Resources:
The gist of these sources is that you *can* do it, by having a service running on the machine under the local system
account. The service will have access to the WinLogon desktop - and once you have that, you're in.
Contains the C++ source code from VNC (as VNC is open source). http://www.codeguru.com/forum/showthread.php?t=330557
The biggest part of the secret is running a service under the local system account, which has the ability to launch a new process on the WinLogon desktop. Microsoft wants you to believe there is something magical about the WinLogon desktop, but there really isn't.
Once the service is running under the local system account, it needs to use DllCall to call CreateProcess directly and specify the WinStation\Desktop for a new process ("WinSta0\Winlogon" if I recall correctly).
Sample code written by Artomegus:
runsendcad.wbt is the code that should run under the local System account (e.g. from a service). It calls another program called sendcad.exe, and expects it to be in the same directory as the current executable. It uses CreateProcess to launch the new process on the Winlogon desktop.
sendcad.wbt is the code that does the work of posting the CTRL+ALT+DEL broadcast message on the Winlogon desktop. It must be compiled and called via the code in runsendcad.wbt.
sendcad.wbt could be modified to do additional stuff after sending the CTRL+ALT+DEL.
RUNSENDCAD.WBT
; Directory of the running executable; sendcad.exe is expected alongside it
sDirExe = FilePath(IntControl(1004, 0, 0, 0, 0))
sCrashLog = StrCat(sDirExe, "runsendcad-crash.txt")
FileDelete(sCrashLog)
IntControl(38, 1, sCrashLog, 0, 0)
sCmdLine = StrCat(sDirExe, "sendcad.exe")
sKernel = StrCat(DirWindows(1), "kernel32.dll")

; Target window station\desktop name, passed by address in STARTUPINFO.lpDesktop
hDesktop = BinaryAlloc(32)
BinaryPokeStr(hDesktop, 0, "WinSta0\Winlogon")
lpDesktop = IntControl(42, hDesktop, 0, 0, 0)

; STARTUPINFO structure (68 bytes, 4-byte pointers and handles)
hSI = BinaryAlloc(68)
BinaryPoke4(hSI,0,68)        ; DWORD cb size of structure
BinaryPoke4(hSI,4,0)         ; LPTSTR lpReserved
BinaryPoke4(hSI,8,lpDesktop) ; LPTSTR lpDesktop
BinaryPoke4(hSI,12,0)        ; LPTSTR lpTitle
BinaryPoke4(hSI,16,0)        ; DWORD dwX
BinaryPoke4(hSI,20,0)        ; DWORD dwY
BinaryPoke4(hSI,24,0)        ; DWORD dwXSize
BinaryPoke4(hSI,28,0)        ; DWORD dwYSize
BinaryPoke4(hSI,32,0)        ; DWORD dwXCountChars
BinaryPoke4(hSI,36,0)        ; DWORD dwYCountChars
BinaryPoke4(hSI,40,0)        ; DWORD dwFillAttribute
BinaryPoke4(hSI,44,0)        ; DWORD dwFlags
BinaryPoke2(hSI,48,0)        ; WORD wShowWindow (SW_HIDE = 0)
BinaryPoke2(hSI,50,0)        ; WORD cbReserved2
BinaryPoke4(hSI,52,0)        ; LPBYTE lpReserved2
BinaryPoke4(hSI,56,0)        ; HANDLE hStdInput
BinaryPoke4(hSI,60,0)        ; HANDLE hStdOutput
BinaryPoke4(hSI,64,0)        ; HANDLE hStdError

; PROCESS_INFORMATION structure, filled in by CreateProcess
hPI = BinaryAlloc(16)

;BOOL CreateProcess(
;  LPCTSTR lpApplicationName,
;  LPTSTR lpCommandLine,
;  LPSECURITY_ATTRIBUTES lpProcessAttributes,
;  LPSECURITY_ATTRIBUTES lpThreadAttributes,
;  BOOL bInheritHandles,
;  DWORD dwCreationFlags,
;  LPVOID lpEnvironment,
;  LPCTSTR lpCurrentDirectory,
;  LPSTARTUPINFO lpStartupInfo,
;  LPPROCESS_INFORMATION lpProcessInformation)
DllCall(sKernel, long:"CreateProcessA", lpnull, lpstr:sCmdLine, lpnull, lpnull, long:0, long:0, lpnull, lpnull, lpbinary:hSI, lpbinary:hPI)

BinaryFree(hDesktop)
BinaryFree(hPI)
BinaryFree(hSI)
SENDCAD.WBT
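sDirExe = FilePath(IntControl(1004, 0, 0, 0, 0))
sCrashLog = StrCat(sDirExe, "sendcad-crash.txt")
FileDelete(sCrashLog)
IntControl(38, 1, sCrashLog, 0, 0)
sUser = StrCat(DirWindows(1), "user32.dll")

; PostMessage parameters:
;   65535   = 0xFFFF     HWND_BROADCAST
;   786     = 0x0312     WM_HOTKEY
;   0                    wParam
;   3014659 = 0x002E0003 lParam: low word MOD_ALT|MOD_CONTROL (3), high word VK_DELETE (0x2E)
DllCall(sUser, long:"PostMessageA", long:65535, long:786, long:0, long:3014659)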
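A caveat on the hard-coded structure offsets in runsendcad.wbt, shown as an added example in Python (not part of the original article or Artomegus's code): it recomputes the STARTUPINFOA layout for 4-byte and 8-byte pointers and compares it with the offsets the script pokes. The function names are hypothetical, and natural alignment of each member is assumed.

```python
# STARTUPINFOA members in declaration order: D = DWORD, W = WORD, P = pointer/handle
FIELDS = [("cb", "D"), ("lpReserved", "P"), ("lpDesktop", "P"), ("lpTitle", "P"),
          ("dwX", "D"), ("dwY", "D"), ("dwXSize", "D"), ("dwYSize", "D"),
          ("dwXCountChars", "D"), ("dwYCountChars", "D"), ("dwFillAttribute", "D"),
          ("dwFlags", "D"), ("wShowWindow", "W"), ("cbReserved2", "W"),
          ("lpReserved2", "P"), ("hStdInput", "P"), ("hStdOutput", "P"),
          ("hStdError", "P")]

# Offsets hard-coded by the BinaryPoke calls in runsendcad.wbt
SCRIPT_OFFSETS = {"cb": 0, "lpReserved": 4, "lpDesktop": 8, "lpTitle": 12,
                  "dwX": 16, "dwY": 20, "dwXSize": 24, "dwYSize": 28,
                  "dwXCountChars": 32, "dwYCountChars": 36, "dwFillAttribute": 40,
                  "dwFlags": 44, "wShowWindow": 48, "cbReserved2": 50,
                  "lpReserved2": 52, "hStdInput": 56, "hStdOutput": 60,
                  "hStdError": 64}
SCRIPT_SIZE = 68  # BinaryAlloc(68) and the value written to cb


def layout(ptr_size):
    """Return ({member: offset}, sizeof) assuming natural alignment."""
    sizes = {"D": 4, "W": 2, "P": ptr_size}
    offsets, pos, max_align = {}, 0, 1
    for name, kind in FIELDS:
        size = sizes[kind]
        pos = -(-pos // size) * size          # round up to the member's alignment
        offsets[name] = pos
        pos += size
        max_align = max(max_align, size)
    return offsets, -(-pos // max_align) * max_align  # pad tail to struct alignment


def mismatches(ptr_size):
    """Members (plus 'sizeof') where the script's layout disagrees with the ABI."""
    offsets, total = layout(ptr_size)
    bad = [name for name, _ in FIELDS if offsets[name] != SCRIPT_OFFSETS[name]]
    if total != SCRIPT_SIZE:
        bad.append("sizeof")
    return bad


if __name__ == "__main__":
    for bits in (32, 64):
        offsets, total = layout(bits // 8)
        print(f"{bits}-bit: sizeof={total}, lpDesktop at {offsets['lpDesktop']}, "
              f"mismatches={mismatches(bits // 8) or 'none'}")
```

The script's offsets match only the 4-byte-pointer layout; with 8-byte pointers the structure is 104 bytes and lpDesktop sits at offset 16, so the BinaryPoke4 calls would have to be recalculated.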
Article ID: W17024
File Created: 2009:04:30:12:12:12
Last Updated: 2009:04:30:12:12:12