1

I am trying to set up a client-server application where the server can unlock client PCs from their Windows login screen. The server can also log out or lock the clients as well, but unlocking the client PCs from the login screen seems to be more difficult.

I have read about credential providers, but I don't yet understand whether credential providers will also allow one PC to send a signal to another PC (client PC) telling it to unlock.

I know C# well but not C++... but I am willing to learn if needed. I would really appreciate your help, guys. Thanks.

devpro101
  • You'll probably need to create a Windows Service to handle the auto-logon part. Check [this](https://stackoverflow.com/a/19975840/4934172). Locking, on the other hand, is very easy; you can just execute this command: `rundll32.exe user32.dll, LockWorkStation`. – 41686d6564 stands w. Palestine Apr 15 '19 at 06:23
  • Thank you for your suggestion, I just have one concern with the workaround that you gave. My goal is to prevent client PCs from accessing their desktop unless I unlocked it for them using the server PC. If I am going to enable auto login for them then it defeats the purpose of the app. Also if I were to run the LockWorkstation() right after auto login, then I am back to the same problem of unlocking client PC at will... – devpro101 Apr 15 '19 at 06:45
  • Here's an easier solution: 1) Design your own "lock screen" as an image. 2) When it's time to "lock" the PC, display that image in a fullscreen window, make the window top-most, and disable mouse and keyboard inputs. 3) When it's time to "unlock", reverse the actions you did in the previous step. For step #2, you can also run a timer which continuously brings your window to front, just in case another top-most window pops up. – 41686d6564 stands w. Palestine Apr 15 '19 at 07:09
  • Thank you again for your very fast suggestions, Ahmed, I really appreciate the effort. I could actually make that method work, but that means: 1) I need to open the client PCs first and run the custom lock screen, or 2) implement your first suggestion by auto-logging in the client PCs and then autorunning the lock screen to make it appear that my custom lock screen actually replaced the Windows login screen. Is there no way of unlocking the client PC just from their Windows login screen? Like the user credentials for each of the client PCs are provided by the server PC through the network or something? – devpro101 Apr 15 '19 at 07:27
  • Just enable [auto-login](https://superuser.com/q/243681/545963) on the client PCs (or remove the password altogether) and then make your client app run on Windows startup. Your server side will then communicate with the clients to trigger a "lock" or "unlock" at any given time. – 41686d6564 stands w. Palestine Apr 15 '19 at 07:32

2 Answers

1

You can write your own Credential Provider library (C++ only) and control it remotely somehow. Or use LogonExpert remotely (via PsExec or your own means).

Oleg Korzhukov
  • Thank you, actually I started reading on it again two weeks ago and now I am practicing on the sample hardware event provider. I think it might actually work. Right now I am just figuring out how I can send the signal from another computer through the network. If you have any idea how to send the signal via network it would really help me a lot ^_^ – devpro101 May 04 '19 at 08:25
  • You need a separate thread running a network server (TCP/UDP/Pipe/MailSlot, anything should work) in your credential provider. Once the server receives data, you can call CredentialsChanged() using the ICredentialProviderEvents object you got on Advise() to unlock the machine. Some other things to consider: a credential provider cannot bypass Ctrl+Alt+Del requests, and it is destroyed as soon as the machine is logged on. So you might need to create a service to manage other tasks. – Oleg Korzhukov May 04 '19 at 10:30
  • Ahhh genius, thank you so much for the advice. Please let me try it first, I think I'll be able to finish this project soon ^_^ – devpro101 May 04 '19 at 11:08
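
The threading pattern described in the comment above, as an added example (not code from the answer or from any Windows sample): a portable C++ model in which `EventsSink`, `UnlockListener`, `WaitIdle` and `run_demo` are hypothetical names, with `EventsSink` standing in for `ICredentialProviderEvents`. It shows the worker thread calling `CredentialsChanged()` only between `Advise()` and `UnAdvise()`, since the provider is destroyed once the machine is logged on, and it assumes the network message was authenticated before `OnUnlockMessage()` is called.

```cpp
#include <condition_variable>
#include <cstdint>
#include <mutex>
#include <thread>
struct EventsSink {  // hypothetical stand-in for the COM ICredentialProviderEvents
    int signalled = 0;
    void CredentialsChanged(std::uintptr_t /*adviseContext*/) { ++signalled; }
};
class UnlockListener {  // hypothetical helper owned by the credential provider
public:
    ~UnlockListener() { UnAdvise(); }
    void Advise(EventsSink* sink, std::uintptr_t ctx) {  // keep sink and context, start worker
        { std::lock_guard<std::mutex> g(m_); sink_ = sink; ctx_ = ctx; }
        worker_ = std::thread(&UnlockListener::Run, this);
    }
    void UnAdvise() {  // drop the sink first, then join: no callback after this returns
        { std::lock_guard<std::mutex> g(m_); sink_ = nullptr; pending_ = 0; }
        cv_.notify_all();
        if (worker_.joinable()) worker_.join();
    }
    bool OnUnlockMessage() {  // receive path; message already authenticated (assumption)
        std::lock_guard<std::mutex> g(m_);
        if (sink_) { ++pending_; cv_.notify_all(); }
        return sink_ != nullptr;  // false: not advised, message dropped
    }
    void WaitIdle() {  // block until queued messages have been delivered
        std::unique_lock<std::mutex> lk(m_); cv_.wait(lk, [this] { return pending_ == 0; });
    }
private:
    void Run() {
        std::unique_lock<std::mutex> lk(m_);
        for (;;) {
            cv_.wait(lk, [this] { return !sink_ || pending_ > 0; });
            if (!sink_) return;               // UnAdvise happened: stop the worker
            pending_ = 0;                     // coalesce a burst into one refresh
            sink_->CredentialsChanged(ctx_);  // lock held, so UnAdvise cannot race this call
            cv_.notify_all();                 // wake WaitIdle()
        }
    }
    std::mutex m_; std::condition_variable cv_; std::thread worker_;
    EventsSink* sink_ = nullptr; std::uintptr_t ctx_ = 0; int pending_ = 0;
};
int run_demo() {  // constructed scenario: two messages while advised, one after UnAdvise
    EventsSink sink; UnlockListener l;
    l.Advise(&sink, 0x1234);
    for (int i = 0; i < 2; ++i) { l.OnUnlockMessage(); l.WaitIdle(); }
    l.UnAdvise();
    return l.OnUnlockMessage() ? -1 : sink.signalled;  // late message must be dropped
}
int main() { return run_demo() == 2 ? 0 : 1; }
```
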
0

TeamViewer does that, but it's hard.

They have their service handling all desktops / sessions, including secure ones. This way it also handles UAC prompts in addition to the logon screen.

SendInput for input. And some method of screen capture for recording the screen; I would start with the desktop duplication API, but I have no idea whether it will work for secure desktops.

Soonts
  • Thank you, I will look into it now – devpro101 Apr 15 '19 at 09:45
  • Hello, I have read through the TeamViewer API. I had to stop because I think the TeamViewer API method is not for me. Based on the sample VB code and the documentation, the resulting app that I will produce using the API will need to have constant internet access for it to be able to communicate with the API using the redirect URI created in the application creation from their management console. I would like my app to not be dependent on the internet just to allow me to unlock client PCs. Do you have any other ideas in mind, sir? Thanks – devpro101 Apr 16 '19 at 08:45
  • Here are the links to the documentation I read: https://www.teamviewer.com/en/for-developers/#create-application-section and https://www.codeguru.com/columns/vb/how-to-use-teamviewer.html – devpro101 Apr 16 '19 at 08:45