Dear TCL/Tk MS-Windows experts,

we are in Windows 10/11 login or locked screen.

Application: send password by emulated keystrokes from a TCL
application. A barcode scanner is attached to the application. A login
code is scanned by the barcode reader and the password is extracted (it
is stored encrypted).

The application sends virtual keyboard data via Windows function
"keybd_event" or TWAPI. It is wrapped into a starkit.

I started the app as administrator -> data came not through to lock
screen password field
I started the app as a service as user "system" -> did not come through

This page
https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendinput
states:
"This function is subject to UIPI. Applications are permitted to inject
input only into applications that are at an equal or lesser integrity
level.".

Now, how to set the integrity level, probably "system" is required?
https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control

I did not find really anything. Any comments on that?

But I found this:
https://learn.microsoft.com/en-us/windows/win32/winauto/uiauto-securityoverview

So, such an application may interact with any other.
Requirements are:

1) Be signed with a certificate to interact with applications running at
a higher privilege level.
2) Be trusted by the system. The application must be installed in a
secure location that requires a user account control (UAC) prompt for
access. For example, the Program Files folder.
3) Be built with a manifest file that includes the uiAccess flag.

Question about 1) signed exe:
- thanks to Paul, here is a howto for self signed certificates:
https://wiki.tcl-lang.org/page/SDX+under+Windows
This also works with the starkits compiled by Ashok, I tested it, great!
I suppose, a self signed certificate is not sufficient. So, I may buy
one here:
https://www.globalsign.com/de-de/code-signing/microsoft-authenticode
Is that a good idea ? Which of the proposed keys, expensive or more
expensive ? On hardware tolken or on TPM module (no Asure, please).

Question about 3) manifest
How may I change or view the manifest of the starkit file ?

Thanks for any answer,
Harald

On 6/7/2023 6:48 AM, Harald Oehlmann wrote:
> Dear TCL/Tk MS-Windows experts,
>
> we are in Windows 10/11 login or locked screen.
>
> Application: send password by emulated keystrokes from a TCL application. A barcode scanner is attached to the application. A login code is scanned by the barcode reader and the password is extracted (it is stored encrypted).
>
> The application sends virtual keyboard data via Windows function "keybd_event" or TWAPI. It is wrapped into a starkit.
>
> I started the app as administrator -> data came not through to lock screen password field
> I started the app as a service as user "system" -> did not come through
>
> This page https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-sendinput
> states:
> "This function is subject to UIPI. Applications are permitted to inject input only into applications that are at an equal or lesser integrity level.".
>
> Now, how to set the integrity level, probably "system" is required?
> https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
>
> I did not find really anything. Any comments on that?
>
> But I found this:
> https://learn.microsoft.com/en-us/windows/win32/winauto/uiauto-securityoverview
>
> So, such an application may interact with any other.
> Requirements are:
>
> 1) Be signed with a certificate to interact with applications running at a higher privilege level.
> 2) Be trusted by the system. The application must be installed in a secure location that requires a user account control (UAC) prompt for access. For example, the Program Files folder.
> 3) Be built with a manifest file that includes the uiAccess flag.
>
> Question about 1) signed exe:
> - thanks to Paul, here is a howto for self signed certificates:
> https://wiki.tcl-lang.org/page/SDX+under+Windows
> This also works with the starkits compiled by Ashok, I tested it, great!
> I suppose, a self signed certificate is not sufficient. So, I may buy one here:
> https://www.globalsign.com/de-de/code-signing/microsoft-authenticode
> Is that a good idea ? Which of the proposed keys, expensive or more expensive ? On hardware tolken or on TPM module (no Asure, please).
>
> Question about 3) manifest
> How may I change or view the manifest of the starkit file ?
>
> Thanks for any answer,
> Harald
>
>
>
>
>
>
>
>

It sounds like you need to run this before the user is
logged in. I'm not sure if this would work before
you're even logged in, however,

https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/

I've used this described procedure with the task
scheduler to run a tcl script at admin privs to run a
program w/o the prompt and then using twapi find its
window and send it mouse clicks.

In the task scheduler, I see one can set in the
general tab, "run whether user is logged on or not"
And there's also a checkbox "run with *highest*
privileges". Not sure how high that really is though.

Then in the triggers tab, with new... (to create a new
trigger) at the top it says "begin the task", one can
choose "at logon" or even "at startup".

