Help me suspend winlogon on Win10 without external tools (run as SYSTEM?) Topic is solved

WAZAAAAA
Posts: 75
Joined: 13 Jan 2015, 19:48

Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)

12 Sep 2017, 16:56

I'm trying to suspend the running process winlogon.exe on a Windows 10 machine without the aid of third party programs, just AHK.
My final goal is to build a script that allows me to easily toggle the desktop composition ON/OFF by triggering the old Basic theme, since the last OS capable of doing this in a "normal" way was Windows 7.

Using AHK I can suspend most of the processes, but winlogon.exe in particular seems to ignore everything coming from my scripts. These are the various suspension methods that have failed me thus far:
NtSuspendProcess/ZwSuspendProcess, SuspendThread/Wow64SuspendThread, DebugActiveProcess
(and the resume ones:)
NtResumeProcess/ZwResumeProcess, ResumeThread/Wow64ResumeThread, DebugActiveProcessStop

Suspending winlogon.exe succeeded with all the other programs I used: Resource Monitor, Process Hacker, Process Explorer and PsSuspend.

I've also tried to launch my script with a combination of admin vs standard privileges, uncompiled vs compiled with ANSI32 vs UNICODE32 vs UNICODE64 and have had no success.

A glimmer of hope was given to me when I found out that running my script as username "NT AUTHORITY\SYSTEM" under Desktop "WinSta0\Default" with the help of Process Hacker's "Run as..." function FINALLY let me suspend the goddamn process through my script, but I don't know how to code this within AHK, and the only script I've found on the forums that does something similar on Win10 is a 2000-line-long project with like 5 include files that I frankly don't know how to touch https://autohotkey.com/boards/viewtopic.php?t=27709

Therefore, my request would be... is there a way to "self-elevate" a script to run as SYSTEM without external tools? Or is there some alternative way to properly suspend winlogon.exe on Win10 that I'm missing?
qwerty12
Posts: 468
Joined: 04 Mar 2016, 04:33
GitHub: qwerty12

Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?) Topic is solved

12 Sep 2017, 17:09

WAZAAAAA wrote: Using AHK I can suspend most of the processes, but winlogon.exe in particular seems to ignore everything coming from my scripts. These are the various suspension methods that have failed me thus far[...]

Suspending winlogon.exe succeeded with all the other programs I used: Resource Monitor, Process Hacker, Process Explorer and PsSuspend.
You're just forgetting to enable SeDebugPrivilege (which by default can only be done in an elevated process, so make sure that's the case first). Look at example 4 here.
A glimmer of hope was given to me when I found out that running my script as username "NT AUTHORITY\SYSTEM" under Desktop "WinSta0\Default" with the help of Process Hacker's "Run as..." function FINALLY let me suspend the goddamn process through my script, but I don't know how to code this within AHK, and the only script I've found on the forums that does something similar on Win10 is a 2000-line-long project with like 5 include files that I frankly don't know how to touch https://autohotkey.com/boards/viewtopic.php?t=27709
:( But, granted, it is messy and it's overkill for this anyway - the main point of that is to run programs on different desktops. If you really want to run your script as SYSTEM, just take the Task Scheduler function I have in LogonDesktop.ahk or find the example I have there that tries to find a suitable SYSTEM token to impersonate with in the same process (I'm pretty sure that script just relies on LogonDesktop.ahk, nothing else). But you shouldn't need it anyway - enabling the priv above in an elevated process should do it...
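As an added illustration of the privilege step qwerty12 describes (this is not code from the thread, from LogonDesktop.ahk, or from the AutoHotkey docs' example), the AHK v1 script below enables SeDebugPrivilege on the script's own token and then checks that the enable actually took effect rather than trusting the return value. It assumes AutoHotkey v1 and that the script is already run elevated; the function name EnableSeDebugPrivilege is mine.

```autohotkey
; Added example (not from the thread): enable SeDebugPrivilege on the current process token.
; Assumes AutoHotkey v1 and an already-elevated script; the function name is my own.
#NoEnv
#Warn

; Returns True only if SeDebugPrivilege is now enabled. AdjustTokenPrivileges returns nonzero
; even when the token does not hold the privilege at all (e.g. a non-elevated script), so the
; real answer has to be read from GetLastError / A_LastError (ERROR_NOT_ALL_ASSIGNED = 1300).
EnableSeDebugPrivilege(ByRef err := 0) {
	static TOKEN_ADJUST_PRIVILEGES := 0x20, TOKEN_QUERY := 0x8
	static SE_PRIVILEGE_ENABLED := 0x2, ERROR_NOT_ALL_ASSIGNED := 1300
	hProcess := DllCall("GetCurrentProcess", "Ptr")
	if !DllCall("advapi32\OpenProcessToken", "Ptr", hProcess, "UInt", TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, "Ptr*", hToken) {
		err := A_LastError
		return False
	}
	VarSetCapacity(luid, 8, 0)    ; LUID: DWORD LowPart + LONG HighPart
	if !DllCall("advapi32\LookupPrivilegeValue", "Ptr", 0, "Str", "SeDebugPrivilege", "Ptr", &luid) {
		err := A_LastError
		DllCall("CloseHandle", "Ptr", hToken)
		return False
	}
	; TOKEN_PRIVILEGES with one entry: PrivilegeCount (0), Luid (4), Attributes (12); 16 bytes on x86 and x64
	VarSetCapacity(tp, 16, 0)
	NumPut(1, tp, 0, "UInt")
	NumPut(NumGet(luid, 0, "Int64"), tp, 4, "Int64")
	NumPut(SE_PRIVILEGE_ENABLED, tp, 12, "UInt")
	ok := DllCall("advapi32\AdjustTokenPrivileges", "Ptr", hToken, "Int", 0, "Ptr", &tp, "UInt", 0, "Ptr", 0, "Ptr", 0)
	err := A_LastError    ; must be read before CloseHandle overwrites it
	DllCall("CloseHandle", "Ptr", hToken)
	return ok && err != ERROR_NOT_ALL_ASSIGNED
}

; A_IsAdmin is the quick elevation check: without elevation the privilege is not in the token at all.
if !A_IsAdmin {
	MsgBox, 48, , Run this script elevated first`; SeDebugPrivilege is not available otherwise.
	ExitApp
}
if EnableSeDebugPrivilege(err)
	MsgBox, 64, , SeDebugPrivilege enabled.
else
	MsgBox, 16, , Could not enable SeDebugPrivilege (Win32 error %err%).
```

The AdjustTokenPrivileges call is also what the "Audit Token Right Adjusted" policy (event ID 4703) records on Windows 10, which is why an unexpected process enabling SeDebugPrivilege is a common detection signal.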
WAZAAAAA
Posts: 75
Joined: 13 Jan 2015, 19:48

Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)

12 Sep 2017, 19:43

YEEES

That was it, it works. I have copy-pasted example 4 verbatim in my script starting from "Process, Exist" up to "close this process handle to save memory", thank you.

On to my next quest of finding a working way to check if a process has been suspended or not...
Last edited by WAZAAAAA on 10 Oct 2017, 09:07, edited 1 time in total.
qwerty12
Posts: 468
Joined: 04 Mar 2016, 04:33
GitHub: qwerty12

Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)

13 Sep 2017, 09:52

WAZAAAAA wrote: On to my next quest of finding a working way to check if a process has been suspended or not...
I had the C equivalent of this, taken from the Process Hacker source code, lying around when fixing a bug in clink. There's something off with my conversion, because this works only with 64-bit AutoHotkey (the original C program works fine under 32-bit). Fixed thanks to jeeswg.


#NoEnv

; Returns True if every thread of the process is Waiting with WaitReason Suspended,
; False if at least one thread is not (isPartiallySuspended then tells whether any thread was),
; and -1 if no process with that PID exists.
ProcessIsSuspended(pid, ByRef isPartiallySuspended := 0) {
	; Sizes and offsets of SYSTEM_PROCESS_INFORMATION / SYSTEM_THREAD_INFORMATION differ between x64 and x86
	static initialBufferSize := 0x4000, cbSYSTEM_THREAD_INFORMATION := A_PtrSize == 8 ? 80 : 64
	static SystemProcessInformation := 5, STATUS_BUFFER_TOO_SMALL := 0xC0000023, STATUS_INFO_LENGTH_MISMATCH := 0xC0000004
	static Waiting := 5, Suspended := 5    ; KTHREAD_STATE.Waiting and KWAIT_REASON.Suspended
	static UniqueProcessIdOffset := A_PtrSize == 8 ? 80 : 68, NumberOfThreadsOffset := 4, ThreadsArrayOffset := A_PtrSize == 8 ? 256 : 184
	static ThreadStateOffset := A_PtrSize == 8 ? 68 : 52, WaitReasonOffset := A_PtrSize == 8 ? 72 : 56
	bufferSize := initialBufferSize

	VarSetCapacity(ProcessBuffer, bufferSize)
	
	; Grow the buffer until the whole process list fits; bufferSize receives the required length
	Loop {
		status := DllCall("ntdll\NtQuerySystemInformation", "UInt", SystemProcessInformation, "Ptr", &ProcessBuffer, "UInt", bufferSize, "UInt*", bufferSize, "UInt")
		if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) {
			VarSetCapacity(ProcessBuffer, bufferSize)
		}
		else {
			break
		}
	}

	; NTSTATUS error codes have the high bit set. The return type is UInt (unsigned),
	; so "status < 0" would never be true; test the bit instead.
	if (status & 0x80000000) {
		return False
	}

	; Remember the size that worked for the next call, unless it is unreasonably large
	if (bufferSize <= 0x100000) initialBufferSize := bufferSize

	isSuspended := pid > 0    ; PID 0 (System Idle Process) is never reported as suspended
	isPartiallySuspended := False
	ThisEntryOffset := 0

	; Walk the linked SYSTEM_PROCESS_INFORMATION entries; a NextEntryOffset of 0 marks the last one
	Loop {
		if (NumGet(ProcessBuffer, ThisEntryOffset + UniqueProcessIdOffset, "Ptr") == pid) {
			; The SYSTEM_THREAD_INFORMATION array follows the process entry
			Loop % NumGet(ProcessBuffer, ThisEntryOffset + NumberOfThreadsOffset, "UInt") {
				ThisThreadsOffset := ThisEntryOffset + ThreadsArrayOffset + (cbSYSTEM_THREAD_INFORMATION * (A_Index - 1))
				ThreadState := NumGet(ProcessBuffer, ThisThreadsOffset + ThreadStateOffset, "UInt")
				WaitReason := NumGet(ProcessBuffer, ThisThreadsOffset + WaitReasonOffset, "UInt")
				if (ThreadState != Waiting || WaitReason != Suspended) {
					isSuspended := False
				} else {
					isPartiallySuspended := True
				}
			}
			return isSuspended
		}
	} until (!(NextEntryOffset := NumGet(ProcessBuffer, ThisEntryOffset, "UInt")), ThisEntryOffset += NextEntryOffset)
	
	return -1    ; no process with this PID
}

MsgBox % ProcessIsSuspended(560)    ; 560 is just an example PID

I believe another way of checking if a process is suspended is with enumerating the process's threads with WMI, but I neither like it nor know how to use it...

EDIT:
jeeswg wrote: According to this, the size is 80 or 64.
Oops. Thanks, adding the missing four bytes sorted it.
Last edited by qwerty12 on 13 Sep 2017, 16:35, edited 2 times in total.
jeeswg
Posts: 6904
Joined: 19 Dec 2016, 01:58
Location: UK

Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)

13 Sep 2017, 10:50

Re. x64 v. x32.
SYSTEM_THREAD_INFORMATION
http://www.geoffchappell.com/studies/wi ... thread.htm
According to this, the size is 80 or 64.