How to make sure a Service starts BEFORE a user logs on?

  • Thread starter Thread starter Polaris
  • Start date Start date
P

Polaris

Hi:

I have a regular Windows Service program (not a kernel driver) which must
start BEFORE a user logs into his machine (XP or W2K). It works most of the
time, but sometimes, I noticed that it started AFTER I log on the machine;
especially if I logged in the machine fast right after a reboot.

Is there a way in the service program, I can do something to make sure that,
after reboot, the service starts before a user logs in the machine (no
matter how fast the user is trying to complete his logon process)?

Thanks In Advance !
Polaris
 
Services can, of course, take an arbitrary and unpredictable amount of
time to "start up". Off the top of my head, the only way I can think of
to do what you want here would be to write a GINA and synchronize its
passing on of credentials with completion of your service startup.

Ugly job, and nasty if there turns out to be a bug in your code :-).

Why does your service need to run before a user logs on? This sounds
suspiciously like you're asking the wrong question.
 
Thanks for the info.

Within the service program, I need to "detect" the event that the machine
has JUST rebooted. So I look for (each second) the change of logged on user
count: right after reboot, the logged on user count should be one (which is
the "System" account, assuming the service starts before any user has logged
on the machine). After the user logs on the machine, the service will notice
that the user count increased to 2 and get a "conclution" that the machine
must have JUST been rebooted. It works fine as long as the user did not log
on to the machine before the service starts.

May be there is other way to detect a reboot event?

Polaris
 
Polaris said:
Thanks for the info.

Within the service program, I need to "detect" the event that the
machine has JUST rebooted. So I look for (each second) the change of
logged on user count: right after reboot, the logged on user count
should be one (which is the "System" account, assuming the service
starts before any user has logged on the machine). After the user
logs on the machine, the service will notice that the user count
increased to 2 and get a "conclution" that the machine must have JUST
been rebooted. It works fine as long as the user did not log on to
the machine before the service starts.
May be there is other way to detect a reboot event?
Click to expand...

Given that you're actually detecting the user logging on and off, which
isn't the same thing at all as a reboot event, you could try watching the
system event log for "EventLog" to log a 6009 event closely followed by a
6005 event.

Or you could set the Net Logon service to have your service as a dependancy.
 
Hi Polaris,
just a stupid thought maybe, but how likely is it
that some user restarts your service?
So, isn't start of your service information enough
that the machine JUST rebootet?

Roland
 
Yes, there are tons of better ways to determine that the machine has
just booted. Probably the easiest really reliable way is to write a
non-unloadable kernel driver that starts during boot. Its DriverEntry
routine will be called exactly.

If you need a service, another poster suggested just using the start of
the service as a flag for this. That works too and is probably even
easier if you already have a service that does something you want it to
do. Services aren't normally restarted, and you can prevent that with
access controls if you're worried about a non-administrator restarting
it. If you're worried about an admin restarting your service, well,
there's not a lot you can do about that in the general case, so don't try.

BTW, detecting a "reboot" (as in a warm boot vs. a cold boot) is
somewhat harder (and a lot harder if not impossible if it has to
determine this with 100% reliability), but it doesn't sound like that's
what you're trying to do.

In any event, the "logged on user count" can be 1 in a large number of
circumstances, so I wouldn't use this as a key for anything.
 
Hi Polaris,
Thanks for the info.

Within the service program, I need to "detect" the event that the machine
has JUST rebooted. So I look for (each second) the change of logged on user
count: right after reboot, the logged on user count should be one (which is
the "System" account, assuming the service starts before any user has logged
on the machine). After the user logs on the machine, the service will notice
that the user count increased to 2 and get a "conclution" that the machine
must have JUST been rebooted. It works fine as long as the user did not log
on to the machine before the service starts.

May be there is other way to detect a reboot event?
Click to expand...

My suggestion is a winlogon notification package for the startup event.
This is really easy to create and reliable and gives you exactly the
event you are looking for: A machine startup. However, winlogon
notification packages are not an option if you target NT4.
 
Ray Trent said:
Services can, of course, take an arbitrary and unpredictable amount of
time to "start up". Off the top of my head, the only way I can think of to
do what you want here would be to write a GINA and synchronize its passing
on of credentials with completion of your service startup.

Ugly job, and nasty if there turns out to be a bug in your code :-).

Why does your service need to run before a user logs on? This sounds
suspiciously like you're asking the wrong question.
Click to expand...
There are all kinds of reasons to start before the user logins... especially
if the service is providing a feature that helps in the login process.

There is no need to try to find out reboots and the like... there is a
simple and architected way to have your service start before WinLogon. The
way is to tell the Service manager that your service is a member of a group
that is a DependOnGroup for WinLogon. Look at information about the
following Service registry key values: DependOnService, DependOnGroup and
Group.

Phil Doragh
 
Lots of options -
Login:
you can make a dll that is called by the gina for logins
you can replace the windows login gina with one of your own
you can set policies to track all log-in events (successful or not) and
watch for those
events in the registry.

Boot
People can't log in until drivers that have start value set for boot-up
are done at least
initializing so that's a a very good place and not much code.

there are group policies to log these events. On by default I believe. I
believe you can
set up alerts for these events also that can be used to trigger actions.

I wouldn't depend on login if you want to start 'before' login. I'd just
make it
a kernel service that starts on bootup and sets what information you want
during init. The downside is that will slow the machine's boot up some - it
may or may not be able to get WHQL cert if it takes too long :) If you care.

DMU
 
Back
Top