2

I am working with screen sharing project.But i was got into trouble to capture secure desktop. I have already ask related question here and got Answer too

Pls go through above link

as suggested by dymanoid. I am using PsExec exe to capture secured desktop/winlogon desktop as below

The /x and /s switches run the process under the SYSTEM account and on the Winlogon desktop.

PsExec /i /h /x /d /s "path_\screencapture.exe"

Now screencapture exe is running as SYSTEM account on winlogon desktop, i able to see screencapture exe on user login screen but not on user desktop screen.

Now the things reverse i able to capture user login screen but not user desktop.

User desktop gives me Empty/black screen.

If i remove /x from command as below then i able to get userdesktop not secured desktop

PsExec /i /h /d /s "path_\screencapture.exe"

My question is if there any way to do this

Azar Shaikh
  • 445
  • 9
  • 26
  • Perhaps you could set a boolean to see whether you already logged in and you make an if statement to use one command or the other – nalnpir Nov 01 '18 at 13:05
  • my first exe is connected with socket with another computer sending captured screen.in middle secure desktop/UAC appears.how can I start another instance of exe to connect same socket – Azar Shaikh Nov 01 '18 at 13:12

1 Answers1

2

I am unable to test my theory since I'm at work. + I do not have the rights to comment yet... So please bear with me, if this does not work.

Running as system could be related that it does not have a "desktop" directory. So please create a these directories:

32-bit: %windir%\System32\config\systemprofile\desktop
64-bit: %windir%\SYSWOW64\config\systemprofile\desktop

Try again with the SYSTEM account:

PsExec -i -h -x -d -s "path_\screencapture.exe"

Sometimes the working directory is "read only" so by specifying that you could get it to work

PsExec -i -h -x -d -s -w c:\temp "path_\screencapture.exe"

If that does not work, try to attach it to a session, query the user-sessions available to see if a secure desktop are running its own sessioname, i command-prompt enter this:

query sessions

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           xxxx                      2  Active
 rdp-tcp                                 65536  Listen

My only session available here is services = 0 and mylogin = 2.

I would suggest to try

PsExec -i 0 -h -x -d -s -w c:\temp "path_\screencapture.exe"

or

PsExec -i 2 -h -x -d -s -w c:\temp "path_\screencapture.exe"

And see if there are any difference in the captures.

I have never worked with the secure desktop before, so it could be an extra layer. In a user situation the -i has always worked fine for me.

Good luck :)

Edit:
I have tested this out with luck, this is what I did:

  1. Downloaded a capture tool with gui, I tried 7capture.com

  2. Then I started 7capture.exe like this:

PsExec -i -s -x c:\7capture.exe

  1. Now I showed the secure desktop with "run as admin" on something. When the popup comes, I pushed ALT+TAB and there was 7capture :)

  2. Press the "Refresh" button to see a list of items. The "desktop" is called something like "$$$Secure UAP Background window" on my computer.

  3. Voila, capture taken and visible

Now for the code on Screenshot secure desktop

I would change the desktop HWND call:

Win32Stuff.GetDesktopWindow();

To a Enum function and take a picture of every HWND you find in the secure desktop.

Untested, but I belive you can use this:

[DllImport("user32.dll")]
private static extern bool EnumWindows(EnumWindowsProc enumProc, IntPtr lParam);

// Delegate to filter which windows to include 
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

Give that a try and see if you can make it work for all scenarios.

Edit2:
Since these are 2 different user scopes, you need to run two copies of Screencapture.exe. One for secure desktop and one for the interactive session: UAC:

PsExec -i -h -x -d -s "path_\screencapture.exe"

Without UAC:

PsExec -i -h -d "path_\screencapture.exe"

Large
  • 587
  • 4
  • 16
  • 1
    Thanks i have already tried this none of this option works.Thanks for your input – Azar Shaikh Nov 04 '18 at 16:58
  • I added a test using a gui-based tool. If you implement a change in the HWND function you might get a screencapture of what you want. – Large Nov 04 '18 at 21:36
  • I tried, application running as SYSTEM account not allowed to capture user desktop.EnumWindows also a different challenge on Remote desktop where multiple users are connected . Also i tried install service of computer 'with allow service to interact with desktop option'. it also did not work. I can not maintain different application as my application interacting user keyboard and mouse with single socket connection – Azar Shaikh Nov 05 '18 at 05:32
  • On my edit2 one application runs at the secure desktop and the other in each userspace. If you require a single connection and that only one application sends a Mutex / broadcast solution could work for you: https://www.codeproject.com/Tips/1017834/How-to-Send-Data-from-One-Process-to-Another-in-Cs Since the secure desktop only requires to run once, each of the "user sessions" can store and send data to this master-program – Large Nov 05 '18 at 06:10
  • 1
    Yes i observed team viewer. it also maintains two application.One is user GUI application and other is SYSTEM account application.i guess it communicate with SYSTEM account application whenever require secure desktop screenshot using piped connection or as you said using broadcast solution. Thanks for your efforts – Azar Shaikh Nov 05 '18 at 07:00
  • I did with piped connection. Maintaining two application .One is user gui application and other service winlogon exe.Whenever i got black or empty image. I request service with piped connection to send me UAC screen shot. It works:) – Azar Shaikh Nov 30 '18 at 15:27