how can I disable ctrl+alt + del, and windows key in vista.

1.how can I disable ctrl+alt + del, and windows key.
when my program is running ,disable ctrl+alt + del, and windows key.
when my program leave. enable ctrl+alt + del, and windows key .

In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista gina
is not supported.
Must I write a key board driver.
how can I do that.

2. if I do that, can it work well at vista.

3.I know little about DDK, how can I do it.

best regards

MikeCarlisle
Mon Nov 13 00:31:02 CST 2006

You can trap the windows key using a keybroad hook with the SetWindowsHookEx
api. Just eat the event.

I'm also interested in how to trap ctrl-alt-del on vista, and have been
looking at the DDK with the hope of writting the filter driver, but know very
little about this.

Did you have any luck? Has anyone got any pointers, sample code?

"rocli" wrote:

> 1.how can I disable ctrl+alt + del, and windows key.
> when my program is running ,disable ctrl+alt + del, and windows key.
> when my program leave. enable ctrl+alt + del, and windows key .
>
> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista gina
> is not supported.
> Must I write a key board driver.
> how can I do that.
>
> 2. if I do that, can it work well at vista.
>
> 3.I know little about DDK, how can I do it.
>
> best regards

Doron
Mon Nov 13 00:59:06 CST 2006

the WDF kbfiltr example shows you how to install a keyboard filter driver
from which you can filter out the keys

d

--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.


"Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
news:C99A18CA-E81F-4DD8-9298-5F0BB216DE7A@microsoft.com...
> You can trap the windows key using a keybroad hook with the
> SetWindowsHookEx
> api. Just eat the event.
>
> I'm also interested in how to trap ctrl-alt-del on vista, and have been
> looking at the DDK with the hope of writting the filter driver, but know
> very
> little about this.
>
> Did you have any luck? Has anyone got any pointers, sample code?
>
> "rocli" wrote:
>
>> 1.how can I disable ctrl+alt + del, and windows key.
>> when my program is running ,disable ctrl+alt + del, and windows key.
>> when my program leave. enable ctrl+alt + del, and windows key .
>>
>> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista
>> gina
>> is not supported.
>> Must I write a key board driver.
>> how can I do that.
>>
>> 2. if I do that, can it work well at vista.
>>
>> 3.I know little about DDK, how can I do it.
>>
>> best regards

Bruno
Mon Nov 13 02:37:31 CST 2006

> You can trap the windows key using a keybroad hook with the
> SetWindowsHookEx
> api. Just eat the event.

Afaik, there are 2 problems with SetWindowsHookEx:
1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
desktop (by design)
2) SetWindowsHookEx does not give you a means to change the events. it only
alows you to monitor.

--

Kind regards,
Bruno van Dooren MVP - VC++
bruno_nos_pam_van_dooren@hotmail.com
Remove only "_nos_pam"

soviet_bloke
Mon Nov 13 03:49:00 CST 2006

> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> desktop (by design)

In fact, in any desktop, apart from the one that has installed a hook -
Windows hooks
are of desktop-level scope


Anton Bassov

Bruno van Dooren [MVP VC++] wrote:
> > You can trap the windows key using a keybroad hook with the
> > SetWindowsHookEx
> > api. Just eat the event.
>
> Afaik, there are 2 problems with SetWindowsHookEx:
> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> desktop (by design)
> 2) SetWindowsHookEx does not give you a means to change the events. it only
> alows you to monitor.
>
> --
>
> Kind regards,
> Bruno van Dooren MVP - VC++
> bruno_nos_pam_van_dooren@hotmail.com
> Remove only "_nos_pam"

MikeCarlisle
Mon Nov 13 10:48:02 CST 2006

Thanks I'll take a look. I haven't written much C, do you have an example of
how to catch multiple keys with this code?

