GINA 0.9h (beta)

CONTENT:

1.   Introduction
2.   How does it work?
3.   Installation
4.   Registry entries
5.   Messages during operation
6.   System requirements
7.   GinaSetup program
8.   Uninstallation
9.   Notes
10 Bugs
11. History
12. Future
13. Contacts (with some details about the author)
14. Additional Utilities

1. Introduction:

NT has a few limititations:

The user can interrupt the login script
An administrator cannot logoff a user at a remote workstation
There are no user logon/logoff scripts
There are no system logon/logoff scripts
There is no easy way to stop the user using the SAS sequence and taskmanager during logon or any other time.

These are the reasons for the creation for the found GINA.DLL in this archive.
Before continuation a few terms need to be explained first. Note that some of the documentation provided is directly from the help file(s) provided by Microsoft® in the development environement.

What does SAS, Winlogon and Gina mean?

Winlogon is a component of Microsoft® Windows NT® that provides interactive, logon support. To allow for independent software vendor (ISV) and developer modifications to the interactive logon model, some aspects of Winlogon are replaceable. Specifically, the identification and authentication aspects of Winlogon are implemented in a replaceable dynamic-link library (DLL). This replaceable DLL is referred to as the Graphical Identification and Authentication DLL, or GINA. GINA lets developers implement smart-card, retinal-scan, or other authentication mechanisms in place of the standard Windows NT user name and password authentication.

Winlogon

WINLOGON.EXE is the executable image responsible for implementing interactive logon support. There are many aspects of interactive logon support, including an actual collection of identification and authentication information (as described under the term GINA), and a number of other functions such as window station and desktop management, screen-saver control, and multiple-network provider notifications.

GINA

This specification is used by developers who want to replace the component of Windows NT that performs identification and authentication of interactive users. This replaceable functionality is implemented as a dynamic-link library (DLL) which is loaded and called by WINLOGON.EXE. This DLL is referred to as the Graphical Identification and Authentication DLL, or GINA.

MSGINA.DLL

The standard GINA shipped with Windows NT is MSGINA.DLL.

Secure Attention Sequence (SAS)

Winlogon uses a special sequence of events to recognize when a user wants to log on or perform other secure operations. This sequence of events is referred to as the secure attention sequence or SAS. The SAS provides a secure way for users to enter identification and authentication information. In this way, users are protected from password-collection programs and other flaws inherent in timeshare systems.

As an example, in earlier timeshare systems, users could walk up to an apparently unused terminal and press the ENTER key. The system would then prompt for username and password information. The problem with this was that the terminal could sometimes be in use and with a password collector program running which made the logon appear like a normal logon. However, in reality, the "Trojan horse" program would store away the user's password and then indicate that the user had entered an invalid password (or indicate some other reason why the logon failed). The end result would be that the user just gave his or her password to someone else.

In Windows NT, users can enter a secure attention sequence (SAS). This prompts Winlogon to switch to a secure desktop that no "Trojan horse" program has access to. The SAS for a standard Windows NT system is the CTRL+ALT+DEL key combination. Developers writing a replacement GINA are encouraged to achieve the same level of security with their SAS. By using a device such as a smart-card reader, the SAS could be the insertion or removal of a smart card. Developers can also choose to retain the CTRL+ALT+DEL key combination as the SAS.

Winlogon Process

Winlogon serves as the process that authenticates and logs on the interactive user. Winlogon is in one of three states at any given time. These states are illustrated in the following diagram.

Logged-off State

When Winlogon is in the logged-off state, users are prompted to identify themselves and provide authentication information. If a user provides correct user account information and no restrictions prevent it, the user is logged on and a shell program (such as EXPLORER.EXE) is activated in the user's context. Winlogon changes into the logged-on state.

Logged-on State

When Winlogon is in the logged-on state, users can interact with the shell, activate additional applications, and generally perform their work. From the logged-on state, users can either stop all work and log off, or lock their workstations (leaving all work in place). If the user decides to log off, Winlogon will terminate all processes associated with that logon session and the window station will be available for another user. If, instead, the user decides to lock the workstation, then a secure desktop is displayed.

