I'm trying to suspend the running process winlogon.exe on a Windows 10 machine without the aid of third party programs, just AHK.
My final goal is to build a script that allows me to easily toggle the desktop composition ON/OFF by triggering the old Basic theme, since the last OS capable of doing this in a "normal" way was Windows 7.
Using AHK I can suspend most of the processes, but winlogon.exe in particular seems to ignore everything coming from my scripts. These are the various suspension methods that have failed me thus far:
NtSuspendProcess/ZwSuspendProcess, SuspendThread/Wow64SuspendThread, DebugActiveProcess
(and the resume ones:)
NtResumeProcess/ZwResumeProcess, ResumeThread/Wow64ResumeThread, DebugActiveProcessStop
Suspending winlogon.exe succeeded with all the other programs I used: Resource Monitor, Process Hacker, Process Explorer and PsSuspend.
I've also tried to launch my script with a combination of admin vs standard privileges, uncompiled vs compiled with ANSI32 vs UNICODE32 vs UNICODE64 and have had no success.
A glimmer of hope was given to me when I found out that running my script as username "NT AUTHORITY\SYSTEM" under Desktop "WinSta0\Default" with the help of Process Hacker's "Run as..." function FINALLY let me to suspend the goddamn process through my script, but I don't know how to code this within AHK, and the only script I've found on the forums that does something similar on Win10 is a 2000 lines long project with like 5 include files that I frankly don't know how to touch https://autohotkey.com/boards/viewtopic.php?t=27709
Therefore, my request would be... is there a way to "self-elevate" a script to run as SYSTEM without external tools? Or is there some alternative way to properly suspend winlogon.exe on Win10 that I'm missing?
Help me suspend winlogon on Win10 without external tools (run as SYSTEM?) Topic is solved
Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)
YOU'RE NOT ALEXANDER
Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?) Topic is solved
You're just forgetting to enable SeDebugPrivilege (which by default can only be done in an elevated process, so make sure that's the case first). Look at example 4 here.WAZAAAAA wrote:Using AHK I can suspend most of the processes, but winlogon.exe in particular seems to ignore everything coming from my scripts. These are the various suspension methods that have failed me thus far[...]
Suspending winlogon.exe succeeded with all the other programs I used: Resource Monitor, Process Hacker, Process Explorer and PsSuspend.
But, granted, it is messy and it's overkill for this anyway - the main point of that is to run programs on different desktops. If you really want to run your script as SYSTEM, just take the Task Scheduler function I have in LogonDesktop.ahk or find the example I have there that tries to find a suitable SYSTEM token to impersonate with in the same process (I'm pretty sure that script just relies on LogonDesktop.ahk, nothing else). But you shouldn't need it anyway - enabling the priv above in an elevated process should do it...A glimmer of hope was given to me when I found out that running my script as username "NT AUTHORITY\SYSTEM" under Desktop "WinSta0\Default" with the help of Process Hacker's "Run as..." function FINALLY let me to suspend the goddamn process through my script, but I don't know how to code this within AHK, and the only script I've found on the forums that does something similar on Win10 is a 2000 lines long project with like 5 include files that I frankly don't know how to touch https://autohotkey.com/boards/viewtopic.php?t=27709
Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)
YEEES
That was it, it works. I have copy&pasted example 4 verbatim in my script starting from "Process, Exist" up to "close this process handle to save memory", thank you.
On to my next quest of finding a working way to check if a process has been suspended or not...
That was it, it works. I have copy&pasted example 4 verbatim in my script starting from "Process, Exist" up to "close this process handle to save memory", thank you.
On to my next quest of finding a working way to check if a process has been suspended or not...
Last edited by WAZAAAAA on 10 Oct 2017, 09:07, edited 1 time in total.
YOU'RE NOT ALEXANDER
Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)
I had the C equivalent of this, taken from the Process Hacker source code, lying around when fixing a bug in clink. There's something off with my conversion,WAZAAAAA wrote:On to my next quest of finding a working way to check if a process has been suspended or not...
Code: Select all
#NoEnv
ProcessIsSuspended(pid, ByRef isPartiallySuspended := 0) {
static initialBufferSize := 0x4000, cbSYSTEM_THREAD_INFORMATION := A_PtrSize == 8 ? 80 : 64
static SystemProcessInformation := 5, STATUS_BUFFER_TOO_SMALL := 0xC0000023, STATUS_INFO_LENGTH_MISMATCH := 0xC0000004
static Waiting := 5, Suspended := 5
static UniqueProcessIdOffset := A_PtrSize == 8 ? 80 : 68, NumberOfThreadsOffset := 4, ThreadsArrayOffset := A_PtrSize == 8 ? 256 : 184
static ThreadStateOffset := A_PtrSize == 8 ? 68 : 52, WaitReasonOffset := A_PtrSize == 8 ? 72 : 56
bufferSize := initialBufferSize
VarSetCapacity(ProcessBuffer, bufferSize)
Loop {
status := DllCall("ntdll\NtQuerySystemInformation", "UInt", SystemProcessInformation, "Ptr", &ProcessBuffer, "UInt", bufferSize, "UInt*", bufferSize, "UInt")
if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH) {
VarSetCapacity(ProcessBuffer, bufferSize)
}
else {
break
}
}
if (status < 0) {
return False
}
if (bufferSize <= 0x100000) initialBufferSize := bufferSize
isSuspended := pid > 0
isPartiallySuspended := False
ThisEntryOffset := 0
Loop {
if (NumGet(ProcessBuffer, ThisEntryOffset + UniqueProcessIdOffset, "Ptr") == pid) {
Loop % NumGet(ProcessBuffer, ThisEntryOffset + NumberOfThreadsOffset, "UInt") {
ThisThreadsOffset := ThisEntryOffset + ThreadsArrayOffset + (cbSYSTEM_THREAD_INFORMATION * (A_Index - 1))
ThreadState := NumGet(ProcessBuffer, ThisThreadsOffset + ThreadStateOffset, "UInt")
WaitReason := NumGet(ProcessBuffer, ThisThreadsOffset + WaitReasonOffset, "UInt")
if (ThreadState != Waiting || WaitReason != Suspended) {
isSuspended := False
} else {
isPartiallySuspended := True
}
}
return isSuspended
}
} until (!(NextEntryOffset := NumGet(ProcessBuffer, ThisEntryOffset, "UInt")), ThisEntryOffset += NextEntryOffset)
return -1
}
MsgBox % ProcessIsSuspended(560)
EDIT:
Oops. Thanks, adding the missing four bytes sorted it.jeeswg wrote:According to this, the size is 80 or 64.
Last edited by qwerty12 on 13 Sep 2017, 16:35, edited 2 times in total.
Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)
Re. x64 v. x32.
SYSTEM_THREAD_INFORMATION
http://www.geoffchappell.com/studies/wi ... thread.htm
According to this, the size is 80 or 64.
SYSTEM_THREAD_INFORMATION
http://www.geoffchappell.com/studies/wi ... thread.htm
According to this, the size is 80 or 64.
homepage | tutorials | wish list | fun threads | donate
WARNING: copy your posts/messages before hitting Submit as you may lose them due to CAPTCHA
WARNING: copy your posts/messages before hitting Submit as you may lose them due to CAPTCHA
Re: Help me suspend winlogon on Win10 without external tools (run as SYSTEM?)
Thank you for your service
YOU'RE NOT ALEXANDER
Who is online
Users browsing this forum: No registered users and 361 guests