Solved

CreateProcess() and WM_ENDSESSION

Posted on 1998-03-04
Last Modified: 2013-12-03
Under Windows NT4(sp3), how do I CreateProcess() a new process so that the new process will receive a WM_ENDSESSION indicating shutdown?

Simplification:

 A process (the one I'm interested in) has been started by an NT service using CreateProcess().

 When the user selects "log-off", the new process receives a WM_ENDSESSION with TRUE and ENDSESSION_LOGOFF as the parameters. All ok so far.

 Here's the problem:

 When the user selects "shutdown", the new process receives exactly the same as above. Therefore, I can't tell the difference between a shutdown and a log-out.

 Now for the question:

 Is there something I should do in the parent process before I call CreateProcess()? i.e. How do I make sure that I will receive the WM_ENDSESSION with TRUE and 0 as the parameters (indicating shutdown) in the child?
Question by:dogma
13 Comments
 
LVL 22

Expert Comment

by:nietod
I doubt there is anything you can do about this. I suspect NT always indicates that the user is logging off, even when they are really shutting down.
 
LVL 22

Expert Comment

by:nietod
You are getting the WM_ENDSESSION message, right? The first part of your question sounds like you're not getting the message. The second part sounds like the LPARAM is never zero. I assume that is really your problem.
 

Author Comment

by:dogma
Yes. I'm not getting the message with WM_ENDSESSION indicating a shutdown (lParam=0), only the one indicating a log off (lParam=ENDSESSION_LOGOFF).
So, how do I make sure I get this message? I've read the help pages a thousand times but to no avail.

If I launch direct from the desktop/CMD, I get the shutdown message correctly. When I use CreateProcess() from a parent process, I don't get the message. The parent process is an NT service, if that makes any difference. In the parameters to CreateProcess(), I pass CREATE_NEW_PROCESS_GROUP and DETACHED_PROCESS.

Obviously I've missed something in the CreateProcess(). So the question is what???!

tia.
 

Author Comment

by:dogma
Edited text of question
 
LVL 22

Expert Comment

by:nietod
Sorry, but I am still confused. I see two ways of interpreting what you've said.

(1) Regardless of whether you log out or shut down, you get lparam = ENDSESSION_LOGOUT. That is, you always get the message, but lparam is wrong on a shutdown.

(2) You get the message on a logout, but don't get it on a shutdown.

Regardless of your answer, I probably can't help you, but other experts will probably have the same confusion.
 

Author Comment

by:dogma
Edited text of question

Author Comment

by:dogma
Edited text of question
 
LVL 11

Expert Comment

by:alexo
According to the documentation and WINUSER.H, only the ENDSESSION_LOGOFF flag is currently supported (there is no distinction between logoff and shutdown).

Do other processes receive the notification you're waiting for?
 
LVL 22

Expert Comment

by:nietod
My interpretation of the docs was that it was the only flag supported, but that no flags (i.e. 0) is shutdown and that flag indicates logoff.   I've never tried though.
 

Author Comment

by:dogma
Applications launched from the DeskTop, or from a DOS box, receive both incarnations of the message. Children don't receive the shutdown version.

Your assumptions were the same as mine, only one flag given (ENDSESSION_LOGOFF). But as it's a *flag*, it can be either set or unset, i.e. lParam could be ENDSESSION_LOGOFF or 0.

I have a feeling that I'm going to have to look for the source code for CMD.EXE etc. to get the answer. But thanks for the help.

I'll leave this question open for a little while, in case anyone has some inspiration!
 

Author Comment

by:dogma
Adjusted points to 500
 
LVL 15

Accepted Solution

by:
Tommy Hui earned 500 total points
Here's something to try. Can you use WinExec to spawn the application? Does it make a difference? How about ShellExecute()? Another possibility would be to have a hidden application that is like a server. This server would watch for WM_ENDSESSION and send to any child processes that it is shutting down or logging off. Of course, this introduces quite a bit of complexity, but it should be more flexible in terms of the sequence. The whole point is that you need another process under your control that catches whether the user is shutting down or logging off.
 

Author Comment

by:dogma
THANKS FOR ALL YOUR HELP
However, I managed to solve the problem.
FYI:

I solved it by using a control handler (registered using SetConsoleCtrlHandler), catching CTRL_SHUTDOWN_EVENT, then using PostMessage(hWnd,WM_ENDSESSION,TRUE,0).
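The approach from the final comment, written out as an added example; it is not the poster's code. The names `on_endsession`, `should_relay`, `end_state`, `g_hwnd` and `install_shutdown_relay` are hypothetical, and the non-Windows `#define`s exist only so the message-classification logic compiles outside Windows.

```c
/* Added example (not from the thread): relay the console shutdown event to a
 * window as WM_ENDSESSION(TRUE, 0), and classify what the window receives. */
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else   /* Windows SDK values, so the portable logic below builds elsewhere */
#define CTRL_SHUTDOWN_EVENT 6
#define ENDSESSION_LOGOFF   0x80000000u
#endif

enum end_kind { END_NONE, END_LOGOFF, END_SHUTDOWN };

/* Per-window state: shutdown is sticky, because in the setup described in the
 * thread the system-sent message carries ENDSESSION_LOGOFF even on shutdown,
 * so the window can see both that message and the relayed one. */
struct end_state { enum end_kind kind; };

/* Call from the window procedure on WM_ENDSESSION. */
enum end_kind on_endsession(struct end_state *s, uintptr_t wparam, uint32_t lparam)
{
    if (!wparam)                       /* FALSE: the session is not ending */
        return s->kind;
    if (!(lparam & ENDSESSION_LOGOFF))
        s->kind = END_SHUTDOWN;        /* flag clear (lParam 0): shutdown */
    else if (s->kind == END_NONE)
        s->kind = END_LOGOFF;          /* never downgrade a seen shutdown */
    return s->kind;
}

/* Only the shutdown event is relayed; the logoff message already arrives. */
int should_relay(uint32_t ctrl_type) { return ctrl_type == CTRL_SHUTDOWN_EVENT; }

#ifdef _WIN32
static HWND g_hwnd;                    /* hypothetical: the app's main window */

/* Runs on a thread created by the system; PostMessage is safe to call here. */
static BOOL WINAPI ctrl_handler(DWORD ctrl_type)
{
    if (!should_relay(ctrl_type))
        return FALSE;                  /* let the next handler deal with it */
    return PostMessage(g_hwnd, WM_ENDSESSION, TRUE, 0);
}

BOOL install_shutdown_relay(HWND hwnd)
{
    g_hwnd = hwnd;                     /* set before the handler can fire */
    return SetConsoleCtrlHandler(ctrl_handler, TRUE);
}
#endif
```
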
