Database Search

match allmatch any Look in all areasLook in current areas Check all datesPrevious dayPrevious 3 daysPrevious weekPrevious fortnightPrevious monthPrevious 2 monthsPrevious 3 monthsPrevious half-yearPrevious year

TechHome

	Backups
	Ctrl Alt Del Issues
	Determine Platform - OS
	Get EXE Name
	Get Machine Name - Workstation
	Icons
	Reboot Issues
	Recycle Bin
	Resource Lock
	System Information
	User Profiles

• !Windows Commandline Tricks
• A Word or Phrase in the file search Not Working on XP
• Access to Hardware MP3 Player Device
• Admin Test
• AskYesNo with TimeOut
• Associate Extension to Run Winbatch File
• Autohide Taskbar Code
• Automate FireFox
• Automatically Answer a Dialog Box
• Automatically Clear Pause after EXE Launches
• Base64 encodeing a file
• Block New Program Installs
• BMP Color Change
• Brute Force Way to Convert an int64 that WinBatch Can Handle
• Calculate Text width and height
• Can WinBatch Associate Files
• Capture Control Break
• Change Cursor to Hourglass
• Change Cursor
• Change Explorer Favorites Location
• Change Ip Address
• Change Proportional to Fixed Fonts in Itembox
• Change Share Path
• Changing Default CDROM Drive
• Changing the Windows language
• Check for Multiple Instances of an Application
• Check If a File Is Locked
• Check if a Server is Available
• Check if Application is Installed
• Check if Application is Responsive
• Check if Computer is Locked or Idle
• Check If Extender Is Already Loaded
• Check if Program is Installed
• Check If Someone Is Logged In
• Check If Third Party Menu Item Is Checkmarked
• Check Systems for the MSBlaster Virus
• Check the Grayed-NonGrayed State of Buttons in Pull Down Menus
• Check Which Patches Are Installed
• Clipboard Input Blocked
• Close Child Windows
• Combining WB Scripts
• Command Line Stdin Stdout
• Communicate with a Third-Party Applications Windows-dialogs
• Compress Directory Attribute
• Configure a Workstation to Run HealthStar
• Control Compatibility Mode
• Controlling Citrix Web Client Using WinBatch
• Convert Hex to Ascii
• Convert Image to TIFF
• Convert Temperatures
• Convert TIF to JPG
• Convert Unicode to Big Endian Format File
• Convert Unicode to Big Endian
• Copy Protecting WinBatch Applications
• Create a PDF File
• Create a Shortcut to DUN
• Create a Template WBT file
• Create a Zero K file
• Create Editbox to Accept Formatted Data
• Create Hard Link
• Create Junction Points
• Create Single Byte Arrays and Structures
• Create Startup or Shutdown Script Policies
• Delete a Large Number of Files
• Delete Internet Cookies
• Detect Interact with Desktop
• Detect System Startup Complete
• Detect Version of Java
• Detecting a Locked Workstation
• Detecting Dual Monitors
• Determine Color Range
• Determine Current CD ROM WB is Running On
• Determine IE version installed
• Determine If Menu Bar Has Been Clicked
• Determine if RAS Connection
• Determine Process Start Time
• Determining If a Machine is a Domain Controller
• Disable a Device
• Disable CD Autorun
• Disable Device
• Disable Enable Network Card
• Display Graphical Directory Tree in a Message
• Displaying JPG Files Using Windows Viewer
• Displaying Text Messages on the Console
• DNS Suffix
• Easily Parse Log Files
• Easter finder
• Email HTML Form Data
• Enable or Disable Network Connections
• Enable or Disable Wireless Connection
• Enumerate Devices
• Even or Odd
• Excel Version
• Executing EXE on Remote Computer
• Exit if PC is Idle
• File Size On Disk
• File System Notification on Change
• Financial calculations
• Force Extender Dll Updates
• Format a disk on Windows 2000 or Windows XP
• FTPS Protocol
• Get Current Power Scheme
• Get Current Process ID
• Get Current User Remotely
• Get Data From Memory Address,txt
• Get Default Internet Connection
• Get Highlighted text from Any Window
• Get IE Cache history
• Get Info from a Pair of Directories
• Get Length of MPEG File
• Get line Count and Append if Necessary
• Get Menu String
• Get Microsoft Office Version
• Get Network Address Using IP Address and Subnet mask
• Get Persistent Drive Mappings
• Get Pixel Color
• Get Preferred Language
• Get Process Information from running WinBatch Scripts
• Get ProcessID Thread
• Get Program Files Directory
• Get Remote IP Addresses and Usernames to a List
• Get Unique Records in a List
• Get Version of Internet Explorer
• Get WinBatch Process Environment Block
• Get Windows API Documentation
• Getting WinBatch to Wait - Pause
• GINA Winlogon Desktop and Winbatch
• Grab System Information from MSINFO32
• Handle Errors Including UDFs
• Handling Asynchronous Notifications
• Hibernate
• Hide all the Icons on the Desktop
• Holding down a Key
• How To Call Windows API Functions
• How To Check if a File Handle is Closed
