Ctrl + Alt + Delete WM message number

Does anyone know what the windows procedure is when you press the keys Ctrl + Alt + Del? I am asking about the windows procedure message number returned when you press those keys. I would like to know the number on all possible Windows versions (w7, xp, vista, ...).

Winlogon.exe intercepts the Secure Attention Sequence (SAS), which is CTRL-ALT-DEL. It is a regular hotkey, registered with RegisterHotKey, but since Winlogon gets it first, you cannot steal it or disable it, in any programming language.

When Winlogon receives the SAS, it launches LogonUI.exe. LogonUI is the process that displays the "tiles", those squares you see on the logon screen. Each square is an implementation of a Credential Provider.

The credential provider collects your credential data, often a name and password. It sends that information back to Winlogon as an opaque array of bytes, along with the name of an Authentication Package.

The authentication package knows how to make sense of that array of bytes. It will use that information to log you in, maybe by getting a Kerberos ticket or checking your password against a stored hash. If all checks out, it will give a security TOKEN representing your user to Winlogon.

Almost done.

Winlogon creates a new Window Station, with a Desktop named "Default". It will create the process identified by the Userinit registry key, usually userinit.exe (unless your computer is part of a botnet ;). That process runs with the token from the Authentication package.

Userinit performs some tasks, like creating your profile if this is your first logon ever. It will then launch your shell, usually Explorer.exe, which will read various startup parameters, like all those unreadable icons next to the clock.

I've put the major milestones in bold. I suggest you research the parts that interest you so we can better help you by answering a more specific question.
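The answer's aside about the Userinit registry value can be checked on a live system, since every entry listed there is started at logon with the user's token. The PowerShell below is an added example, not part of the original answer; the key path and the stock defaults are assumptions for a default installation, the function name is hypothetical, and the sample strings are constructed.

```powershell
# Added example: audit the Winlogon values that decide what runs after logon.
# Assumed stock defaults: Userinit = <System32>\userinit.exe, Shell = explorer.exe
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonValue {
    param(
        [string]$Name,        # 'Userinit' or 'Shell'
        [string]$Value,       # raw registry string
        [string[]]$Expected   # allowed entries, lower-case, fully expanded
    )
    # The value is a comma-separated list; every non-empty entry is launched.
    $entries = @($Value -split ',' |
        ForEach-Object {
            [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')).ToLowerInvariant()
        } |
        Where-Object { $_ })
    $extra = @($entries | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Name       = $Name
        Entries    = $entries
        Unexpected = $extra
        # An empty value is also abnormal: nothing would start the shell.
        Suspicious = ($extra.Count -gt 0) -or ($entries.Count -eq 0)
    }
}

$expectedUserinit = @('c:\windows\system32\userinit.exe')
$expectedShell    = @('explorer.exe')

# Constructed samples: a stock value (note the trailing comma) and a value
# with a second, unexpected program appended after the legitimate one.
$samples = @(
    'C:\Windows\system32\userinit.exe,',
    'C:\Windows\system32\userinit.exe,C:\Users\Public\updater.exe'
)
foreach ($s in $samples) {
    Test-WinlogonValue -Name 'Userinit (sample)' -Value $s -Expected $expectedUserinit
}

# Live check, only where the registry key is reachable (Windows).
if (Test-Path $WinlogonKey) {
    $props = Get-ItemProperty -Path $WinlogonKey
    Test-WinlogonValue -Name 'Userinit' -Value $props.Userinit -Expected $expectedUserinit
    Test-WinlogonValue -Name 'Shell'    -Value $props.Shell    -Expected $expectedShell
}
```

On a machine where Windows is not installed under C:\Windows, adjust `$expectedUserinit` before trusting the result.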

I think winlogon is called from the raw input thread, I don't remember exactly how, maybe an event or LPC. The whole point of CAD is that a normal program cannot intercept it.

You can try to emulate it on pre-Vista systems with a custom GINA that calls WlxSasNotify.