I've not tried this, as the above page only discusses
how to setup a task that you run from a shortcut using
the schtasks.exe program.

But perhaps you can adapt it to run prior to logon.
Then maybe you don't need to use the schtasks.exe
directly, but have it run for you at logon or startup.
If it runs with highest privs, maybe that's good enough.

I've only used this on win 10 however, not win 11.

Am 07.06.2023 um 22:18 schrieb et99:
>
> It sounds like you need to run this before the user is
> logged in. I'm not sure if this would work before
> you're even logged in, however,
>
> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>
> I've used this described procedure with the task
> scheduler to run a tcl script at admin privs to run a
> program w/o the prompt and then using twapi find its
> window and send it mouse clicks.
>
> In the task scheduler, I see one can set in the
> general tab, "run whether user is logged on or not"
> And there's also a checkbox "run with  *highest*
> privileges". Not sure how high that really is though.
>
> Then in the triggers tab, with new... (to create a new
> trigger) at the top it says "begin the task", one can
> choose "at logon" or even "at startup".
>
> I've not tried this, as the above page only discusses
> how to setup a task that you run from a shortcut using
> the schtasks.exe program.
>
> But perhaps you can adapt it to run prior to logon.
> Then maybe you don't need to use the schtasks.exe
> directly, but have it run for you at logon or startup.
> If it runs with highest privs, maybe that's good enough.
>
> I've only used this on win 10 however, not win 11.

Thanks a lot for this valuable contribution.
I appreciate, that you read this long post and thinks on it.

Did you do mouse-clicks on the unlock login screen (if the user has
locked the screen)? Did that work? If YES, I am interested, how the
application is done. Is the exe signed? Is it at c:\program files..?
What is the manifest?

What I tested:
- desktop starkit with user privileges -> can send keypresses to any
other program of the user. If the user locks the screen and activates
the password entry, it can not send to this entry.
- desktop starkit with admin privileges -> can send keypresses to other
admin programs and to user programs. If the user locks the screen and
activates the password entry, it can not send to this entry.
- Windows service starkit with system user: can send keypress to any
other program, but not to initial login password field, nor to unlock
screen password field.

The corresponding system calls succeed when keystrokes are sent to the
login screen, but there is no output. I suppose, the following phrase
from the SendInput function help page gives insight to that:
"This function fails when it is blocked by UIPI. Note that neither
GetLastError nor the return value will indicate the failure was caused
by UIPI blocking."

So, I suppose, your proposition was already tested.

Do you agree with this analysis ?

Thank you again, I appreciate !

Take care,
Harald

On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
> Am 07.06.2023 um 22:18 schrieb et99:
>>
>> It sounds like you need to run this before the user is
>> logged in. I'm not sure if this would work before
>> you're even logged in, however,
>>
>> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>>
>> I've used this described procedure with the task
>> scheduler to run a tcl script at admin privs to run a
>> program w/o the prompt and then using twapi find its
>> window and send it mouse clicks.
>>
>> In the task scheduler, I see one can set in the
>> general tab, "run whether user is logged on or not"
>> And there's also a checkbox "run with  *highest*
>> privileges". Not sure how high that really is though.
>>
>> Then in the triggers tab, with new... (to create a new
>> trigger) at the top it says "begin the task", one can
>> choose "at logon" or even "at startup".
>>
>> I've not tried this, as the above page only discusses
>> how to setup a task that you run from a shortcut using
>> the schtasks.exe program.
>>
>> But perhaps you can adapt it to run prior to logon.
>> Then maybe you don't need to use the schtasks.exe
>> directly, but have it run for you at logon or startup.
>> If it runs with highest privs, maybe that's good enough.
>>
>> I've only used this on win 10 however, not win 11.
>
> Thanks a lot for this valuable contribution.
> I appreciate, that you read this long post and thinks on it.
>
> Did you do mouse-clicks on the unlock login screen (if the user has locked the screen)? Did that work? If YES, I am interested, how the application is done. Is the exe signed? Is it at c:\program files..? What is the manifest?
>
> What I tested:
> - desktop starkit with user privileges -> can send keypresses to any other program of the user. If the user locks the screen and activates the password entry, it can not send to this entry.
> - desktop starkit with admin privileges -> can send keypresses to other admin programs and to user programs. If the user locks the screen and activates the password entry, it can not send to this entry.
> - Windows service starkit with system user: can send keypress to any other program, but not to initial login password field, nor to unlock screen password field.
>
> The corresponding system calls succeed when keystrokes are sent to the login screen, but there is no output. I suppose, the following phrase from the SendInput function help page gives insight to that:
> "This function fails when it is blocked by UIPI. Note that neither GetLastError nor the return value will indicate the failure was caused by UIPI blocking."
>
> So, I suppose, your proposition was already tested.
>
> Do you agree with this analysis ?
>
> Thank you again, I appreciate !
>
> Take care,
> Harald
>

