Need to control the windows logon process [closed] - windows

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I have an application I wrote in VB6 and it needs to run right after the user logs in but before the desktop actually loads. Why you ask, well I'll tell you. The VB app asks the user for some information that is validated against an external database. if the validation fails then the user should not be allowed to login, hence the VB app forces a logout. I've read some articles about msGina.dll and the logon process but I still am not finding a viable solution. any ideas on this one?

Ideally, you'd want to write your own GINA provider to modify the login mechanism in Windows. Understand, however, that this is a serious undertaking, will require you to write your code in C/C++ and you have to be very, VERY careful about how you build it so as to not open-up several backdoors and vulnerabilities and so that you don't destabilize the rest of Windows.
Your VB6 app is NOT the way to go in this scenario for a multitude of reasons, not least of which are the fact that it's pretty trivial to intercept and bypass your security mechanism entirely.
Buildng a login mechanism seems like a piece of cake until you REALLY start digging into how to build one that's rock solid and bomb-proof. I know this because I once lead a team building a custom GINA for a European government's secure desktops!
If you're certain you DO want to go build a custom GINA, then take a look at these overview articles:
Customizing GINA, Part 1
Customizing GINA, Part 2

A GINA is one option, but only for Windows XP. The equivalent for Windows Vista and later is a credential provider.
As an alternative, you can change the initial user process by changing the Userinit value in this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
If you do this, make sure your application launches userinit when it is done, or the user's shell won't be started. Note that this will not prevent knowledgeable users from bypassing your application, at least not without further steps.
A credential manager can interact with the user during the logon process, but I don't believe it provides any direct way of rejecting the logon. It might be possible to hack something together but I wouldn't recommend it.
I believe a group policy client-side extension is capable of rejecting a user logon, but I'm not familiar with this technology.

This is a very strange approach to security, you could take a look at the "Autoexec.bat" file although I haven't messed around with this myself. Either way I suspect the user could probably "End Task" your VB6 app from the task manager and head about their merry way.

Related

software creator that is using shortcuts inside an other [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I am wondering if there is any software that can create a software with shortcuts inside another?
Like if you want to make an web editor you cold say that if you press that button it will write:
<html></html>
And use a browser to render?
If there is no software like this, is it possible to make?
Maybe I am wrong, but I think it will be a breakthrough for opensource development.
I am not a skilled developer so that I won't manage to make something like this, but I want to start a group to do this, with making a website for it. Do you think someone wants to help me or maybe one of you?
I have searched the web for something like this but haven’t found anything.
Edit:
I know this was quite bad formulated and am going to explain this again.
And what I mean is not a web editor, but a software developer application.
The web designer was just a example.
Imagine yourself that you have a UI designer whose you can import other software’s in and then you drag a button in to the screen, and on the settings you say that when you click that button the software will go into one of the software’s you’d imported and do something.
The software I am asking for is this software developer software.
Edit again:
I will do a second attempt to clarify:
You know about bots right? Those who fly around on the web and to crazy things as cheeking hotel prizes to playing poker.
I only wonder about if you cold make a new GUI like QT or GTK that would emulate a certain keyboard event or mouse gesture when clicking a button. And were to get started when doing so.
http://www.linuxquestions.org/questions/linux-newbie-8/kompozer-problems-733285/#post3580690
There's several powerful web editors in a list composed by someone there. It includes editors with a WYSIWYG.
Aptana studio is what I use which can use different browsers to render. It also has a built-in web server so that you can test AJAX requests and php rendering.

Can someone guide me in building a log viewer [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I want to make a iis log viewer for websites I develop. I know there are utilities already developed out there, for e.g http://visuallogparser.codeplex.com/ , but I want to develop something of my own. Couple of questions I've is, how can I access files on the windows 2003 server.The log files are stored in a particular folder on the server. I've to manually open the files and then look through them for the information that might be relevant.
The first problem I see is being able to first get this file as input to let's say perl or python for file processing and then the issue of sorting and filtering data as is desired. Also getting a GUI for this.
I've no clue in what language or any framework this can be build. Looking for guidance here.
Personally, I think C# is head-and-shoulders above the competition for building standalone GUIs. It also has good support for parsing text, including decent support for regular expressions.
According to http://www.sqlservercentral.com/Forums/Topic525288-146-1.aspx you can just run a query to find out where your SQL-Server instance keeps it's log (and data) files.
If you're just starting out programming it'd be a real good idea to work through "the basics" in tutorials before you get started on project like this. Once you "feel ready" then have a go, looking for tutorials/discussion on each aspect as it arrises... and if you get stuck you can ask more specific questions right here.
One other piece of advise: Before you start coding this sort of thing sit down and do a mock-up of the interface. Workout what operations you want to perform. Analysing the problem WHILE you attempt to code a solution is a CLASSIC recipe for spending a lot of time to get not-much done. You need clear goals BEFORE you start coding... and then, of course, you "adapt" your goals as you learn more... as you go along... But it REALLY helps to be clear about what (roughly) you want before you start.
It might help you to use a couple of those existing log-presenters. Find-out what other people have done... what THEY find useful. If you find a particular functionality useful then you could attempt to copy-cat it... or maybe something someone else has done just gets you wondering "HOW do they do that?" and that get's your creative juices running.
finally, The blank canvas is the scariest one. Just get SOMEthing really simple working, and then add functionality to that, iteratively.
Cheers. Keith.

