. UltraVnc v1.03 Beta tech info
. Changes
. The build in winvnc service is replaced by an external service. . Vista
require an isolation between the service and the desktop application.
. For
security, applications started by a service, should by started as the same user
as the desktop owner, this prevent other applications trying to gain admin
access via winvnc.
. v1.0.3 RC1 doesn't use any more the registry for option saving.
. It
was too complicated to get the registry permissions right, and because
winvnc.exe needs to be started as system, password and ports could change if
user and system have different settings
. We are thinking about reserving
the use of ultravnc.ini file for Vista only and keep the registry for others
Windows versions. . We could also support both modes.
. Actually v1.0.3 with
registry works under Vista but users must configure both WinVNC "default" and
"User" settings even when then don't install the WinVNC service...
. - Location: same directory as winvnc.exe
. - If you want to prevent normal users to change the file, you need to set restrictions on the write access of this file
. The viewer now auto reconnects when the desktop security changes or when
the user login/logoff.
. The default delay is 10s (no viewer screen
refresh).
. If the autoreconnect ever fails you still can manually reconnect
and should be able to gain access to all (logon/screen saver/default/UAC)
security desktop.
. ctrl-alt-del
. Winvnc can not send the ctrl-alt-del sequence if you have UAC disable and
CAD enable.
. UAC not only popup a "accept" box for elevated apps, but also
process the manifest security settings.
. If you disable UAC, you also need
to disable CAD, else no software( including MS on screen keyboard) can simulate
the CAD sequence.
. If you download and unzip the files Vista put a security bit on them and
ask permission each time you want to execute them. . This prevent the winvnc
service from proper working.
. After you downloaded and extracted the files
you need to copy them in a subfolder in "Program Files", this reset this bit.
. BACKGROUND INFO
. Activate/Deactivate ctrl-alt-del in Vista
. You
can configure the local security policy so the Windows Security dialog box will
be displayed, requiring all users to press CTRL + ALT + DEL to log on.
.
Users will then be prompted to provide a valid username and password to access
the computer.
. 1° Within the Control Panel, click System and Maintenance.
. 2° Click Administrative Tools then the Local Security Policy.
. 3° Within the console, expand Computer Configuration | Windows Settings | Security Settings | Local Policies.
. 4° Click Security Options. . The various security options are displayed in the details pane.
. 5° Scroll through the options and locate Interactive Logon: Do not require CTRL + ALT + DEL.
. 6° Double click the security option.
. 7° Select Disabled to require users to press CTRL + ALT + DEL.
. 8° Click OK.
.
Enable/Disable UAC . 1° Run MsConfig from Run option.
. 2° In System Configuration window, click on the Tools tab.
. 3° Scroll down and locate “Disable UAP” or “Disable UAC” option item.
. Click on that line. . 4° Click the Launch button.
. 5° A command prompt window will open and automatically execute and run certain process to disable UAC.
. 6° Close CMD window when done.
. 7° Close Msconfig.
. 8° Restart computer for changes to apply and effective.
. To re-enable UAC, simply select “Enable UAP” or “Enable UAC” instead of “Disable UAP” or “Disable UAC”, and then click on Launch button.
. Vista Challenge I (session isolation)
. We spend about 4 months on R&D and final got it working with some support of the MS helpdesk.
. Vnc and all remote control softwares are having trouble withy the new Vista security model. . In de old model, winlogon was always running in the same session as the services, session0
. While in the new model, the winlogon run in the same session as the desktop.
. The isolation of the session0, now only used for services, prevent winvnc in service mode to access session X and no interaction with the desktop in session X is possible. . Using the service, you can't logon or capture the desktop.
. Running winvnc in application mode ( started manual in sessionX) all seems to work as long as you don't logoff or use any system application that popup the UAC.
. Solution I
. Winvnc need to split exe in a service and a application part. . When we run the winvnc_service in session0 and let the service start winvnc_app in the sessionX, winvnc_app can communicate with the desktop and control the mouse and keyboard.