"Doron Holan [MS]" wrote:

> the WDF kbfiltr example shows you how to install a keyboard filter driver
> from which you can filter out the keys
>
> d
>
> --
> Please do not send e-mail directly to this alias. this alias is for
> newsgroup purposes only.
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
> news:C99A18CA-E81F-4DD8-9298-5F0BB216DE7A@microsoft.com...
> > You can trap the windows key using a keybroad hook with the
> > SetWindowsHookEx
> > api. Just eat the event.
> >
> > I'm also interested in how to trap ctrl-alt-del on vista, and have been
> > looking at the DDK with the hope of writting the filter driver, but know
> > very
> > little about this.
> >
> > Did you have any luck? Has anyone got any pointers, sample code?
> >
> > "rocli" wrote:
> >
> >> 1.how can I disable ctrl+alt + del, and windows key.
> >> when my program is running ,disable ctrl+alt + del, and windows key.
> >> when my program leave. enable ctrl+alt + del, and windows key .
> >>
> >> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista
> >> gina
> >> is not supported.
> >> Must I write a key board driver.
> >> how can I do that.
> >>
> >> 2. if I do that, can it work well at vista.
> >>
> >> 3.I know little about DDK, how can I do it.
> >>
> >> best regards
>
>
>

MikeCarlisle
Mon Nov 13 10:51:02 CST 2006

Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
This is good for trapping the windows key, but as you say not ctrl-alt-del.

"Bruno van Dooren [MVP VC++]" wrote:

> > You can trap the windows key using a keybroad hook with the
> > SetWindowsHookEx
> > api. Just eat the event.
>
> Afaik, there are 2 problems with SetWindowsHookEx:
> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> desktop (by design)
> 2) SetWindowsHookEx does not give you a means to change the events. it only
> alows you to monitor.
>
> --
>
> Kind regards,
> Bruno van Dooren MVP - VC++
> bruno_nos_pam_van_dooren@hotmail.com
> Remove only "_nos_pam"
>
>
>

Ray
Mon Nov 13 12:38:39 CST 2006

Mike Carlisle wrote:
> Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> This is good for trapping the windows key, but as you say not ctrl-alt-del.

Oh, how's that? There doesn't appear to be a *documented* way to do eat
a keystroke from a LL kb hook...

And interesting question is whether LL KB hooks see keystrokes destined
for elevated applications in Vista... a lot of things like that are
prohibited, but since the LL hooks don't require process injection...
who knows?

>
> "Bruno van Dooren [MVP VC++]" wrote:
>
>>> You can trap the windows key using a keybroad hook with the
>>> SetWindowsHookEx
>>> api. Just eat the event.
>> Afaik, there are 2 problems with SetWindowsHookEx:
>> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
>> desktop (by design)
>> 2) SetWindowsHookEx does not give you a means to change the events. it only
>> alows you to monitor.
>>
>> --
>>
>> Kind regards,
>> Bruno van Dooren MVP - VC++
>> bruno_nos_pam_van_dooren@hotmail.com
>> Remove only "_nos_pam"
>>
>>
>>


--
Ray

Ali
Mon Nov 13 12:45:25 CST 2006


Ray Trent wrote:
> Mike Carlisle wrote:
> > Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> > This is good for trapping the windows key, but as you say not ctrl-alt-del.
>
> Oh, how's that? There doesn't appear to be a *documented* way to do eat
> a keystroke from a LL kb hook...
>
> And interesting question is whether LL KB hooks see keystrokes destined
> for elevated applications in Vista... a lot of things like that are
> prohibited, but since the LL hooks don't require process injection...
> who knows?
>
> >
> > "Bruno van Dooren [MVP VC++]" wrote:
> >
> >>> You can trap the windows key using a keybroad hook with the
> >>> SetWindowsHookEx
> >>> api. Just eat the event.
> >> Afaik, there are 2 problems with SetWindowsHookEx:
> >> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> >> desktop (by design)
> >> 2) SetWindowsHookEx does not give you a means to change the events. it only
> >> alows you to monitor.
> >>
> >> --
> >>
> >> Kind regards,
> >> Bruno van Dooren MVP - VC++
> >> bruno_nos_pam_van_dooren@hotmail.com
> >> Remove only "_nos_pam"
> >>
> >>
> >>
>
>
> --
> Ray


If its not process injection then what else it can be?

ali

MikeCarlisle
Mon Nov 13 12:59:02 CST 2006

The way I'm doing it is from C# with PInvoke to SetWindowsHookEx and
CallNextHookEx.