Workstation-locked State

When Winlogon is in the workstation-locked state, the secure desktop is displayed either until the user unlocks the workstation (by providing identification and authentication information that matches the information provided by the user who originally logged on), or until an administrator forces a logoff. If the workstation is unlocked, the user's typical desktop is again displayed and work can resume. If, however, an administrator unlocks the workstation (by providing the identification and authentication information of an administrator account), the logged-on user's processes are terminated and the workstation becomes available for another user. However, the adminstrator must be in front of that workstation to log off the user.

Development of the provided GINA:

Microsoft® provides the required information in its development environment called Microsoft® Visual Studio 97 in two subdirectories called "Gina" and Ginastub" in DevStudio\Vc\Samples\Sdk\Winnt\Security\. Most of the information in this readme file is from the help file found in the Gina dirs called "gina.hlp".

There are two ways now to provide GINA functionality:

Rewrite GINA and provide all functionality in that new GINA
Hook into the Microsoft® original MSGINA and only provide additional functionality and let the orginal MSGINA do the rest.

The GINA provided in this archive uses the second way, a so called GINASTUB.
Therefore all the original functionality is securely provided as shown in "MSGINA Features".

This GINA uses some of the functionality of Alexander Frinks GINA found at http://wwwthep.physik.uni-mainz.de/~frink/nt.html. I have tried to contact Alexander at Alexander.Frink@Uni-Mainz.DE but he never responded to my emails. I wanted to incorporate some/all of his GINA's functionality (not neccessarily using his code). The functionality of his GINA is provided by the GINA in this archive.

Back to the top.

2. How does it work?

Windows NT is shipped to load and execute the standard Microsoft GINA (MSGINA.DLL). To load a different GINA or use a GINASTUB, you must alter the following registry key value in the HKEY_LOCAL_MACHINE registry:

KeyName: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ValueName: GinaDLL
ValueType: [REG_SZ]

If this value is present, it should have a GINA name and the GINA MUST reside in the system32 directory. The name of the PATH does not need to be included in the valuename, it is known to be found in the system32 directory. Winlogon will load and use that GinaDll.

Note: Failure to provide a dll in the system32 once you have set the registry entry will hang your system upon the next boot, because Winlogon will try to load a GinaDll with the specified name and its not there. If you just make the value and do not provide a name and keace it empty the system will try to load a GINA with a name "" and hence stall!

Upon system startup the GinaDll is loaded and stays in memory for the entire system uptime.
At startup it sets up some default values and provides functionality to the LAUNCHER program (provided in this archive) and acts upon the FLAG SETTINGS which are under the root HKEY_LOCAL_MACHINE of the registry under the keys:

    \Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceLogoff
    \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Logoff
    \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Logon
    \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shutdown

and

\Software\UserCommandLauncher\System
\Software\UserCommandLauncher\User

These flags decide what the GINA does when certain system events occur, eg the user presses the SAS, logoff, logon and even forcelogoff. These flags (registry entries) are explained below in Registry Entries.

Back to the top.

3. Installation:

Read my legal information first.

You must make sure that you can recover you system to its original working state.
You have a number of possibilites:

Have an emergency partition available:

You can have one build into the system on a spare partition, use the minimal install of WINNT to do so.

All systems in my company have a removable hardisk slot so in case of a problem I can boot from that emergency partion.

NTSID

Use ERD commander from NT System Internals to make bootable floppies.

Use RDISK from the Windows NT command utilities to make a backup of your registry and other. You can use the 3 NT bootdisks (or bootable CDROM) and the emergency repair disk to get your system back.

Use Rdisk to make a backup copy of your registry without the "S" switch to backup the registry into the repair directory of the current install. Then use SCOPY to copy your WINNT directory to WINNT2 (or some other name) on the same partition as your system. (you need of course lots of space!) Then expand the BACKED UP registry to the newly created WINNT2 directory and you made a copy of your complete system without the install hassles in a short time!

I prefer the option with the removable hardisk for obvious reasons as it solves many other problems as well!

Precautions:

A GinaDll operates in the context of the Winlogon process and, as such, is invoked at the later stages of the boot process. The DLL must follow rules so the integrity of the system is maintained, particularly in respect to interaction with the user. When installing the GINA make sure that AT THE VERY LEAST that:

the specified gina as in the registry entry is in the \winnt\system32 directory
the registry entry is pointing to the correct gina.