In your description you didn't mention if you can move the mouse pointer over the login screen and see it move to the password entry field, followed by a left click. Are you able to do that?

I never log out nor use the login screen on my computer, but as I recall, you have to left click on the password text entry to get anything going.

I don't know if my use of the task scheduler is anything more than what you are already doing, I just know it lets me avoid the user account control screen, which I couldn't otherwise do.

I don't use an .exe signature, I'm just launching a tclkit.exe with a script, which exec's my backup program, finds its main window and sends it some mouse clicks all using twapi.

The procedure on that page I mentioned is fairly straight forward, it even shows you pictures of the dialogs you need to fill out to create a task (just scroll down past the ads).

Good Luck

Am 08.06.2023 um 21:29 schrieb et99:
> On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
>> Am 07.06.2023 um 22:18 schrieb et99:
>>>
>>> It sounds like you need to run this before the user is
>>> logged in. I'm not sure if this would work before
>>> you're even logged in, however,
>>>
>>> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>>>
>>> I've used this described procedure with the task
>>> scheduler to run a tcl script at admin privs to run a
>>> program w/o the prompt and then using twapi find its
>>> window and send it mouse clicks.
>>>
>>> In the task scheduler, I see one can set in the
>>> general tab, "run whether user is logged on or not"
>>> And there's also a checkbox "run with  *highest*
>>> privileges". Not sure how high that really is though.
>>>
>>> Then in the triggers tab, with new... (to create a new
>>> trigger) at the top it says "begin the task", one can
>>> choose "at logon" or even "at startup".
>>>
>>> I've not tried this, as the above page only discusses
>>> how to setup a task that you run from a shortcut using
>>> the schtasks.exe program.
>>>
>>> But perhaps you can adapt it to run prior to logon.
>>> Then maybe you don't need to use the schtasks.exe
>>> directly, but have it run for you at logon or startup.
>>> If it runs with highest privs, maybe that's good enough.
>>>
>>> I've only used this on win 10 however, not win 11.
>>
>> Thanks a lot for this valuable contribution.
>> I appreciate, that you read this long post and thinks on it.
>>
>> Did you do mouse-clicks on the unlock login screen (if the user has
>> locked the screen)? Did that work? If YES, I am interested, how the
>> application is done. Is the exe signed? Is it at c:\program files..?
>> What is the manifest?
>>
>> What I tested:
>> - desktop starkit with user privileges -> can send keypresses to any
>> other program of the user. If the user locks the screen and activates
>> the password entry, it can not send to this entry.
>> - desktop starkit with admin privileges -> can send keypresses to
>> other admin programs and to user programs. If the user locks the
>> screen and activates the password entry, it can not send to this entry.
>> - Windows service starkit with system user: can send keypress to any
>> other program, but not to initial login password field, nor to unlock
>> screen password field.
>>
>> The corresponding system calls succeed when keystrokes are sent to the
>> login screen, but there is no output. I suppose, the following phrase
>> from the SendInput function help page gives insight to that:
>> "This function fails when it is blocked by UIPI. Note that neither
>> GetLastError nor the return value will indicate the failure was caused
>> by UIPI blocking."
>>
>> So, I suppose, your proposition was already tested.
>>
>> Do you agree with this analysis ?
>>
>> Thank you again, I appreciate !
>>
>> Take care,
>> Harald
>>
>
>
> In your description you didn't mention if you can move the mouse pointer
> over the login screen and see it move to the password entry field,
> followed by a left click. Are you able to do that?
>
> I never log out nor use the login screen on my computer, but as I
> recall, you have to left click on the password text entry to get
> anything going.
>
> I don't know if my use of the task scheduler is anything more than what
> you are already doing, I just know it lets me avoid the user account
> control screen, which I couldn't otherwise do.
>
> I don't use an .exe signature, I'm just launching a tclkit.exe with a
> script, which exec's my backup program, finds its main window and sends
> it some mouse clicks all using twapi.
>
> The procedure on that page I mentioned is fairly straight forward, it
> even shows you pictures of the dialogs you need to fill out to create a
> task (just scroll down past the ads).
>
> Good Luck
>
Thanks for the clarification, I appreciate.
I will test, if this works for me.