Help needed with windows hooks

I am working on building a system that can monitor how users react to security alerts on their systems (software updates, warnings etc.). It also needs to monitor the web traffic and the processes running on the system and I am looking to the community to help me design this system. We intend to provide users with test laptops and monitor their behavior over a period of time to see how they react to security alerts thrown by various applications and the OS(windows in this case).
Following are my questions
Can I use windows hooks to solve the first problem i.e finding how users reacted to the alerts thrown by various applications. Specifically, can global hooks be used to solve this?
(How this information should be collected (XML?) and relayed back to a server(how frequently?) is another problem)
Can I do this in C# or it has to be done only in c++ or VB?
Do you know any alternate approach to solve the problem? Is there any software that has these capabilities.
I have many more questions but getting these answered would be a good first step. Really hoping for some good insights from the knowledgeable people on this community
Thank you in advance
Edit:
Example scenario is when adobe prompts you to update the flash player or the antivirus prompts you to update definitions or any application displays a notification(security related having keywords like update, warning, install etc.) needing the user to take some action. Windows system updates is another example. I want to know how the user reacted to these alerts/notifications/updates (which are typically a pop-up window). So i was wondering if i placed a global hook that can monitor the content of the windows displayed on screen and notify me(server) when certain words like update, alert, warning etc. appear in the content/title of the windows and what the user did with the message(dismissed it, Oked it etc). Unfortunately, i do not have any more specifications than this. I can use anything I want to achieve this and I am not clear on what my choices are.
Edit 2:
After having reviewed my requirements and having read about hooks, I feel like I could achieve this by a combination of hooks and the following textGrab SDK, http://www.renovation-software.com/en/text-grab-sdk/textgrab-sdk.html. I want some guidance to know if I am on the right track. I am thinking if I can install hooks then it gives me handles to all possible windows on the screen and I can use the textGRAB SDK to look for certain keywords in those windows. Although this may capture some interesting text, I am still not sure how I will know what action the user had taken on the window. Anybody having any experience with either hooks or textGRAB, please let me know if this looks like a reasonable thing to do. If the community has some other Ideas on how I could possibly monitor security related messages thrown by any application in the system, please suggest. I am looking forward to some useful advice for completing a challenging project.
First of all, you need to define, how you will "see" security alerts in code. "Security alert" is quite a vague term. Will it be some window with some caption and some message to the user or ... ?
Next, about web and processes: Windows hooks won't help you with your task. They are more low-level and not as advanced as you'd need. You can't hook network traffic (you need either network filter driver for pre-Vista or Microsoft Filtering Platform for Vista and later). See this question for some information about checking the process list with C# (there seems to be no easy way to catch process startup either).
It honestly sounds like you need a more solid direction. I commend you for trying to provide details, but It appears that you still need more information about your problem(s)..
I will attempt to answer some of your questions, but like I said - it sounds like you need to know more about your problems before we can provide you with optimal answer(s).
-Alerts is too vague a term, you will need to define this better. Are these 'alerts' applications that YOU have control over or are they third party applications? Not every application will show an 'Alert' in the same fashion, and even if they did - I think using a System Level Hook would probably be too problematic to implement your solution with. I'm not saying it's necessarily impossible, but you're talking about possibly implementing a different set of logic(to determine the data for a given application's Alert(s)) for each application that you want to monitor.
-It's impossible for any of us to determine the optimal storage mechanism for your particular needs, that is something that you will either need to provide more details about or decide on your own.
-How often you collect data is also something that you will have to either provide more details for or decide for on your own.
-C/C++ Would probably provide you with the most portable solution, although there is nothing preventing you from using c# to call Win32 API. (Not everyone has the .NET framework installed - believe it or not)
-The problem that you mentioned appears to be a somewhat specialized problem... I don't know of any existing software that will do everything that you want to do.
Another possible issue that you haven't touched on:
You haven't specified your target audience for this 'service', but I want you to know that if I found an application monitoring as many events as what you're talking about doing, I would promptly remove it and write a nasty letter to the company that wrote it.
In summary, Read this Article on hooks to get a better understanding of how they work.

Hidden Windows shortcuts [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 12 years ago.
Anyone know where I can find a list of the different hidden shortcuts built into windows like "control userpasswords2".
I'm building a small app that will help my team get to those buried panels such as the pagefile settings, IE's proxy settings, Editing the Boot.ini
***I am not talking about shortcut keys like ctrl+alt+del. But commands you can put into the run dialog.
Thank you
To elaborate more, I'm looking for a list like MS KB192806 & commands, & another. That gives me some of the commands I'm looking for like "control intl.cpl". However I'm looking for others that are not in that list and I would like more control. For example to go strait to the connections tab when running "control intl.cpl".
You can find control panel specific list here:
http://support.microsoft.com/kb/192806
For your application, I would recommend you to design the required interfaces and take the input from user directly in to your application. After that, you can make the user defined changes from your program. Most (not all) of these settings are stored in registry which you can modify appropriately. Its easy to find the required registry key by searching on net or using some monitoring tools (like regmon or procmon).
Also note that, just setting the registry values will not always update the configuration immediately. Some setting changes have to be notified to the respective programs.
There are few similar software already available on the net, which can do management of few basic stuffs.