I attach a handler using

hHook = SetWindowsHookEx(WH_KEYBOARD_LL, keyHookHandler,
Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0]), 0);

Then in keyHookHandler return 1 to eat the event, else bubble the event the
the next handler.

private int keyHookHandler(int nCode, IntPtr wParam, IntPtr lParam)
{
if (nCode == HC_ACTION && (wParam = WM_KEYDOWN || wParam == WM_SYSKEYDOWN))
{
hookStruct = (KeyboardHookStruct)Marshal.PtrToStructure(lParam,
typeof(KeyboardHookStruct));
// Left Win key
if (hookStruct.vkCode == 0x5B)
return 1;
else
CallNextHookEx(hHook, nCode, wParam, lParam);
}
}


"Ray Trent" wrote:

> Mike Carlisle wrote:
> > Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> > This is good for trapping the windows key, but as you say not ctrl-alt-del.
>
> Oh, how's that? There doesn't appear to be a *documented* way to do eat
> a keystroke from a LL kb hook...
>
> And interesting question is whether LL KB hooks see keystrokes destined
> for elevated applications in Vista... a lot of things like that are
> prohibited, but since the LL hooks don't require process injection...
> who knows?
>
> >
> > "Bruno van Dooren [MVP VC++]" wrote:
> >
> >>> You can trap the windows key using a keybroad hook with the
> >>> SetWindowsHookEx
> >>> api. Just eat the event.
> >> Afaik, there are 2 problems with SetWindowsHookEx:
> >> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> >> desktop (by design)
> >> 2) SetWindowsHookEx does not give you a means to change the events. it only
> >> alows you to monitor.
> >>
> >> --
> >>
> >> Kind regards,
> >> Bruno van Dooren MVP - VC++
> >> bruno_nos_pam_van_dooren@hotmail.com
> >> Remove only "_nos_pam"
> >>
> >>
> >>
>
>
> --
> Ray
>

Ray
Mon Nov 13 14:48:39 CST 2006

Ahhh. I'm guessing that Windows is reforwarding the message to the
original destination in the default hook function.

Still, it's not exactly nice to fail to call the next callback in the
hook chain, and that behavior isn't documented as far as I know.

As for how they do it if not process injection, I don't know the
details, but the docs say that they just forward the message to the
hooking thread (you have to have a message loop) instead of the app with
the focus. That seems relatively straightforward for the OS to
accomplish. That probably also explains why the below trick works to eat
the key.

Still... no way to be sure that you're the first one in the chain, so
you can't perfectly block it except with a driver (and even then, you
can't be sure to be the first one in the filter chain).

And I'm still not sure about elevated apps (which winlogin almost
certainly is). I would hope that MS would have prevented that along with
all the other shatter, snooping, and spoofing attacks via UIPI.

Even if it does work today, the chances are pretty good that it will
stop working as soon as MS realizes that it's a security hole. So I
wouldn't count on it.

Mike Carlisle wrote:
> The way I'm doing it is from C# with PInvoke to SetWindowsHookEx and
> CallNextHookEx.
>
> I attach a handler using
>
> hHook = SetWindowsHookEx(WH_KEYBOARD_LL, keyHookHandler,
> Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0]), 0);
>
> Then in keyHookHandler return 1 to eat the event, else bubble the event the
> the next handler.
>
> private int keyHookHandler(int nCode, IntPtr wParam, IntPtr lParam)
> {
> if (nCode == HC_ACTION && (wParam = WM_KEYDOWN || wParam == WM_SYSKEYDOWN))
> {
> hookStruct = (KeyboardHookStruct)Marshal.PtrToStructure(lParam,
> typeof(KeyboardHookStruct));
> // Left Win key
> if (hookStruct.vkCode == 0x5B)
> return 1;
> else
> CallNextHookEx(hHook, nCode, wParam, lParam);
> }
> }
>
>
> "Ray Trent" wrote:
>
>> Mike Carlisle wrote:
>>> Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
>>> This is good for trapping the windows key, but as you say not ctrl-alt-del.
>> Oh, how's that? There doesn't appear to be a *documented* way to do eat
>> a keystroke from a LL kb hook...
>>
>> And interesting question is whether LL KB hooks see keystrokes destined
>> for elevated applications in Vista... a lot of things like that are
>> prohibited, but since the LL hooks don't require process injection...
>> who knows?
>>
>>> "Bruno van Dooren [MVP VC++]" wrote:
>>>
>>>>> You can trap the windows key using a keybroad hook with the
>>>>> SetWindowsHookEx
>>>>> api. Just eat the event.
>>>> Afaik, there are 2 problems with SetWindowsHookEx:
>>>> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
>>>> desktop (by design)
>>>> 2) SetWindowsHookEx does not give you a means to change the events. it only
>>>> alows you to monitor.
>>>>
>>>> --
>>>>
>>>> Kind regards,
>>>> Bruno van Dooren MVP - VC++
>>>> bruno_nos_pam_van_dooren@hotmail.com
>>>> Remove only "_nos_pam"
>>>>
>>>>
>>>>
>>
>> --
>> Ray
>>


