Click here to Skip to main content
15,867,488 members
Articles / Programming Languages / C++

Taking Advantage of the Winlogon Notification Package

Rate me:
Please Sign up or sign in to vote.
5.00/5 (18 votes)
6 Jan 2001CPOL 339.1K   78   105
Taking advantage of the Winlogon Notification Package
<!-- Add the rest of your HTML here -->

Introduction

The Winlogon Notification Package is a DLL which exports functions that handle Winlogon.exe events. These event messages includes lock, unlock, logoff, logon, startup, shutdown, startscreensaver, stopscreensaver, and startshell. 

This article demonstrates how to use the Winlogon Notification Package as an alternative to NT Services. The main benefits for doing this is better handling of user activities. In addition, the Winlogon Notification Package will be very lightweight and requires much less code then its NT service equivalent. 

The Steps

Creating a Winlogon Notification package is very simple. Just create a DLL with specific functions to run during the Winlogon event messages. To let Winlogon.exe know about your DLL, simply add a few entries into the registry where appropriate. This method can be quite robust and versatile when combined with your services and applications.

Sample

This sample starts a WIN32 application before the user logon. Because the process is started by Winlogon, it is owned by the system account. Users may not end the process through 'End Task'. This is the exact way NT services behave. In this sample, the logoff notification will terminate the process. If the process needed to stay active, the EndProcessAtWinlogoff function should be removed. If we wanted the process to be owned by the user, we could use CreateProcessAsUser during a startup notification instead of a logon notification. 

Step 1.) - the dll

//sample.cpp

#include <windows.h>
#include <Winwlx.h>

PROCESS_INFORMATION g_pi;
TCHAR g_szPath[] = _T("c:\somepath\execut.exe \"arguments\"");

//This function safely terminates a process, allowing
//it to do cleanup (ie. DLL detach)
//It can be found at the Windows Developer's Journal
SafeTerminateProcess(HANDLE hProcess, UINT uExitCode);   

//Entrance function for the DLL
BOOL WINAPI LibMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
        {
	    DisableThreadLibraryCalls (hInstance);	
        }
        break;
    }
    return TRUE;
}

//Event handler for the Winlogon Logon event
VOID APIENTRY StartProcessAtWinLogon (PWLX_NOTIFICATION_INFO pInfo)
{
    STARTUPINFO si;
    si.cb = sizeof(STARTUPINFO); 
    si.lpReserved = NULL; 
    si.lpTitle = NULL; 
    si.lpDesktop = "WinSta0\\Default"; 
    si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L; 
    si.dwFlags = 0;; 
    si.wShowWindow = SW_SHOW; 
    si.lpReserved2 = NULL; 
    si.cbReserved2 = 0; 
				
    CreateProcess(NULL, g_szPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                  NULL, NULL, &si, &g_pi);
}

//Event handler for the Winlogon Logoff event.
VOID APIENTRY StopProcessAtWinLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
    //terminates the process
    SafeTerminateProcess(g_pi.hProcess, 0xDEADBEEF);  
}

//other event handlers
VOID APIENTRY YOUR_EVENT_HANDLERS (PWLX_NOTIFICATION_INFO pInfo)
{
    //code
}

...

Step 2.) - the exports

The program hasn't exported any functions yet. We need to create a .def file.

sample.def

EXPORTS
StartProcessAtWinLogon
StopProcessAtWinLogoff

 

Now add the following to your linkage options in VC6 and build.

/def: "sample.def"

If everything went well, the files sample.dll and sample.exp will be in your output folder. Move these to \%NTROOT%\system32

Step 3.) - the registry

Add the following values and keys to the registry. These values communicate to Winlogon.exe and let it know which procedures to run during an event notification. Add as few or as many notification events as needed.

HKEY_LOCAL_MACHINE
    \Software
        \Microsoft
            \Windows NT
                \CurrentVersion
                    \Winlogon
                        \Notify
                            \NameOfProject
                                \Asynchronous  REG_DWORD  0
                                \Dllname       REG_SZ     NameOfDll.dll
                                \Impersonate   REG_DWORD  0
                                \Logon         REG_SZ     StartProcessAtWinLogon
                                \Logoff        REG_SZ     StopProcessAtWinLogoff
                                \...           REG_SZ     NameOfFunction

That's it! Now restart and Winlogon.exe will launch your app.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Architect Frontline Direct Inc., Adconion
United States United States
Tony Truong graduated from UCLA in Spring of 2001 and starting worked at Symantec Corporation as a Software Engineer. After a few years of developing various features for Norton SystemWorks, Tony moved to San Diego. He is currently writing database applications using ASP.NET and C# with the .NET Framework. Tony specializes in tara-byte databases with emphasis on high availability, optimization, and complex entity modeling.

