Vista Logon Script Replacement

acker
Posts: 3
Joined: Fri Mar 06, 2009 5:22 am

Post by acker »

Hi,
I'm trying to use a computer startup script to replace the Windows
Vista logon screen across an entire domain, in a fashion similar to
the manual process documented here:
http://spikex.net/blog/2007/07/18/chang ... n-windows-...
I have my basic script below that works through several steps to
replace a key dll, changing the owner of the file to SYSTEM, renaming
it and copying in a replacement file, which all looks sound and has
worked in a roundabout way for me manually.
This script runs via group policy through the computer configuration
startup script section. I understand from a little searching that
these scripts run under the context of the SYSTEM account which should
be privileged enough to perform the commands I call.
I was hoping someone might be able to help me debug and tune this code
as I'm at a loss as to what to try with it.
Many thanks in advance!!
---------------------

Code: Select all

Option Explicit
On Error Resume Next

Dim strCommandLine
Dim objFSO

strCommandLine = "\\server\logonreplace\XCACLS.vbs C:\Windows\System32\imageres.dll /G SID#S-1-5-18:f /E"
ExecuteThis(strCommandLine)

objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.MoveFile "C:\Windows\System32\imageres.dll", "C:\Windows\System32\imageres.dll~"
objFSO.CopyFile "\\server\logonreplace\imageres.new.dll", "C:\Windows\System32\imageres.dll"
Set objFSO = Nothing

Function ExecuteThis(FULLSTRING)
    Dim objShell : Set objShell = CreateObject("Wscript.Shell")
    ExecuteThis = objShell.Run(FULLSTRING,,1)
    Set objShell = Nothing
End Function

jhicks
Posts: 1789
Joined: Sun Jan 21, 2007 11:31 pm

Post by jhicks »

Can you run the script manually logged on as administrator? What errors are you getting?

rasimmer
Posts: 182
Joined: Fri Jan 30, 2009 12:37 am

Post by rasimmer »

First, I believe if it's under WFP, then it would just get replaced with the cached file unless you disabled WFP. According to the post, you just need to change the permissions to do the hack, so if you are just replacing the file you would just need MODIFY permissions to the file, which SYSTEM and Administrator probably already have. The question is how long WFP will give you before it checks that file and replaces it with the cached version of the file. Are you checking the modified date on the file? The script could be replacing the file and then WFP immediately replaces it (which would indicate WFP is working like it should). You also might want to run REGSVR32 to re-register the DLL.

jhicks
Posts: 1789
Joined: Sun Jan 21, 2007 11:31 pm

Post by jhicks »

You might also need to replace the file in the WFP cache.

rasimmer
Posts: 182
Joined: Fri Jan 30, 2009 12:37 am

Post by rasimmer »

You shouldn't need to modify perms to do a simple file replacement, so no XCACLS at all. SYSTEM or any local admin should have access to replace the file. Perms needed to be changed to MODIFY the initial file to implement the hack, that's it. Your issue is going to be WFP replacing the file, so look at replacing the file in the cache as well as the file in the SYSTEM32 dir or wherever it is.

acker
Posts: 3
Joined: Fri Mar 06, 2009 5:22 am

Post by acker »

jvierra, would you mind explaining your thoughts a little more in depth for me please? I had originally thought of doing this as an MSI but with the WFP came to think it an impossible route and reverted to this scripting solution.

jhicks, thank you very much for all your input on this. The Trusted Installer service you speak of, is that privileged enough to replace a file under WFP? I assume it's a mode of MSIEXEC for when your MSI has been signed?

In all of my manual testing, WFP has never once replaced my new file with a cached copy from the dllcache. I don't know if this is simply because there isn't executable code in there, this dll is a simple library of resources.

I think there has to be something basically getting in the way as my script doesn't seem to perform any of the file actions at all on computer startup as it should.

jvierra
Posts: 14546
Joined: Tue May 22, 2007 9:57 am

Post by jvierra »

Some scripts like this one will not run unattended from a network share on WS2003 and Vista I believe. The location has to be fully trusted.

During startup the system account is restricted and still is restricted by WFP. This will probably not work as desired.

You cannot replace any file that is under WFP without an installer or without making the file from WFP.

If what you are trying to do is legitimate then it is a big hole in Vista security.

Logged on as Admin you can have certain rights and, under Vista only, you may be able to manually replace the file. This does not mean that you can do it under the startup script conditions. Remember that the example has someone manually change the file and test it with the logon console. That someone has to be a full administrator.



jvierra
Posts: 14546
Joined: Tue May 22, 2007 9:57 am

Post by jvierra »

Resource DLLs are protected because the system can treat them like executable files. Resources can be active content or can be items fundamental to the system health. The DLL happens to have screen savers which can be active and contain code.

WFP owns this file. You cannot change that. WFP will ultimately trap you. I don't believe even the system can bypass WFP, only a trusted installation package.

To remove a file from WFP you need to shut down WFP and delete the file. This can only be done interactively.

Use the installer. Look into the InstallShield Express. It is easier to use than the MS installer. It is a free eval for about 20 days. If you like it, it is still pretty inexpensive although the MS 4.5 installer is free.
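
A defender-side check for the state this thread is trying to produce, as an added example that is not part of any post: it reports the file owner, any write access held by someone other than TrustedInstaller, the modified date rasimmer asks about, and the `imageres.dll~` leftover the posted script would create. The function name is hypothetical, and PowerShell 4.0 or later is assumed for `Get-FileHash`.

```powershell
# Added example, not from the thread. Function name is hypothetical; the default
# path is the DLL discussed above. Assumes PowerShell 4.0+ (Get-FileHash).
function Test-ProtectedFileState {
    param([string]$Path = "$env:SystemRoot\System32\imageres.dll")

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $acl  = Get-Acl -LiteralPath $Path

    # On Vista and later, protected system files are owned by TrustedInstaller.
    $ti      = 'NT SERVICE\TrustedInstaller'
    $ownerOk = $acl.Owner -eq $ti

    # Rights that allow replacing the file or rewriting its ACL.
    $mask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    # Allow entries for anyone other than TrustedInstaller carrying those rights,
    # e.g. the SYSTEM full-control grant (SID S-1-5-18) the thread's script requests.
    $extraWriters = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $ti -and
            ([int]$_.FileSystemRights -band $mask) -ne 0
        } | ForEach-Object { $_.IdentityReference.Value })

    # The thread's script renames the original to "<name>~" before copying.
    $renamedCopy = Test-Path -LiteralPath ($Path + '~')

    [pscustomobject]@{
        Path                    = $item.FullName
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = $ownerOk
        ExtraWriters            = $extraWriters
        RenamedOriginalPresent  = $renamedCopy
        LastWriteTimeUtc        = $item.LastWriteTimeUtc
        Sha256                  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        NeedsReview             = (-not $ownerOk) -or ($extraWriters.Count -gt 0) -or $renamedCopy
    }
}

Test-ProtectedFileState | Format-List
```

For a content check against the component store, run `sfc /verifyfile=<path>` from an elevated prompt. The `Sha256` value is only useful when compared with the same file on a known-good machine at the same patch level.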
