, it is not difficult to find the item "disable Task Manager" in the policy in the right pane.

Group Policy Editor

Ctrl+Alt+Del can be blocked by setting this policy. If you want to do this by writing code, you must manipulate the following registry key:

HKCU\

Software\

Microsoft\

Windows\

CurrentVersion\

Policies\

System\ DisableTaskMgr = dword:1

After this setting, in Windows XP, if the user presses Ctrl+Alt+Del, an error dialog box will pop up

Note that it is assumed that the "Select login and logout options" setting managed by user accounts in the Control Panel enables the "use Welcome screen" item.

Otherwise, XP will use Windows's traditional login mode, requiring the user to enter an account name. And the behavior of the Ctrl+Alt+Del key combination is the same as the traditional behavior, and the setting of DisableTaskMgr in the registry only blocks or grays out the task manager button in the login / logout dialog box. Some people may ask, the documentation about the task manager is not clearly stated, so how do you know that DisableTaskMgr is used to disable the task manager? I'm telling you, I found it when I was using GPEDIT. GPEDIT is a very useful tool not only for editing policies, but also for discovering policies. With this tool, you can easily control many things about Windows, from permission access to whether to use the traditional look and feel of IE, from whether to display the Places Bar in the dialog box to whether to start the task manager with Ctrl+Alt+Del. In short, it can be used to configure hundreds of interface behaviors, so it is a tool that allows system administrators to extend three feet. Once you have found the strategy you are interested in, how do you know the corresponding registry location? There are two ways. The first is a more rude approach: output the registry to a .reg file before and after changing the policy, and then compare the differences. All policies are nothing more than the following four registry keys:

/ / user specified

HKEY_CURRENT_USER\ Software\ Policies

HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies

/ / Machine assignment

HKEY_LOCAL_MACHINE\ Software\ Policies

HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies

The second method is to go straight to the source of the information-check the administrative template file (.adm) that describes the policy. The following is the description of DisableTaskMgr in Windows XP's system.adm file: (Windows 2000 has a slightly different description of this. For details, please refer to the resource development kit of Windows 2000)

CATEGORY!! CADOptions

# if version > = 4

EXPLAIN!! CADOptions_Help

# endif

KEYNAME "Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System"

POLICY!! DisableTaskMgr

# if version > = 4

SUPPORTED!! SUPPORTED_Win2k

# endif

EXPLAIN!! DisableTaskMgr_Help

VALUENAME "DisableTaskMgr"

END POLICY

; More Ctrl+Alt+Del policies here...

END CATEGORY; Ctrl+Alt+Del options

……

……

DisableTaskMgr_Help= prevents users from starting 'Task Manager' (Taskmgr.exe).\ n\ nIf this setting is enabled and the user attempts to start Task Manager, the system

A message is displayed explaining that a policy forbids this operation. \ n\ nTask Manager allows users to start or terminate programs, monitor computer performance, view and monitor all runs on the computer

Programs in (including system services), search for the execution file name of the program, and change the priority in which the program runs. "

DisableTaskMgr= Delete Task Manager

The above is a description of DisableTaskMgr.

It is in this description that KEYNAME and VALUENAME specify the key-value pair of the registry. With this approach, you can create administrative templates and policies for your applications, but editors that edit and browse .adm template files must support Unicode characters. Such as Notepad or WordPad and so on. In addition, using administrative template files, system administrators can use it to configure the policies they need for the entire organization-- which shows that this file plays an important role in the system! For more information about template management file formats, refer to the platform SDK. Finally, it is important to emphasize that DisableTaskMgr only disables the functionality of Ctrl+Alt+Del. Let's discuss how to capture its key sequence. To intercept Ctrl+Alt+Del, there are three options:

1. Write a GINA agent; this method will be introduced in a future article. In fact, this is the approach used in ac952_z_cn 's personal column, "how to shield CTRL + ALT+DEL under WINDOWS NT/2000."