Comments and Discussions

 
QuestionWill not work on Vista and later. Pin
Assaf Levy4-Oct-11 5:17
Assaf Levy4-Oct-11 5:17 
AnswerRe: Will not work on Vista and later. Pin
isaprgmr29-Aug-12 12:23
isaprgmr29-Aug-12 12:23 
QuestionHow to start service... Pin
gothic_coder27-May-10 3:54
gothic_coder27-May-10 3:54 
QuestionMinGW c/c++ attempt ...I'm stuck, any ideas? Pin
twohawks2-Mar-10 16:52
twohawks2-Mar-10 16:52 
As old as this posted code is, it appears to be popular...
Thank you, Tony, for the demonstration/example, you should've received more +5 votes ;^).

I am a total newb who never made a DLL or even coded in c/c++/c# before... please be gentle while I learn the correct syntactical referencing, etc.
My questions have to do with creating this in MinGW C/C++

1) anyone here succeeded in creating a workable DLL for WinLogon with MinGW?

--------------------------
I am uncertain what the problem is with the code I created based on Tony's example.
At first I was having a real problem with the Alias (Entry Points) issues (learning about Export), but I think I sorted that out...
...now all my variations compile seemingly okay, i.e., no Entry Point error when I run my dll, but then nothing happens when I run it.

I think it may have to do with lacking export with regard to the main WIN function... but I haven't a clue really...

I will provide an example of how far I got, and some methods (gcc/g++) used to build, but forgive me, it would be too volumnous to try to expose all the approaches I tried...

---------------------------
Essentially I took and coded the aliases / entry points right into the DLL (since I am not using the code to also create an exe), rather than relying on a .def to create a library (although I did that too, and seemingly correctly).
To mention... the road there included variations on recreating my own .def file (using dlltool to compile it from a primary sample.dll) and then compiling with a .a or .lib ...kinds of things.

I actually was successful compiling the DLL with proper entry point aliasing (I think) using several of these different methods (with and without my own external header or lib files)... the only error that was persistent was the "missing entry point" that it seemed I had to figure out each time,
BUT,
...no matter my success, when calling a successfully compiled DLL -->> nothing happens.


Here is a sample of the code using MinGW and using either gcc or g++ to compile it:
//sample3.cpp
// to test, RUN: RUNDLL32 C:\Temp\sample3.dll,StartProcessAtWinLogon
// this one compiles okay with gcc -Wall -shared %FILENAME% -o %FILENAMENOEXT%.DLL
// several other command approaches listed below

#include <windows.h>
#include <Winwlx.h>

extern "C" // this cleans up the prefix on the entry handles, but not the suffixes [@nn]
{
__declspec (dllexport) void __stdcall StartProcessAtWinLogon (void)
{
return;
}
__declspec (dllexport) void __stdcall StopProcessAtWinLogoff (void)
{
return;
}

} /// end Extern C


// droped the T macro since its not really needed in this application (or so I have read)...
PROCESS_INFORMATION g_pi;
TCHAR g_szPath[] = "c:\\temp\\test.exe";
//I keep testing with variation on the path syntax to be sure its not as simple as my exe is not launching

//I have dropped the terminate stuff for now while testing
// SafeTerminateProcess(HANDLE hProcess, UINT uExitCode);

//Entrance function for the DLL (LibMain | DllMain)
//This is where I think the problem is. I think when using MinGW may require dllexport with this
// but I have been trying attempts with that with no success (compiling yes, but triggering a response when run, no)
BOOL WINAPI LibMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls (hInstance);
}
break;
}
return TRUE;
}

//Event handler for the Winlogon Logon event
VOID APIENTRY StartProcessAtWinLogon (PWLX_NOTIFICATION_INFO pInfo)
{
STARTUPINFO si;
si.cb = sizeof(STARTUPINFO);
si.lpReserved = NULL;
si.lpTitle = NULL;
si.lpDesktop = "WinSta0\\Default";
si.dwX = si.dwY = si.dwXSize = si.dwYSize = 0L;
si.dwFlags = 0;;
si.wShowWindow = SW_SHOW;
si.lpReserved2 = NULL;
si.cbReserved2 = 0;

CreateProcess(NULL, g_szPath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
NULL, NULL, &si, &g_pi);
}

//Event handler for the Winlogon Logoff event.
VOID APIENTRY StopProcessAtWinLogoff (PWLX_NOTIFICATION_INFO pInfo)
{
//terminates the process
// SafeTerminateProcess(g_pi.hProcess, 0xDEADBEEF);
}

//other event handlers
VOID APIENTRY YOUR_EVENT_HANDLERS (PWLX_NOTIFICATION_INFO pInfo)
{
//code
}
// ...End Code


