My journey began (as these journeys often do) by perusing the Win32 API on MSDN. I knew it was possible to change the wallpaper path in the registry, but that change would only take effect the next time the user logged in. What I needed was a way to set the user’s wallpaper and force their desktop to refresh. I wrote a simple prototype to set my wallpaper by calling SystemParametersInfo() with SPI_SETDESKWALLPAPER and SPIF_SENDCHANGE, and it worked as expected. But how could I do this remotely?

I wrote a simple batch script to copy my prototype to the target machine and then start the process with WMI.

mkdir \\%1\c$\tmp
copy chwp.exe \\%1\c$\tmp
copy cat-owned.bmp \\%1\c$\tmp
wmic /node:"%1" /user:bob.carroll process call create ^
   "cmd.exe /c c:\tmp\chwp.exe \tmp\cat-owned.bmp > c:\tmp\out.txt"

Initially, the call kept failing with ERROR_INSUFFICIENT_BUFFER. I’m a domain administrator so I had the necessary rights, but logging in at the console before running my script seemed to fix the issue. That suggests the problem was caused by not having a profile, but I didn’t look into it further.

At this point I was able to remotely launch my application, but it was executing in a service window station. I figured that my application would need to run in the context of the interactive desktop before I could change the user’s wallpaper. It was easy enough to attach to WinSta0\Default, but I had to adjust the window station’s DACL in order to open it for WINSTA_ALL_ACCESS.

With my application running in the correct desktop context, I attempted to call SystemParametersInfo() but it failed with ERROR_ACCESS_DENIED. This actually made sense because I was still executing as myself but I didn’t own the desktop session. I thought about impersonating the console user, but I needed an access token and LogonUser() requires a password. Calling NtCreateToken() might work, but I’d have to fill the token myself. If only I could steal the console user’s token somehow…

Since I was executing in the console user’s desktop session, I was able to locate the Program Manager window and then get the EXPLORER.EXE process ID. Ideally, I could copy the access token from EXPLORER.EXE and use it to impersonate the console user. I enabled SeDebugPrivilege and opened the process for all access, but I was unable to call OpenProcessToken() with TOKEN_DUPLICATE. Apparently the token itself has a DACL and I was implicitly not allowed to read it.

After hours of reading, I couldn’t find a way around this without stomping on the token and granting myself access. So I switched on SeTakeOwnershipPrivilege and did just that. Interestingly, calling SetTokenInformation() failed with ERROR_ACCESS_DENIED, but calling SetKernelObjectSecurity() succeeded. Once I had rights to read the token, I copied it and called ImpersonateLoggedOnUser(). Now I was running in the console user’s desktop session as that user.

And for the moment of triumph: running my script from machine A caused the desktop wallpaper to change on machine B! I made a video to demo the tool.

You can find the sources here.

So you can imagine how annoyed I was to come into work twice this week to the blue Windows logon screen. Every time this happens it takes me twenty minutes to figure out what I was doing the day before, what I have to do today, and where I stopped with my work. And really what made this so much more painful was that it happened without any advanced warning.

And that’s what got me thinking: could I block restart requests? I researched the Windows shut down process online and then went to work on a prototype. From what I read, calling ExitWindowsEx sends WM_QUERYENDSESSION to all top-level windows. Applications that are not ready to shut down should return false. I figured the best strategy was to install a system-wide hook and filter the message.

Initially I attempted to capture WM_QUERYENDSESSION with the WH_GETMESSAGE hook and replace it with WM_NULL, but trial-and-error revealed that it’s sent through SendMessage and not posted to the window’s queue. This meant that I couldn’t filter out the message.

I switched to WH_CALLWNDPROC and was able to capture the message, but not actually modify it. Since my DLL is memory-mapped into the local process space, it seemed like the only way to filter the message was to create a new WindowProc function that handles WM_QUERYENDSESSION and always returns false. Then inside the hook procedure, I could intercept the message and call SetWindowLong to replace the window’s message procedure.

This demonstrates the basic concept:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

LRESULT CALLBACK CallWndProc(int nCode, WPARAM wParam, LPARAM lParam)
{
  if (nCode == HC_ACTION) {
      CWPSTRUCT *msg = (CWPSTRUCT*)lParam;
 
      /* hijack the window proc when we see a shut down message */
      if (msg->message == WM_QUERYENDSESSION)
          oldwndproc = SetWindowLong(msg->hwnd, GWL_WNDPROC, (DWORD)WindowProc);
  }
 
  return CallNextHookEx(g_callwndhk, nCode, wParam, lParam);
}
 
LRESULT CALLBACK WindowProc(HWND hWnd, UINT uiMessage, 
        WPARAM wParam, LPARAM lParam)
{
  /* intercept shut down messages */
  if (uiMessage == WM_QUERYENDSESSION)
      return 0;
 
  return DefWindowProc(hWnd, uiMessage, wParam, lParam);
}

When my little application starts, it calls SetProcessShutdownParameters with level 0x4FF to increase the chances of trapping the message first. I figured this was a good idea since I know its WindowProc function can be safely hijacked. Now when Windows sends WM_QUERYENDSESSION the response is always “NO!”. The added exclamation there is a call to AbortSystemShutdown, which is probably unnecessary but I do it just to be safe. Also, I added an alert message box to warn me when a reboot is triggered.

I’m sort of amazed this actually worked. Some day I’ll test it against InitiateSystemShutdown and ExitWindowsEx with EWX_FORCE to see how it holds up. Interestingly, Windows Vista/7 provides ShutdownBlockReasonCreate for seemingly outright blocking shut down attempts.

You can obtain the sources to this project here.

I use Spark on my workstation to connect to the company’s internal IM server. The application works alright, but the contacts window always appears in the taskbar. So I started to think about ways I could programmatically solve my problem.

I could set the WS_EX_TOOLWINDOW style on the window, but that would alter the window’s appearance. What I really wanted was a way to tell Windows to remove the tab. A quick search on Google turned up the answer: use COM to create an instance of ITaskbarList. The interface has the function ITaskbarList::DeleteTab() which takes a window handle. Perfect!

Now I just needed to get the window’s handle. FindWindow() would have worked, but that meant hard-coding my username into the program. I felt a more elegant solution was to enumerate all of the windows, and look for the one with the right class and title prefix.

Since the tab would reappear every time I brought the contact list window to the foreground, I ended up wrapping my fix with a loop and a timer. Here’s the finished product:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

/* NoSpark.cpp - Hides the Spark contacts window tab in the taskbar */
 
#include <windows.h>
#include <Shobjidl.h>
 
BOOL CALLBACK EnumWindowsProc(HWND, LPARAM);
 
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow)
{
	HANDLE htmr = CreateWaitableTimer(NULL, TRUE, L"CheckSpark");
	LARGE_INTEGER lidt;
	ITaskbarList* ptl;
 
	__int64 qwdt = -60 * 10000000; /* 1 minute */
	lidt.LowPart = (DWORD)(qwdt & 0xFFFFFFFF);
	lidt.HighPart = (LONG)(qwdt >> 32);
 
	while (TRUE) {
		SetWaitableTimer(htmr, &lidt, 0, NULL, NULL, FALSE);
		WaitForSingleObject(htmr, INFINITE);
 
		HWND hsparkwnd = 0;
		EnumWindows(&EnumWindowsProc, (LPARAM)&hsparkwnd);
		if (hsparkwnd == 0) continue;
 
		CoInitialize(NULL);
		HRESULT ret = CoCreateInstance(
			CLSID_TaskbarList, 
			NULL, 
			CLSCTX_SERVER, 
			IID_ITaskbarList, 
			(LPVOID*) &ptl
		);
 
		if (ret == S_OK)
			ptl->DeleteTab(hsparkwnd);
 
		ptl->Release();
		CoUninitialize();
	}
 
	return 0;
}
 
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
	int tmpsz = 16;
	LPWSTR lptmp = (LPWSTR)malloc(sizeof(WCHAR) * tmpsz);
 
	RtlZeroMemory(lptmp, tmpsz);
	GetClassName(hwnd, lptmp, tmpsz);
 
	if (wcscmp(lptmp, L"SunAwtFrame") != 0) {
		free(lptmp);
		return TRUE;
	}
 
	RtlZeroMemory(lptmp, tmpsz);
	GetWindowText(hwnd, lptmp, tmpsz);
 
	if (wcscmp(lptmp, L"Spark -") > 0) {
		*((HWND*) lParam) = hwnd;
		free(lptmp);
		return FALSE;
	}
 
	free(lptmp);
	return TRUE;
}

To compile this program, create a new, empty Visual C++ project. Create a new cpp file and drop the code above inside. If you get compile errors about converting wchar_t* to const char* then change your character set from Multibyte to Unicode in the project properties.

Now you might be wondering why I don’t just change the screensaver time-out or turn off the requirement for a password. Well even though I’m a local administrator, there is a domain-wide GPO that prevents me from doing so. (Yes I know I can edit the registry, but that setting doesn’t survive a GP refresh.) I understand the reason for the policy, but five minutes seems a bit too short.

I wanted to fix this problem AND keep my job at the same time. Alice’s “dipping duck” inspired me to write a simple program to simulate mouse movement.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

#include <windows.h>
 
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow)
{
    HANDLE htmr = CreateWaitableTimer(NULL, TRUE, L"CheckIdle");
    LARGE_INTEGER lidt;
    LASTINPUTINFO lii;
 
    __int64 qwdt = -30 * 10000000; /* 30 seconds */
    lidt.LowPart = (DWORD)(qwdt & 0xFFFFFFFF);
    lidt.HighPart = (LONG)(qwdt >> 32);
 
    while (TRUE) {
        SetWaitableTimer(htmr, &lidt, 0, NULL, NULL, FALSE);
        WaitForSingleObject(htmr, INFINITE);
 
        RtlZeroMemory(&lii, sizeof(LASTINPUTINFO));
        lii.cbSize = sizeof(LASTINPUTINFO);
        BOOL ret = GetLastInputInfo(&lii);
 
        int threshold = 3 * 60; /* 3 minutes */
        int idletime = ret ? (GetTickCount() - lii.dwTime) / 1000 : 0;
 
        BOOL scrnsvr = FALSE;
        SystemParametersInfo(SPI_GETSCREENSAVERRUNNING, 0, &scrnsvr, 0);
 
        if (idletime > threshold && !scrnsvr) {
            MOUSEINPUT mi;
            RtlZeroMemory(&mi, sizeof(MOUSEINPUT));
            mi.dwFlags = MOUSEEVENTF_MOVE;
            mi.dx = 1;
            mi.dy = 1;
 
            INPUT in;
            in.type = INPUT_MOUSE;
            in.mi = mi;
 
            SendInput(1, &in, sizeof(in));
        }
    }
 
    return 0;
}

Every thirty seconds the program checks to see if the computer is idle. After three minutes of inactivity (and if the screensaver isn’t running), it moves the mouse cursor one pixel down and to the right. If I lock the workstation or manually activate the screensaver, the program won’t do anything. To compile this program, create a new empty C++ Win32 application project. Add a new cpp file, drop in the code above, and hit “Build Solution”.

Now the screensaver won’t be a nuisance when I’m trying to read. I just have to make sure to hit Win-L before I leave my desk!

TracFS uses FUSE for VFS operations and is written in PHP. It also supports authenticating with a Shibboleth SSO gateway. Other authentication mechanisms can be easily added in the future.

Install

• Install FUSE — You can use your distro’s package manager or visit the project site for manual installation instructions.
  • Linux/BSD — http://fuse.sourceforge.net/
  • OS X — http://code.google.com/p/macfuse/
• Install PHP — Consult the PHP manual for your platform.
• Install php_fuse — Follow the build instructions here.
• Check out TracFS — Using a git client, check out http://github.com/rcarz/tracfs.

TracFS is licensed under the GNU GPL.

How to Use

Mounting a file system is very simple. Suppose you want to mount Trac’s source tree to /Volume/trac, you would execute:

$ mkdir /Volumes/trac
$ php ~/Desktop/tracfs/tracfs.php http://trac.edgewall.org/ /Volumes/trac

Tada! The Trac sources appear as regular files in your file manager.