Taking Advantage of the Winlogon Notification Package

Introduction

The Winlogon Notification Package is a DLL which exports functions that handle Winlogon.exe events. These event messages includes lock, unlock, logoff, logon, startup, shutdown, startscreensaver, stopscreensaver, and startshell.

This article demonstrates how to use the Winlogon Notification Package as an alternative to NT Services. The main benefits for doing this is better handling of user activities. In addition, the Winlogon Notification Package will be very lightweight and requires much less code then its NT service equivalent.

The Steps

Creating a Winlogon Notification package is very simple. Just create a DLL with specific functions to run during the Winlogon event messages. To let Winlogon.exe know about your DLL, simply add a few entries into the registry where appropriate. This method can be quite robust and versatile when combined with your services and applications.

Sample

This sample starts a WIN32 application before the user logon. Because the process is started by Winlogon, it is owned by the system account. Users may not end the process through 'End Task'. This is the exact way NT services behave. In this sample, the logoff notification will terminate the process. If the process needed to stay active, the EndProcessAtWinlogoff function should be removed. If we wanted the process to be owned by the user, we could use CreateProcessAsUser during a startup notification instead of a logon notification.

Step 1.) - the dll

//sample.cpp

#include <windows.h>
#include <Winwlx.h>

PROCESS_INFORMATION g_pi;
TCHAR g_szPath[] = _T("c:\somepath\execut.exe \"arguments\"");

//This function safely terminates a process, allowing
//it to do cleanup (ie. DLL detach)
//It can be found at the Windows Developer's Journal
SafeTerminateProcess(HANDLE hProcess, UINT uExitCode);   

//Entrance function for the DLL
BOOL WINAPI LibMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
        {
	    DisableThreadLibraryCalls (hInstance);	
        }
        break;
    }
    return TRUE;
}

//Event handler for the Winlogon Logon event
VOID APIENTRY StartProcessAtWinLogon (PWLX_NOTIFICATION_INFO pInfo)
{
    STARTUPINFO si;
    si.cb = sizeof(STARTUPINFO); 
    si.lpReserved = NULL; 
    si.lpTitle = NULL; 
    si.lpDesktop = "WinSta0\\Default"; 
    si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L; 
    si.dwFlags = 0;; 
    si.wShowWindow = SW_SHOW; 
    si.lpReserved2 = NULL; 
    si.cbReserved2 = 0; 
				
    CreateProcess(NULL, g_szPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                  NULL, NULL, &si, &g_pi);
}

//Event handler for the Winlogon Logoff event.
VOID APIENTRY StopProcessAtWinLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
    //terminates the process
    SafeTerminateProcess(g_pi.hProcess, 0xDEADBEEF);  
}

//other event handlers
VOID APIENTRY YOUR_EVENT_HANDLERS (PWLX_NOTIFICATION_INFO pInfo)
{
    //code
}

...

Step 2.) - the exports

The program hasn't exported any functions yet. We need to create a .def file.

sample.def

EXPORTS
StartProcessAtWinLogon
StopProcessAtWinLogoff

Now add the following to your linkage options in VC6 and build.

/def: "sample.def"

If everything went well, the files sample.dll and sample.exp will be in your output folder. Move these to \%NTROOT%\system32

Step 3.) - the registry

Add the following values and keys to the registry. These values communicate to Winlogon.exe and let it know which procedures to run during an event notification. Add as few or as many notification events as needed.

HKEY_LOCAL_MACHINE
    \Software
        \Microsoft
            \Windows NT
                \CurrentVersion
                    \Winlogon
                        \Notify
                            \NameOfProject
                                \Asynchronous  REG_DWORD  0
                                \Dllname       REG_SZ     NameOfDll.dll
                                \Impersonate   REG_DWORD  0
                                \Logon         REG_SZ     StartProcessAtWinLogon
                                \Logoff        REG_SZ     StopProcessAtWinLogoff
                                \...           REG_SZ     NameOfFunction

That's it! Now restart and Winlogon.exe will launch your app.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Tony Truong

Architect Frontline Direct Inc., Adconion
United States

Tony Truong graduated from UCLA in Spring of 2001 and starting worked at Symantec Corporation as a Software Engineer. After a few years of developing various features for Norton SystemWorks, Tony moved to San Diego. He is currently writing database applications using ASP.NET and C# with the .NET Framework. Tony specializes in tara-byte databases with emphasis on high availability, optimization, and complex entity modeling.

Article Top

Poor

Excellent

Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Taking advantage of the Winlogon Notification Package

Type	Article
Licence
First Posted	5 Jan 2001
Views	248,936
Bookmarked	74 times

VC6Win2K
Visual-StudioDev, +