2. Write a keyboard driver and the method used in the example program in this paper.

3. Replace the task manager program TaskMgr.exe with your own program.

For specific implementation details of shielding the Ctrl+Alt+Del solution, please refer to the example code in this article.

Let's solve the problem of shielding task switch key sequences, including Alt+Tab, Ctrl+Esc, Alt+Esc, VK_LWIN/VK_RWIN, and the taskbar. In the early days of Window 3.1s, the way to deal with this problem was through WM_SYSKEYDOWN. During the period of Windows 9x, this article mentioned a way to deal with this problem earlier, using SPI_SETSCREENSAVERRUNNING. But in the era of Windows NT 4.0 (SP3 +), Windows 2000 and Windows XP, this problem has been handled differently, and a low-level keyboard driver hook must be written. Don't be afraid, because it's not very difficult to implement this hook. How to implement this keyboard hook is described below in this article. Generally speaking, the system-level hook must be a DLL. The following is a source code snippet (TaskKeyHook.dll) of a keyboard hook DLL provided with this article:

Header file

/

/ / TaskKeyHook.h

/ /

# define DLLIMPORT _ _ declspec (dllimport)

DLLIMPORT BOOL DisableTaskKeys (BOOL bEnable, BOOL bBeep)

DLLIMPORT BOOL AreTaskKeysDisabled ()

Implementation file

/

/ / TaskKeyHook.cpp

/ /

# define _ WIN32_WINNT 0x0500 / / for KBDLLHOOKSTRUCT

# include / / MFC core and standard components

# define DLLEXPORT _ _ declspec (dllexport)

/

/ / App (DLL) object

/ /

Class CTaskKeyHookDll: public CWinApp {

Public:

CTaskKeyHookDll () {}

~ CTaskKeyHookDll () {}

} MyDll

/ / /

/ / the following code indicates that this part is shared among all instances of this DLL

/ / low-level keyboard hooks must be system-level hooks

/ /

# pragma data_seg (".mydata")

HHOOK g_hHookKbdLL = NULL; / / hook handle

BOOL g_bBeep = FALSE; / / Beep when an illegal key is pressed

# pragma data_seg ()

# pragma comment (linker, "/ SECTION:.mydata,RWS") / / tell the linker to establish a data sharing segment

/ /

/ / low-level keyboard hook

/ / intercept task conversion key: return directly without passing

/ /

LRESULT CALLBACK MyTaskKeyHookLL (int nCode, WPARAM wp, LPARAM lp)

{

KBDLLHOOKSTRUCT * pkh = (KBDLLHOOKSTRUCT *) lp

If (nCode==HC_ACTION) {

BOOL bCtrlKeyDown =

GetAsyncKeyState (VK_CONTROL) > > ((sizeof (SHORT) * 8)-1)

If ((pkh- > vkCode==VK_ESCAPE & & bCtrlKeyDown) | | / / Ctrl+Esc

/ / Alt+TAB

(pkh- > vkCode==VK_TAB & & pkh- > flags & LLKHF_ALTDOWN) | |

/ / Alt+Esc

(pkh- > vkCode==VK_ESCAPE & & pkh- > flags & LLKHF_ALTDOWN) | |

(pkh- > vkCode==VK_LWIN | | pkh- > vkCode==VK_RWIN)) {/ / start menu

If (g_bBeep & & (wp==WM_SYSKEYDOWN | | wp==WM_KEYDOWN))

MessageBeep (0); / / Beep

Return 1; / / No longer pass to CallNextHookEx, return directly

}

}

Return CallNextHookEx (g_hHookKbdLL, nCode, wp, lp)

}

/ / /

/ / do you want to block the sequence of task keys-that is, is the keyboard hook installed?

/ Note: it is assumed that no other hooks do the same thing.

