Ulaiphur Posted January 13, 2016

I'm trying to create an HTA script that will allow users to select login through RDP or local login. I have edited the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and edited with mshta C:\startup.hta

Now, startup.hta has two basic commands, LocalLogin which should start the local login window and TSLogin which starts the RDP session. As shown below:

<html>
<head>
<HTA:Application
    ApplicationName = "Login Selector"
    Border = "Thick"
    BorderStyle = "Dialog"
    Caption = "Yes"
    ContextMenu = "False"
    Scroll = "No"
    Selection = "False"
    SingleInstance = "True"
    SysMenu = "Yes"
    ShowInTaskBar = "No"
    MaximizeButton = "No"
    MinimizeButton = "No"
    WindowState = "Maximize">
<title>Login Selector</title>
<style></style>
<script language="VBScript">
' Close the HTA window
Sub ExitProgram
    window.close()
End Sub

' Start a full-screen RDP session and wait for it to end
Sub TSLogin()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "mstsc /f /v:someaddr.somesite.com", 1, True
End Sub

' Start explorer.exe and wait for it to end
Sub LocalLogin()
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "explorer.exe", 1, True
End Sub
</script>
</head>
<body bgcolor="white">
<font face="Arial">
<h3>WinLogon</h3><br><br>
Please choose login option<br><br>
<button onclick='vbscript:TSLogin'>Terminal Services</button><br><br>
<button onclick='vbscript:LocalLogin'>Local Account</button>
</font>
</body>
</html>

The problem is that when I try to select LocalLogin it does not launch the Windows login screen. How come launching explorer.exe from Winlogon works but doesn't when I execute it through this script?
jaclaz Posted January 13, 2016

I am not sure I understand (actually I am pretty sure I do not understand). Can you try explaining what the actual scope/goal (or intended usage paradigm) is and when this hta would be run?

jaclaz
Ulaiphur Posted January 13, 2016

The hta file needs to run before the Windows login prompt. The idea of the script is to provide users with a UI to be able to select a login option: remote connect to a server using RDP or log in locally (default Windows login).
jaclaz Posted January 13, 2016

> The hta file needs to run before the Windows login prompt. The idea of the script is to provide users with a UI to be able to select a login option: remote connect to a server using RDP or log in locally (default Windows login).

Well, and how exactly do you plan to execute it BEFORE the login? Under which credentials would the hypothetical script be run? In which Win station?

My guess is that the whole NT logon process is not entirely clear to you, and what you really want/need is a custom GINA (up to XP/2003) or a custom "credential provider" (Vista and later).

jaclaz
Ulaiphur Posted January 13, 2016

OK, so basically I will need to create a user account as autologin, from that user account run the .hta script above and then do its thing.

The only problem with this is that a user is free to bypass the script and get into Windows. Even if the script is launched full screen, if I press alt+tab or the Windows key it allows me to get to the entire OS. I just want the users to be able to use just this script.
Tripredacus Posted January 13, 2016

I believe that the Shell key is loaded after logon. There used to be HKCU Winlogon Shells in XP, maybe you can use that instead.
jaclaz Posted January 13, 2016

> OK, so basically I will need to create a user account as autologin, from that user account run the .hta script above and then do its thing.

No, basically you need a custom GINA or "credential provider".

> The only problem with this is that a user is free to bypass the script and get into Windows. Even if the script is launched full screen, if I press alt+tab or the Windows key it allows me to get to the entire OS. I just want the users to be able to use just this script.

Yep, though it is a "show-stopper" kind of problem and that is exactly the reason why you need a custom GINA or "credential provider", Q.E.D.

An alternative might be a "Native NT" or "bootexecute" executable, but if creating a custom GINA/credential provider wasn't complex enough, Native NT programs are possibly "worse".

There is the pGINA project:
http://pgina.org/
http://pgina.org/docs/v3.1/user.html
but it's not something I would recommend without a deep knowledge and understanding of the involved matters.

It's pretty much binary: either you do something before having logged in ("right") or you do that after having logged in (wrong in this case of choosing between different login methods).

You might find this of interest:
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/windows-nt-6-boot-process.html

jaclaz
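
An audit of the registry values discussed in this thread, as an added example that is not part of any post: it reads the Winlogon Shell and Userinit values from HKLM and HKCU and reports anything other than the stock defaults, such as an mshta C:\startup.hta entry. The expected defaults and the helper name Get-UnexpectedEntry are assumptions for a standard Windows install.

```powershell
# Added example (not from the thread): report non-default Winlogon logon programs.
# The expected defaults below are assumptions for a stock Windows install.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = @('explorer.exe')
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
}

# Hypothetical helper: returns the entries of one value that are not on the allow list.
function Get-UnexpectedEntry {
    param(
        [string]   $Data,
        [string[]] $Allowed
    )
    # Userinit is a comma-separated list (the stock value ends with a comma).
    # -notcontains compares case-insensitively, so C:\WINDOWS and C:\Windows match.
    $Data -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($Allowed -notcontains $_) }
}

$findings = foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = '{0}\{1}' -f $hive, $winlogon
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $data = $props.$name
        if ([string]::IsNullOrWhiteSpace($data)) { continue }   # value not set in this hive
        foreach ($entry in Get-UnexpectedEntry -Data $data -Allowed $expected[$name]) {
            [pscustomobject]@{ Key = $path; Value = $name; Unexpected = $entry }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    exit 1    # non-zero exit so a scheduled check or management agent can alert
} else {
    'Winlogon Shell and Userinit match the expected defaults.'
}
```

Anything these values launch starts only after a logon has completed, in that user's session, which is why a replacement shell does not confine the user the way a credential provider would.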