If you have a registry entry pointing to LauncherGina.dll but there is no gina with that name in the system32 directory your system will boot happily but once the "Press Ctrl-Alt-Del to log on" should appear your system will crash with a BOD (Blue Screen of Death) because Winlogon.exe is trying to find the non-exixsting GINA! So once you have the registry entry make sure the gina is in the system32 directory!
You will have the same problem with a faulty gina.

Unzip the archive:

You are looking at the HTML file so you must have already unzipped the files.

Unzip the archive into a temporary directory. You can keep this directory afterwards to keep all the binaries at a position related to Gina and Launcher and rename it as you wish.

The only files needed are the Launcher in the \\PDC\netlogon directory and Gina in the system32 directory.
All other files are optional one you have installed everything.

Installing Gina:

You can either do it by hand or use the provided utils to do it for you!

Do it by hand:
Copy the Gina in this archive to the system32 directory.
If you have had a GINA before you must move the old GinaDll to some other name eg Gina.old, Windows uses THAT GinaDll until you reboot! Once you have moved the original gina to a "backup gina" you can copy the new gina into the system32 directory.
Note that you cannot copy over the original GinaDll since the file is IN USE, hence the move first and then the copy.
If you never had a GINA before simply copy the gina into the system32 directory.
The same is valid if your previous GINA has a different name. You can simply copy the new GinaDll into the system dir and set the value GinaDLL in the Winlogon registry entry to point to the new gina and REBOOT to make that Gina the current one.

Example where the gina is in the current directory with a previous gina installed:

    del d:\winnt\system32\LauncherGina.old
    move d:\winnt\system32\LauncherGina.dll d:\winnt\system32\LauncherGina.old
    copy LauncherGina.dll d:\winnt\system32\LauncherGina.dll

Once you have copied the gina you must set the registry entry of GinaDLL to point to this Gina for the GINA to become active.
If you have had a Gina and the GinaNames are the same you do not need to do anything other then set the registry entries to suit your needs. You can just call GinaSetup.exe to setup some default values and reboot!
If you never had a Gina you must enter the GinaDLL into the registry for the gina to become active. If you do not enter a name and you reboot nothing will happen, the gina will simply not load!

Use Utils provided:

Use the GinaSetup.exe to copy Gina to the system32 directory.
Use "CopyGinaToSystemDir.cmd" in the Gina subdirectory of this archive to copy the dll to the system32 directory.

Use the "Setup.exe" in the archives "setup" subdirectory and follow the instructions during the setup process.

which type of install you want; either "typical" or "custom".

where you want the files to be copied to (%systemroot%\Program Files\LauncherGina is the default)
whether you want to start copying

Setup.

Registry entries:

You have a number of options to setup the registry keys:

Do it by hand (but I think this is cumbersome)
Use the provided *.reg files to merge the registry entries into the registry using "regedit.exe"
Use the provided *.regini files to merge the registry entries into the registry using a utility found in the NTRESKIT called "regini.exe". This has the advantage as it sets the permissions as well.

for /f "skip=3 eol=T" %i in ('net view') do regini -m \\%i winlogon.regini

which would find all the machines on the network and "regini" would set the registry entries on all machines found to the registry values found in the file "usercommandlauncher.regini". I use this command quite often.

Use the provided "GinaSetup.exe" to setup the registry entries.

Back to the top.

4. Registry entries:

This section has two purposes:

It will introduce the readers to the feature available in this GINA.
It will show which registry entries to set to request certain features.

All values for the Gina are found in the root: HKEY_LOCAL_MACHINE!
All of the values for the GINA are of the same type: REG_SZ!
Make sure that all registry entries are READONLY for everyone, full control for Admins, Creator Owner and System, except for the "shutdown" key which should only be visible for the appropriate people!