. An other problem is that sessionX have different desktop, let's take a closer look how desktop exist in Vista. . (This model was already partly in use on XP, for the "Fast user switching", remember the black screen you had with VNC after switching user)
. - Session 0 | | | ---- WinSta0 (interactive window station) | | | | | ---- Default (desktop) | | | | | ---- Disconnect (desktop) | | | | | ---- Winlogon (desktop) | | | ---- winvnc Service (non-interactive window station) | | | | | ---- Default (desktop) | | - Session 1 | | | ---- WinSta0 (interactive window station) | | | | | ---- Default (desktop)(1**) | | | | | ---- Disconnect (desktop) | | | | | ---- Winlogon (desktop) | | - Session 2 | | | ---- WinSta0 (interactive window station) | | | | | ---- Default (desktop) | | | ---- Disconnect (desktop) | | | | | ---- Winlogon (desktop) (2**)
. The service need to check the console desktop and session.
. If the
console desktop is (1**) the service need to start winvnc_app in session1 on the
default desktop, the default desktop is the normal desktop where your
application run on.
. If the console desktop is (2**) the service need to
start winvnc_app in session2 on the winlogon desktop, this is the secure desktop
used to logon.
. To avoid access problems, you best start the winvnc_app
with the same security context as the desktop he is started in.
. Default
Desktop --> user
. Winlogon Desktop -> local system
.
Createprocessasuser() allow the service to start the exe in the correct security
context.
. This method would be a complete solution to support Fast user switching and access on PC's running RDP. . But Vista has other nasty tricks to prevent applications to control a desktop.
. Vista Challenge II (elevation and UAC)
. Security elevation. From previous MS OS's you know that permissions where based on users. . If
you logged on as administrator, you could simple click on an executable to start
it. . As normal user, you needed execute permission on that executable.
. In
Vista applications have a "security elevation".
. Low: Iexplorere started as
administrator runs in low security elevation, this block iexplorer access to
many system sources and applications.
. Normal: A standard application, word
pad, run in normal elevation.
. High: For system utilities, like service
manager..
. The elevation block some interaction from lower elevated
application to higher. . For Vnc the most important is that sendinput() is
blocked. . You can't control an application running in higher elevation then the
elevation winvnc is running.
. If you start the service manager from within
VNC, VNC mouse clicks get locked by the elevated "service manager" application.
. If the remote users minimize the "service manager" you have full access
again, but remote you are blocked.
. In older OS version you could simple start a "system application" with a
double click, in Vista the UAC jumps in. . The UAC popup a "OK" window in the
secure desktop, he temporal switch to the winlogon desktop and ask your
permission to execute that program.
. The problem for VNC is that your
winvnc_app running in the default desktop has no permission to access the
winlogon desktop, remote the whole desktop lock and you need to ask the remote
user the press the ok button to continue.
. Solution II
. UAC problem can be solved by restarting the winvnc_app in the winlogon
desktop, to press OK, and the restarting it again in the default desktop.
.
Great, but now VNC lock because the "system app" has focus and sendinput() is
locked because it run in "high" elevation.
. No problem, should you think,
we just add a manifest to the winvnc_app and tell that it need to start in
"high" elevation, then it can control all application. . ( elevation high has
access to all elevation >=high)
. This works, when you manual click on
the winvnc_app.exe, it popup the UAC and you press OK, but when you start it
from the service you get a permission denied, CreateprocessAsUser(CPAU) is not
allowed to start elevated application......
. Don't play with the manifest, the only way is to play with the token passed to CPAU and pass the full elevated token, then winvnc_app start elevated and you have access.
. Vista Challenge II ( Ctrl-alt-del)
. In previous OS's you could send a message from a service in the winlogon
desktop to simulate the CAD sequence...
.
PostMessage(HWND_BROADCAST,WM_HOTKEY,0,MAKELPARAM(MOD_ALT|MOD_CONTROL,VK_DELETE));
. This does not work in Vista....
. Solution III
. We are testing, it has to be possible, the osk (on screen keyboard) can
simulate the sequence. . The osk use undocumented functions, the "winlogon IPC
API"...
. As workaround, you can use the on screen keyboard. . When you
press the left/down icon it popup the keyboard and you can that to simulate
CAD...
. Problem solved , Ctrl-Alt-Del can be made with a separate exe
"cad.exe"