Thank you and take care,
Harald

Am 08.06.2023 um 21:51 schrieb Harald Oehlmann:
> Am 08.06.2023 um 21:29 schrieb et99:
>> On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
>>> Am 07.06.2023 um 22:18 schrieb et99:
>>>>
>>>> It sounds like you need to run this before the user is
>>>> logged in. I'm not sure if this would work before
>>>> you're even logged in, however,
>>>>
>>>> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>>>>
>>>> I've used this described procedure with the task
>>>> scheduler to run a tcl script at admin privs to run a
>>>> program w/o the prompt and then using twapi find its
>>>> window and send it mouse clicks.
>>>>
>>>> In the task scheduler, I see one can set in the
>>>> general tab, "run whether user is logged on or not"
>>>> And there's also a checkbox "run with  *highest*
>>>> privileges". Not sure how high that really is though.
>>>>
>>>> Then in the triggers tab, with new... (to create a new
>>>> trigger) at the top it says "begin the task", one can
>>>> choose "at logon" or even "at startup".
>>>>
>>>> I've not tried this, as the above page only discusses
>>>> how to setup a task that you run from a shortcut using
>>>> the schtasks.exe program.
>>>>
>>>> But perhaps you can adapt it to run prior to logon.
>>>> Then maybe you don't need to use the schtasks.exe
>>>> directly, but have it run for you at logon or startup.
>>>> If it runs with highest privs, maybe that's good enough.
>>>>
>>>> I've only used this on win 10 however, not win 11.
>>>
>>> Thanks a lot for this valuable contribution.
>>> I appreciate, that you read this long post and thinks on it.
>>>
>>> Did you do mouse-clicks on the unlock login screen (if the user has
>>> locked the screen)? Did that work? If YES, I am interested, how the
>>> application is done. Is the exe signed? Is it at c:\program files..?
>>> What is the manifest?
>>>
>>> What I tested:
>>> - desktop starkit with user privileges -> can send keypresses to any
>>> other program of the user. If the user locks the screen and activates
>>> the password entry, it can not send to this entry.
>>> - desktop starkit with admin privileges -> can send keypresses to
>>> other admin programs and to user programs. If the user locks the
>>> screen and activates the password entry, it can not send to this entry.
>>> - Windows service starkit with system user: can send keypress to any
>>> other program, but not to initial login password field, nor to unlock
>>> screen password field.
>>>
>>> The corresponding system calls succeed when keystrokes are sent to
>>> the login screen, but there is no output. I suppose, the following
>>> phrase from the SendInput function help page gives insight to that:
>>> "This function fails when it is blocked by UIPI. Note that neither
>>> GetLastError nor the return value will indicate the failure was
>>> caused by UIPI blocking."
>>>
>>> So, I suppose, your proposition was already tested.
>>>
>>> Do you agree with this analysis ?
>>>
>>> Thank you again, I appreciate !
>>>
>>> Take care,
>>> Harald
>>>
>>
>>
>> In your description you didn't mention if you can move the mouse
>> pointer over the login screen and see it move to the password entry
>> field, followed by a left click. Are you able to do that?
>>
>> I never log out nor use the login screen on my computer, but as I
>> recall, you have to left click on the password text entry to get
>> anything going.
>>
>> I don't know if my use of the task scheduler is anything more than
>> what you are already doing, I just know it lets me avoid the user
>> account control screen, which I couldn't otherwise do.
>>
>> I don't use an .exe signature, I'm just launching a tclkit.exe with a
>> script, which exec's my backup program, finds its main window and
>> sends it some mouse clicks all using twapi.
>>
>> The procedure on that page I mentioned is fairly straight forward, it
>> even shows you pictures of the dialogs you need to fill out to create
>> a task (just scroll down past the ads).
>>
>> Good Luck
>>
> Thanks for the clarification, I appreciate.
> I will test, if this works for me.
>
> Thank you and take care,
> Harald

Dear ET99,

I have made additional tests.