KEY: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon This key sets the basic featues of the Gina: GinaName Logon Box behaviour Ctrl-Alt-Del dialog box behaviour Script execution behaviour Force Logon flag Flag to show whether somebody is logged on
ValueName	Value Range	Description

GinaDLL	Name of DLL	This is the name of the GinaDll. This fields must match the name of the GinaDll in the system32 dir.
OriginalGina	Orginal Gina Name	This is the name of the Gina which was original on the system, usually "msgina.dll". Note that a number of vendor ginas do not provide proper setup and fail to work with GinaStubs (as launcher gina is).
NeedCtrlAltDel	"1": Ctrl-Alt-Del required "0": Ctrl-Alt-Del NOT required	Controls if you have to press `Ctrl-Alt-Del` to bring up the logon box. Disabling this options makes your system vulnerable to Trojan Horse attacks; a malicious user could write a program that looks like the logon box, but captures the password you entered to a file. This is certainly not a problem for your home machine.
CtrlAltDelBox	"1": Ctrl-Alt-Del enabled "0": Ctrl-Alt-Del disabled	This flag enables or disables the ability to start the Windows NT Security Dialogbox (the one which has the Lock Workstation, Logoff, Shutdown, Change Password and TaskManager button) using Ctrl-Alt-Del. If set it will simply do nothing. During the login process with Launcher together it is set to disabled so the user cannot stop the script by other means, after the scripts have finished it is set to the state it was found before Launcher start. Note: if logging in as admin the Ctrl-Alt-Del is enabled for admins to enable the use of Taskmanager.
CtrlAltDelBoxNever	"1": Ctrl-Alt-Del always disabled "0": Ctrl-Alt-Del is enabled is above is set to "0".	This disables the Ctrl-Alt-Del to start the Windows Security dialog box for the entire logon session. It simply overwrites the flag above. If this is set the above flag has no influence and the user is not able to use the Windows Security Box.
UseCtrlAltDelBox	"1": Use above flags "0": Do not use above flags	This is an overriding flag. It simply enables or disables the use of the two flags above CtrlAltDelBox and CtrlAltDelBoxNever. It is a quick way to override the functions of both flags above and could be used for debugging purposes, adminstrative functions etc.
ShutdownWithoutLogon	"1": Shutdown button on Logon box. "0":Shutdown button NOT on Logon box.	This is a Windows NT flag provided by Microsoft. I simply included this flag to enable quick reboots from the shutdown box when I install new software or I am testing script/programs on machines. It should ALWAYS be set to "0" (in my eyes).
RunLogonScriptSync	"1": Run scripts in sync. "0": Do not run scripts in sync.	This flag enables/diables the start of the desktop (and hence menus) before/after the logon scripts have finished. If it is enabled the logon scripts will be finished before the desktop is launched. This has advantages not only for security purposes but it will make sure that every mapping/setups are finished before the use can proceed to start work! It should ALWAYS be set to "1" (in my eyes).
ForceLogoff	"1": Force user logoff enabled "0": Force user logoff disabled	If this flag is set to "1" the user is logged of after a delay of maximum of 60 seconds: The flag is checked by the underlying layer ever 60 seconds and if found "1" the user is logged off, if found "0" the checking process is put to sleep for another 60 seconds, thus if the flag is set in the middle of the 60 secs the user will be logged off after 30secs. The overhead put onto the system is very minimal and I could not measure it with any of the utilities I could get my hands on.
AllowProtectedSS	"1": allow protected SS "0": disallow protected SS	This flag allows/disallows the user the use of protected screen savers. If it is set this flag overrides the settings in the "Display Control Panel" and even if "password protected" is set it will disable the screen saver by the normal process of moving the mouse or touching the keyboard. If set to "0" the setting of the protected screensaver in the display panel will be valid.
SomeBodyLoggedOn	"1": User logged on "0": Nobody logged on	This flag is set by the GinaDll whenever somebody logs into the machine. Thus an adminstrator could use utils like regedt32.exe, reg.exe(NtResKit) or Perl to find out whether somebody is logged on to a machine. Do not change the settings of the flag as it is set be the GinaDll upon logon of user to the system and reset when the user logs out!

KEY: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Logon This values in this key set the values for LOGON scripts: Logfile Script names Timeout
ValueName	Value Range	Description

LogFile	Empty or Name of file	This is the name of the logfile. All output produced by the logoff script end up in this file or are discarded if no file is specified.
SystemScript	Empty or Name of File	If set it is the name of the script which should be executed when logon occurs. This script runs under the context of "SYSTEM ACCOUNT" so make sure that the file is READ ONLY (or none) by everyone! If empty no system script will be executed.
UserScript	Empty or Name of File	If set it is the name of the script which should be executed when logon occurs and be run under the context of the user. You simply could point this to a script in the user dirs called z:\logon.cmd. If empty no user script will be executed.
Timeout	time in seconds	This makes sure that hang scripts are killed after an elapsed time to make sure no zombies are hanging around and users can't do silly things in their scripts. The disadavantage is that the time must be long enough for the script to finish properly or it will be killed before it finshed.