--
Ray

soviet_bloke
Mon Nov 13 22:11:50 CST 2006

> If its not process injection then what else it can be?

High-level kbd hook procedure gets invoked in the context of a thread
that calls GetMessage() or PeekMessage(), so that DLL gets injected
into the target process.

As opposed to that, low-level kbd hook procedure gets invoked in the
context of installer thread, so that there is no DLL injection here

Anton Bassov

Ali wrote:
> Ray Trent wrote:
> > Mike Carlisle wrote:
> > > Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> > > This is good for trapping the windows key, but as you say not ctrl-alt-del.
> >
> > Oh, how's that? There doesn't appear to be a *documented* way to do eat
> > a keystroke from a LL kb hook...
> >
> > And interesting question is whether LL KB hooks see keystrokes destined
> > for elevated applications in Vista... a lot of things like that are
> > prohibited, but since the LL hooks don't require process injection...
> > who knows?
> >
> > >
> > > "Bruno van Dooren [MVP VC++]" wrote:
> > >
> > >>> You can trap the windows key using a keybroad hook with the
> > >>> SetWindowsHookEx
> > >>> api. Just eat the event.
> > >> Afaik, there are 2 problems with SetWindowsHookEx:
> > >> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> > >> desktop (by design)
> > >> 2) SetWindowsHookEx does not give you a means to change the events. it only
> > >> alows you to monitor.
> > >>
> > >> --
> > >>
> > >> Kind regards,
> > >> Bruno van Dooren MVP - VC++
> > >> bruno_nos_pam_van_dooren@hotmail.com
> > >> Remove only "_nos_pam"
> > >>
> > >>
> > >>
> >
> >
> > --
> > Ray
>
>
> If its not process injection then what else it can be?
>
> ali

Ali
Tue Nov 14 07:02:38 CST 2006


soviet_bloke@hotmail.com wrote:
> > If its not process injection then what else it can be?
>
> High-level kbd hook procedure gets invoked in the context of a thread
> that calls GetMessage() or PeekMessage(), so that DLL gets injected
> into the target process.
>
> As opposed to that, low-level kbd hook procedure gets invoked in the
> context of installer thread, so that there is no DLL injection here
>
> Anton Bassov
>
> Ali wrote:
> > Ray Trent wrote:
> > > Mike Carlisle wrote:
> > > > Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> > > > This is good for trapping the windows key, but as you say not ctrl-alt-del.
> > >
> > > Oh, how's that? There doesn't appear to be a *documented* way to do eat
> > > a keystroke from a LL kb hook...
> > >
> > > And interesting question is whether LL KB hooks see keystrokes destined
> > > for elevated applications in Vista... a lot of things like that are
> > > prohibited, but since the LL hooks don't require process injection...
> > > who knows?
> > >
> > > >
> > > > "Bruno van Dooren [MVP VC++]" wrote:
> > > >
> > > >>> You can trap the windows key using a keybroad hook with the
> > > >>> SetWindowsHookEx
> > > >>> api. Just eat the event.
> > > >> Afaik, there are 2 problems with SetWindowsHookEx:
> > > >> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> > > >> desktop (by design)
> > > >> 2) SetWindowsHookEx does not give you a means to change the events. it only
> > > >> alows you to monitor.
> > > >>
> > > >> --
> > > >>
> > > >> Kind regards,
> > > >> Bruno van Dooren MVP - VC++
> > > >> bruno_nos_pam_van_dooren@hotmail.com
> > > >> Remove only "_nos_pam"
> > > >>
> > > >>
> > > >>
> > >
> > >
> > > --
> > > Ray
> >
> >
> > If its not process injection then what else it can be?
> >
> > ali