The following script was wrapped into a starkit (by Ashok, tcl8.6.12,
TWAPI 4.7.2, 32bit) on WIndows 10 64bit GER and started as administrator:
<SCRIPT>
package require Tk
console show
wm withdraw .
update
package require twapi
proc s {} {
twapi::send_input [list [list key 65 0x1e]]
puts -nonewline a
after 10000 s
} after 10000 s

proc m {} {
puts "[catch {twapi::move_mouse 100 100} e] $e"
after 10000 m
} </SCRIPT>

Wrap command:
tclkit-cli-8_6_12-twapi-4_7_2-x86-max.exe sdx.kit wrap twapisend.exe
-runtime tclkit-gui-8_6_12-twapi-4_7_2-x86-max.exe

Then, the lock screen was activated.
The mouse move and key press is active in the lock screen.
The keypress changes to the password screen.
The mouse moves to the upper-right corner.
But when changing (by the keypress) to the password entry screen, nor
mouse move, nor keypress are recognized.

The mouse move returns an error:
1 Wrong parameter
The keypress just does not appear.

Is this also what you see, or are you able to move the mouse in the
password part of the lock screen ?

Thank you and take care,
Harald

On 6/15/2023 3:36 AM, Harald Oehlmann wrote:
> Am 08.06.2023 um 21:51 schrieb Harald Oehlmann:
>> Am 08.06.2023 um 21:29 schrieb et99:
>>> On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
>>>> Am 07.06.2023 um 22:18 schrieb et99:
>>>>>
>>>>> It sounds like you need to run this before the user is
>>>>> logged in. I'm not sure if this would work before
>>>>> you're even logged in, however,
>>>>>
>>>>> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>>>>>
>>>>> I've used this described procedure with the task
>>>>> scheduler to run a tcl script at admin privs to run a
>>>>> program w/o the prompt and then using twapi find its
>>>>> window and send it mouse clicks.
>>>>>
>>>>> In the task scheduler, I see one can set in the
>>>>> general tab, "run whether user is logged on or not"
>>>>> And there's also a checkbox "run with  *highest*
>>>>> privileges". Not sure how high that really is though.
>>>>>
>>>>> Then in the triggers tab, with new... (to create a new
>>>>> trigger) at the top it says "begin the task", one can
>>>>> choose "at logon" or even "at startup".
>>>>>
>>>>> I've not tried this, as the above page only discusses
>>>>> how to setup a task that you run from a shortcut using
>>>>> the schtasks.exe program.
>>>>>
>>>>> But perhaps you can adapt it to run prior to logon.
>>>>> Then maybe you don't need to use the schtasks.exe
>>>>> directly, but have it run for you at logon or startup.
>>>>> If it runs with highest privs, maybe that's good enough.
>>>>>
>>>>> I've only used this on win 10 however, not win 11.
>>>>
>>>> Thanks a lot for this valuable contribution.
>>>> I appreciate, that you read this long post and thinks on it.
>>>>
>>>> Did you do mouse-clicks on the unlock login screen (if the user has locked the screen)? Did that work? If YES, I am interested, how the application is done. Is the exe signed? Is it at c:\program files..? What is the manifest?
>>>>
>>>> What I tested:
>>>> - desktop starkit with user privileges -> can send keypresses to any other program of the user. If the user locks the screen and activates the password entry, it can not send to this entry.
>>>> - desktop starkit with admin privileges -> can send keypresses to other admin programs and to user programs. If the user locks the screen and activates the password entry, it can not send to this entry.
>>>> - Windows service starkit with system user: can send keypress to any other program, but not to initial login password field, nor to unlock screen password field.
>>>>
>>>> The corresponding system calls succeed when keystrokes are sent to the login screen, but there is no output. I suppose, the following phrase from the SendInput function help page gives insight to that:
>>>> "This function fails when it is blocked by UIPI. Note that neither GetLastError nor the return value will indicate the failure was caused by UIPI blocking."
>>>>
>>>> So, I suppose, your proposition was already tested.
>>>>
>>>> Do you agree with this analysis ?
>>>>
>>>> Thank you again, I appreciate !
>>>>
>>>> Take care,
>>>> Harald
>>>>
>>>
>>>
>>> In your description you didn't mention if you can move the mouse pointer over the login screen and see it move to the password entry field, followed by a left click. Are you able to do that?
>>>
>>> I never log out nor use the login screen on my computer, but as I recall, you have to left click on the password text entry to get anything going.
>>>
>>> I don't know if my use of the task scheduler is anything more than what you are already doing, I just know it lets me avoid the user account control screen, which I couldn't otherwise do.
>>>
>>> I don't use an .exe signature, I'm just launching a tclkit.exe with a script, which exec's my backup program, finds its main window and sends it some mouse clicks all using twapi.
>>>
>>> The procedure on that page I mentioned is fairly straight forward, it even shows you pictures of the dialogs you need to fill out to create a task (just scroll down past the ads).
>>>
>>> Good Luck
>>>
>> Thanks for the clarification, I appreciate.
>> I will test, if this works for me.
>>
>> Thank you and take care,
>> Harald
>
> Dear ET99,
>
> I have made additional tests.
>
> The following script was wrapped into a starkit (by Ashok, tcl8.6.12, TWAPI 4.7.2, 32bit) on WIndows 10 64bit GER and started as administrator:
> <SCRIPT>
> package require Tk
> console show
> wm withdraw .
> update
> package require twapi
> proc s {} {
>     twapi::send_input [list [list key 65 0x1e]]
>     puts -nonewline a
>     after 10000 s
> }
> after 10000 s
>
> proc m {} {
>     puts "[catch {twapi::move_mouse 100 100} e] $e"
>     after 10000 m
> }
> </SCRIPT>
>
> Wrap command:
> tclkit-cli-8_6_12-twapi-4_7_2-x86-max.exe sdx.kit wrap twapisend.exe -runtime tclkit-gui-8_6_12-twapi-4_7_2-x86-max.exe
>
> Then, the lock screen was activated.
> The mouse move and key press is active in the lock screen.
> The keypress changes to the password screen.
> The mouse moves to the upper-right corner.
> But when changing (by the keypress) to the password entry screen, nor mouse move, nor keypress are recognized.
>
> The mouse move returns an error:
> 1 Wrong parameter
> The keypress just does not appear.
>
> Is this also what you see, or are you able to move the mouse in the password part of the lock screen ?
>
> Thank you and take care,
> Harald