• How to clear event logs
• How to Count Items and Delimiters in a List and Extract Items
• How to Encrypt a Line of Text - Simple Explanation
• How to FTP
• How to Get Encrypted Attribute from a Directory
• How to Locate Functions In Helpfiles
• How to Locate functions in the help files
• How to push Microsoft hotfixes
• How To Read Large File in Multiple Parts
• How to Recurively Copy Files
• How to Retrieve Data from a Database File
• How to Set the AskDirectory Dialog Box Size
• HTML Form Submitted to Winbatch Script
• HTTP Authentication
• Icon Extractor
• Image Comparison
• Increment Through the Alphabet
• Inf Install
• Install a font
• Install AD Printer
• Install File and Print Sharing
• International Date Settings
• Internet Explorer Cache History Retrieval
• Internet time monitor
• Interprogram Communication
• ISO CD Image File
• Issues Interacting with FileMaker Pro
• Kill Predecessor
• Killing 16 bit apps in NT
• Last time ScanDisk and Defrag Performed
• Launch a program on the System Tray
• Launch a WBT File using Explorer SendTo
• Launch Script from SendTo
• Launch the file properties dialog for a file
• Launch WinBatch from Internet Explorer Context Menu
• Limit User Access to Computer
• List all Hotkeys
• List Applications Installed on Remote Machines
• List DVD Drives
• List Installed Modems
• Listing Files from within Zip Files
• Lock NT Server
• Loop Forever until SHIFT Key Pressed
• Lotus Notes - DllCall to change password
• Make a Multiline Input Box
• Make a Thumbdrive Read-Only
• Make Directory Listings
• Make Task Bar Blink
• Make WinBatch Delete Itself
• Making Bitmap files via GDI calls
• Manipulate screen or file data
• Map Ports to Services
• Microsoft Service Pack Checker
• MIME Utility for Email Messages
• Modify Internet Explorer Automatic Detect Setting
• Modify Local Group Policy
• Monitor for Windows Shutdown or Logoff
• Mouse Drag and Highlight - Display Image
• Msi Get File Version
• OCR Support
• Open File Search from StartMenu
• Open MultiUser Files on a Network
• Parse HTML
• Pass Memory Variables to VB
• Passing Parameters from Javascript
• Print Formatted Image Files
• Pushing Elevated WinBatch Scripts to Users
• Query Excel Status Bar Txt
• Random Alpha Numeric Number
• Read Hardware Video BIOS
• Read Quote in INI File
• Read Statusbar Text from Browser
• Recursive directory name search
• Reduce Shape Point List
• Refresh Policy
• Regular Expression Question
• Release LAN IP Settings
• Remove HTML Tags
• Rename a Username without Admin Rights
• Reset IE Settings
• Resize and Place Dialog boxes with 2nd wbt
• Retain Quotation Marks in WB Command Lines
• Run Explorer in a Different Security Context
• Run from Current Location - Webpage
• Run PowerShell Command
• Run WinBatch From Webpage
• RunWithLogon Return to Local User Account
• Save Screen to a BMP File
• Script Minimized When Launched from Lotus Notes Email
• Script Windows Component Install
• Scripting the Group Policy Management Console
• Search for Folder Existence
• Send Control Break to a Window
• Server Connectivity
• Set Disk Volume Name
• Set Modified Date for a Directory
• Set USB Drives To Read Only
• Set Volume
• Show Desktop
• Sorting START menu Alphabetically
• Specify a Script to Run on Startup Shutdown Logon Logoff
• Start Program Only at Windows Shutdown
• Store Image in WBT Script
• Strip out Variable from WBERRORHANDLER Line
• Switch with a Variable Name
• Test
• Thoughts on Writing Faster Code
• Track an Incoming Fax
• Transferring info between WB and other programs
• Translate ANSI Sequences
• Traversing Network Neighborhood using AskFileName
• Turn File Sharing Off on Win95
• Uninstalling Software
• Unlock Workstation Trick
• Use Contents of One AskItemList Box within Another
• Use Global Varaible to tell Errorhandler to Ignore Specific Errors
• Using MS System Agent to Run a WBT File
• Validate WIL Variable Name
• Validating Password
• Various Ways to Download a File
• Verify Calling Parent Process
• Wait until no Input
• WAN IP Address
• Web Scraping
• Winbatch Findstr Equivalent
• Working with RAR Files
• Write to USB Port

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

Unlock Workstation Trick

---

Note: Prior to Vista, this method of escalation will work reliably since a native NT service could be configured to run as "Local System" and thus have the same privileges as the O.S. itself and all services would run in session #0, which was guaranteed to be the console session. However, as of Vista, services no longer have access to the interactive desktop, are confined to session #0 and the console is no longer associated with session #0. In effect, this escalation method has been made unusable on Vista & newer.