> As opposed to that, low-level kbd hook procedure gets invoked in the
> context of installer thread, so that there is no DLL injection here


So you mean it is kind of LPC , right?

ali

Ali
Tue Nov 14 07:16:59 CST 2006


Ray Trent wrote:
> Ahhh. I'm guessing that Windows is reforwarding the message to the
> original destination in the default hook function.
>
> Still, it's not exactly nice to fail to call the next callback in the
> hook chain, and that behavior isn't documented as far as I know.
>
> As for how they do it if not process injection, I don't know the
> details, but the docs say that they just forward the message to the
> hooking thread (you have to have a message loop) instead of the app with
> the focus. That seems relatively straightforward for the OS to
> accomplish. That probably also explains why the below trick works to eat
> the key.
>
> Still... no way to be sure that you're the first one in the chain, so
> you can't perfectly block it except with a driver (and even then, you
> can't be sure to be the first one in the filter chain).
>
> And I'm still not sure about elevated apps (which winlogin almost
> certainly is). I would hope that MS would have prevented that along with
> all the other shatter, snooping, and spoofing attacks via UIPI.
>
> Even if it does work today, the chances are pretty good that it will
> stop working as soon as MS realizes that it's a security hole. So I
> wouldn't count on it.
>
> Mike Carlisle wrote:
> > The way I'm doing it is from C# with PInvoke to SetWindowsHookEx and
> > CallNextHookEx.
> >
> > I attach a handler using
> >
> > hHook = SetWindowsHookEx(WH_KEYBOARD_LL, keyHookHandler,
> > Marshal.GetHINSTANCE(Assembly.GetExecutingAssembly().GetModules()[0]), 0);
> >
> > Then in keyHookHandler return 1 to eat the event, else bubble the event the
> > the next handler.
> >
> > private int keyHookHandler(int nCode, IntPtr wParam, IntPtr lParam)
> > {
> > if (nCode == HC_ACTION && (wParam = WM_KEYDOWN || wParam == WM_SYSKEYDOWN))
> > {
> > hookStruct = (KeyboardHookStruct)Marshal.PtrToStructure(lParam,
> > typeof(KeyboardHookStruct));
> > // Left Win key
> > if (hookStruct.vkCode == 0x5B)
> > return 1;
> > else
> > CallNextHookEx(hHook, nCode, wParam, lParam);
> > }
> > }
> >
> >
> > "Ray Trent" wrote:
> >
> >> Mike Carlisle wrote:
> >>> Using a low level hook it is possible to prevent the event, WH_KEYBOARD_LL.
> >>> This is good for trapping the windows key, but as you say not ctrl-alt-del.
> >> Oh, how's that? There doesn't appear to be a *documented* way to do eat
> >> a keystroke from a LL kb hook...
> >>
> >> And interesting question is whether LL KB hooks see keystrokes destined
> >> for elevated applications in Vista... a lot of things like that are
> >> prohibited, but since the LL hooks don't require process injection...
> >> who knows?
> >>
> >>> "Bruno van Dooren [MVP VC++]" wrote:
> >>>
> >>>>> You can trap the windows key using a keybroad hook with the
> >>>>> SetWindowsHookEx
> >>>>> api. Just eat the event.
> >>>> Afaik, there are 2 problems with SetWindowsHookEx:
> >>>> 1) you cannot hook CTRL+ALT+DEL, nor any capture keystrokes in the WinLogon
> >>>> desktop (by design)
> >>>> 2) SetWindowsHookEx does not give you a means to change the events. it only
> >>>> alows you to monitor.
> >>>>
> >>>> --
> >>>>
> >>>> Kind regards,
> >>>> Bruno van Dooren MVP - VC++
> >>>> bruno_nos_pam_van_dooren@hotmail.com
> >>>> Remove only "_nos_pam"
> >>>>
> >>>>
> >>>>
> >>
> >> --
> >> Ray
> >>
>
>
> --
> Ray


SNIP:

>Still, it's not exactly nice to fail to call the next callback in the hook chain, and that >behavior isn't documented as far as I know.


DDK says that KbFilter_ServiceCallback for example can do following :

Called when there are keyboard packets to report to the RIT. You can
do anything you like to the packets. For instance:

o Drop a packet altogether
o Mutate the contents of a packet
o Insert packets into the stream

Why we cann't skip these (Ctrl+Alt+Del) keys here?