Yes I see pretty much what you do. I can move the mouse pointer
send it a character that opens the password text box.

After that, the only thing active is the onscreen keyboard
or the actual keyboard. I have to enter a password to leave.

I can't even paste anything into the password field.

So, sorry, this doesn't appear to work.

I did find this discussion and it seems likely that only using a driver will work:

https://stackoverflow.com/questions/9652358/simulating-input-in-windows-logon-screen-using-a-driver

Am 16.06.2023 um 00:50 schrieb et99:
> On 6/15/2023 3:36 AM, Harald Oehlmann wrote:
>> Am 08.06.2023 um 21:51 schrieb Harald Oehlmann:
>>> Am 08.06.2023 um 21:29 schrieb et99:
>>>> On 6/8/2023 3:18 AM, Harald Oehlmann wrote:
>>>>> Am 07.06.2023 um 22:18 schrieb et99:
>>>>>>
>>>>>> It sounds like you need to run this before the user is
>>>>>> logged in. I'm not sure if this would work before
>>>>>> you're even logged in, however,
>>>>>>
>>>>>> https://windowsloop.com/how-to-run-a-program-as-administrator-without-prompt/
>>>>>>
>>>>>> I've used this described procedure with the task
>>>>>> scheduler to run a tcl script at admin privs to run a
>>>>>> program w/o the prompt and then using twapi find its
>>>>>> window and send it mouse clicks.
>>>>>>
>>>>>> In the task scheduler, I see one can set in the
>>>>>> general tab, "run whether user is logged on or not"
>>>>>> And there's also a checkbox "run with  *highest*
>>>>>> privileges". Not sure how high that really is though.
>>>>>>
>>>>>> Then in the triggers tab, with new... (to create a new
>>>>>> trigger) at the top it says "begin the task", one can
>>>>>> choose "at logon" or even "at startup".
>>>>>>
>>>>>> I've not tried this, as the above page only discusses
>>>>>> how to setup a task that you run from a shortcut using
>>>>>> the schtasks.exe program.
>>>>>>
>>>>>> But perhaps you can adapt it to run prior to logon.
>>>>>> Then maybe you don't need to use the schtasks.exe
>>>>>> directly, but have it run for you at logon or startup.
>>>>>> If it runs with highest privs, maybe that's good enough.
>>>>>>
>>>>>> I've only used this on win 10 however, not win 11.
>>>>>
>>>>> Thanks a lot for this valuable contribution.
>>>>> I appreciate, that you read this long post and thinks on it.
>>>>>
>>>>> Did you do mouse-clicks on the unlock login screen (if the user has
>>>>> locked the screen)? Did that work? If YES, I am interested, how the
>>>>> application is done. Is the exe signed? Is it at c:\program
>>>>> files..? What is the manifest?
>>>>>
>>>>> What I tested:
>>>>> - desktop starkit with user privileges -> can send keypresses to
>>>>> any other program of the user. If the user locks the screen and
>>>>> activates the password entry, it can not send to this entry.
>>>>> - desktop starkit with admin privileges -> can send keypresses to
>>>>> other admin programs and to user programs. If the user locks the
>>>>> screen and activates the password entry, it can not send to this
>>>>> entry.
>>>>> - Windows service starkit with system user: can send keypress to
>>>>> any other program, but not to initial login password field, nor to
>>>>> unlock screen password field.
>>>>>
>>>>> The corresponding system calls succeed when keystrokes are sent to
>>>>> the login screen, but there is no output. I suppose, the following
>>>>> phrase from the SendInput function help page gives insight to that:
>>>>> "This function fails when it is blocked by UIPI. Note that neither
>>>>> GetLastError nor the return value will indicate the failure was
>>>>> caused by UIPI blocking."
>>>>>
>>>>> So, I suppose, your proposition was already tested.
>>>>>
>>>>> Do you agree with this analysis ?
>>>>>
>>>>> Thank you again, I appreciate !
>>>>>
>>>>> Take care,
>>>>> Harald
>>>>>
>>>>
>>>>
>>>> In your description you didn't mention if you can move the mouse
>>>> pointer over the login screen and see it move to the password entry
>>>> field, followed by a left click. Are you able to do that?
>>>>
>>>> I never log out nor use the login screen on my computer, but as I
>>>> recall, you have to left click on the password text entry to get
>>>> anything going.
>>>>
>>>> I don't know if my use of the task scheduler is anything more than
>>>> what you are already doing, I just know it lets me avoid the user
>>>> account control screen, which I couldn't otherwise do.
>>>>
>>>> I don't use an .exe signature, I'm just launching a tclkit.exe with
>>>> a script, which exec's my backup program, finds its main window and
>>>> sends it some mouse clicks all using twapi.
>>>>
>>>> The procedure on that page I mentioned is fairly straight forward,
>>>> it even shows you pictures of the dialogs you need to fill out to
>>>> create a task (just scroll down past the ads).
>>>>
>>>> Good Luck
>>>>
>>> Thanks for the clarification, I appreciate.
>>> I will test, if this works for me.
>>>
>>> Thank you and take care,
>>> Harald
>>
>> Dear ET99,
>>
>> I have made additional tests.
>>
>> The following script was wrapped into a starkit (by Ashok, tcl8.6.12,
>> TWAPI 4.7.2, 32bit) on WIndows 10 64bit GER and started as administrator:
>> <SCRIPT>
>> package require Tk
>> console show
>> wm withdraw .
>> update
>> package require twapi
>> proc s {} {
>>      twapi::send_input [list [list key 65 0x1e]]
>>      puts -nonewline a
>>      after 10000 s
>> }
>> after 10000 s
>>
>> proc m {} {
>>      puts "[catch {twapi::move_mouse 100 100} e] $e"
>>      after 10000 m
>> }
>> </SCRIPT>
>>
>> Wrap command:
>> tclkit-cli-8_6_12-twapi-4_7_2-x86-max.exe sdx.kit wrap twapisend.exe
>> -runtime tclkit-gui-8_6_12-twapi-4_7_2-x86-max.exe
>>
>> Then, the lock screen was activated.
>> The mouse move and key press is active in the lock screen.
>> The keypress changes to the password screen.
>> The mouse moves to the upper-right corner.
>> But when changing (by the keypress) to the password entry screen, nor
>> mouse move, nor keypress are recognized.
>>
>> The mouse move returns an error:
>> 1 Wrong parameter
>> The keypress just does not appear.
>>
>> Is this also what you see, or are you able to move the mouse in the
>> password part of the lock screen ?
>>
>> Thank you and take care,
>> Harald
>
>
> Yes I see pretty much what you do. I can move the mouse pointer
> send it a character that opens the password text box.
>
> After that, the only thing active is the onscreen keyboard
> or the actual keyboard. I have to enter a password to leave.
>
> I can't even paste anything into the password field.
>
> So, sorry, this doesn't appear to work.
>
> I did find this discussion and it seems likely that only using a driver
> will work:
>
> https://stackoverflow.com/questions/9652358/simulating-input-in-windows-logon-screen-using-a-driver
>
>