##################################
Without getting into specifics, here are some of the various commands I have worked with for compiling (of course, using alternate versions from teh code provided above).....
// to test my dll I do RUN:
// RUNDLL32 C:\Temp\sample3.dll,StartProcessAtWinLogon <optional arguments>
// compile: gcc -Wall -shared %FILENAME% -o %FILENAMENOEXT%2.DLL
// g++ -WI --add-stdcall-alias -shared %FILENAME% -o %FILENAMENOEXT%2.DLL
// g++ -WI,--add-stdcall-alias -shared %FILENAME% -o %FILENAMENOEXT%2.DLL

// when working with a .def file I used dlltool on a compiled sample to retrieve the exports
// in order to create the /lib, then recompiled the sample.dll for the final (seemingly successfully... variations...
// dlltool -A -D sample2.dll -l sample2dll.lib
// dlltool -d -k sample.def -l sample2dll.lib
// gcc -Wall -shared %FILENAME% -o %FILENAMENOEXT%3.DLL -lsample2dll
// gcc -Wall -shared %FILENAME% -o %FILENAMENOEXT%3.DLL -L %PATH% -l sample2dll

// http://www.mingw.org/wiki/sampleDLL
// run first: g++ -c -DBUILDING_EXAMPLE_DLL %FILENAMENOEXT%.cpp
// run next: g++ -shared -o %FILENAMENOEXT%.dll %FILENAMENOEXT%.o -Wl,--out-implib,lib%FILENAMENOEXT%.a

// gcc -Wall -shared %FILENAME% -o %FILENAMENOEXT%.DLL

####################################

I would think you can simply call this dll like any other (using Rundll32) for testing
I am about ready to give up... I thought this should be fairly straightforward, however, now I wonder that without taking a course ...maybe its unreasonable to spend more time on this.

Anyone got any pointers?
Thanks.
AnswerRe: MinGW c/c++ attempt ...I'm stuck, any ideas? Pin
twohawks2-Mar-10 17:55
twohawks2-Mar-10 17:55 
AnswerRe: MinGW c/c++ attempt ...some progress... Pin
twohawks2-Mar-10 19:07
twohawks2-Mar-10 19:07 
QuestionCan I see the notpad's and logon's UI at same time? Pin
Ason18-Feb-09 21:14
Ason18-Feb-09 21:14 
GeneralError:unresolved external symbol "int __cdecl SafeTerminateProcess(void *,unsigned int)" Pin
Rajeshshewale6-Jun-08 19:32
Rajeshshewale6-Jun-08 19:32 
GeneralWinLogon Notification Package Pin
Bodanapu14-Sep-07 0:45
Bodanapu14-Sep-07 0:45 
AnswerRe: WinLogon Notification Package Pin
A56471828-Sep-07 7:22
A56471828-Sep-07 7:22 
GeneralRe: WinLogon Notification Package Pin
Member 857955622-Feb-12 0:06
Member 857955622-Feb-12 0:06 
GeneralCan't make this thing to work Pin
teebonaire19-Jul-07 18:54
teebonaire19-Jul-07 18:54 
GeneralNotification Packages removed on vista Pin
ppckiller4-Jun-07 7:27
ppckiller4-Jun-07 7:27 
Questionhow to create and use manifest file in winlogon package Pin
prem kumar singh22-Dec-06 1:47
prem kumar singh22-Dec-06 1:47 
QuestionHow to bypass the logon windows( user to input username and password) Pin
Johngle29-Oct-06 17:07
Johngle29-Oct-06 17:07 
QuestionComplete Sample for Novice Pin
Vindalf27-Aug-06 9:18
Vindalf27-Aug-06 9:18 
GeneralWinlogon notification packages in Non-Domain env.! Pin
baluspage17-Aug-06 20:30
baluspage17-Aug-06 20:30 
QuestionHow to get this code to work with VS.NET 2003? Pin
id10t24-May-06 2:44
id10t24-May-06 2:44 
QuestionEvent DLL not working on clean install of XP ? Pin
mojomonkeyhelper25-Sep-05 23:36
mojomonkeyhelper25-Sep-05 23:36 
AnswerRe: Event DLL not working on clean install of XP ? Pin
mojomonkeyhelper26-Sep-05 23:00
mojomonkeyhelper26-Sep-05 23:00 
GeneralDebug version works, release version doesn't Pin
areeves-cp3-May-05 11:29
areeves-cp3-May-05 11:29 
GeneralWorks on XP, does not work on 2003 Server Pin
Alpar26-Apr-05 10:15
Alpar26-Apr-05 10:15 
QuestionNo more information than in MSDN, surely? Pin
Coruscant6-Apr-05 12:41
Coruscant6-Apr-05 12:41 
Questionchange winlogon notification package timeout? Pin
chca6-Jan-05 9:48
chca6-Jan-05 9:48 
AnswerRe: change winlogon notification package timeout? Pin
Blake Miller25-Mar-05 12:07
Blake Miller25-Mar-05 12:07 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.