/ /

DLLEXPORT BOOL AreTaskKeysDisabled ()

{

Return g_hHookKbdLL! = NULL

}

/ / /

/ / Shield task key: install low-level keyboard structure

/ / returns whether to block the flag (TRUE/FALSE)

/ /

DLLEXPORT BOOL DisableTaskKeys (BOOL bDisable, BOOL bBeep)

{

If (bDisable) {

If (! g_hHookKbdLL) {

G_hHookKbdLL = SetWindowsHookEx (WH_KEYBOARD_LL

MyTaskKeyHookLL, MyDll.m_hInstance, 0)

}

} else if (g_hHookKbdLL! = NULL) {

UnhookWindowsHookEx (g_hHookKbdLL)

G_hHookKbdLL = NULL

}

G_bBeep = bBeep

Return AreTaskKeysDisabled ()

}

TaskKeyHook outputs two functions: DisableTaskKeys and AreTaskKeysDisabled. The former installs the WH_KEYBOARD_LL hook; the latter determines whether the hook is installed. The idea of this keyboard hook is to intercept Alt+Tab,Ctrl+Esc,Alt+Esc and the Windows key VK_LWIN/VK_RWIN, which will be described in detail in a moment. When the hook encounters these keys, it returns directly to the caller rather than passing the processing to the CallNextHookEx.

LRESULT CALLBACK MyTaskKeyHookLL (...)

{

If (/ * Task key *)

Return 1; / / return immediately

Return CallNextHookEx (...)

}

Most of the implementations of TaskKeyHook are simple. There is only one trick used: using # pragma data_seg to name segments containing full data, and using # pragma comment (linker...) Tell the linker to make this segment a shared segment. Please refer to the source code for implementation details. The example program (TrapKeys.exe) attached to this article brings together the above functions for masking keyboard keystrokes, in addition to disabling the taskbar. Because now that the task switch key is disabled, generally speaking, it is necessary to disable the taskbar, otherwise there is no point in disabling the task switch key. The specific ways to disable the taskbar are as follows:

HWND hwnd = FindWindow ("Shell_traywnd", NULL); / / find the taskbar

EnableWindow (hwnd, FALSE); / / disable the taskbar

Figure 4 shows the running screen of the example program:

Fig. 4 screen of TrapKeys program running

The following is the implementation code of the TrapKeys program:

/ / /

/ / TrapKeys.cpp

/ /

# include "stdafx.h"

# include "resource.h"

# include "StatLink.h"

# include "TaskKeyMgr.h"

/

/ / main dialog box

/ /

Class CMyDialog: public CDialog {

Public:

CMyDialog (CWnd* pParent = NULL): CDialog (IDD_MYDIALOG, pParent) {}

Protected:

HICON m_hIcon

CStaticLink m_wndLink1

CStaticLink m_wndLink2

CStaticLink m_wndLink3

Virtual BOOL OnInitDialog ()

/ / Command / update processing of UI

Afx_msg void OnDisableTaskMgr ()

Afx_msg void OnDisableTaskKeys ()

Afx_msg void OnDisableTaskbar ()

Afx_msg void OnUpdateDisableTaskMgr (CCmdUI* pCmdUI)

Afx_msg void OnUpdateDisableTaskKeys (CCmdUI* pCmdUI)

Afx_msg void OnUpdateDisableTaskbar (CCmdUI* pCmdUI)

Afx_msg LRESULT OnKickIdle (WPARAM,LPARAM)

DECLARE_MESSAGE_MAP ()

}

/ / /

/ / the standard MFC dialog applies the class code.

/ /

Class CMyApp: public CWinApp {

Public:

Virtual BOOL InitInstance () {

/ / initialize app: run the dialog box

CMyDialog dlg

M_pMainWnd = & dlg

Dlg.DoModal ()

Return FALSE

}

Virtual int ExitInstance () {

/ / for the sake of the whole, restore all disabled items when you exit the program

CTaskKeyMgr::Disable (CTaskKeyMgr::ALL, FALSE)

Return 0

}

} theApp

BEGIN_MESSAGE_MAP (CMyDialog, CDialog)

ON_COMMAND (IDC_DISABLE_TASKKEYS,OnDisableTaskKeys)

ON_COMMAND (IDC_DISABLE_TASKBAR, OnDisableTaskbar)

