ctrl+alt+del

[jovton]

I have searched the net all over, everywhere, but have given up hope. I'm looking for a way to disable the CTRL+ALT+DEL Keystrokes on Windows NT/2000/XP, but all I find is ways to do it with Windows 9x/ME and so forth. I know I can disable many keystrokes on Windows NT based systems, heck, EVERYTHING but CTRL+ALT+DEL.

I have posted in this category because I thought that the only way that it may be possible is through direct hardware access or that sort of stuff. I am not an assembly programmer, and does not know anything about it. I have seen the coding styles, but am frightended by it. I do Visual Basic and C++.

But maybe one of you guru dudes here have a piece of code (that I will not neccessarily understand) that may help me in my searching and learning quest for this.

I know there is a way to do it, because I have seen demostrations of it in other security related applications. But nobody on this entire Internet seems to be willing to share his/her knowledge about it. Hopefully I will find such a person in this forum.

Thanks.

[CornedBee]

You might try to contact MS directly...
It seems as this is your last hope.

[Darkwraith]

Did you get an answer from MS yet?

[jovton]

nah.

[Sastraxi]

It's not possible. And a good thing too, from a security standpoint. You wonder why they get you to press CTRL+ALT+DEL to login on NT-based operating systems?

[jovton]

whulaadeedauh... don't you think I know that by now? of course it's for security measures. But, I was thinking more like...

I don't want my proggy to capture the c-a-d sequence and prevent NT from protecting passwords, nooo! I was thinking more like: Preventing ANY program, even NT OS from ... no wait... preventing the press of c-a-d ALLTOGETHER. So, if nobody can press c-a-d, how can someone (or any program) capture the password?

[CornedBee]

If nobody can press CAD, what if an application crashes?

[jovton]

Disabling c-a-d will not be permanent. Gheeez. If my proggy unloads, c-a-d will be available again. same goes for if the pc restarts.

[CornedBee]

Yeah, IF it does

What if while your app is running, another app hangs in a way that prevents the user from closing your app? What is he supposed to do then?

[jovton]

myyy goodness... have you never wanted to achieve anything that breaks the OS? (i.e. hack, for the sake of knowing more, being able to do more) NEVER? Do you work for Microsoft?

[Darkwraith]

lol. This is becoming an interesting thread, isn't it?

There might exist a way where you can stop it in assembler or DirectInput. (I am not that intimately familar with DI to know that if you bypass Windows (there is a way do accomplish this that is well advised for you not to but), you can also bypass Ctrl - Alt - Delete)

Check it out and tell us if you have a solution.

[jovton]

hmmm, it rings a bell. I'm not firmiliar with DI either, but desperation yields strange results

[CornedBee]

Um, no, actually never wanted to crash windows, it crashes easily enough without me helping . I'm not a destructive nature.
And I don't work for MS, I actually don't work for any company at all, I'm still a student.


DirectInput doesn't really bypass windows either. Yes, you bypass most of the windows stuff, but windows still gets the first call on the keyboard - to catch CAD.

[jovton]

catch? catch? I don't want to catch it. I want to disable it! (So that not even I can catch it )

[CornedBee]

I was talking about windows.

[CornedBee]

Here's a tip: take the keys off your keyboard

[jovton]

hey good idea.

[Darkwraith]

idk. Some of the documentation that I fould told me that you can essentially bypass Windows (but we all know how well MS's documents features of their products. )

Now CornedBee's comment begs the question: how are you going to get the user to take the keys off of the keyboard?

[jovton]

hmmm, i'm downloading the source code for doomsday. it contains the DI code for disabling c-a-d. Whether it contains the Win 9x/ME code or the code for NT or maybe both, I don't know yet. Let's see...

[Darkwraith]

Tell me how it turns out.

[jovton]

damnation!!! It uses SystemParametersInfo that only disables c-a-d one Win9x-based systems.

[CornedBee]

Originally posted by Darkwraith
Now CornedBee's comment begs the question: how are you going to get the user to take the keys off of the keyboard?

Include life threats in the product if they won't.

[Darkwraith]

...disables c-a-d one Win9x-based systems.

"On," right? Well, its a start...

[jovton]

Originally posted by Darkwraith
"On," right? Well, its a start...

I already knew that one. See first post.

In one of my other posts somewhere, I came up with an idea of analyzing, and desecting the Win32 core dll's, to see if there may be an exported function that does the trick. The name of the function may not be obvious. Microsoft's theory: Security through obscurity.

The reason I think that there exists a function like that is because I will prove it to you now... Please follow the following steps:
[list=1][*]Log into your NT box and wait until your desktop finishes loading.[*]Now press Ctrl+Alt+Del. If you see a Task Damager or Security or Fast Switching Window, then it works, and we will know that some other dude has not yet accomplished this dream of mine.[*]Now press Ctrl+Alt+Del while still at this window. What happens?[*]If nothing happens, then I have proved my theory. If something happens, then I have proved myself wrong. Why?[/list=1]

If nothing happens, then it is because windows knows that it is already in the c-a-d security mode, and does not have to act on c-a-d again. If we can deceive windows into thinking it is already in this mode, it will not act on the c-a-d sequence when we press it.

Better theories are welcome

[CornedBee]

There is no CAD secure mode. Pressing CAD again while in Task Manager reboots the system.

There is a specific file that does the CAD stuff, but it is loaded into secure memory that can only be accessed by the kernel itself.

[CornedBee]

Which leads me to a thought...

Suppose a CAD gets caught by Windows. It then must decide what to do. It will bring up the Task Manager unless Task Manager is already running, in which case it will do a reboot.

Given that the Task Manager is not running, it has to look up Task Manager and start it. This can still be done in a protected area, but the manager itself - you might be able to intercept its loading and prevent it. No Task Manager -> no reaction to CAD.

[jovton]

Originally posted by CornedBee
There is no CAD secure mode. Pressing CAD again while in Task Manager reboots the system.

You're not quite getting it yet, now are you... It will NOT, I repeat, it will NOT, I repeat again, it will NOT NOT NOT do a reboot on an NT system. What kind of NT box do you have? I already know how to stop c-a-d in Win9x/ME. Am I getting through to you?

There is a specific file that does the CAD stuff, but it is loaded into secure memory that can only be accessed by the kernel itself.

Like... what file is that? Is it the gina? Sure! The gina can be re-written or modified, but I'm sure not every user would approve of that.

[jovton]

hmmm, if that protected memory could somehow be accessed in r/w mode through a dangerous int call, then memory can be modified. Does programs like "Game Shark" not have that ability? If the keyboard driver can be modified dynamically in the memory, then interupt 09H handler can be modified. then problems might be solved

does I sounds too much likes a wannabes?

[CornedBee]

Much like wannabes. WinNT runs in Protected Mode, so you can't replace interrupt handlers.

[CornedBee]

Strange, it really doesn't reboot. I was absolutly sure it did that even in 2k...


Ok, still I think that's it some sort of protected area where this stuff is done - maybe you can write a driver to do your stuff?

[Darkwraith]

Whoa, you are going to try to change BIOS?!

That is not the best idea. You can reallllly do major damage, and I don't just mean to INT 09h. You could mess all of the BIOS routines!

[Darkwraith]

Did you finally accomplish your task?

[jovton]

Nope.