Simulate Ctrl-Alt-Del in Vista and later (Windows 7, Windows 2008R2, …)

Simulating Ctrl-Alt-Del in code has always been a nightmare for developers, namely for logins with remote access software or other scenarios.
I never figured out the reason Microsoft hides and undocuments the procedure.
For Windows XP and older releases all the way down to Windows NT 3.51 a solution has been found that spreaded all over the internet. I don’t know who found it, but it works pretty well.

Then enters Windows Vista. The old procedure ceased to work. Microsoft announced that would provide a C library called SASLIB for people requesting it from a certain email address. In most cases, requests deserved no reply from Microsoft, I was one of those cases! I don’t know what was their selection criteria, but I have legal software and I don’t live in a country for which export restrictions are enforced.

Given that state of affairs, a couple of years ago I made some investigation on my own by analyzing the import table of OSK.EXE. This is a utility bundled with Windows, intended to provide some functionality for users with limited mobility, and it can produce Ctrl-Alt-Del through the virtual keyboard.
I found a mysterious function called WmsgSendMessage exported by a not less mysterious WMsgAPI.dll. I experimented a bit with that function, but at the time was unable to unveil a few details and had to give up due to time constraints.
Actually, I was on the right track. WmsgSendMessage works by invoking the client RPC mechanism lodged inside WMsgAPI.dll. Your application only needs to have the TcbPrivilege, i.e the privilege to Act as Part of the Operating System. LocalSystem services already have that privilege, and have it enabled by default.  The local security policy of the computer needs also be configured to allow services to produce Ctrl-Alt-Del (or Security Attention Sequence, SAS, as Microsoft calls it), but this can be done on the spot by changing a simple Registry value before the SAS request.
Very easy, too easy indeed, here is the prototype of the function:
typedef DWORD (WINAPI* lpfnWmsgSendMessage)(DWORD dwSessionId, UINT magicNumber, WPARAM pid, LPARAM lParam);
The magicNumber is 0x208 (there are a few other magic numbers in this function but this one is what we want)
The pid (process id) can be left to zero.
The fourth parameter is just a LONG_PTR to a LONG_PTR initialized to NULL.
Note that the first parameter is the session where you want the Ctrl-Alt-Del to be issued. You can issue a Ctrl-Alt-Del from the console to any Terminal Services session and you can as well issue it from any Terminal Services session to another session including the console! Yes, this is amazing.
With the release of Windows 7 and Windows Server 2008R2, Microsoft shipped a SAS.DLL that can be used to simulate Ctrl-Alt-Del from a LocalSystem service. Windows Vista and Windows Server 2008 do not have it but you can get it through the Windows 7 SDK. With SAS.DLL you can only produce Ctrl-Alt-Del to the session you are in (fair enough in most cases).
There is another way to produce Ctrl-Alt-Del, it is called AsUser, here you don’t need to launch a LocalSystem service to issue the Ctrl-Alt-Del. On the other hand, the application needs to be signed with authenticode, needs to have a manifest with the uiAccess attribute of the requestedExecutionLevel element set to true, UAC must be turned on, needs to be lodged in a secure folder (like Program Files or System32) and the local security policy must be configured to allow applications to simulate a SAS. Five conditions, but not too much of an inconvenience, nowadays most serious developers already sign their software, it is easy as well to set to true the uiAccess of the manifest and most users already install applications in the Program Files folder and keep UAC turned on (at least with Windows 7 and above). The local security policy can be set directly in the Registry if the application is elevated, otherwise launch Gpedit.msc and under Computer Configuration | Administrative Templates | Windows Components | Windows Logon Options | Disable or enable software Secure Attention Sequence set it to Ease of Access Applications or to Services and Ease of Access Applications.

Understanding what WmsgSendMessage does is relatively easy, when we take for granted that WMsgAPI.dll is a black box that just performs what we want. However, producing Ctrl-Alt-Del as AsUser does not make use of the WmsgSendMessage function at all. Then it becomes more difficult, and not a lot of developers are comfortable with RPC, this alone explains why no one ever found the way until now.

In this case, there is no System Dll ready to perform the work for us, as there is when we call WmsgSendMessage from a LocalSystem account.
We do need a RPC client able to send the correct message to rpcrt4.dll (this is sort of middleman that interprets and dispatches RPC requests to the correct handler). The message itself is very simple, it does not even contains Identity Authentication. Even simple, finding it was not easy at all because there is no oicf MIDL decompilers and all the inner RPC workings are largely undocumented or confusing. The best explanation ever written about how it all works is now 11 years old, it appeared in the Microsoft System Journal of January 1999 but is still available in the internet.

While lots of people reverse engineer the Windows internals, and some write books and end getting nice jobs at Microsoft, I have not actually done any reverse engineering. I have just observed, experimented and produced my own solution!