KEY: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Logoff This values in this key set the values for LOGOFF scripts: Logfile ScriptName Timeout
ValueName	Value Range	Description

LogFile	Empty or Name of file	This is the name of the logfile. All output produced by the logoff script end up in this file or are discarded if no file is specified.
SystemScript	Empty or Name of file	If set it is the name of the script which should be executed when a logoff occurs. This script runs under the context of "SYSTEM ACCOUNT" so make sure that the file is READ ONLY (or none) by everyone! If empty no system script will be executed.
UserScript	Empty or Name of file	If set it is the name of the script which should be executed when a logoff occurs and be run under the context of the user. You simply could point this to a script in the user dirs called z:\logoff.cmd. If empty no user script will be executed.
Timeout	time in seconds	This makes sure that hang scripts are killed after an elapsed time to make sure no zombies are hanging around and users can't do silly things in their scripts. The disadavantage is that the time must be long enough for the script to finish properly or it will be killed before it finshed.

KEY: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shutdown This values in this key set the values for SHUTDOWN scripts: Logfile ScriptName TimeoutTimeout Make sure you set the security settings appoproate if you have a password in this key as the password must be given in ASCII.
ValueName	Value Range	Description

Logfile	Empty or Name of file	This is the name of the logfile. All output produced by the logoff script end up in this file or are discarded if no file is specified.
Account	Empty or Name of User	This is the name of the account under which context the shutdown script should be run, it should be a valid account or the script will fail as the underlying layer will log into that account before executing the script! If this is empty it default to the "SYSTEM ACCOUNT" so make sure that the script file has the appropriate security settings!
Password	Empty or password of account	This should be the password for the above account. Note that the password is in straight ASCII so make sure that permissions are set appropriately for this key!
Script	Empty or Name of file	If set it is the name of the script which should be executed when logon occurs and be run under the context ACCOUNT. Make sure that the script receives the appropriate security settings!
Timeout	timeout in seconds	This makes sure that hang scripts are killed after an elapsed time to make sure no zombies are hanging around and users can't do silly things in their scripts. The disadavantage is that the time must be long enough for the script to finish properly or it will be killed before it finshed.

KEY: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceLogoff This values in this key set the values for FORCELOGOFF scripts: Logfile Script Logoff Program Timeout ForceLogoff scripts deal with the forced logoff of a user at a remote machine (or local, be careful !!). Note that the LOGOFF process is initiated within GinaDll and does not require an external logoff utility. The logoff script can be used to warn the user with a TIMED message. Once the script finishes the user is logged out, hence if the script is empty, the user is logged out straight away. Note there is a small timedelay in the response to the setting of the flag as the checking of the "Forcelogoff flag" is done every 60 seconds with very little overhead for the system.
ValueName	Value Range	Description

Logfile	Empty or Name of file	This is the name of the logfile. All output produced by the logoff script will end up in this file or are discarded if no file is specified. The output of the Logoff process will be written to this file as well.
Script	Empty or Name of file	If set it is the name of the script which should be executed when a forced logoff occurs. This script runs under the context of the current user account. If empty no script will be executed but the user will still be logged off! Note the script does not need to include a logoff program (as this is done within the GinaDll), it should contain a message for the user that a logoff is pending and s/he should save the work and maybe some cleanup stuff! Not that the script SHOULD CONTAIN a SLEEP function as the user is logged off as soon as the script is finished.
Timeout	timeout in seconds	This makes sure that hung scripts are killed after an elapsed time to make sure no zombies are hanging around and users can't do silly things in their scripts. This makes sure too that the user MUST LOGOFF or SAVE THE DATA within a certain timeout, if the user does not press the Messagebox "OK" button and the messagebox is not started using "start" then the script would never return. The timeout makes sure that the user will be logged out once the timeout is elapsed. If you specify a SLEEP within the script which is LONGER than the timeout, the script is terminated after the timeout time elapses!