>As for how they do it if not process injection, I don't know the details, but the docs say >that they just forward the message to the hooking thread (you have to have a message >loop) instead of the app with the focus.


Yeah that's true kbfilter just explains that you can modify the data
with Service class
[http://www.osronline.com/ddkx/intinput/km-ovr_4i7b.htm
] but won't tell you how;-) And ofcourse it is pretty that you will
never know that you are the first or one to modify these packets in
chain.



ali

Ray
Tue Nov 14 11:45:04 CST 2006

Ali wrote:
>> Still, it's not exactly nice to fail to call the next callback in the hook chain, and that >behavior isn't documented as far as I know.
> DDK says that KbFilter_ServiceCallback for example can do following :

Right. It's documented that you can do this (drop/change/whatever keys)
in a kernel mode driver, it's not, as far as I know, documented that you
can do this in a LL keyboard hook in user-mode.
--
Ray

Ali
Fri Nov 17 10:12:44 CST 2006


Ray Trent wrote:
> Ali wrote:
> >> Still, it's not exactly nice to fail to call the next callback in the hook chain, and that >behavior isn't documented as far as I know.
> > DDK says that KbFilter_ServiceCallback for example can do following :
>
> Right. It's documented that you can do this (drop/change/whatever keys)
> in a kernel mode driver, it's not, as far as I know, documented that you
> can do this in a LL keyboard hook in user-mode.
> --
> Ray


SNIP:

>as far as I know, documented that you can do this in a LL keyboard hook in user-mode.

Do you mean that even hooking the keyboard.dll or keyboard.sys will not
work?

ali

Ray
Fri Nov 17 17:37:54 CST 2006

Ali wrote:
>> as far as I know, documented that you can do this in a LL keyboard hook in user-mode.
>
> Do you mean that even hooking the keyboard.dll or keyboard.sys will not
> work?

I honestly don't know what either of those files do. The files exist,
but... The .sys file doesn't appear in my services key, so I doubt it's
even loaded. In fact, neither file appears in the registry in any useful
place that's relevant to Windows XP/2k/Vista, so I'm guessing they are
vestiges of an older OS (keyboard.sys isn't anywhere, and keyboard.dll
only appears in one of the WOW keys... a big hint).

All I meant to say was that user-mode low-level keyboard hooks you set
with SetWindowsHookEx aren't documented as enabling you to drop (or
modify) keystrokes. In fact, they are documented as saying that you
*must* call the next hook in the chain (at least if nCode is < 0, which
I've always seen it to be).

That doesn't mean it won't work (for now), it just means you'd be unwise
to base a product on it...
--
Ray

soviet_bloke
Fri Nov 17 23:07:23 CST 2006

Ray,

> All I meant to say was that user-mode low-level keyboard hooks you set
> with SetWindowsHookEx aren't documented as enabling you to drop (or
> modify) keystrokes.

AFAIK, there is a thing known as "hook timeout" - if hook procedure
does not return control
within some certain timeframe, the system is going to abort the call,
and proceed with the message anyway. This is done for the safety
reasons - imagine what happens if hook procedure enters an infinite
loop. This proves that Windows hooks do not and cannot have control
over keystroke processing - the only thing they can do is passive
monitoring. If you want to drop or modify keystrokes, you have to write
a driver

Anton Bassov





Ray Trent wrote:
> Ali wrote:
> >> as far as I know, documented that you can do this in a LL keyboard hook in user-mode.
> >
> > Do you mean that even hooking the keyboard.dll or keyboard.sys will not
> > work?
>
> I honestly don't know what either of those files do. The files exist,
> but... The .sys file doesn't appear in my services key, so I doubt it's
> even loaded. In fact, neither file appears in the registry in any useful
> place that's relevant to Windows XP/2k/Vista, so I'm guessing they are
> vestiges of an older OS (keyboard.sys isn't anywhere, and keyboard.dll
> only appears in one of the WOW keys... a big hint).
>
> All I meant to say was that user-mode low-level keyboard hooks you set
> with SetWindowsHookEx aren't documented as enabling you to drop (or
> modify) keystrokes. In fact, they are documented as saying that you
> *must* call the next hook in the chain (at least if nCode is < 0, which
> I've always seen it to be).
>
> That doesn't mean it won't work (for now), it just means you'd be unwise
> to base a product on it...
> --
> Ray

