How do I lock the workstation from a windows service?

Question

I need to lock the workstation from a windows service written in VB.Net. I am writing the app on Windows 7 but it needs to work under Vista and XP as well.

User32 API LockWorkStation does not work as it requires an interactive desktop and I get return value of 0.

I tried calling %windir%\System32\rundll32.exe user32.dll,LockWorkStation from both a Process and from Shell, but still nothing happens.

Setting the service to interact with the desktop is a no-go as I am running the service under the admin account so it can do some other stuff that requires admin rights - like disabling the network, and you can only select the interact with desktop option if running under Local System Account.

That would be secondary question - how to run another app with admin rights from a service running under Local System Account without bugging the user.

I am writing an app to control my kids computer/internet access (which I plan to open source when done) so I need everything to happen as stealthily as possible.

I have a UI that handles settings and status notifications in the taskbar, but that is easy to kill and thus defeat the locking. I could make another hidden Windows Forms app to handle the locking, but that just seems a rather inelegant solution.

Better ideas anyone?

Answer 1

In order to interact with user session in a service, you first need to use a user session id. basically you'll need to use WTSGetActiveConsoleSessionId, WTSGetActiveConsoleSessionId and CreateEnvironmentBlock prior to calling CreateProcessAsUser.
The important part is the CreateEnvironmentBlock. The first two methods allow us not to use a predefiend username/password which is desirable . The Python snippet as a proof of concept for locking the workstation from a service is as follow :

import win32process
import win32con
import win32ts

console_session_id = win32ts.WTSGetActiveConsoleSessionId()
console_user_token = win32ts.WTSQueryUserToken(console_session_id)
startup = win32process.STARTUPINFO()
priority = win32con.NORMAL_PRIORITY_CLASS
environment = win32profile.CreateEnvironmentBlock(console_user_token, False)
handle, thread_id ,pid, tid = win32process.CreateProcessAsUser(console_user_token, None, "rundll32.exe user32.dll,LockWorkStation", None, None, True, priority, environment, None, startup)

ref

Answer 2

I've been fighting with this over a week and after reading a lot of information about this issue, finally got the solution for this...

You have to use the CreateProcessAsUser function like this:

  Private Shared Sub Executer(ByVal content As String)
    Dim objProcess As System.Diagnostics.Process

    Dim filename As String
    filename = "e:\lock.bat" 
    'create a bat file with ''rundll32.exe user32.dll,LockWorkStation'' inside

    Dim UserTokenHandle As IntPtr = IntPtr.Zero
    WindowsApi.WTSQueryUserToken(WindowsApi.WTSGetActiveConsoleSessionId, UserTokenHandle)

    Dim ProcInfo As New WindowsApi.PROCESS_INFORMATION
    Dim StartInfo As New WindowsApi.STARTUPINFOW
    StartInfo.cb = CUInt(Marshal.SizeOf(StartInfo))

    WindowsApi.CreateProcessAsUser(UserTokenHandle, filename, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, False, 0, IntPtr.Zero, Nothing, StartInfo, ProcInfo)
    If Not UserTokenHandle = IntPtr.Zero Then
        WindowsApi.CloseHandle(UserTokenHandle)
    End If

End Sub

Got most of the code from here where you can, also, find the WindowsApi to use with this function. I'me still trying to find if can avoid the bat file but at least is a very decent solution.

EDIT: To avoid using an external *.bat file to execute the code just edit the WindowsApi Class and replace the CreateProcessAsUser and the advapi32.dll import part with this:

    <DllImport("Advapi32.dll", EntryPoint:="CreateProcessAsUser", ExactSpelling:=False,      SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Public Shared Function CreateProcessAsUser( _
                       ByVal hToken As IntPtr, _
                       ByVal lpApplicationName As String, _
                       <[In](), Out(), [Optional]()> ByVal lpCommandLine As StringBuilder, _
                       ByVal lpProcessAttributes As IntPtr, _
                       ByVal lpThreadAttributes As IntPtr, _
                       <MarshalAs(UnmanagedType.Bool)> ByVal bInheritHandles As Boolean, _
                       ByVal dwCreationFlags As Integer, _
                       ByVal lpEnvironment As IntPtr, _
                       ByVal lpCurrentDirectory As String, _
                       <[In]()> ByRef lpStartupInfo As STARTUPINFOW, _
                       <Out()> ByRef lpProcessInformation As PROCESS_INFORMATION) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function

And now you can use a stringbuilder as the thrid argument(comandline) for CreateProcessAsUser function and put the second(applicationame) as 'Nothing' like this:

Dim cmdline As New StringBuilder
cmdline.Append("rundll32.exe user32.dll,LockWorkStation")
WindowsApi.CreateProcessAsUser(UserTokenHandle, Nothing, cmdline, IntPtr.Zero, IntPtr.Zero, False, 0, IntPtr.Zero, Nothing, StartInfo, ProcInfo)

And it WILL WORK!!!!

Regards, AP

Answer 3

Am am not totally satisfied with my answer but Window's security leaves me little alternative. Anything opened bu the service (through Process, Shell whatever) will not have desktop access. I understand the reasons behind the limitations Microsoft has created but still frustrating!

My Service uses IPC to tell my UI to lock the computer. Here is a basic link on doing that:

http://anoriginalidea.wordpress.com/2007/08/09/simple-inter-process-communication-in-vbnet/

See his reference links for additional data.

However, that still does not quite work. Also see this link for how to do it without the Access Is Denied messages:

http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/ce968b5b-04fe-46d2-bb75-73e367a8b0c3

Make sure your URIs are correct. The portName property on the server side is the first part of the IPC path in the GetObject method call. The second part maps to the second parameter of the RegisterWellKnownServiceType call on the server side.

And apparently the portName properties need to be DIFFERENT on the sever and client sides.

If you get "Failed to connect to an IPC Port: The system cannot find the file specified." on your client then the server has not started yet so there is nothing to hear you scream.

Answer 4

What you're trying to do is actively blocked by Microsoft - if you did get it working, it'd be exploiting a loophole that will surely be closed soon.

What you can do though is the Friar Tuck/Robin Hood solution - have two programs running and monitoring each other. When one is killed, the other detects this and restarts it (or, just logs the current user out as punishment, depending on how severe you want this to be).

Answer 5

You could try to launch a screensaver from a windows service that automatically locks the workstation.

Answer 6

Another inelegant solution (but without the drawbacks of signaling your UI application) is to have another service that is installed to interact with the desktop whose job it is to listen for a signal to lock the desktop.

I agree that it's not great to have to run with local system credentials, but if all the service does is lock the desktop, there's a pretty small footprint that needs secured.