Now, it is important to state this question: Can you guarantee that your solution will work on any future Service Pack or new Windows Release?
The answer is: No, but WmsgSendMessage and other APIs, even if not documented are being commonly used by OSK.EXE, SAS.DLL and other software distributed by Microsoft to produce Ctrl-Alt-Del. I believe the core functionality will remain for a long time. However, Microsoft may remove the capability to produce Ctrl-Alt-Del to different Terminal Server sessions.
Either way, I flagged that my library can only produce Ctrl-Alt-Del within Windows Major Version 6 (i.e Vista, 7, 2008 and 2008R2).

I am making available a complete package, completely free, with easy integration sample source code  (actually, there is only one function call that needs to be integrated) in C++ and Delphi. The package includes DLLs for 32-bit and 64-bit applications, which allow you to use the functionality in any application you develop; it includes also signed demo standalone applications and signed demo applications making use of the DLLs, compiled both as 32-bit and 64-bit. I just do not include the source code of the Ctrl-Alt-Del library itself, but you can purchase the full source code for a modest fee.

Download fileDownload the FREE AW_SAS (AW_SASLIB.ZIP)

All articles are written by Jose Pascoa and if you quote them you must not misrepresent were you took the information from!


PayPal Buy




19 Responses to Simulate Ctrl-Alt-Del in Vista and later (Windows 7, Windows 2008R2, …)

  • RayCon says:

    Wow, Wow, that has been a headache. Interesting read, it gave me some other ideas as well.

  • Jeff Long says:

    I have some questions, but will send you in a private message

  • Bennis Ditto says:

    Is it possible to use from C#? Do I need to run as Service?

    • jp2712 says:

      You can run it with any .Net language, including C#. You don’t have to run it as a service, you can run it as asUser. Same considerations apply both to unmanaged and mansged.

  • tony says:

    Hi, when I run the demo as a user I get:
    Error #29 (Refer to error codes table)
    which the error doc defines as:
    CTRLALTDEL_SASSECUREREQERROR 29

  • tony says:

    Hi Jose,
    Ran into a major issue with the DLL, you have apparently compiled it with VS 2008 and it’s setup with a side by side manifest configuration and it’s super difficult to use on older Version of XP. Anyway you could compile it with a older version of VS or change the config so it does not require a manifest.
    I know it does not work on XP anyway and my app only calls the function if it’s running on vista and above, but because of the whole manifest mess it won’t load up the app on XP where the side by side DLL manifest hell is not already configured.

    Getting errors like this:
    generate activation context failed for C:program filesRemote Gateway Serviceaw_sas32.dll
    dependent assembly microsoft. vc90.crt could not be found

    I have msvcr90.dll in the same directory as the exe, but it’s complaining about this manfifest and side by side configuration.

  • Alberto says:

    Hello,

    thank you for creating the AW_SAS library.

    I’m really inetrested in purchasing it, but I still have an problem I cannot solve.

    It seems the Ctrl Alt Del command doesn’t work on Windows Server 2008.

    I’ve tried it on 2008 32-bit and 2008 R2 64-bit. Same result.
    I’ve also activated the SAS policy, as recommended in some forums.
    I’ve tried with RealVNC and it works fine.

    What I’ve forgotten ?
    Can you please confirm me the library works on Server 2008 ?
    Otherwise, can you give me a new version that works on Server 2008 ?

    Thanks in advance

    Best Regards

  • HelloMr says:

    Hello Sir
    Great work. This is all I wanted to say. It was useful for my project

    L S – India

  • Ivica Jercic says:

    DemoStandAlone(32/64) not working on Server 2008 R2 Essential(system privileges), static dll load failing with (0xc0150002).
    On Vista 32, Windows 7(32/64), Server 2008 R2 Standard everything works fine.

    Tested with non signeed app (system privileges) with static and dynamic dll loading.

    Great stuff

    • jp2712 says:

      From ntstatus.h:
      // MessageId: STATUS_SXS_CANT_GEN_ACTCTX
      // Windows was not able to process the application binding information.
      // Please refer to your System Event Log for further information.
      #define STATUS_SXS_CANT_GEN_ACTCTX ((NTSTATUS)0xC0150002L)
      ———————————

      I think it is related to the included manifest which contains ‘microsoft.windows.common-controls’ version=’6.0.0.0′ and your system is not providing automatic redirection for a newer version.

  • ChrisG says:

    Wow..great work. Can you send a control-alt-delete if there is no active session? With all sessions disconnected at the Control-Alt-Delete screen I want to sent a CAD from a service event…is this possible?

    thanks in advance,

    Chris

  • wan says:

    how to use the dll file in a C# project ?

  • Pete says:

    Can you please email me (or post it here) the signature for this dll if used in a vb.net app? I’ve been trying to use:

    Declare Auto Function sendCtrlAltDel Lib “aw_sas32.dll” (ByVal asUser As Boolean, ByVal iSession As Integer) As Integer

    and

    _
    Public Shared Function sendCtrlAltDel(ByVal asUser As Boolean, ByVal iSession As Int32) As Integer
    End Function

    to no avail.

    Thanks,
    – Pete

    • jp2712 says:

      I don’t use such fancy languages, but what you tried looks good, so the error is probably elsewhere. Read carefully the article.

Leave a Reply to jp2712 Cancel reply

Your email address will not be published. Required fields are marked *