ON_COMMAND (IDC_DISABLE_TASKMGR, OnDisableTaskMgr)

ON_UPDATE_COMMAND_UI (IDC_DISABLE_TASKKEYS, OnUpdateDisableTaskKeys)

ON_UPDATE_COMMAND_UI (IDC_DISABLE_TASKBAR, OnUpdateDisableTaskbar)

ON_UPDATE_COMMAND_UI (IDC_DISABLE_TASKMGR, OnUpdateDisableTaskMgr)

ON_MESSAGE (WM_KICKIDLE,OnKickIdle)

END_MESSAGE_MAP ()

/ / /

/ / initialization dialog box: subclassed hyperlink handle planting icon

/ /

BOOL CMyDialog::OnInitDialog ()

{

CDialog::OnInitDialog ()

/ / initialize the hyperlink

M_wndLink1.SubclassDlgItem (IDC_EMAIL,this)

M_wndLink2.SubclassDlgItem (IDC_VCKBASEURL,this)

M_wndLink3.SubclassDlgItem (IDC_VCKBASELINK,this)

/ / set the dialog box icon yourself. MFC does not set it for dialog applications

M_hIcon = AfxGetApp ()-> LoadIcon (IDR_MAINFRAME)

SetIcon (m_hIcon, TRUE); / / hit the icon

SetIcon (m_hIcon, FALSE); / / small icon

Return TRUE

}

/ / /

/ / Command / UI update processing: writing these things should be easy.

Void CMyDialog::OnDisableTaskKeys ()

{

CTaskKeyMgr::Disable (CTaskKeyMgr::TASKKEYS

! CTaskKeyMgr::AreTaskKeysDisabled (), TRUE); / / buzzing

}

Void CMyDialog::OnUpdateDisableTaskKeys (CCmdUI* pCmdUI)

{

PCmdUI- > SetCheck (CTaskKeyMgr::AreTaskKeysDisabled ())

}

Void CMyDialog::OnDisableTaskbar ()

{

CTaskKeyMgr::Disable (CTaskKeyMgr::TASKBAR

! CTaskKeyMgr::IsTaskBarDisabled ()

}

Void CMyDialog::OnUpdateDisableTaskbar (CCmdUI* pCmdUI)

{

PCmdUI- > SetCheck (CTaskKeyMgr::IsTaskBarDisabled ())

}

Void CMyDialog::OnDisableTaskMgr ()

{

CTaskKeyMgr::Disable (CTaskKeyMgr::TASKMGR

! CTaskKeyMgr::IsTaskMgrDisabled ()

}

Void CMyDialog::OnUpdateDisableTaskMgr (CCmdUI* pCmdUI)

{

PCmdUI- > SetCheck (CTaskKeyMgr::IsTaskMgrDisabled ())

}

/ / /

/ / this is necessary for ON_UPDATE_COMMAND_UI to work properly.

/ /

LRESULT CMyDialog::OnKickIdle (WPARAM wp, LPARAM lCount)

{

UpdateDialogControls (this, TRUE)

Return 0

}

Although the taskbar is disabled by the above method, there is another organ that has not been dealt with, that is, pressing the Windows key still pops up the start menu. Obviously, the taskbar does not check whether it is enabled before processing VK_LWIN. In general, if a window is blocked, it will no longer process user input in that window-this is what Disable means. This is usually achieved naturally when you call EnableWindow (FALSE). But the code that handles VK_LWIN/VK_RWIN keys will never check the taskbar's enabled / disabled status. In this regard, the treatment of this article is still the use of keyboard hooks. Modify the TaskKeyHook implementation to increase the capture of the Windows key. Nothing happens when you press the start menu button. I hope I didn't miss the other buttons. If any reader finds that any key is missing, please contact me to add it to the keyboard hook. For simplicity, I encapsulated all disabled functions in the class CTaskKeyMgr. The following is the definition of this class, click the implementation file:

TaskKeyMgr

/ /

/ / TaskKeyMgr.h

/ /

# pragma once

# include "TaskKeyHook.h"

/

/ / use this class to disable task keys, task managers, or taskbars.