Resources:
The gist of these sources is that you *can* do it, by having a service running on the machine under the local system account. The service will have access to the WinLogon desktop - and once you have that, you're in.

Contains the C++ source code from VNC (as VNC is open source). http://www.codeguru.com/forum/showthread.php?t=330557

http://groups.google.com/group/microsoft.public.vb.general.discussion/browse_thread/thread/b38338dea240f866/adb7aaa1bc4ba6ac%23adb7aaa1bc4ba6ac?sa=X&oi=groupsr&start=2&num=3

---

The biggest part of the secret is running a service under the local system account, which has the ability to launch a new process on the WinLogon desktop. Microsoft wants you to believe there is something magical about the WinLogon desktop, but there really isn't.

Once the service is running under the local system account, it needs to use DllCall to call CreateProcess directly and specify the WinStation\Desktop for a new process ("WinSta0\Winlogon" if I recall correctly).

---

Sample code written by Artomegus:

runsendcad.wbt is the code that should run under the local System account (e.g. from a service). It calls another program called sendcad.exe, and expects it to be in the same directory as the current executable. It uses CreateProcess to launch the new process on the Winlogon desktop.

sendcad.wbt is the code that does the work of posting CTRL+ALT+DEL broadcast message on the Winlogon desktop. Must be compiled and called via the code in runsendcad.wbt

sendcad.wbt could be modified to do additional stuff after sending the CTRL+ALT+DEL.

---

RUNSENDCAD.WBT

sDirExe = FilePath(IntControl(1004, 0, 0, 0, 0))

sCrashLog = StrCat(sDirExe, "runsendcad-crash.txt")

FileDelete(sCrashLog)

IntControl(38, 1, sCrashLog, 0, 0)

sCmdLine = StrCat(sDirExe, "sendcad.exe")

sKernel = StrCat(DirWindows(1), "kernel32.dll")

hDesktop = BinaryAlloc(32)
BinaryPokeStr(hDesktop, 0, "WinSta0\Winlogon")
lpDesktop = IntControl(42, hDesktop, 0, 0, 0)

hSI = BinaryAlloc(68)
BinaryPoke4(hSI,0,68);        DWORD   cb                  size of structure
BinaryPoke4(hSI,4,0) ;        LPTSTR  lpReserved
BinaryPoke4(hSI,8,lpDesktop); LPTSTR  lpDesktop
BinaryPoke4(hSI,12,0);        LPTSTR  lpTitle
BinaryPoke4(hSI,16,0);        DWORD   dwX
BinaryPoke4(hSI,20,0);        DWORD   dwY
BinaryPoke4(hSI,24,0);        DWORD   dwXSize
BinaryPoke4(hSI,28,0);        DWORD   dwYSize
BinaryPoke4(hSI,32,0);        DWORD   dwXCountChars
BinaryPoke4(hSI,36,0);        DWORD   dwYCountChars
BinaryPoke4(hSI,40,0);        DWORD   dwFillAttribute
BinaryPoke4(hSI,44,0);        DWORD   dwFlags
BinaryPoke2(hSI,48,0);        WORD    wShowWindow (SW_HIDE = 0)
BinaryPoke2(hSI,50,0);        WORD    cbReserved2
BinaryPoke4(hSI,52,0);        LPBYTE  lpReserved2
BinaryPoke4(hSI,56,0);        HANDLE  hStdInput
BinaryPoke4(hSI,60,0);        HANDLE  hStdOutput
BinaryPoke4(hSI,64,0);        HANDLE  hStdError

hPI = BinaryAlloc(16)

;BOOL CreateProcess(
;  LPCTSTR lpApplicationName,
;  LPTSTR lpCommandLine,
;  LPSECURITY_ATTRIBUTES lpProcessAttributes,
;  LPSECURITY_ATTRIBUTES lpThreadAttributes,
;  BOOL bInheritHandles,
;  DWORD dwCreationFlags,
;  LPVOID lpEnvironment,
;  LPCTSTR lpCurrentDirectory,
;  LPSTARTUPINFO lpStartupInfo,
;  LPPROCESS_INFORMATION lpProcessInformation)

DllCall(sKernel, long:"CreateProcessA", lpnull, lpstr:sCmdLine, lpnull, lpnull, long:0, long:0, lpnull, lpnull, lpbinary:hSI, lpbinary:hPI)

BinaryFree(hDesktop)
BinaryFree(hPI)
BinaryFree(hSI)

---

SENDCAD.WBT

sDirExe = FilePath(IntControl(1004, 0, 0, 0, 0))
sCrashLog = StrCat(sDirExe, "sendcad-crash.txt")
FileDelete(sCrashLog)
IntControl(38, 1, sCrashLog, 0, 0)
sUser = StrCat(DirWindows(1), "user32.dll")
DllCall(sUser, long:"PostMessageA", long:65535, long:786, long:0, long:3014659)

---

Article ID:   W17024

File Created: 2009:04:30:12:12:12

Last Updated: 2009:04:30:12:12:12