Ray
Mon Nov 20 13:24:41 CST 2006

True, but that's separate from whether or not you call CallNextHookEx
before returning.

soviet_bloke@hotmail.com wrote:
> Ray,
>
>> All I meant to say was that user-mode low-level keyboard hooks you set
>> with SetWindowsHookEx aren't documented as enabling you to drop (or
>> modify) keystrokes.
>
> AFAIK, there is a thing known as "hook timeout" - if hook procedure
> does not return control
> within some certain timeframe, the system is going to abort the call,
> and proceed with the message anyway. This is done for the safety
> reasons - imagine what happens if hook procedure enters an infinite
> loop. This proves that Windows hooks do not and cannot have control
> over keystroke processing - the only thing they can do is passive
> monitoring. If you want to drop or modify keystrokes, you have to write
> a driver
>
> Anton Bassov
>
>
>
>
>
> Ray Trent wrote:
>> Ali wrote:
>>>> as far as I know, documented that you can do this in a LL keyboard hook in user-mode.
>>> Do you mean that even hooking the keyboard.dll or keyboard.sys will not
>>> work?
>> I honestly don't know what either of those files do. The files exist,
>> but... The .sys file doesn't appear in my services key, so I doubt it's
>> even loaded. In fact, neither file appears in the registry in any useful
>> place that's relevant to Windows XP/2k/Vista, so I'm guessing they are
>> vestiges of an older OS (keyboard.sys isn't anywhere, and keyboard.dll
>> only appears in one of the WOW keys... a big hint).
>>
>> All I meant to say was that user-mode low-level keyboard hooks you set
>> with SetWindowsHookEx aren't documented as enabling you to drop (or
>> modify) keystrokes. In fact, they are documented as saying that you
>> *must* call the next hook in the chain (at least if nCode is < 0, which
>> I've always seen it to be).
>>
>> That doesn't mean it won't work (for now), it just means you'd be unwise
>> to base a product on it...
>> --
>> Ray
>


--
Ray

MikeCarlisle
Sat Nov 25 01:55:01 CST 2006

Ok I've gotten as far as writting and installing a driver. I can disable
Ctrl-Alt-Del by always changing the Ctrl key, what I can't work out how to do
is trap Ctrl-Alt-Del explicity.

What scan code/codes do I need to use? I tried changing the Ctrl key to
something else when Alt (0x38) and Del (0x53) is also pressed but it doesn't
work.

How can I detect the key combination from SystemBuffer?


"Doron Holan [MS]" wrote:

> the WDF kbfiltr example shows you how to install a keyboard filter driver
> from which you can filter out the keys
>
> d
>
> --
> Please do not send e-mail directly to this alias. this alias is for
> newsgroup purposes only.
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
> news:C99A18CA-E81F-4DD8-9298-5F0BB216DE7A@microsoft.com...
> > You can trap the windows key using a keybroad hook with the
> > SetWindowsHookEx
> > api. Just eat the event.
> >
> > I'm also interested in how to trap ctrl-alt-del on vista, and have been
> > looking at the DDK with the hope of writting the filter driver, but know
> > very
> > little about this.
> >
> > Did you have any luck? Has anyone got any pointers, sample code?
> >
> > "rocli" wrote:
> >
> >> 1.how can I disable ctrl+alt + del, and windows key.
> >> when my program is running ,disable ctrl+alt + del, and windows key.
> >> when my program leave. enable ctrl+alt + del, and windows key .
> >>
> >> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista
> >> gina
> >> is not supported.
> >> Must I write a key board driver.
> >> how can I do that.
> >>
> >> 2. if I do that, can it work well at vista.
> >>
> >> 3.I know little about DDK, how can I do it.
> >>
> >> best regards
>
>
>

Doron
Sat Nov 25 14:57:46 CST 2006

you have to maintain your own state machine b/c you will only see one key
up/down at a time in a KEYBOARD_INPUT_DATA. What SystemBuffer are you
talking about? in the read irp? are you filtering above kbdclass or below
it?

d

--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.


"Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
news:F86A0920-05FB-4AEA-83C6-9E7E65A5CFD0@microsoft.com...
> Ok I've gotten as far as writting and installing a driver. I can disable
> Ctrl-Alt-Del by always changing the Ctrl key, what I can't work out how to
> do
> is trap Ctrl-Alt-Del explicity.
>
> What scan code/codes do I need to use? I tried changing the Ctrl key to
> something else when Alt (0x38) and Del (0x53) is also pressed but it
> doesn't
> work.
>
> How can I detect the key combination from SystemBuffer?
>
>
> "Doron Holan [MS]" wrote:
>
>> the WDF kbfiltr example shows you how to install a keyboard filter driver
>> from which you can filter out the keys
>>
>> d
>>
>> --
>> Please do not send e-mail directly to this alias. this alias is for
>> newsgroup purposes only.
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
>> news:C99A18CA-E81F-4DD8-9298-5F0BB216DE7A@microsoft.com...
>> > You can trap the windows key using a keybroad hook with the
>> > SetWindowsHookEx
>> > api. Just eat the event.
>> >
>> > I'm also interested in how to trap ctrl-alt-del on vista, and have been
>> > looking at the DDK with the hope of writting the filter driver, but
>> > know
>> > very
>> > little about this.
>> >
>> > Did you have any luck? Has anyone got any pointers, sample code?
>> >
>> > "rocli" wrote:
>> >
>> >> 1.how can I disable ctrl+alt + del, and windows key.
>> >> when my program is running ,disable ctrl+alt + del, and windows key.
>> >> when my program leave. enable ctrl+alt + del, and windows key .
>> >>
>> >> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista
>> >> gina
>> >> is not supported.
>> >> Must I write a key board driver.
>> >> how can I do that.
>> >>
>> >> 2. if I do that, can it work well at vista.
>> >>
>> >> 3.I know little about DDK, how can I do it.
>> >>
>> >> best regards
>>
>>
>>

MikeCarlisle
Sat Nov 25 21:04:01 CST 2006

Ok finally got this working.

All the keys aren't enum'ed in the SystemBuffer, only the current key press,
so you have to set flags to remember which keys are still down to trap the
right combination. There may be a way of determining this directly from the
data, but I don't know how. If anyone does I'd be grateful for some help.

"Mike Carlisle" wrote:

> Ok I've gotten as far as writting and installing a driver. I can disable
> Ctrl-Alt-Del by always changing the Ctrl key, what I can't work out how to do
> is trap Ctrl-Alt-Del explicity.
>
> What scan code/codes do I need to use? I tried changing the Ctrl key to
> something else when Alt (0x38) and Del (0x53) is also pressed but it doesn't
> work.
>
> How can I detect the key combination from SystemBuffer?
>
>
> "Doron Holan [MS]" wrote:
>
> > the WDF kbfiltr example shows you how to install a keyboard filter driver
> > from which you can filter out the keys
> >
> > d
> >
> > --
> > Please do not send e-mail directly to this alias. this alias is for
> > newsgroup purposes only.
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Mike Carlisle" <MikeCarlisle@discussions.microsoft.com> wrote in message
> > news:C99A18CA-E81F-4DD8-9298-5F0BB216DE7A@microsoft.com...
> > > You can trap the windows key using a keybroad hook with the
> > > SetWindowsHookEx
> > > api. Just eat the event.
> > >
> > > I'm also interested in how to trap ctrl-alt-del on vista, and have been
> > > looking at the DDK with the hope of writting the filter driver, but know
> > > very
> > > little about this.
> > >
> > > Did you have any luck? Has anyone got any pointers, sample code?
> > >
> > > "rocli" wrote:
> > >
> > >> 1.how can I disable ctrl+alt + del, and windows key.
> > >> when my program is running ,disable ctrl+alt + del, and windows key.
> > >> when my program leave. enable ctrl+alt + del, and windows key .
> > >>
> > >> In windows xp , I disable ctrl+alt + del by rewrite gina.but in vista
> > >> gina
> > >> is not supported.
> > >> Must I write a key board driver.
> > >> how can I do that.
> > >>
> > >> 2. if I do that, can it work well at vista.
> > >>
> > >> 3.I know little about DDK, how can I do it.
> > >>
> > >> best regards
> >
> >
> >