
Trap CtrlAltDel; Hide Application in Task List on Win2000/XP

27 Apr 2006
CTaskKeyMgr is designed to demonstrate how to trap CtrlAltDel, and how to hide an application in the Task List on Win2000/XP.

Introduction

The CTaskKeyMgr class in the TrapKeys project is designed to demonstrate the functions mentioned in the title. It is a slight modification of the class CTaskKeyMgr which is part of the sample code of the MSDN article, TrapKeys. Two functions are added to show/hide applications in the task list and to enable/disable blocking of the Ctrl+Alt+Del key combination. It is designed for Windows 2000, but I found that it works on XP SP2 as well. For more information about blocking Ctrl+Alt+Del or hiding an application in the Task List on other Windows platforms, see Lock Windows Desktop by afeijao.

This version is still under development, in particular for multiple instances, debugging issues, and memory leaks.

Background Information

Information in this article mainly comes from the discussion "How to Trap Ctrl+Alt+Del Key Combination in Windows NT/2000/XP (without using GINA and keyboard driver technology)" in the CSDN forum (in Simplified Chinese).

I was working on educational software that broadcasts screen actions from a teacher to a student, and some of my clients frequently asked for the following features:

"Is there any way to prevent the unexpected closing of your application by pressing the Ctrl+Alt+Del key combination and then end the program in the Task List? I don't want my students to close the teaching software and run games."

Note: Who has the right to kill the programs is controversial, and Raymond Chen has an excellent article on this topic (see here).

I posted this question to the forum on CSDN, and soon got tens of replies. Here are some ideas from the replies:

  1. Trap the Ctrl+Alt+Del key combination.
    1. Subclassing the Secure Attention Sequence (SAS) window and handling the Ctrl+Alt+Del hotkey combination in a subclassed WINPROC.
    2. Hooking the keyboard driver (I must admit that I know nothing about the Windows DDK, so I gave up this approach right at the beginning).
    3. Fooling the operating system into thinking the screen saver was running (only works on Win9x).
    4. Hooking GINA dynamically, or replacing the GINA DLLs (the screen flashes when the desktop is switching).
  2. Hide the application in the task list.
    1. Run as a service by calling RegisterServiceProcess (only works on Win9x).
    2. Hook NtQuerySystemInformation (only works on Windows NT/2000/XP).
    3. Inject the exe into a process (not good for a large exe).
  3. Hook OpenProcess and TerminateProcess (just an idea; has anybody tried it?).

This article describes my approach after summarizing the discussion.

The Approach I Have Chosen

Note: I got some complaints about the lengthy code in the original Chinese article, so I cut it in this translation. Readers can still read the code in the Chinese article without downloading the source project.

The SAS window shows the default login dialog when it gets a WM_HOTKEY message with parameters indicating VK_DELETE and both the Ctrl and Alt keys pressed down. This hotkey is registered by winlogon.exe during system startup, so you have no way to register it yourself. However, you can subclass the SAS window and handle the message before the SAS window dispatches it.

In order to subclass a window procedure in another process, you first need to acquire the necessary privilege (SE_DEBUG_NAME), then inject some cute code into the process, and finally start a remote thread in it. Because the addresses of Windows API functions vary from process to process, the injected code can call virtually no API and thus can do almost nothing but simply load a DLL. The system will make the necessary function address adjustments, and the DLL will do the actual subclassing of the SAS window, which is on the WinLogon desktop, not the application desktop. (See Reference 1.)

The core part of this program is the function to be injected into the WinLogon process. It must be neat enough to avoid accessing anything in the current process except things that are sure to exist in the target process, such as kernel Windows APIs, e.g. LoadLibrary. If the function is not optimized and nothing complicated is silently added by the compiler, you can get the "length" of your function correctly by calculating the offset to the next function. This enables "copying" a function to another process, and may be the reason why the debug version always fails.

If Terminal Services is installed and multiple users are logged in, the program needs to decide which WinLogon process should be injected. This can be done by enumerating processes and looking for the current session ID and the executable path. This step can be safely removed if the program will not run under Windows 2000 Server or Windows XP with Fast User Switching.
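From the monitoring side, the sequence described above (a remote thread started in winlogon.exe whose only job is to load a DLL) leaves two observable events. The following is an added example, not code from the article or the TrapKeys project: it applies two rules to Sysmon-style records, using Sysmon's event IDs 7 (ImageLoad) and 8 (CreateRemoteThread) and its field names. The sample events, the paths `C:\Apps\Classroom\teach.exe` and `hook.dll`, and the default system directory are constructed assumptions.

```python
import ntpath

SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: default Windows install path


def _is_winlogon(path):
    return ntpath.basename(path or "").lower() == "winlogon.exe"


def flag_winlogon_injection(events):
    """Return (rule, detail) findings for Sysmon-style event dicts."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 8 and _is_winlogon(ev.get("TargetImage")):
            # Event ID 8: another process started a thread inside winlogon.exe.
            detail = ev.get("SourceImage") or "?"
            if (ev.get("StartFunction") or "").lower().startswith("loadlibrary"):
                detail += " (thread entry point is LoadLibrary)"
            findings.append(("remote-thread", detail))
        elif eid == 7 and _is_winlogon(ev.get("Image")):
            # Event ID 7: a DLL was mapped into winlogon.exe; flag anything
            # that does not come from the system directory.
            dll = ntpath.normpath(ev.get("ImageLoaded") or "")
            if not dll.lower().startswith(SYSTEM_DIR):
                findings.append(("foreign-dll", dll))
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\winlogon.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
    {"EventID": 8, "SourceImage": r"C:\Apps\Classroom\teach.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 7, "Image": r"C:\Windows\System32\winlogon.exe",
     "ImageLoaded": r"C:\Apps\Classroom\hook.dll"},
    {"EventID": 8, "SourceImage": r"C:\Tools\dbg.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartFunction": ""},
]

if __name__ == "__main__":
    for rule, detail in flag_winlogon_injection(SAMPLE_EVENTS):
        print(rule, detail)
```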

Hiding the application from the task list is a little easier: simply hook the somewhat reluctantly documented NtQuerySystemInformation API, and skip the desired processes when the system is looking up processes.
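Because the process list comes back as records chained by a NextEntryOffset field, a filtered list can be checked in two ways: against a PID list from a source the hook does not cover, and for links that jump over a whole record. The following is an added example, not code from the article: the fixed-size record layout is a simplified stand-in for the real SYSTEM_PROCESS_INFORMATION structure, the buffer and process names are constructed, and it assumes the filter skips an entry by enlarging the previous entry's NextEntryOffset.

```python
import struct

# Simplified record (assumption, not the real SYSTEM_PROCESS_INFORMATION layout):
# uint32 NextEntryOffset, uint32 pid, 16-byte NUL-padded image name.
REC = struct.Struct("<II16s")


def walk(buf):
    """Follow NextEntryOffset links; return (pids, gaps).

    gaps holds (start, end) byte ranges that a link jumped over.
    """
    pids, gaps, off = [], [], 0
    while off + REC.size <= len(buf):
        nxt, pid, _name = REC.unpack_from(buf, off)
        pids.append(pid)
        if nxt == 0:  # last entry in the chain
            break
        if nxt < REC.size:
            raise ValueError("malformed NextEntryOffset at %d" % off)
        if nxt > REC.size:  # the link skips bytes that could hold a record
            gaps.append((off + REC.size, off + nxt))
        off += nxt
    return pids, gaps


def hidden_pids(api_buf, reference_pids):
    """Return (missing, skipped).

    missing: PIDs in the reference view but absent from the chained list.
    skipped: PIDs read from records that are in the buffer but unlinked.
    """
    pids, gaps = walk(api_buf)
    missing = sorted(set(reference_pids) - set(pids))
    skipped = [REC.unpack_from(api_buf, start)[1]
               for start, end in gaps if end - start >= REC.size]
    return missing, skipped


# Constructed buffer: the record for PID 1204 is still present, but the
# link from PID 4 (48 instead of 24) jumps straight to PID 2216.
TAMPERED = (REC.pack(48, 4, b"System")
            + REC.pack(24, 1204, b"teach.exe")
            + REC.pack(0, 2216, b"taskmgr.exe"))

if __name__ == "__main__":
    print(hidden_pids(TAMPERED, {4, 1204, 2216}))
```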

Using the code

Usage is almost the same as TrapKeys. The following line will disable the Ctrl-Alt-Del key combo and hide the application in the task list:

CTaskKeyMgr::Disable(CTaskKeyMgr::TASKLIST | CTaskKeyMgr::CTRLALTDEL, TRUE);

Conclusion

Save all of your documents before debugging this code. If winlogon.exe crashes, and you choose to terminate winlogon.exe, Windows will shut down immediately. Your system will be revived after a reboot.

Please note that this class is using undocumented features of Windows. It may not work on future versions of Windows.

Any suggestions on how to improve it would be greatly appreciated.

Updates

  • 17 Apr 2006 - added remote execute detection, and removed the Windows 2000 check on start up.
  • 18 Sep 2005 - revised a bit.
  • 19 Apr 2003 - document translated from Chinese.
  • 11 Nov 2002 - document released on CSDN (Simplified Chinese).
  • 8 Nov 2002
    • Found debug problem (program always crashes when debugging).
    • Found network problem (can not access password protected network resource).
  • 30 Oct 2002 - second implementation using API hook and DLL injection.
  • 22 Oct 2002 - initial implementation using API hook and detours.
  • 21 Oct 2002 - first post on CSDN (Simplified Chinese).

Known Issues

WinLogon will always fail to load the debug version of the remote DLL. (Debug and Release modes in Visual C++ are very different...)

WinLogon will fail to load the injected DLL if it is located on a remote resource, because WinLogon is owned by the SYSTEM user, and the application is usually running under a different user context.

Don't use the /Gs (Control Stack Checking Calls) switch for Link.exe when compiling the inject function. The switch inserts a stack probe in function bodies, and so inserts references to the current process. A stack probe is a sequence of code that the compiler inserts into every function call.

License

This code is provided "as is" with no expressed or implied warranty.

You may use this code in a commercial product with or without acknowledgement. However, you may not sell this code or any modification of this code, this includes commercial libraries and anything else for profit.

Reference

  1. MSDN. CtrlAltDel hotkey registration information.
  2. Programming Applications for Microsoft Windows (Jeffrey Richter): API hooking information.
  3. TrapKeys: MSDN Home > MSDN Magazine > September 2002 > C++ Q&A: Typename, Disabling Keys in Windows XP with TrapKeys.
  4. WTSAPI: MSDN Home > MSDN Magazine > June 2002 > Windows XP: Escape from DLL Hell with Custom Debugging and Utilities: Windows Terminal Service topics.
  5. Lock Windows Desktop by afeijao.
  6. Extending Task Manager with DLL Injection by rocky_pulley.

Special Thanks

CSDN Members (listed with ID (nickname)):

  • slwqw / BAB_FANS (a hue and cry of The four excellent head constables).
  • nevergrief (lonely knight).
  • jennyvenus (his nickname is in Chinese and is too complex for my poor English).
  • kingzai (studying C#).
  • microran2000 (no nickname).


About the Author

Sheng Jiang 蒋晟

United States
JIANG, Sheng, a Microsoft Most Valuable Professional in Visual C++ since 2004, is a student at Austin Community College. He is active in Visual C++ forums, blogs and newsgroups, such as CSDN, Netease, Joycode and Microsoft forums and newsgroups. He prefers playing computer games (especially RTS ones) in his spare time.
 
www.jiangsheng.net

Last Updated 27 Apr 2006
Article Copyright 2003 by Sheng Jiang 蒋晟