"Shift" + "Ctrl" + "Esc" - Problem

[tbr]

Dear Madshi,

I am using MadCollectionBeta 2.6.2.7 and have the following problem:

My service injects my hook-DLLs into all processes except those on my exclude list and system applications.
That works fine except on Windows XP:
When I open the task manager using explorer bars context menu, it is being hooked. Process Explorer shows my DLL in the processes DLL list.
When I open the task manager by pressing "Shift" + "Ctrl" + "Esc", my DLL is not injected. The process is shown as child of winlogon.exe but its token has user credentials.
This is being reproduced on Windows XP SP3 and Windows XP X64 Edition SP2.
On Windows 7 the task manager is being hooked both times.

Do you have any idea on this?

Thanks,
TBR

[madshi]

When using Ctrl+Shift+Esc, the task manager is started with a "run as" similar logic. In the end it does run under your own user account, but it doesn't start that way. The madCodeHook injection driver sees the process at a point in time where the "run as" logic has not done its magic yet. As a result the task manager process "looks" like it's running under a system account. There's not much I can do about it.

A workaround for you would be to inject into system processes, too (only in XP), and then in your hook dll's DLL_PROCESS_ATTACH you can check whether you're in a system or user process and behave accordingly (e.g. in a system process do nothing).

[tbr]

Hello Madshi,

thank you for your workaround.
Can I make the AmSystemProcess call without having done InitializeMadCHook before?

[madshi]

I'd recommend to call InitializeMadCHook() before using any madCodeHook APIs. I can't guarantee stability if you don't do that, although it is possible that it would run stable without it, too. The static 32bit lib shipping with madCodeHook is based on a Delphi dll. And not calling InitializeMadCHook() means that the whole Delphi RTL won't be initialized at all, which is not what the RTL would ever expect.

[tbr]

Ok,
then i will follow your recommendation...
Thanks