So you can imagine how annoyed I was to come into work twice this week to the blue Windows logon screen. Every time this happens it takes me twenty minutes to figure out what I was doing the day before, what I have to do today, and where I stopped with my work. And really what made this so much more painful was that it happened without any advanced warning.

And that’s what got me thinking: could I block restart requests? I researched the Windows shut down process online and then went to work on a prototype. From what I read, calling ExitWindowsEx sends WM_QUERYENDSESSION to all top-level windows. Applications that are not ready to shut down should return false. I figured the best strategy was to install a system-wide hook and filter the message.

Initially I attempted to capture WM_QUERYENDSESSION with the WH_GETMESSAGE hook and replace it with WM_NULL, but trial-and-error revealed that it’s sent through SendMessage and not posted to the window’s queue. This meant that I couldn’t filter out the message.

I switched to WH_CALLWNDPROC and was able to capture the message, but not actually modify it. Since my DLL is memory-mapped into the local process space, it seemed like the only way to filter the message was to create a new WindowProc function that handles WM_QUERYENDSESSION and always returns false. Then inside the hook procedure, I could intercept the message and call SetWindowLong to replace the window’s message procedure.

This demonstrates the basic concept:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

LRESULT CALLBACK CallWndProc( int nCode, WPARAM wParam, LPARAM lParam )
{
  if( nCode == HC_ACTION ) {
      CWPSTRUCT *msg = (CWPSTRUCT*)lParam;
 
      /* hijack the window proc when we see a shut down message */
      if( msg->message == WM_QUERYENDSESSION )
          oldwndproc = SetWindowLong(msg->hwnd, GWL_WNDPROC, (DWORD)WindowProc);
  }
 
  return CallNextHookEx(g_callwndhk, nCode, wParam, lParam);
}
 
LRESULT CALLBACK WindowProc( HWND hWnd, UINT uiMessage, 
        WPARAM wParam, LPARAM lParam )
{
  /* intercept shut down messages */
  if( uiMessage == WM_QUERYENDSESSION )
      return 0;
 
  return DefWindowProc(hWnd, uiMessage, wParam, lParam);
}

When my little application starts, it calls SetProcessShutdownParameters with level 0×4FF to increase the chances of trapping the message first. I figured this was a good idea since I know its WindowProc function can be safely hijacked. Now when Windows sends WM_QUERYENDSESSION the response is always “NO!”. The added exclamation there is a call to AbortSystemShutdown, which is probably unnecessary but I do it just to be safe. Also, I added an alert message box to warn me when a reboot is triggered.

I’m sort of amazed this actually worked. Some day I’ll test it against InitiateSystemShutdown and ExitWindowsEx with EWX_FORCE to see how it holds up. Interestingly, Windows Vista/7 provides ShutdownBlockReasonCreate for seemingly outright blocking shut down attempts.

You can obtain the sources to this project here.

Now you might be wondering why I don’t just change the screensaver time-out or turn off the requirement for a password. Well even though I’m a local administrator, there is a domain-wide GPO that prevents me from doing so. (Yes I know I can edit the registry, but that setting doesn’t survive a GP refresh.) I understand the reason for the policy, but five minutes seems a bit too short.

I wanted to fix this problem AND keep my job at the same time. Alice’s “dipping duck” inspired me to write a simple program to simulate mouse movement.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

#include <windows.h>
 
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow )
{
    HANDLE htmr = CreateWaitableTimer(NULL, TRUE, L"CheckIdle");
    LARGE_INTEGER lidt;
    LASTINPUTINFO lii;
 
    __int64 qwdt = -30 * 10000000; // 30 seconds
    lidt.LowPart = (DWORD) (qwdt & 0xFFFFFFFF);
    lidt.HighPart = (LONG) (qwdt >> 32);
 
    while( TRUE ) {
        SetWaitableTimer(htmr, &lidt, 0, NULL, NULL, FALSE);
        WaitForSingleObject(htmr, INFINITE);
 
        RtlZeroMemory(&lii, sizeof(LASTINPUTINFO));
        lii.cbSize = sizeof(LASTINPUTINFO);
        BOOL ret = GetLastInputInfo(&lii);
 
        int threshold = 3 * 60; // 3 minutes
        int idletime = ret ? (GetTickCount() - lii.dwTime) / 1000 : 0;
 
        BOOL scrnsvr = FALSE;
        SystemParametersInfo(SPI_GETSCREENSAVERRUNNING, 0, &scrnsvr, 0);
 
        if( idletime > threshold && !scrnsvr ) {
            MOUSEINPUT mi;
            RtlZeroMemory(&mi, sizeof(MOUSEINPUT));
            mi.dwFlags = MOUSEEVENTF_MOVE;
            mi.dx = 1;
            mi.dy = 1;
 
            INPUT in;
            in.type = INPUT_MOUSE;
            in.mi = mi;
 
            SendInput(1, &in, sizeof(in));
        }
    }
 
    return 0;
}

Every thirty seconds the program checks to see if the computer is idle. After three minutes of inactivity (and if the screensaver isn’t running), it moves the mouse cursor one pixel down and to the right. If I lock the workstation or manually activate the screensaver, the program won’t do anything. To compile this program, create a new empty C++ Win32 application project. Add a new cpp file, drop in the code above, and hit “Build Solution”.

Now the screensaver won’t be a nuisance when I’m trying to read. I just have to make sure to hit Win-L before I leave my desk!