Dear Et99,

I want to thank you for the efforts to always follow my messages and to
check what I have done. I really appreciate !
Thanks for the great pointer with a lot of research. I will first try
the "Assistent technology" approach before trying the driver method.

Thank you and take care,
Harald

Thank you all reading this thread. The current state is logged on the
following wiki page:

https://wiki.tcl-lang.org/page/MS+Windows%3A+assistive+technology%2C+code+signing%2C+send+keystrokes+to+other+applications+and+Windows+login+password+field

Thank you,
Harald

Am 13.07.2023 um 17:28 schrieb Harald Oehlmann:
> Thank you all reading this thread. The current state is logged on the
> following wiki page:
>
> https://wiki.tcl-lang.org/page/MS+Windows%3A+assistive+technology%2C+code+signing%2C+send+keystrokes+to+other+applications+and+Windows+login+password+field
>
> Thank you,
> Harald

Assistive Technology realy works to solve the problem. This is big fun
to have the TCL application run in the Windows Logon screen ;-).

Enjoy the logbook,
Harald

Hello Harald,

Below is not perfect but working example of using IsProcessInJob with Ffidl.
It is based on topic https://stackoverflow.com/questions/5595918/using-ffidl-with-tcl-to-return-pass-by-reference-strings-and-arrays

package require twapi
package require Ffidl
package require Ffidlrt

ffidl::callout IsProcessInJob {int int pointer-var} int [ffidl::symbol kernel32.dll IsProcessInJob]

proc is_process_in_job {process job} {
set res_ptr [binary format [::ffidl::info format int] 0]
if {[IsProcessInJob $process $job res_ptr]} {
binary scan $res_ptr [::ffidl::info format int] res_ptr
return $res_ptr
} else {
puts "Error executing IsProcessInJob"
return -1
}
}

Test case:

ffidl::callout CreateJobObjectA {int pointer-utf8} int [ffidl::symbol kernel32.dll CreateJobObjectA]

set cur_process [lindex [twapi::get_process_handle [twapi::get_current_process_id] ] 0]
set job [CreateJobObjectA 0 "testJob"]

(bin) 26 % is_process_in_job $cur_process 0
1 ; # search process in any job is successfull
(bin) 27 % is_process_in_job $cur_process $job
0 ; # process is not in testJob

Great, Yuriy, I appreciate. I am at the conference, thank on holiday,
will test mid August.

Thanks again,
Harald

Am 20.07.2023 um 12:19 schrieb Yuriy Kovalenko:
> Hello Harald,
>
> Below is not perfect but working example of using IsProcessInJob with Ffidl.
> It is based on topic https://stackoverflow.com/questions/5595918/using-ffidl-with-tcl-to-return-pass-by-reference-strings-and-arrays
>
> package require twapi
> package require Ffidl
> package require Ffidlrt
>
> ffidl::callout IsProcessInJob {int int pointer-var} int [ffidl::symbol kernel32.dll IsProcessInJob]
>
> proc is_process_in_job {process job} {
> set res_ptr [binary format [::ffidl::info format int] 0]
> if {[IsProcessInJob $process $job res_ptr]} {
> binary scan $res_ptr [::ffidl::info format int] res_ptr
> return $res_ptr
> } else {
> puts "Error executing IsProcessInJob"
> return -1
> }
> }
>
>
> Test case:
>
> ffidl::callout CreateJobObjectA {int pointer-utf8} int [ffidl::symbol kernel32.dll CreateJobObjectA]
>
> set cur_process [lindex [twapi::get_process_handle [twapi::get_current_process_id] ] 0]
> set job [CreateJobObjectA 0 "testJob"]
>
> (bin) 26 % is_process_in_job $cur_process 0
> 1 ; # search process in any job is successfull
> (bin) 27 % is_process_in_job $cur_process $job
> 0 ; # process is not in testJob