Is it unethical to send data to myself once a customer installs my software? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I'm trying to get an idea of how often my software is being installed. I was thinking about just including a simple URL call in the background the very first time the software is started. I am not trying to gather a lot of information. I really just want to get the date and time the software was installed. Is this unethical or commonly done by other developers?
You could always just have the installer open up a "Thank you for installing our product" page that's hosted on your web server. Since this page would normally only be hit after an install it should give you a decent indicator without being evil.
P.s. Before anyone hounds me on this please note that Firefox does this directly after an install.
In my opinion, yes, sending any data back that isn't authorized is unethical. Most software will prompt you to ask if it's OK to send back anonymous usage data. You could also track downloads and guestimate how many of them are actually installed.
There are a number of software products that gather data from the user but they all get the user's consent before sending any information. I suggest you do the following:
Ask the users to register, this way you will know some basic information like (roughly) when the software was installed.
If you need more complex/interesting usage statistics then make this a feature that users can easily turn off. Some people are not comfortable sending any data to you, Eclipse does this very well, the first time it wants to gather some usage statistics it allows the user to turn off the feature right away.
Finally , which ever way you implement this feature ensure that the users can see exactly what data you are collecting and sending and can choose to not do so.
If you do this in this correctly way you will gather some data in a way that does annoy your users or intrude on their privacy.
Just popup before installation:
"If you click Yes, the date and time the software was installed will be sent to us via your Internet connection. We would appreciate it a lot."
Let "Yes" be the default option and avoid the popup if there is no Internet connection available.
Doing it behind the scenes is unethical in my opinion.
you will always have to ask before calling home with anything, no matter how harmless you think it is.
kind of like you should always ask permission before putting a shortcut on a desktop.
If you want to do that — ask user permission.
Some companies just have automatic check for updates feature.
Only do this if your application uses the network as a primary function, otherwise a user will get weirded out by their standalone application asking to get internet access through their firewall.
Also: If you add in-line updates to your software, or ask to check for software updates periodically, you can easily log this information.
this is kind of tricky, if u are getting the information about the software only; without identifying the user, perhaps it might be passed as alright.
just think of google, i know it never gets installed on your system, but chrome again is a google product, which i believe probes ur google searches to give relevant advertisements. what is reading a cookie, is it any different from reading information from your computer.
also i have seen relevant advertising poping up in yahoo mail when i search for shopping stuff on google. they for sure are reading some info on your computer or browser session.
I think its ok to send the info from software, as long as u have no way to identify from what user it is coming from.
I don't see any particular areas of unethical or illegality except for this: My software, my computer, none of your business if I want to install it or just have it sitting in an installer.
Although I think a convincing argument could be made that it literally is your business to know about your software's installs.
Best route is simply to request to send 'anonymous usage information'.
How many of you windows users tell windows its OK to phone home and verify that your copy is genuine?
0.
There are a lot of high and mighty my-computer-is-my-domain answers here, and the bottom line is while its rude, its not against the law. Rather, its commonplace. Stick a disclosure in the EULA and you're good to go.
It is unethical to hide your collection of usage statistics.
That said, almost every website has a TON of personally identifiable information in the form of web logs that are almost never used to their "fullest potential for evil"
To ethically collect your install count just ask the users to activate the product on first usage or ....
Provide something useful! Prompt the user to check for updates on first use.
This approach IS ethical, can get you better and more relevant data (you can put voluntary forms together) and allows you to make a value exchange.
I think the circumstances also play a part.
If the app is a free app and the developers find that knowing each time an app is installed then as long as the user is told then most users wouldn't have an issue with that.
If the app contains sensitivie data (i.e. financial or credentials) and you notice the app calling home then that would freak most users out and wonder what else is being sent.
Also another point is having it call home each time the app is installed doesn't really tell the developers much, what if a user reinstalls the app or the operating system? What if the call home is denied by security software or their computer isn't even connected?
In my opinion if you can't collect meaningful useful stats then is it really worth collecting them to analyze them?
It’s unethical.
In the case the URL is opened in the default browser: A user might have explictly set beforehand that your tool should not be allowed to connect to the Internet. If your tool just calls the browser, you are circumventing this.
In some countries, users may face oppression or punishment for using specific tools. While they might manage to get the tool via sneakernet, your phoning home would be detectable by authorities.
You might lose/change your domain. If Malice registers it, she’ll have access to the incoming data from installations of your tool.
When your software wants to phone home, inform your users beforehand and allow them to cancel it.

Resources