[Incomplete] First Classic logon experience on Windows 10/11
Jul 5, 2021 7:22:41 GMT -8
Post by leet on Jul 5, 2021 7:22:41 GMT -8
After a lot of research and testing I've finally found a way to get a login experience similar to Windows 2K on Windows 10 and 11. It works by simulating a logon screen through a custom Winlogon shell.
Video: youtu.be/k06rSJUtcR4
For those who want to know the 'how':
The first idea was to replace LogonUI with a custom executable that would mimic its functionality. A lot of trial and error went into writing code to analyse and mimic LogonUI until I came to the conclusion that it does more than just display a UI. It also handles the logon, and communicates with CSRSS and Winlogon to get the user's Console, Workstation and Desktop active. Without source that'll be near impossible to replicate.
After that failure, I tried to shorten the span in which you see the Windows 10/11 logon and replace the first thing that comes after: the shell. For this, the administrator account was required because I needed to run an executable without UAC but with Administrator permissions. It is the only account a user can log in to that can do this. Setting HKCU\SOFTWARE\Microsoft\Windows NT\Winlogon\Shell to my executable makes it the first thing that runs when you log into Administrator.
Finally another crucial part: how do you log into a user using public APIs? I've looked through pretty much the entire Windows programmer reference and I have not found a single thing that does this. Luckily, the brain is big and has found a way: RDP. My program basically does the following:
1. Check the credentials with LogonUser. Letting RDP check the credentials results in a modern login box appearing when you enter an incorrect password.
2. Create an RDP session that connects to the local computer. See note 1.
3. When the session is connected, start checking if the login has finished using the WTS API (WTSEnumerateSessions).
4. When the login has finished, tell RDP to disconnect and start checking when the session is free for use (WTS_DISCONNECTED).
5. When that is the case, tell WTS to connect the current console session to the console session of the freshly logged in user.
6. At this point, log out of the Administrator account.
Note 1: Creating an RDP session that connects to the local computer isn't actually possible. Well it is, but Microsoft doesn't allow for it. It's not the connecting to the local computer that's the issue but rather having multiple users logged in at the same time (Specifically: logged in and not locked). I use a program called RDP Wrapper in order to patch RDP so that it allows multiple simultaneous connections.
Uses/Does:
Replace the shell for the Administrator user to custom login prompt
Auto login Administrator so that you will only see the Windows login for a split second
Create custom login prompt that logs in with RDP and then switches to that account
Display funny background
Patch RDP using RDPWrapper so that it allows an RDP connection while still logged in to Administrator
Has to do in the future:
Automatically log into Administrator on logoff or switch users (Maybe Credential Provider?)
Be more secure. Right now you can just press Ctrl+Shift+Esc to get a task manager with full permissions
Add a dialog that can change the system colours of the Administrator user
Add a form that displays the user's background color (Done as of 1.1.0)
Add animation
BAD:
Switching users/logging off goes to the Windows login screen
Windows Update will screw over RDPWrapper making you unable to login
Not much else surprisingly
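For anyone administering a machine where something like this has been set up, here is an added audit script (not the poster's code) that reports the settings the post changes: a non-explorer Winlogon shell, auto-logon for the built-in Administrator, and a replaced Terminal Services DLL. The registry paths and the well-known RID 500 SID are standard; the assumption is an RDP Wrapper install that swaps TermService's ServiceDll, which is how that tool usually hooks in.

```powershell
# Added example: audit Winlogon shell, auto-logon and TermService settings.
# Run in an elevated PowerShell on the Windows host being checked.
$findings = @()

$wlMachine = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wlUser    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Shell replacement: anything other than explorer.exe runs with the user's
#    full token at every logon (for built-in Administrator, without UAC).
foreach ($hive in @($wlMachine, $wlUser)) {
    $shell = Get-RegValue $hive 'Shell'
    if ($shell -and ($shell -ne 'explorer.exe')) {
        $findings += "Custom Winlogon shell in ${hive}: $shell"
    }
}

# 2. Auto-logon: AutoAdminLogon=1 plus a stored DefaultPassword means anyone
#    at the console reaches that account without typing credentials.
if ((Get-RegValue $wlMachine 'AutoAdminLogon') -eq '1') {
    $who = Get-RegValue $wlMachine 'DefaultUserName'
    $pw  = Get-RegValue $wlMachine 'DefaultPassword'
    $msg = "AutoAdminLogon enabled for '$who'"
    if ($pw) { $msg += ' (plaintext DefaultPassword present)' }
    $findings += $msg
}

# 3. Built-in Administrator (RID 500) enabled; the post needs it active.
$admin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Enabled) {
    $findings += "Built-in Administrator '$($admin.Name)' is enabled"
}

# 4. RDP Wrapper (assumption: default install) points TermService at its own
#    DLL instead of termsrv.dll, which is what lets extra sessions through.
$svcDll = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' 'ServiceDll'
if ($svcDll -and ($svcDll -notmatch '\\termsrv\.dll$')) {
    $findings += "TermService ServiceDll is not termsrv.dll: $svcDll"
}

if ($findings.Count -eq 0) { 'No Winlogon/RDP findings.' } else { $findings }
```

Each line of output corresponds to one of the items in the post's list above, so a clean run means the setup has been fully reverted.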