Simulate Ctrl-Alt-Del in Vista and above
(Originally posted at WordPress.com. Updated January 2015)
Simulating Ctrl-Alt-Del in code has always been a nightmare for developers, namely for logins with remote access software or other scenarios.
I never figured out the reason Microsoft hides and undocuments the procedure.
For Windows XP and older releases all the way down to Windows NT 3.51 a solution has been found and spreaded all over the internet. I don’t know who discovered it, but it works pretty well.
Then enters Windows Vista. The old procedure ceased to work. Microsoft announced that would provide a C library called SASLIB for people requesting it from a certain email address. In most cases, requests deserved no reply from Microsoft, I was one of those cases! I don’t know what was their selection criteria, but I have legal software and I don’t live in a country for which export restrictions are enforced.
Given that state of affairs, a couple of years ago I made some investigation on my own by analyzing the import table of OSK.EXE. This is an utility bundled with Windows, intended to provide some functionality for users with limited mobility, and it can produce Ctrl-Alt-Del through the virtual keyboard.
I found a mysterious function called WmsgSendMessage exported by a not less mysterious WMsgAPI.dll. I experimented a bit with that function, but at the time was unable to unveil a few details and had to give up due to time constraints.
Actually, I was on the right track. WmsgSendMessage works by invoking the client RPC mechanism lodged inside WMsgAPI.dll. Your application only needs to have the TcbPrivilege, i.e the privilege to Act as Part of the Operating System. LocalSystem services already have that privilege, and have it enabled by default. The local security policy of the computer needs also be configured to allow services to produce Ctrl-Alt-Del (or Security Attention Sequence, SAS, as Microsoft calls it), but this can be done on the spot by changing a simple Registry value before the SAS request.
Very easy, too easy indeed, here is the prototype of the function:
typedef DWORD (WINAPI* lpfnWmsgSendMessage)(DWORD dwSessionId, UINT magicNumber, WPARAM pid, LPARAM lParam);
The magicNumber is 0x208 (there are a few other magic numbers in this function but this one is what we want)
The pid (process id) can be left to zero.
The fourth parameter is just a LONG_PTR to a LONG_PTR initialized to NULL.
Note that the first parameter is the session where you want the Ctrl-Alt-Del to be issued. You can issue a Ctrl-Alt-Del from the console to any Terminal Services session and you can as well issue it from any Terminal Services session to another session including the console! Yes, this is amazing.
With the release of Windows 7 and Windows Server 2008R2, Microsoft shipped a SAS.DLL that can be used to simulate Ctrl-Alt-Del from a LocalSystem service. Windows Vista and Windows Server 2008 do not have it but you can get it through the Windows 7 SDK. With SAS.DLL you can only produce Ctrl-Alt-Del to the session you are in (fair enough in most cases, but you can not statically link it inside your executable).
There is another way to produce Ctrl-Alt-Del, it is called AsUser, here you don’t need to launch a LocalSystem service to issue the Ctrl-Alt-Del. On the other hand, the application needs:
- to be signed with authenticode
- to have a manifest with the uiAccess attribute of the requestedExecutionLevel element set to true
- UAC must be turned on
- needs to be lodged in a secure folder (like Program Files or System32)
- the local security policy must be configured to allow applications to simulate a SAS.
Five conditions, but not too much of an inconvenience, nowadays most serious developers already sign their software, it is easy as well to set to true the uiAccess of the manifest and most users already install applications in the Program Files folder and keep UAC turned on (at least with Windows 7 and above). The local security policy can be set directly in the Registry if the application is elevated, otherwise launch Gpedit.msc and under Computer Configuration | Administrative Templates | Windows Components | Windows Logon Options | Disable or enable software Secure Attention Sequence set it to Ease of Access Applications or to Services and Ease of Access Applications.
Understanding what WmsgSendMessage does is relatively easy, when we take for granted that WMsgAPI.dll is a black box that just performs what we want. However, producing Ctrl-Alt-Del as AsUser does not make use of the WmsgSendMessage function at all. Then it becomes more difficult, and not a lot of developers are comfortable with RPC, this alone explains why no one ever found the way until now.
In this case, there is no System Dll ready to perform the work for us, as there is when we call WmsgSendMessage from a LocalSystem account.
We do need a RPC client able to send the correct message to rpcrt4.dll (this is sort of middleman that interprets and dispatches RPC requests to the correct handler). The message itself is very simple, it does not even contains Identity Authentication. Even simple, finding it was not easy at all because there is no oicf MIDL decompilers and all the inner RPC workings are largely undocumented or confusing. The best explanation ever written about how it all works is now 11 years old, it appeared in the Microsoft System Journal of January 1999 but is still available in the internet.
While lots of people reverse engineer the Windows internals, and some write books and end getting nice jobs at Microsoft, I have not actually done any reverse engineering. I have just observed, experimented and produced my own solution!
Now, it is important to state this question: Can you guarantee that your solution will work on any future Service Pack or new Windows Release?
The answer is: No, but WmsgSendMessage and other APIs, even if not documented are being commonly used by OSK.EXE, SAS.DLL and other software distributed by Microsoft to produce Ctrl-Alt-Del. I believe the core functionality will remain for a long time. However, Microsoft may remove the capability to produce Ctrl-Alt-Del to different Terminal Server sessions.
I am making available a complete package, completely free, with easy integration sample source code (actually, there is only one function call that needs to be integrated) in C++ and Delphi. The package includes DLLs for 32-bit and 64-bit applications, which allow you to use the functionality in any application you develop; it includes also signed demo standalone applications and signed demo applications making use of the DLLs, compiled both as 32-bit and 64-bit. I just do not include the source code of the Ctrl-Alt-Del library itself, but you can purchase it (it is really a major learning experience, I guarantee). The project is developed in VS 2010 C++ (no MFC). I have also part of the source code in Delphi and C# (the part of issuing CAD from a Local Service).
Download the FREE AW_SAS (AW_SASLIB.ZIP)