Archive for May, 2008

Winlogon Notification Package

What is that? MSDN says: A Winlogon Notification Package is a DLL that exports functions that handle Winlogon events. For example, when a user logs onto the system, Winlogon calls each notification package’s logon event handler function to provide information about the event.
So you might know, the mechanism of Winlogon Notification Package is available in [...]

Header conversion of Event Tracing API for Windows

I am proud to announce the completed conversion of the Microsoft Event Tracing API for Windows (ETW).
What is ETW anyway?
MSDN says:
Event Tracing for Windows (ETW) provides application programmers the ability to start and stop event tracing sessions, instrument an application to provide trace events, and consume trace events. Trace events contain an event header [...]

JWSCL provides auto pointers for pointers and objects. This means that allocated memory or objects are automatically destroyed/freed as soon as the auto object runs out of scope. What is a scope? A scope exists as long as the (as I call it) parent object exists. Parent objects can be:

The process. The auto pointer and thus the [...]

This simple example shows how you can change the target session of a new process.

uses
  JwaWindows,
  JwsclToken,
  JwsclComUtils;

var
  NewToken,
  UserToken : TJwSecurityToken;

  S : TStartupInfo;
  P : TProcessInformation;
begin
  //get the token of the user logged on to session 1
  UserToken := TJwSecurityToken.CreateWTSQueryUserTokenEx(nil, 1);
  TJwAutoPointer.Wrap(UserToken); //automatically freed when the auto pointer runs out of scope

  //duplicate the token so the session ID can be changed on the copy
  NewToken := TJwSecurityToken.CreateDuplicateExistingToken(UserToken.TokenHandle, MAXIMUM_ALLOWED);
  TJwAutoPointer.Wrap(NewToken);

  //changing the session ID needs the TCB privilege, so this must run in a service
  JwEnablePrivilege(SE_TCB_NAME, pst_Enable);
  NewToken.TokenSessionId := 2;

  //simple CreateProcessAsUser
  [...]

Article recommendation: Code injection

I just finished reading this excellent article about code injection. However, the article doesn’t just cover the “how to” part but also goes deeply into the organization of executable files. I have to thank Ashkbiz Danehkar for sharing his expert knowledge.
Go ahead, take your time and read Inject your code to a Portable Executable [...]

Did you know? #9

The group TrustedInstaller is not called “TrustedInstaller” but
“NT SERVICE\Trusted Installer”.
Yes, with a slash and a space in it.

Did you know?
ShellExecuteEx ignores the active desktop (the one that has input). It just starts the application on the default desktop (winsta0\default). However, ShellExecute (without Ex) works fine with multiple desktops. Unfortunately, the latter function isn’t that powerful.

Did you know? #8

TMessage is not TMsg!
TMessage is defined in unit Messages and should not be mixed up with TMsg (Windows.pas) in the following case:

const
  WM_TEST = WM_USER + 1;

type
  TForm1 = class(TForm)
  public
    procedure XY(var Msg : TMessage); message WM_TEST;
  end;

  SendMessage(Form1.Handle, WM_TEST, 1, 2);

You should abandon all tutorials which use TMsg. You’ll get strange results. TMessage [...]

Did you know? #7

You cannot impersonate a pipe until you have read from it. Even a write call doesn’t work. So a service has to wait for a dummy client write call until it can check the client’s token.
The following code shows how a multi-instance pipe server could look. Be aware that I wrote this to show [...]

Did you know? #6

If you create a new process without adding the environment block (by calling CreateEnvironmentBlock), the new process may fail to call ShellExecute and some other functions. Don’t think that the environment variables aren’t that important.
Find out more about CreateProcess in the post about “CreateProcess in full glory”.