Everhart, Glenn From: Johannes Rath [JohannesR@DiamondMM.com] Sent: Friday, June 19, 1998 4:56 AM To: 'ntdev@atria.com' Subject: RE: [ntdev] watch keyboard stroke befor user logon > Johannes, > > If what you're saying that hooks work for WinLogon > desktop as well, then it would be possible to capture keyboard > characters even before and during user > logon. In my existing code, the only ones that are lacking are > to install itself as a Win32 service (doable on my side) and write the > code that will locate the ID of the WinLogon desktop. Any ideas on the > latter task? Edgar, you have to do something like this: // Get the default desktop on winsta0 // hdesk = OpenDesktop("Winlogon", 0, FALSE, DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS); if (hdesk == NULL) return FALSE; // // Set the desktop to be "winlogon" // if (!SetThreadDesktop(hdesk)) return FALSE; For more information read my previous messages in this thread. When writing your service you must make sure that your service gets loaded before the user can do anything. I achieve this by putting the service into the video load group. This means the service will be loaded at the same stage as the display driver. It works but I dont know about any side effects. Anyone who knows more about the loading sequence at boot time? > > BTW, don't you think NT has made an exception here so as > not to compromise security during user logon, e.g., Trojan horses or a > program that masquerades as a WinLogon? If this exception is correct, > then, there's no way to capture keyboard messages by hooks alone -- you > need to go as low as to the level of the keyboard device driver -- way > up front of NT OS. I think there is some confusion between the winlogon desktop and the winlogon process. I was just talking about the winlogon desktop. I managed to set a hook there ( to manipulate the window positions ). So I suppose it should be possible to get any keyboard input as well. Regards Johannes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - [ To unsubscribe, send email to ntdev-request@atria.com with body UNSUBSCRIBE (the subject is ignored). ]