There are some example scripts in the subdirectory "scripts" in this archive.

Back to the top.

5. Messages during operation:

All output from the user scripts is redirected into the appropriate logfiles so you will be able to find out why a particular step did not work or whether it succeded!
The output from the logout sequence is written into the ForceLogoffLog as well, so you can remotely see whether the user was logged off (or simply click on the "CHECK" button on GinaSetup!)
The GinaDll does not produce any information. If there is enough interest I might put some logging infromation into the GinaDll but I do not think it nesseccary.

Back to the top.

6.System requirements

The following setup is required for Launcher 0.9h to work:

Windows NT 4.0 with Service Pack 3!

Administrative user rights
It will NOT WORK on Windows95 as a GINA is not supported on Windows 95.

Platforms supported:

Intel

Back to the top.

7. GinaSetup:

Provided in this archive is a program called GinaSetup.exe.
This tools provides you with a GUI interface to setup a local or remote GINA.

Upon starting GinaSetup checks whether the registry entries required for GINA are available and if available it displays the values as found in the field boxes.

If they are not available the field boxes will be blank and you need to use the "Initialize" button to enter the entries (with default values) into the registry. This has the advantage that you can setup other machines without setting up the machine you are working on (my servers do not have the gina running as no user can log onto them anyway).

You can change the values simply by typing into the field boxes and then press update to write the values into the registry. Pressing cancel will close the setup program without updating the values.
Upon startup you see:

Install Only

Gina Name

Original Gina

Copy From

Copy To

Copy

It has advantages if not using the MOVEFILE on REBOOT. The file is copied immediately and visible straight away in the system32 directory, hence you can see what file you moved to the system32 dir!

The disadavantage is that the user needs to know the limitations
The original GinaDll (if one is there) MUST BE MOVED to anotherfile eg:

move mygina.dll mygina.old

before the a new gina can be copied since IN USE system files cannot be deleted but can be MOVED!
WindowsNT then "knows" that the original GinaDll now has a different file name and the file in USE is now the one with the new name. The advantage is you can copy as many as you like to the original name (or leave it blank if you leave the entry to GinaDll in the registry blank as well!)
You cant move another file to mygina.old since that file is now in USE!

Normal working conditions:

You need to have the GINA setup and running (rebooted) for these to work!

Computer

Connect

CheckLogon

Force User Logoff Connected Machine

Update

Cancel

Initialize
This sets up the entries in the registry with default values.
Note that upon startup this program checks whether there are any values found in the registry and if none are found the field boxes are empty.

All other fields are explained in the Regsitry section above.

Back to the top.

8. UNINSTALLATION:

You MUST FIRST delete the following value

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

and reboot the machine. You may not leave the value empty, you MUST DELETE IT.
Failure to delete the value will hang your machine upon reboot as WINLOGON trys to load a DLL
with the empty name of "". That file does not exist and you will not be able to make the file, see Notes.

After this step you must reboot the computer so the DLL will not be loaded upn startup.
Then you are able to remove the files:

LauncherGina.dll
LauncherGina.dll.old (if exist)

from the \winnt\system32 directory. You cannot delete the DLL before reboot since WinNT has a lock on it (as it is using it)!

Once you have rebooted you can delete the following values within the keys:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    GinaDLL
    NeedCtrlAltDel
    CtrlAltDelBox
    CtrlAltDelBoxNever
    UseCtrlAltDelBox
    ShutdownWithoutLogon
    RunLogonScriptSync
    ForceLogoff
    AllowProtectedSS
    SomeBodyLoggedOn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\ForceLogoff
        Script
        Logfile
        Timeout
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Logoff
        UserScript
        SystemScript
        LogFile
        timeout
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Logon
        SystemScript
        LogFile
        timeout
        UserScript
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Shutdown
        Script
        Logfile
        Timeout
        Account
        Password

If you delete these values before you have rebooted the machine some of the values will reappear as the still loaded GinaDll will set some of the values again. So make sure the GinaDll is not loaded upon startup before you remove the values or you have to do some of the removals again.

For NTREskit Users:

If you have the NTResource Kit you can use the included "RemoveGinaValues.cmd" in the registry subdirectory of this archive to remove all the values from the registry. It uses the NTResourceKit utility "reg.exe"!

