Re: How to catch CTRL-ALT-DEL keystroke in a credential provider before displaying 'logoff/lock/switch user' screen?

On Oct 5, 5:11 pm, "Larry Smith" <no_spam@xxxxxxxxxxx> wrote:
I've been implementing my own credential provider. But I've got a
problem that I can't solve by myself:

I need to configure the access to the system keystroke CTRL-ALT-DEL
for every user. Example:
- user A (e.g. admin) should be allowed to press the keystroke and see
the appearing screen (logoff/lock/switch user).
- user B should be forbidden to press the keystroke because of
security reasons. This should be one of the user restrictions. Nothing
should happen while pressing ctrl-alt-del.

Does anyone know how the described functionality should be implemented
in my credential provider?

Thanks in advance for your response.
Andreas.

There are some policy options you can change related to Ctrl+Alt+Del which
are simple registry changes (on a per-user basis). To get the control you're
talking about however I think the only practical way may be to provide your
own version of the GINA DLL. I've never had the need to do this myself but I
don't believe it should be difficult. You would need to provide your own
replacement for "WlxLoggedOutSAS()" and delegate all other calls to the
original GINA DLL ("msgina.dll" is MSFT's original but this too might have
been replaced by some other app). See the latter function in MSDN for
starters (look at WLX_SAS_TYPE_CTRL_ALT_DEL under the "dwSasType"
parameter). The following link should also help but googling for the latter
function is really the key. Note however that users may not appreciate your
approach since most expect something to happen when they press Ctrl+Alt+Del.
A dialog indicating that it's unavailable (by the administrator) would
normally be preferable and as I recall, you may be able to pull this off
using the policy options route. Let me know if this is an option (opposed to
nothing happening at all) and I'll see if I can dig up the info I once had
on this.

http://msdn.microsoft.com/msdnmag/issues/05/05/SecurityBriefs/default...

Sorry that I didn't write it explicitly: I've been developing a
credential provider for WINDOWS VISTA. Security model used in Vista is
quite different as the one in XP or NT. In Vista, there is no GINA.DLL
and your possibilities to control the logon process are limited. The
'old' Gina methods don't work anymore...


.