• MS-Windows: Send keys to login/unlock page/Assistive Technology Applica

    From Harald Oehlmann@21:1/5 to All on Wed Jun 7 15:48:30 2023
    Dear TCL/Tk MS-Windows experts,

    we are in Windows 10/11 login or locked screen.

    Application: send password by emulated keystrokes from a TCL
    application. A barcode scanner is attached to the application. A login
    code is scanned by the barcode reader and the password is extracted (it
    is stored encrypted).

    The application sends virtual keyboard data via Windows function
    "keybd_event" or TWAPI. It is wrapped into a starkit.

    I started the app as administrator -> data did not come through to the
    lock screen password field
    I started the app as a service as user "system" -> did not come through

    This page https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendinput
    states:
    "This function is subject to UIPI. Applications are permitted to inject
    input only into applications that are at an equal or lesser integrity
    level.".

    Now, how to set the integrity level, probably "system" is required? https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

    I did not really find anything. Any comments on that?

    But I found this: https://learn.microsoft.com/en-us/windows/win32/winauto/uiauto-securityoverview

    So, such an application may interact with any other.
    Requirements are:

    1) Be signed with a certificate to interact with applications running at
    a higher privilege level.
    2) Be trusted by the system. The application must be installed in a
    secure location that requires a user account control (UAC) prompt for
    access. For example, the Program Files folder.
    3) Be built with a manifest file that includes the uiAccess flag.

    Question about 1) signed exe:
    - thanks to Paul, here is a howto for self signed certificates: https://wiki.tcl-lang.org/page/SDX+under+Windows
    This also works with the starkits compiled by Ashok, I tested it, great!
    I suppose, a self signed certificate is not sufficient. So, I may buy
    one here:
    https://www.globalsign.com/de-de/code-signing/microsoft-authenticode
    Is that a good idea? Which of the proposed keys, expensive or more
    expensive? On hardware token or on TPM module (no Azure, please).

    Question about 3) manifest
    How may I change or view the manifest of the starkit file ?

    Thanks for any answer,
    Harald

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
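
Added example, not part of the original thread or of any poster's code: a small audit of requirements 2) and 3) from the list above, which also shows one way to view the manifest embedded in a wrapped executable. It assumes the manifest is stored as uncompressed XML text inside the file and that the system drive is C:; the function names, the sample bytes and the install paths are constructed for illustration, and requirement 1) (the signature) is not checked here.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Locations treated as "secure" for uiAccess programs.
# Assumption: default folder names on a C: system drive.
SECURE_ROOTS = (
    r"C:\Program Files",
    r"C:\Program Files (x86)",
    r"C:\Windows\System32",
)

# The application manifest is an XML document whose root element is <assembly>.
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)


def extract_manifest(exe_bytes):
    """Return the first embedded manifest as text, or None if none is found."""
    match = MANIFEST_RE.search(exe_bytes)
    return match.group(0).decode("utf-8", errors="replace") if match else None


def requested_execution_level(manifest_xml):
    """Return {'level', 'uiAccess'} from <requestedExecutionLevel>, or None."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    for element in root.iter():
        # Compare local names so any namespace prefix is accepted.
        if element.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            flag = element.get("uiAccess", "false").strip().lower()
            return {"level": element.get("level"), "uiAccess": flag == "true"}
    return None


def in_secure_location(install_path):
    """True if the path, after resolving '..', lies below a secure root."""
    path = ntpath.normcase(ntpath.normpath(install_path))
    return any(path.startswith(ntpath.normcase(root) + "\\") for root in SECURE_ROOTS)


def audit(exe_bytes, install_path):
    """Report manifest flag and install location for one executable."""
    manifest = extract_manifest(exe_bytes)
    level = requested_execution_level(manifest) if manifest else None
    ui_access = bool(level and level["uiAccess"])
    secure = in_secure_location(install_path)
    return {
        "has_manifest": manifest is not None,
        "level": level["level"] if level else None,
        "uiAccess": ui_access,
        "secure_location": secure,
        # Signature must be verified separately, e.g. with signtool verify
        # or Get-AuthenticodeSignature on the target machine.
        "manifest_and_location_ok": ui_access and secure,
    }


# Constructed sample: fake PE header bytes, a manifest, and trailing data.
SAMPLE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""
SAMPLE_EXE = b"MZ" + b"\x00" * 64 + SAMPLE_MANIFEST + b"\x00\x01trailing data"

if __name__ == "__main__":
    # Constructed install paths: one secure, one that escapes via '..'.
    for path in (r"C:\Program Files\Scanner\twapisend.exe",
                 r"C:\Program Files\..\Temp\twapisend.exe"):
        print(path, audit(SAMPLE_EXE, path))
```

To inspect a real file, pass `open(path, "rb").read()` as the first argument.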
  • From et99@21:1/5 to Harald Oehlmann on Wed Jun 7 13:18:35 2023
    It sounds like you need to run this before the user is
    logged in. I'm not sure if this would work before
    you're even logged in, however,

    https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/

    I've used this described procedure with the task
    scheduler to run a tcl script at admin privs to run a
    program w/o the prompt and then using twapi find its
    window and send it mouse clicks.

    In the task scheduler, I see one can set in the
    general tab, "run whether user is logged on or not"
    And there's also a checkbox "run with *highest*
    privileges". Not sure how high that really is though.

    Then in the triggers tab, with new... (to create a new
    trigger) at the top it says "begin the task", one can
    choose "at logon" or even "at startup".

    I've not tried this, as the above page only discusses
    how to setup a task that you run from a shortcut using
    the schtasks.exe program.

    But perhaps you can adapt it to run prior to logon.
    Then maybe you don't need to use the schtasks.exe
    directly, but have it run for you at logon or startup.
    If it runs with highest privs, maybe that's good enough.

    I've only used this on win 10 however, not win 11.

  • From Harald Oehlmann@21:1/5 to All on Thu Jun 8 12:18:45 2023
    Thanks a lot for this valuable contribution.
    I appreciate that you read this long post and thought about it.

    Did you do mouse-clicks on the unlock login screen (if the user has
    locked the screen)? Did that work? If YES, I am interested, how the
    application is done. Is the exe signed? Is it at c:\program files..?
    What is the manifest?

    What I tested:
    - desktop starkit with user privileges -> can send keypresses to any
    other program of the user. If the user locks the screen and activates
    the password entry, it can not send to this entry.
    - desktop starkit with admin privileges -> can send keypresses to other
    admin programs and to user programs. If the user locks the screen and
    activates the password entry, it can not send to this entry.
    - Windows service starkit with system user: can send keypress to any
    other program, but not to initial login password field, nor to unlock
    screen password field.

    The corresponding system calls succeed when keystrokes are sent to the
    login screen, but there is no output. I suppose, the following phrase
    from the SendInput function help page gives insight to that:
    "This function fails when it is blocked by UIPI. Note that neither
    GetLastError nor the return value will indicate the failure was caused
    by UIPI blocking."

    So, I suppose, your proposition was already tested.

    Do you agree with this analysis ?

    Thank you again, I appreciate it!

    Take care,
    Harald

  • From et99@21:1/5 to Harald Oehlmann on Thu Jun 8 12:29:35 2023
    In your description you didn't mention if you can move the mouse pointer over the login screen and see it move to the password entry field, followed by a left click. Are you able to do that?

    I never log out nor use the login screen on my computer, but as I recall, you have to left click on the password text entry to get anything going.

    I don't know if my use of the task scheduler is anything more than what you are already doing, I just know it lets me avoid the user account control screen, which I couldn't otherwise do.

    I don't use an .exe signature, I'm just launching a tclkit.exe with a script, which exec's my backup program, finds its main window and sends it some mouse clicks all using twapi.

    The procedure on that page I mentioned is fairly straight forward, it even shows you pictures of the dialogs you need to fill out to create a task (just scroll down past the ads).

    Good Luck

  • From Harald Oehlmann@21:1/5 to All on Thu Jun 8 21:51:42 2023
    Thanks for the clarification, I appreciate it.
    I will test whether this works for me.

    Thank you and take care,
    Harald

  • From Harald Oehlmann@21:1/5 to All on Thu Jun 15 12:36:50 2023
    Dear ET99,

    I have made additional tests.

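    The following script was wrapped into a starkit (by Ashok, tcl8.6.12,
    TWAPI 4.7.2, 32bit) on Windows 10 64bit GER and started as administrator:
    <SCRIPT>
    package require Tk
    console show
    wm withdraw .
    update
    package require twapi
    # Every 10 s: inject one key event (virtual key 65 = "A", scan code 0x1e)
    # and echo "a" to the console so each attempt is visible.
    proc s {} {
        twapi::send_input [list [list key 65 0x1e]]
        puts -nonewline a
        after 10000 s
    }
    after 10000 s

    # Move the mouse to (100,100) and print the catch result code and message,
    # then repeat every 10 s. This script defines m but does not schedule it.
    proc m {} {
        puts "[catch {twapi::move_mouse 100 100} e] $e"
        after 10000 m
    }
    </SCRIPT>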

    Wrap command:
    tclkit-cli-8_6_12-twapi-4_7_2-x86-max.exe sdx.kit wrap twapisend.exe -runtime tclkit-gui-8_6_12-twapi-4_7_2-x86-max.exe

    Then, the lock screen was activated.
    The mouse move and key press is active in the lock screen.
    The keypress changes to the password screen.
    The mouse moves to the upper-right corner.
    But when changing (by the keypress) to the password entry screen, neither
    mouse move nor keypress is recognized.

    The mouse move returns an error:
    1 Wrong parameter
    The keypress just does not appear.

    Is this also what you see, or are you able to move the mouse in the
    password part of the lock screen ?

    Thank you and take care,
    Harald

  • From et99@21:1/5 to Harald Oehlmann on Thu Jun 15 15:50:41 2023
    Yes, I see pretty much what you do. I can move the mouse pointer and
    send it a character that opens the password text box.

    After that, the only thing active is the onscreen keyboard
    or the actual keyboard. I have to enter a password to leave.

    I can't even paste anything into the password field.

    So, sorry, this doesn't appear to work.

    I did find this discussion and it seems likely that only using a driver will work:

    https://stackoverflow.com/questions/9652358/simulating-input-in-windows-logon-screen-using-a-driver

  • From Harald Oehlmann@21:1/5 to All on Fri Jun 16 10:00:47 2023
    Am 16.06.2023 um 00:50 schrieb et99:
    On 6/15/2023 3:36 AM, Harald Oehlmann wrote:
    Am 08.06.2023 um 21:51 schrieb Harald Oehlmann:
    Am 08.06.2023 um 21:29 schrieb et99:
    On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
    Am 07.06.2023 um 22:18 schrieb et99:

    It sounds like you need to run this before the user is
    logged in. I'm not sure if this would work before
    you're even logged in, however,

    https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/

    I've used this described procedure with the task
    scheduler to run a tcl script at admin privs to run a
    program w/o the prompt and then using twapi find its
    window and send it mouse clicks.

    In the task scheduler, I see one can set in the
    general tab, "run whether user is logged on or not"
    And there's also a checkbox "run with  *highest*
    privileges". Not sure how high that really is though.

    Then in the triggers tab, with new... (to create a new
    trigger) at the top it says "begin the task", one can
    choose "at logon" or even "at startup".

    I've not tried this, as the above page only discusses
    how to setup a task that you run from a shortcut using
    the schtasks.exe program.

    But perhaps you can adapt it to run prior to logon.
    Then maybe you don't need to use the schtasks.exe
    directly, but have it run for you at logon or startup.
    If it runs with highest privs, maybe that's good enough.

    I've only used this on win 10 however, not win 11.

    Thanks a lot for this valuable contribution.
    I appreciate, that you read this long post and thinks on it.

    Did you do mouse-clicks on the unlock login screen (if the user has
    locked the screen)? Did that work? If YES, I am interested, how the
    application is done. Is the exe signed? Is it at c:\program
    files..? What is the manifest?

    What I tested:
    - desktop starkit with user privileges -> can send keypresses to
    any other program of the user. If the user locks the screen and
    activates the password entry, it can not send to this entry.
    - desktop starkit with admin privileges -> can send keypresses to
    other admin programs and to user programs. If the user locks the
    screen and activates the password entry, it can not send to this
    entry.
    - Windows service starkit with system user: can send keypress to
    any other program, but not to initial login password field, nor to
    unlock screen password field.

    The corresponding system calls succeed when keystrokes are sent to
    the login screen, but there is no output. I suppose, the following
    phrase from the SendInput function help page gives insight to that:
    "This function fails when it is blocked by UIPI. Note that neither
    GetLastError nor the return value will indicate the failure was
    caused by UIPI blocking."

    So, I suppose, your proposition was already tested.

    Do you agree with this analysis ?

    Thank you again, I appreciate !

    Take care,
    Harald



    In your description you didn't mention if you can move the mouse
    pointer over the login screen and see it move to the password entry
    field, followed by a left click. Are you able to do that?

    I never log out nor use the login screen on my computer, but as I
    recall, you have to left click on the password text entry to get
    anything going.

    I don't know if my use of the task scheduler is anything more than
    what you are already doing, I just know it lets me avoid the user
    account control screen, which I couldn't otherwise do.

    I don't use an .exe signature, I'm just launching a tclkit.exe with
    a script, which exec's my backup program, finds its main window and
    sends it some mouse clicks all using twapi.

    The procedure on that page I mentioned is fairly straight forward,
    it even shows you pictures of the dialogs you need to fill out to
    create a task (just scroll down past the ads).

    Good Luck

    Thanks for the clarification, I appreciate.
    I will test, if this works for me.

    Thank you and take care,
    Harald

    Dear ET99,

    I have made additional tests.

    The following script was wrapped into a starkit (by Ashok, tcl8.6.12,
    TWAPI 4.7.2, 32bit) on Windows 10 64bit GER and started as administrator:
    <SCRIPT>
    package require Tk
    console show
    wm withdraw .
    update
    package require twapi
    proc s {} {
         twapi::send_input [list [list key 65 0x1e]]
         puts -nonewline a
         after 10000 s
    }
    after 10000 s

    proc m {} {
         puts "[catch {twapi::move_mouse 100 100} e] $e"
         after 10000 m
    }
    </SCRIPT>

    Wrap command:
    tclkit-cli-8_6_12-twapi-4_7_2-x86-max.exe sdx.kit wrap twapisend.exe
    -runtime tclkit-gui-8_6_12-twapi-4_7_2-x86-max.exe

    Then, the lock screen was activated.
    The mouse move and key press are active in the lock screen.
    The keypress changes to the password screen.
    The mouse moves to the upper-right corner.
    But when changing (by the keypress) to the password entry screen, neither
    mouse move nor keypress is recognized.

    The mouse move returns an error:
    1 Wrong parameter
    The keypress just does not appear.

    Is this also what you see, or are you able to move the mouse in the
    password part of the lock screen?

    Thank you and take care,
    Harald


    Yes, I see pretty much what you do. I can move the mouse pointer and
    send it a character that opens the password text box.

    After that, the only thing active is the onscreen keyboard
    or the actual keyboard. I have to enter a password to leave.

    I can't even paste anything into the password field.

    So, sorry, this doesn't appear to work.

    I did find this discussion and it seems likely that only using a driver
    will work:

    https://stackoverflow.com/questions/9652358/simulating-input-in-windows-logon-screen-using-a-driver



    Dear Et99,

    I want to thank you for the efforts to always follow my messages and to
    check what I have done. I really appreciate!
    Thanks for the great pointer with a lot of research. I will first try
    the "Assistive technology" approach before trying the driver method.

    Thank you and take care,
    Harald

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Harald Oehlmann@21:1/5 to All on Thu Jul 13 17:28:09 2023
    Thank you all reading this thread. The current state is logged on the
    following wiki page:

    https://wiki.tcl-lang.org/page/MS+Windows%3A+assistive+technology%2C+code+signing%2C+send+keystrokes+to+other+applications+and+Windows+login+password+field

    Thank you,
    Harald

  • From Harald Oehlmann@21:1/5 to All on Fri Jul 14 16:53:05 2023
    Assistive Technology really works to solve the problem. This is big fun
    to have the TCL application run in the Windows Logon screen ;-).

    Enjoy the logbook,
    Harald

  • From Yuriy Kovalenko@21:1/5 to All on Thu Jul 20 03:19:03 2023
    Hello Harald,

    Below is a not perfect but working example of using IsProcessInJob with Ffidl.
    It is based on the topic https://stackoverflow.com/questions/5595918/using-ffidl-with-tcl-to-return-pass-by-reference-strings-and-arrays

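    package require twapi
    package require Ffidl
    package require Ffidlrt

    # Bind kernel32 IsProcessInJob(process handle, job handle, BOOL *result).
    # Handles are passed as int; the BOOL result comes back through pointer-var.
    ffidl::callout IsProcessInJob {int int pointer-var} int [ffidl::symbol kernel32.dll IsProcessInJob]

    # Returns 1 if the process is in the job, 0 if not, -1 if the call failed.
    # A job handle of 0 asks whether the process is in any job.
    proc is_process_in_job {process job} {
        # Buffer for the BOOL out-parameter, initialised to 0
        set res_ptr [binary format [::ffidl::info format int] 0]
        if {[IsProcessInJob $process $job res_ptr]} {
            # Decode the int written by the API
            binary scan $res_ptr [::ffidl::info format int] res_ptr
            return $res_ptr
        } else {
            puts "Error executing IsProcessInJob"
            return -1
        }
    }


    Test case:

    ffidl::callout CreateJobObjectA {int pointer-utf8} int [ffidl::symbol kernel32.dll CreateJobObjectA]

    # First element of the TWAPI handle is the raw handle value
    set cur_process [lindex [twapi::get_process_handle [twapi::get_current_process_id] ] 0]
    set job [CreateJobObjectA 0 "testJob"]

    (bin) 26 % is_process_in_job $cur_process 0
    1 ; # search process in any job is successful
    (bin) 27 % is_process_in_job $cur_process $job
    0 ; # process is not in testJob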

  • From Harald Oehlmann@21:1/5 to All on Thu Jul 20 14:40:44 2023
    Great, Yuriy, I appreciate. I am at the conference, then on holiday,
    will test mid August.

    Thanks again,
    Harald