/ / call Disable with the appropriate flag, such as: CTaskMgrKeys::Disable (CTaskMgrKeys::ALL)

/ /

Class CTaskKeyMgr {

Public:

Enum {

TASKMGR = 0x01, / / disable Task Manager (Ctrl+Alt+Del)

TASKKEYS = 0x02, / / disable task conversion key (Alt-TAB, etc)

TASKBAR = 0x04, / / disable the taskbar

ALL=0xFFFF / / disable everything L

}

Static void Disable (DWORD dwItem,BOOL bDisable,BOOL bBeep=FALSE)

Static BOOL IsTaskMgrDisabled ()

Static BOOL IsTaskBarDisabled ()

Static BOOL AreTaskKeysDisabled () {

Return:: AreTaskKeysDisabled (); / / call DLL

}

}

CPP implementation

/

/ / TaskKeyMgr.cpp

/ /

# include "StdAfx.h"

# include "TaskKeyMgr.h"

# define HKCU HKEY_CURRENT_USER

/ / Registry key-value pair used to disable the Task Manager policy

LPCTSTR KEY_DisableTaskMgr =

"Software\ Microsoft\\ Windows\\ CurrentVersion\\ Policies\\ System"

LPCTSTR VAL_DisableTaskMgr = "DisableTaskMgr"

/ / /

/ / disable related task keys

/ /

/ / dwFlags = indicates what is disabled

/ / bDisable = disable to (TRUE), otherwise enable (FALSE)

/ / bBeep = whether pressing illegal keys beeps (for task keys)

/ /

Void CTaskKeyMgr::Disable (DWORD dwFlags, BOOL bDisable, BOOL bBeep)

{

/ / Task Manager (Ctrl+Alt+Del)

If (dwFlags & TASKMGR) {

HKEY hk

If (RegOpenKey (HKCU, KEY_DisableTaskMgr,&hk)! = ERROR_SUCCESS)

RegCreateKey (HKCU, KEY_DisableTaskMgr, & hk)

If (bDisable) {/ / disable Task Manager (disable TM): set policy = 1

DWORD val=1

RegSetValueEx (hk, VAL_DisableTaskMgr, NULL

REG_DWORD, (BYTE*) & val, sizeof (val))

} else {/ / enable Task Manager (enable TM)

RegDeleteValue (hk,VAL_DisableTaskMgr)

}

}

/ / Task key (Alt-TAB etc)

If (dwFlags & TASKKEYS)

:: DisableTaskKeys (bDisable,bBeep); / / install keyboard hook

/ / taskbar

If (dwFlags & TASKBAR) {

HWND hwnd = FindWindow ("Shell_traywnd", NULL)

EnableWindow (hwnd,! bDisable)

}

}

BOOL CTaskKeyMgr::IsTaskBarDisabled ()

{

HWND hwnd = FindWindow ("Shell_traywnd", NULL)

Return IsWindow (hwnd)?! IsWindowEnabled (hwnd): TRUE

}

BOOL CTaskKeyMgr::IsTaskMgrDisabled ()

{

HKEY hk

If (RegOpenKey (HKCU, KEY_DisableTaskMgr, & hk)! = ERROR_SUCCESS)

Return FALSE; / / does not have this key, can not be disabled

DWORD val=0

DWORD len=4

Return RegQueryValueEx (hk, VAL_DisableTaskMgr

NULL, NULL, (BYTE*) & val, & len) = = ERROR_SUCCESS & & val==1

}

The functions in this class are static; in fact, CTaskKeyMgr is exactly a namespace. You can use it as much as you like in your own program. For example, disable the task conversion button and taskbar, but do not disable Ctrl+Alt+Del:

CTaskKeyMgr::Disable (CTaskKeyMgr::TASKKEYS |

CTaskKeyMgr::TASKBAR, TRUE)

This is the method of shielding the sequence of Ctrl+Esc keys in the XP system shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.