Internet Explorer Watchdog

Introduction

I'm currently working in a university, and we bought a web solution to a third party company in Windows SharePoint. Basically the site runs on IIS with Basic Authentication and SSL.

After we deployed the solution, we encountered a problem... every student has to input his login/password on the authentication window several times, because the solution always keeps asking for the login/password when someone creates Word, Excel, PDF, etc. documents.

Note: There is only one profile for every computer in the labs, for student usage.

Solution

The solution was to develop a software solution that stays in the icon tray, and monitors all Internet Explorer processes that access the site XXX.
The software could only be disabled by a user with administrator profile.

Note: I used the HansBlomme.Windows.Forms.NotifyIcon.dll to develop the solution.

Watchdog is responsible for resetting the login/password saved in the site XXX after the user has terminated all Internet Explorer windows navigation on the site XXX.

How Do We Do This?

Using WMI to trap all start/terminated processes.

EventArrivedEventHandler
eventArrivedEventHandlerStart = new EventArrivedEventHandler(this.Win32ProcArrived);
            watcherStart =this.GetWatcher("__InstanceCreationEvent");
            watcherStart.EventArrived += eventArrivedEventHandlerStart;
            watcherStart.Start();

After we've trapped an event, we must filter all Internet Explorer browser windows from the process list, and trap all Browser.DocumentComplete events to monitor all URLS entered by the user.

Finally, when someone kills the last Internet Explorer window using the site XXX, watchdog will just erase the login/password entered from the system protected store.

Watchdog erases the credentials by calling cia.exe -dXXXX where XXXX is the site to remove the credentials from.

For erasing the password from the protected store, I’ve developed another application in C++ (CIA) that loads the pstorec.dll from the operating system, searches all keys that match the site XXX, and removes the entered authentication.

There is very little documentation on the protected store subject, but we can get all that we need from the Microsoft site.

Here is the source code to remove the credentials:

#import "pstorec.dll" no_namespace

// http://msdn.microsoft.com/library/default.asp?
//	url=/library/en-us/devnotes/winprog/pstore.asp
typedef HRESULT (WINAPI *PStoreCreateInstancePtr)(IPStore **, DWORD, DWORD, DWORD);

void removeSignature(char *site){

    USES_CONVERSION;
    HRESULT hRes;

    HMODULE hPstoreDLL = LoadLibrary("pstorec.dll"); 
    PStoreCreateInstancePtr PStoreCreateInstance = 
	(PStoreCreateInstancePtr)GetProcAddress(hPstoreDLL, "PStoreCreateInstance");

    IPStorePtr spPStore; 
    hRes = PStoreCreateInstance(&spPStore, 0, 0, 0);    

    IEnumPStoreTypesPtr spEnumTypes;
    hRes = spPStore->EnumTypes(0, 0, &spEnumTypes);

    GUID typeGUID;
    while(spEnumTypes->raw_Next(1,&typeGUID,0) == S_OK){            
        IEnumPStoreTypesPtr spEnumSubTypes;
        hRes = spPStore->EnumSubtypes(0, &typeGUID, 0, &spEnumSubTypes);
        GUID subtypeGUID;
        while(spEnumSubTypes->raw_Next(1,&subtypeGUID,0) == S_OK){
            IEnumPStoreItemsPtr spEnumItems;
            HRESULT hRes = spPStore->EnumItems(0, &typeGUID, 
				&subtypeGUID, 0, &spEnumItems);

            LPWSTR itemName;
            while(spEnumItems->raw_Next(1,&itemName,0) == S_OK){                
                _PST_PROMPTINFO *pi = NULL;                                    
                if (strstr(W2A((LPWSTR) itemName),site))
                    spPStore->WriteItem (0,&typeGUID,&subtypeGUID,itemName,9,
					(unsigned char *)"LOGIN?:",pi,0,0);   
            }
        }
    }
}

Explanation of Some Pieces of Code

_Handlers is the heart of watchdog, this class is responsible for all trapping/monitoring processes/events.

I will explain some of the methods of this class:

isAdministrator() 

This function verifies if the current user has administrative privileges.

public bool isAdministrator()
{
    AppDomain ad = Thread.GetDomain();
    ad.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
    WindowsPrincipal user = (WindowsPrincipal)Thread.CurrentPrincipal;
    if(user.IsInRole(WindowsBuiltInRole.Administrator) || 
		user.IsInRole(WindowsBuiltInRole.Administrator))
        return true;
    return false;
} 

runPasswordCleaner() 

This function is responsible for running the CIA.EXE.

private void runPasswordCleaner(){                
    if (enabled){                
        string wd = System.IO.Path.GetDirectoryName
		( System.Reflection.Assembly.GetExecutingAssembly().
		GetName().CodeBase ).Replace (@"file:\","");
        System.Diagnostics.Process P= new Process();                        
        P.StartInfo.UseShellExecute = false;
        string site=this.URL.TrimStart ("http://".ToCharArray ());
        site=this.URL.TrimStart ("https://".ToCharArray ());
        P.StartInfo.Arguments = "-d"+site;
        P.StartInfo.RedirectStandardOutput = false;
        P.StartInfo.CreateNoWindow = true;
        P.StartInfo.RedirectStandardError = false;
        P.StartInfo.WorkingDirectory = wd+"\\";
        P.StartInfo.FileName = "cia.exe";
        P.Start();                                    
        P.WaitForExit ();            
        P.Close ();                

        this.siteActive =false;
    }
}

Conclusion

This is of course an application that serves my goals, but the source code can be easily altered to satisfy other purposes.

History

• 18^th April, 2005: Initial post