
Undocumented Windows   
 by Nick Repin


This page contains technical information and source code related to undocumented features of Windows 95/98/2000/NT/etc. that I have explored. Before using the information contained on this page, please read my Terms and Conditions.

All of the following code was written for demonstration purposes only, so you should review the code according to your needs. The code contains no bugs, but I may have omitted some calls like GlobalFree() or CloseHandle() to save my expensive time. For the same reason, the code is badly commented. Also, most of the code looks pretty ugly because I tried to keep it as close to the original as possible.

Keep in mind that some code was written for Borland C++ 5.02, so you might need to make minor modifications to make it work with other compilers.


Locking a window station on Windows NT 4.0

There is no special API call to lock a window station on Windows NT 4.0. Winlogon.exe contains a lengthy piece of code that handles this task. So the easiest way to programmatically lock a workstation is to emulate the Ctrl-Alt-Del sequence and a click on the 'Lock Workstation' button in the 'Windows NT Security' dialog.

To gain access to the secured WinLogon desktop, it is possible to use a service running under the LocalSystem account. To emulate the Ctrl-Alt-Del sequence, it is enough to post the 0x659 message to the window named 'Winlogon generic control dialog', which is located on the WinLogon desktop.

Here are the steps required to programmatically lock a window station on Windows NT 4.0 using my example code.

  1. Copy SRVANY.EXE (Windows NT Resource Kit) to the Windows system directory (say, C:\WINNT).

  2. Run INSTSRV.EXE (Windows NT Resource Kit) to install the SRVANY service:

            INSTSRV LockSrv C:\WINNT\SRVANY.EXE

  3. Go to Control Panel/Services, click on the LockSrv service and check the 'System account' checkbox.

  4. Run Task Manager and write down the PID of the WINLOGON.EXE process (suppose it is 35).

  5. Copy the files NINJLIB.EXE, LOCKWS.DLL and LOCK.EXE to, say, the C:\TEMP directory.

  6. Run the Registry Editor and create the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LockSrv\Parameters

  7. Under the newly created key, create the following string values:

    Application="C:\TEMP\NINJLIB.EXE"
    AppParameters="35    C:\TEMP\LOCKWS.DLL     DO_NOT_UNLOAD"

  8. Go to Control Panel/Services and run the LockSrv service.

  9. Run LOCK.EXE. That's all: the workstation is locked.

Any user (even Guest) can run lock.exe, but to install the service you must be a member of the Administrators group.

 

P.S. (August 10, 2000).

It is better to simulate Ctrl-Alt-Del with the following code, which is more "generic":

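    /* FindWindow() returns NULL if the SAS window is not on the calling thread's desktop. */
    HWND w = FindWindow("SAS window class", "SAS window");
    if (w != NULL)
        SendMessage(w, WM_HOTKEY, 0, MAKELPARAM(MOD_ALT | MOD_CONTROL, VK_DELETE));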

 


Command prompt window on the WinLogon desktop

It's funny to see a command prompt window or even Windows Explorer (or any other program) running on the screen at the same time as the NT Logon prompt. You can do whatever you want without logging on as a Windows NT user.

Note that this is not a security bug, because to achieve this you have to be a member of the Administrators group.

Here are the steps required to run a command prompt window on the WinLogon desktop on Windows NT 4.0.

  1. Copy SRVANY.EXE (Windows NT Resource Kit) to the Windows system directory (say, C:\WINNT).

  2. Run INSTSRV.EXE (Windows NT Resource Kit) to install the SRVANY service:

            INSTSRV WlConsSrv C:\WINNT\SRVANY.EXE

  3. Go to Control Panel/Services, click on the WlConsSrv service and check the 'System account' checkbox.

  4. Run Task Manager and write down the PID of the WINLOGON.EXE process (suppose it is 35).

  5. Copy the files NINJLIB.EXE and WLCONS.DLL to, say, the C:\TEMP directory.

  6. Run the Registry Editor and create the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WlConsSrv\Parameters

  7. Under the newly created key, create the following string values:

    Application="C:\TEMP\NINJLIB.EXE"
    AppParameters="35    C:\TEMP\WLCONS.DLL"

  8. Go to Control Panel/Services and run the WlConsSrv service.

  9. Press Ctrl-Alt-Del or log off to see what happened.
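
Both procedures above leave the same trace in the registry: a SRVANY-wrapped service running under the LocalSystem account whose Parameters\Application value points into C:\TEMP. The following audit of a Services export is an added example, not code from this page; it assumes a REGEDIT4-style text export and C:\WINNT as the system directory, and the BackupAgent entry in the sample is constructed.

```python
import re

# Constructed sample export. The LockSrv values are the ones given in the
# steps above; BackupAgent is a made-up benign entry for contrast.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LockSrv]
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LockSrv\Parameters]
"Application"="C:\\TEMP\\NINJLIB.EXE"
"AppParameters"="35    C:\\TEMP\\LOCKWS.DLL     DO_NOT_UNLOAD"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupAgent]
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupAgent\Parameters]
"Application"="C:\\WINNT\\system32\\agent.exe"
'''

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services'
                    r'\\([^\\\]]+)(\\Parameters)?\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_services(text):
    """Return {service: {value_name: data}} for string values of each
    service key and its Parameters subkey; other subkeys are ignored."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif line.startswith('['):
            current = None
        elif current is not None:
            val = VAL_RE.match(line)
            if val:  # .reg files escape backslashes and quotes; undo that
                current[val.group(1)] = re.sub(r'\\(.)', r'\1', val.group(2))
    return services

def risky_wrappers(text, system_root=r'C:\WINNT'):
    """List (service, Application, AppParameters) for LocalSystem services
    whose wrapped Application lives outside system_root."""
    hits = []
    for name, vals in sorted(parse_services(text).items()):
        app = vals.get('Application')
        # A missing ObjectName is treated as LocalSystem (conservative assumption).
        system = vals.get('ObjectName', 'LocalSystem').lower() == 'localsystem'
        if app and system and not app.lower().startswith(system_root.lower() + '\\'):
            hits.append((name, app, vals.get('AppParameters', '')))
    return hits
```

On the sample, only LockSrv is reported; the AppParameters column shows the PID and DLL path handed to the wrapped program, which is what a reviewer would look at next.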

 


RAS connect speed

Download the source code, which uses the same method as rasphone.exe to determine the connect speed for a Windows NT RAS connection. See also related discussion.


How to enumerate System Tray icons

Download the source code for Windows 95/98/NT/2000, which uses the same method as Windows Explorer to enumerate all icons on the System Tray. See also related discussion.


More than 16 colors on System Tray

The System Tray on Windows 95/98/NT4/2000 can display 16-color icons only. All icons placed on it with Shell_NotifyIcon() are converted to the 16-color format. Using the previous code (How to enumerate System Tray icons), it's possible to force Windows Explorer to display System Tray icons with up to 32-bit (true) color.

Explorer creates an image list by ImageList_Create() with the ILC_COLOR flag, which effectively means ILC_COLOR4. We can create a new ILC_COLOR32 image list that contains copies of the icons and then replace the old list with the new one. From this point and until the next restart, Windows Explorer will display newly added icons with true colors (of course, this depends on the current display mode). The job must be done in the address space of the Explorer process, which is why a hook DLL is used. Once the new image list is created, the hook is no longer required and may be uninstalled. Download the source code and executables. See also related discussion.


Acceleration setting for display hardware

Download the source code, which uses the same method as the Windows control panel applet to programmatically adjust the Windows 95/98 display hardware acceleration setting (Control panel/System/Performance/Display).


How to switch a console window to the full-screen mode

Download the source code, which uses the same method as Windows to toggle a console application to the full-screen mode. See also related discussion.


IP configuration

Download the source code, which displays the Windows 95/98 IP configuration using the same method as ipconfig.exe and winipcfg.exe.


Minesweeper autoplay

This is just for fun; it demonstrates the usage of ReadProcessMemory(). Download the source code, which can automatically play Minesweeper and always wins. Note: this code works only with winmine.exe for Windows NT 4.0, timestamp Aug 03 1996 00:00! See also related discussion.



Windows 95/98/2000/NT are registered trademarks of Microsoft Corporation.
Borland C++ is a registered trademark of Inprise Corporation.
Copyright © Nick N. Repin, 1997-2000. All rights reserved.
Revised: 12/30/00 12:22