Make sure you have permissions do delete the keys, ie Administrative rights for THAT machine!
Make sure the file REG.EXE and CHOICE.EXE are in the path specified by the NTRESKIT environmental variable, these are checked before the util executes!
Specify the COMPUTERNAME of the remote machine as parameter where you want to delete the values or specify "local" if you want to remove them from the local machine.

For Setup users:

If you used SETUP.EXE you can simply run the UNISTALL option from the Add/Remove panel of the control panel. The name of the unistall option is "LanucherGina".

Back to the top.

9. NOTES:

Make sure you understand what this GINA does before you install it.

Make sure that you have a valid GinaDll in the system32 directory if you specify a GinaDll name in the registry. Your computer will hang with BOD upon reboot once Winlogon is trying to load a not available GINA!

Make sure you have the Emergency disk handy in case soething goes wrong if you do not have another boot partition available!
It does not matter if you have not setup the registry keys!

If you bugger things up you can ALWAYS connect to the machine with problems (Using regedt32) and change the REGISTRY settings on that machine.

You MUST delete the value "GinaDLL" from the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key when you want to un-install. Do not leave an EMPTY "GinaDLL" value as it will hang your machine on your next reboot! Why? Winlogon will try to load a GinaDll with no name and because its not there it will hang! There is no way to copy "LauncherGina.dll" to an empty filename like "" to let Winlogon load that file. If this happens to you you must boot to a secondary installation of WinNT (see above) to load the software hive and delete the entry or use the Emergency disk to repair your primary WinNT installation!

Back to the top.

10. Bugs:

I do not know of any bugs.
It works everyday in my company and I have not had a machine crashing for the last few weeks after this version was installed.

Please! If you find one dont throw the utility away! Send me some mail and I fix it!

Back to the top.

11. History:

0.0	used it for my own company with hardcoded settings
0.1	bugfix as I forgot to pass on some messages. (It hung on occasions one of my machines).
0.2 - 0.8	Changes to the program - registry use: away from hardcoded - added readme file(s)
0.9	First release to friends to give it a test.
0.9a	Logoff scripts Logon scripts Copy gina button on GUI A few more switches avaiable on the GUI
0.9b - 0.9g	ForceLogoff user on remote machines. Furthermore it took a while to update this as I my son was born last year! Lots of nappy changes instead of code changes.
0.9h	Made Launcher/Gina compatible. Added a setup program to make administration easier. (Although I dont use it, I have my little script files in Perl inc using some of the NTRESKIT utils).

Back to the top.

12. Future:

Uninstall program
Encrypt password for the shutdown script
other platforms

Back to the top.

13. Contacts:

The program was written for two reasons:
- There are no logon/logoff/shutdown script (problem with time settings etc)
- The user can interrupt the logon scripts
- I cannot logoff somebody from my admin station

I have been programming for years in different environments including various flavours of UNIX, OS/2 (Initor is one of my programs there) and for my PhD (some 30000 lines of code!). I have been a Tutor/Demonstrator for various languages including ASM, FORTRAN, PASCAL, COBOL, C and C++. This program is written in C as it would be total overkill to write it in C++!

I look after the LAN in a company (I own it 50%). We had OS/2 but due to companies not providing code for Win3.1 anymore I needed to move to NT. NT certainly has some good features and is better than OS/2 in some cases, but note(!) that in 3.5 years of OS/2 (WARP3) I had not ONE day where the system wasn't working at *ALL* times and the only problem I had every now and then is that an application send some funny chars to the printer and that stopped it working (a little reset fixed that!).

Jobst Schmalenbach
Technical Director of Barrett Consulting Group PTY LTD and Part time PhD student
PO Box 277
782 Glenhuntly Road
Caulfield South, Vic, 3162
Australia

Phone : 61 3 9532 7677
Fax : 61 3 9532 7388
Mobile: 61 41 161 1855

Email : jobst@senna.eng.monash.edu.au (and soon jobst@barrett.com.au)

Back to the top.

14. Additional Utilities:

I have included two utilties which can be used with the LauncherGina in the script files.
Use these programs as stated by the author in the help or by the GNU General Public License.

MSGBOX

SLEEP

Back to the top.

Enjoy the "LauncherGina".
Jobst Schmalenbach