This GINA brings new functionality to Windows NT which many users complained is missing:
Copyright (C) 1997-1998 by
This program is free software under the GNU General Public License. See the file LICENSE for details. The latest version of NEWGINA can be found at http://wwwthep.physik.uni-mainz.de/~frink/nt.html.
However, most people consider this behavior simply a nuisance, but until now there was no easy way to get rid of it.
As a by-product of programming this new feature, I found a convenient way to implement a logoff and shutdown script, as well as a method that actually prevents password-protected screen savers. The latter option is very useful for PC pools in universities or schools, where users lock their NT workstations, leave, forget to come back, and thus effectively block the machine from being used by others.
The ordinary way to prevent password-protected screen savers is to hide the Screen Saver tab of the Display icon in Control Panel with the Policy Editor. Then you must disable the Registry Editing Tools as well, because otherwise the users can set their screen saver options directly through the registry. Then you must remove the Run command from the Start Menu, or the users can run their own registry modification program. And you cannot use something like Microsoft Office, because with its macro language you can shell out to arbitrary programs... With my program, however, the password protection is prevented at a much lower level, inside the logon process itself, and I am pretty sure ordinary users cannot bypass it (assuming you write-protected the Windows system directories and did not relax registry security; let me know if you find a way anyhow). Additionally, you must disable the Lock Workstation button in the Windows NT Security (Ctrl-Alt-Del) dialog, because locking the workstation is a second route to the same password prompt. See my NOLOCKWS program to do this.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
In short, the main aspects of the GNU General Public License, in my personal interpretation (which may not be 100% accurate; I am a physicist, not a lawyer), are:
Let me briefly explain how the program works and which registry entries it uses. Source code is included, so you may examine it on your own and modify it under the terms of the GNU General Public License. All options can be configured with the setup program. If you are not interested in the technical background, you can safely skip this section and go directly to the Installation section. This information is useful if you plan to install the new GINA remotely on a larger number of computers (copy the files to \\remotepc\admin$\system32, then connect to the remote registry and make the changes described below).
GINA stands for Graphical Identification and Authentication and describes an interface for the validation of logon credentials. The default implementation is msgina.dll. NT offers the possibility to replace this GINA with a custom one, e.g. to allow identification via smart cards, iris scanning etc. The interface (i.e. which functions any GINA must make available to the WINLOGON process and which WINLOGON functions it can call back) is described in gina.hlp, found in the directory \mstools\samples\win32\winnt\security\gina on the Win32 SDK CD-ROM. Besides completely rewriting all the GINA functionality, one has the possibility to put a shim between the WINLOGON process and the original GINA which intercepts all calls to the GINA and so can react under certain conditions, while all other calls are passed to the original GINA without modification. This way no functionality of the underlying GINA is lost, but new functionality can be added. A basic example of how to do this can be found in \mstools\samples\win32\winnt\security\ginastub on the Win32 SDK CD-ROM. This sample was also used as a skeleton for my new GINA. (At the time of writing one could find these samples on the Microsoft website in the MSDN Online section, but this changes frequently.)
To tell WINLOGON to call a new GINA instead of the original msgina.dll, one has to add a value GinaDLL, type REG_SZ, containing the filename (and path if not in %systemroot%\system32), under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (...\Winlogon for short in the following). If you already use a non-standard GINA (e.g. Novell's IntraNetware Client), this value might be present. NEWGINA saves this entry in the value OriginalGinaDLL under the ...\Winlogon key and of course will use this GINA instead of msgina.dll as the underlying GINA (e.g. nwgina.dll for Novell).
The Ctrl-Alt-Del option can be configured with the NeedCtrlAltDel value under the ...\Winlogon key. It can be either REG_SZ or REG_DWORD: 1, yes or true (case insensitive) if you still want to press Ctrl-Alt-Del to log on, or 0, no or false if you want to get rid of it. If the value is not present, it defaults to 0, so installing NEWGINA without configuring it removes the Ctrl-Alt-Del requirement!
It is implemented by hooking the WlxDisplaySASNotice() call. Instead of displaying the 'Press Ctrl + Alt + Delete to log on' message, WlxSasNotify() is called, which simulates a Ctrl-Alt-Del secure attention sequence and in turn brings up the logon dialog box.
The protected screen saver option can be configured with the AllowProtectedSS value under the ...\Winlogon key. It can take the same values as NeedCtrlAltDel and defaults to 1, which means that protected screen savers are possible.
It is implemented by hooking the WlxIsLockOk() function, which WINLOGON calls when it wants to lock the screen. It gives the GINA the possibility to exercise a veto. If AllowProtectedSS is 1 or the current user is an Administrator, the decision is left to the underlying GINA, otherwise it returns FALSE.
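As an added illustration (not part of NEWGINA's own source), the following portable C models the shim pattern described above: every call WINLOGON makes is forwarded to the original GINA except the two hooks, WlxDisplaySASNotice and WlxIsLockOk, and the two flags are interpreted with the REG_SZ/REG_DWORD rules and defaults given for NeedCtrlAltDel and AllowProtectedSS. Because it has to build without the Win32 SDK, the Win32 types, the Wlx* function names and the WLX_SAS_TYPE_CTRL_ALT_DEL constant are re-declared locally, the original GINA and WINLOGON's WlxSasNotify callback are stand-ins that only count how they were called, and the treatment of an unrecognised string value (fall back to the default) is this example's choice, not something the README specifies.

```c
/* Added example, not NEWGINA code: a portable model of the GINA shim.
 * Win32 types and winwlx.h names are re-declared so it builds anywhere. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef int BOOL;
typedef unsigned long DWORD;
typedef void *PVOID;
#define TRUE 1
#define FALSE 0
#define WLX_SAS_TYPE_CTRL_ALT_DEL 1   /* value from winwlx.h */

/* Case-insensitive string equality (the README says yes/true/1 are
 * accepted in any case). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Interpret a Winlogon flag: REG_DWORD nonzero, or REG_SZ "1"/"yes"/"true",
 * means on; "0"/"no"/"false" means off; a missing value takes the caller's
 * default (0 for NeedCtrlAltDel, 1 for AllowProtectedSS).  Unrecognised
 * strings also take the default (this example's choice). */
BOOL read_flag(const char *sz, const DWORD *dw, BOOL dflt) {
    if (dw) return *dw != 0;
    if (!sz) return dflt;
    if (ieq(sz, "1") || ieq(sz, "yes") || ieq(sz, "true")) return TRUE;
    if (ieq(sz, "0") || ieq(sz, "no") || ieq(sz, "false")) return FALSE;
    return dflt;
}

/* The WINLOGON callback the shim uses, and the GINA exports it wraps.
 * The original GINA (msgina.dll, nwgina.dll, ...) is just another table. */
typedef struct { void (*WlxSasNotify)(PVOID hWlx, DWORD dwSasType); } WLX_DISPATCH;
typedef struct {
    void (*WlxDisplaySASNotice)(PVOID pWlxContext);
    BOOL (*WlxIsLockOk)(PVOID pWlxContext);
} GINA_EXPORTS;

/* Shim state; in a real GINA this comes from LoadLibrary(OriginalGinaDLL),
 * WlxInitialize and the registry. */
typedef struct {
    const GINA_EXPORTS *orig;
    const WLX_DISPATCH *wlx;
    PVOID hWlx;
    BOOL need_ctrl_alt_del;
    BOOL allow_protected_ss;
    BOOL user_is_admin;
} SHIM;

/* Hook 1: skip the "Press Ctrl+Alt+Del" notice by simulating the SAS. */
void Shim_WlxDisplaySASNotice(SHIM *s, PVOID ctx) {
    if (s->need_ctrl_alt_del)
        s->orig->WlxDisplaySASNotice(ctx);                      /* pass-through */
    else
        s->wlx->WlxSasNotify(s->hWlx, WLX_SAS_TYPE_CTRL_ALT_DEL); /* simulated SAS */
}

/* Hook 2: veto the lock unless protected savers are allowed or user is admin. */
BOOL Shim_WlxIsLockOk(SHIM *s, PVOID ctx) {
    if (s->allow_protected_ss || s->user_is_admin)
        return s->orig->WlxIsLockOk(ctx);   /* leave the decision to the original GINA */
    return FALSE;                            /* veto: the original GINA is never asked */
}

/* Stand-ins for msgina.dll and WINLOGON that only record what was called. */
int g_notice_shown, g_sas_notified, g_orig_lock_asked;
static void orig_notice(PVOID c) { (void)c; g_notice_shown++; }
static BOOL orig_lock_ok(PVOID c) { (void)c; g_orig_lock_asked++; return TRUE; }
static void fake_sas_notify(PVOID h, DWORD t) {
    (void)h; if (t == WLX_SAS_TYPE_CTRL_ALT_DEL) g_sas_notified++;
}

/* Run one logon/lock scenario from REG_SZ-style values; returns the lock
 * decision, the counters above show which path each hook took. */
BOOL run_scenario(const char *need_cad_sz, const char *allow_ss_sz, BOOL admin) {
    static const GINA_EXPORTS orig = { orig_notice, orig_lock_ok };
    static const WLX_DISPATCH wlx = { fake_sas_notify };
    SHIM s = { &orig, &wlx, NULL, FALSE, TRUE, admin };
    s.need_ctrl_alt_del  = read_flag(need_cad_sz, NULL, FALSE);
    s.allow_protected_ss = read_flag(allow_ss_sz, NULL, TRUE);
    g_notice_shown = g_sas_notified = g_orig_lock_asked = 0;
    Shim_WlxDisplaySASNotice(&s, NULL);
    return Shim_WlxIsLockOk(&s, NULL);
}

int main(void) {
    printf("defaults, user:            lock ok = %d\n", run_scenario(NULL, NULL, FALSE));
    printf("AllowProtectedSS=no, user: lock ok = %d\n", run_scenario("1", "no", FALSE));
    printf("AllowProtectedSS=0, admin: lock ok = %d\n", run_scenario("0", "0", TRUE));
    return 0;
}
```

The second scenario shows the security-relevant property of hooking WlxIsLockOk: with AllowProtectedSS off and a non-administrator, the original GINA is never consulted, so it cannot grant a lock the shim has vetoed; administrators and the default configuration are passed through to the original GINA unchanged.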
The shutdown script option can be configured with the values Script (the .exe or .bat file you want to execute), Logfile (a file to which the output of the script is logged), Timeout (REG_SZ or REG_DWORD, the time in seconds after which the script is killed; default 60 seconds; 0 means no timeout, which is not recommended), Account (in the form DOMAIN\USER; no account means LOCAL_SYSTEM) and Password under a newly added ...\Winlogon\Shutdown key. The password is not encrypted, but the key is readable by Administrators only. Take care that no users get hold of copies of the registry files (Emergency Repair Disk, files in %systemroot%\repair, or backups), because the password can be read from them in clear text.
It is implemented by hooking the WlxShutdown() function.
The logoff script option can be configured with the UserScript, SystemScript, Logfile and Timeout values (see the shutdown script option above for details) under the ...\Winlogon\Logoff key.
It is implemented by hooking the WlxIsLogoffOk() function.
Read this documentation carefully before you begin! IT IS *REALLY* DANGEROUS TO PLAY AROUND WITH GINAs. IF YOU INSTALL A CORRUPT GINA, YOUR SYSTEM WILL NO LONGER BOOT. I have experienced this several times while developing this program!
So, first the standard disclaimer:
This program is provided "as is" and comes without any warranty
of any kind, either expressed or implied, including but not
limited to fitness for a particular purpose or a particular
system. In no case shall the author be liable for any damage
or unwanted behavior of any computer hardware and/or software,
including but not limited to data loss or time spent to recover
your system.
Do not test this program on your production machines without
a backup you know you can restore!
As a minimum equipment to recover your system, prepare a NEW Emergency Repair Disk (with rdisk /s) and the three setup disks (winnt /ox, in the \i386 directory of your NT CD). In case of failure, boot from the setup disks, choose the repair option, and restore the SOFTWARE hive of your registry from the ERD.
If you have 200-300 MB left on your hard disk, I ADDITIONALLY recommend making a local backup copy of the \winnt directory to \winntbak with 'scopy /o/a/s' from the Resource Kit. You must manually expand the registry hives which scopy could not copy from \winnt\repair to \winntbak\system32\config and \winntbak\profiles\administrator (ntuser.dat) respectively. Then duplicate the existing lines for Windows NT in c:\boot.ini and change c:\winnt to c:\winntbak. Test whether you can boot your backup system. Now you can modify the original installation's registry with the Load Hive... option in RegEdt32 (c:\winnt\system32\config\software). (I silently assumed that %systemroot% is c:\winnt.)
For full safety, back up your complete system to a tape. (And verify that you can restore it!)
You must be logged on as a member of the Administrators group (not necessarily the Administrator account itself). Unpack the distribution file with an unzip program which preserves long filenames and the directory structure. I recommend Info-ZIP's unzip 5.x for Alpha or Intel (the full package with documentation and source can be downloaded for free from ftp://ftp.cdrom.com/pub/infozip/). You further need the Microsoft Foundation Classes library mfc40.dll for Alpha or mfc42.dll for Intel, which are not included in this distribution because you will probably already find them on your system (in %systemroot%\system32, where %systemroot% is your Windows directory, e.g. c:\winnt) and they are quite large (1 MB for Intel, 2 MB for Alpha). If they are not on your system, download and copy them to %systemroot%\system32.
After unpacking, you will find some documentation files in the current directory, subdirectories .\axp and .\x86 with the binaries for Alpha and Intel respectively, and a subdirectory .\source with the source files. Change the current directory according to your architecture (cd axp or cd x86; see the section Rebuilding from source if you have neither Alpha nor Intel). Then start the ginasetup.exe program. It tests whether the new GINA is already installed and, if not, prompts you to copy the files gina_(arch).dll and ginasetup.exe to %systemroot%\system32 (where (arch) is axp or x86 respectively). You will have to reboot now (sorry, it is really necessary).
To configure the options of the new GINA once it is installed, start ginasetup.exe again. Since it is now in %systemroot%\system32 you do not have to specify a path.
The setup window is divided into three sections. Topmost you will find the General options, in the middle the Shutdown script options, and at the bottom the Logoff script options.
This distribution contains binaries for DEC Alpha and Intel x86.
The program has been tested on NT 4.0 Server (U.S./Intel) and NT 4.0 Workstation (U.S./Alpha and German/Intel). I do not expect problems with international NT versions, because there are no language-specific system calls (at least for those versions based on Windows codepage 1252, as all American and Western European versions are).
An older version was reported to run on NT 3.51 as well. The GINA specifications are backward compatible. But I doubt it will work on upcoming NT 5.0 without modifications, especially if it will really include multi-user capabilities (no use is currently made of the pWlxContext pointer that may serve to distinguish between users).
You should not notice any side effects, since all calls to the new GINA are passed directly to the original msgina.dll. Therefore it should work as well with systems that have a replaced GINA, e.g. systems where authentication is performed on a Novell or Unix server. On these systems you will already have a GinaDLL value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The value from GinaDLL will be saved in a new value OriginalGinaDLL under ...\Winlogon.
#ifdef _M_IX86 in both globals.h files and add a name for GINA_DLL appropriate for your platform. The different names for the platforms are meant as an extra safeguard to prevent you from installing the wrong version.
LICENSE | GNU General Public License
readme.1st | first instructions
readme.html | this documentation
changes.html | summary of what has changed between versions
axp\ginasetup.exe | precompiled setup file for DEC Alpha
axp\gina_axp.dll | precompiled GINA for DEC Alpha
x86\ginasetup.exe | precompiled setup file for Intel x86
x86\gina_x86.dll | precompiled GINA for Intel x86
source\newgina\* | source files for the new GINA
source\ginasetup\* | source files for the setup program
    rem update the repair information (registry hives) without any dialog
    %systemroot%\system32\rdisk.exe /s-
    rem connect the central repair share under a fresh drive letter
    net use x: /delete
    net use x: \\YourServer\RepairShare$ /persistent:no
    rem keep one directory per machine and copy the fresh repair files there
    if not exist x:\%computername% md x:\%computername%
    copy %systemroot%\repair\* x:\%computername%
    net use x: /delete
The '-' in rdisk.exe /s- is important: it suppresses the dialog box, which an unattended script cannot answer! Note that the files in %systemroot%\repair contain the registry hives, including the Shutdown key with the script password, so the share must be readable by Administrators only.
del /q c:\temp\*
Thanks to Gary T. Desrosiers for his sample GINA source code.
If you have any suggestions, ideas for improvements, problems or anything else concerning the program or the documentation, send an e-mail to Alexander.Frink@Uni-Mainz.DE or snailmail to Alexander Frink, Hermann Schauss Str. 8, D-65232 Taunusstein, Germany.
A short list of possible improvements I have collected: