Craftplacer
New Member
Works on SCT and similar I guess
Posts: 20
OS: Windows 11
CPU: Intel i7 550
RAM: 8 GB
GPU: Nvidia GT 710
|
Post by Craftplacer on Apr 24, 2021 1:24:30 GMT -8
I wonder if it's possible to replace LogonUI.exe with a dummy application and check what permissions, system calls you can do. With that, you maybe could reverse engineer how LogonUI works and essentially replace the login screen with a replica of the classic one.
|
|
|
|
Post by OrthodoxWin32 on Apr 24, 2023 4:34:48 GMT -8
Is it possible to get the console login screen with the classic theme, but without disabling DWM ?
In my case, it is displayed with visual style (I use the classic theme by scheduled tasks with CTT).
|
|
rena
New Member
Posts: 4 
OS: Windows 7 Ultimate // Windows 10 IoT Enterprise LTSC 2021 // Void Linux
Theme: Standard Aero // Windows Classic // EMWM
CPU: AMD Ryzen 5 3600
RAM: 32GB DDR4 3600
GPU: AMD Radeon RX 5700XT
|
Post by rena on Apr 24, 2023 6:33:54 GMT -8
Is it possible to get the console login screen with the classic theme, but without disabling DWM ? In my case, it is displayed with visual style (I use the classic theme by scheduled tasks with CTT). It seems like its at least somewhat possible. When the user is signed out the console window either looks like aero with transparency off or it has the thick white frame. When the user is logged on in the ctrl alt del menu or the computer is locked it looks as desired (on SCT):  Not sure if making a small program to theme the console login would work but im tempted to try. |
|
|
|
Post by OrthodoxWin32 on Apr 24, 2023 7:40:15 GMT -8
It seems like its at least somewhat possible. When the user is signed out the console window either looks like aero with transparency off or it has the thick white frame. When the user is logged on in the ctrl alt del menu or the computer is locked it looks as desired (on SCT): View AttachmentNot sure if making a small program to theme the console login would work but im tempted to try. Of course, when I say the "console" I mean the console when the user is logged out. CLS manages to display with the classic theme, it's probably possible with the console. One solution is to use the classic theme without DWM (with the resources folder renamed). But not using DWM is out of the question for me. |
|
rena
New Member
Posts: 4
OS: Windows 7 Ultimate // Windows 10 IoT Enterprise LTSC 2021 // Void Linux
Theme: Standard Aero // Windows Classic // EMWM
CPU: AMD Ryzen 5 3600
RAM: 32GB DDR4 3600
GPU: AMD Radeon RX 5700XT
|
Post by rena on Apr 24, 2023 12:03:41 GMT -8
Of course, when I say the "console" I mean the console when the user is logged out. CLS manages to display with the classic theme, it's probably possible with the console. One solution is to use the classic theme without DWM (with the resources folder renamed). But not using DWM is out of the question for me. I was able to get the classic theme on LogonUI but not without running CTT or SCT as NT Authority\SYSTEM and restarting the process. Even then I had to manually start the batch file.  |
|
|
|
Post by leet on Apr 24, 2023 12:42:17 GMT -8
That is because the classic theme state in Window Station 0 cannot be changed without SYSTEM privileges as it is owned by SYSTEM.
|
|
|
|
Post by OrthodoxWin32 on Apr 24, 2023 12:49:18 GMT -8
Suddenly, it would be necessary to execute a script at system startup, which would start SCT or CTT with SYSTEM privileges.
|
|
|
|
Post by OrthodoxWin32 on Apr 24, 2023 12:53:14 GMT -8
I may have a solution with PsTools.
EDIT : I tried to run CTT with psexec (while connected), I get this error message on the console (with C:\pstools\psexec -s C:\ctt\classicthemetray.exe /enable):
Exception non gÚrÚeá: NtApiDotNet.NtException: (0xC0000034) - Nom dÆobjet introuvable.
Ó NtApiDotNet.NtObjectUtils.CreateResult[T](NtStatus status, Boolean throw_on_error, Func`2 create_func, Action`1 error_func)
Ó NtApiDotNet.NtObjectUtils.CreateResult[T](NtStatus status, Boolean throw_on_error, Func`2 create_func)
Ó NtApiDotNet.NtObjectUtils.CreateResult[T](NtStatus status, Boolean throw_on_error, Func`1 create_func)
Ó NtApiDotNet.NtSection.Open(ObjectAttributes object_attributes, SectionAccessRights desired_access, Boolean throw_on_error)
Ó NtApiDotNet.NtSection.NtTypeFactoryImpl.OpenInternal(ObjectAttributes obj_attributes, SectionAccessRights desired_access, Boolean throw_on_error)
Ó NtApiDotNet.NtObjectWithDuplicate`2.NtTypeFactoryImplBase.Open(ObjectAttributes obj_attributes, AccessMask desired_access, Boolean throw_on_error)
Ó NtApiDotNet.NtType.Open(ObjectAttributes object_attributes, AccessMask desired_access, Boolean throw_on_error)
Ó NtApiDotNet.NtObject.OpenWithType(String typename, String path, NtObject root, AttributeFlags attributes, AccessMask access, SecurityQualityOfService security_quality_of_service, Boolean throw_on_error)
Ó ClassicThemeTray.Program.SetSectionSecurity(String sddl)
Ó ClassicThemeTray.Program.Main(String[] args)
C:\ctt\classicthemetray.exe exited on ******-******** with error code -532462766.
I guess that's what happens when running at system startup by scheduled task (the task then appears as successful, but winlogon appears with the visual style).
|
|
rena
New Member
Posts: 4
OS: Windows 7 Ultimate // Windows 10 IoT Enterprise LTSC 2021 // Void Linux
Theme: Standard Aero // Windows Classic // EMWM
CPU: AMD Ryzen 5 3600
RAM: 32GB DDR4 3600
GPU: AMD Radeon RX 5700XT
|
Post by rena on Apr 24, 2023 20:06:56 GMT -8
I was able to get a small program to run ctt/sct every time Windows goes to the logon screen by doing the utilman exploit but with magnify.exe instead, since you can set the magnifier to run at logon. Its pretty sketch security wise but we are running custom programs as SYSTEM anyway so yeah. Only problem is no matter how many times I try to kill LogonUI it seems like it always needs a manual taskkill for it to display the theme properly. Ive tried creating a dummy LoginUI in an attempt to keep the real one from restarting once its killed but the process restarts pretty quick. Ive also taskkilled it in a loop until the process wasnt found anymore and that didnt work either. Kind of at a loss but Ill try more things tomorrow.
|
|
