Adding a button to the Windows 7 Logon screen

BastianW · Nov 8, 2012 · Viewed 12.3k times

I want to implement self-reset password functionality for Windows 7 users. When the logon screen prompts, domain users should be presented with a "forgot password" button which will open the password reset wizard. So the problem is: how do I add a command button to the standard Windows logon screen?

I know about GINA in Windows XP, as mentioned here: Adding command button to Windows Logon screen

But this topic is 3 years old, and with Vista / Windows 7 Microsoft came up with the "Microsoft Windows Credential Provider".

Answer

ixe013 · Nov 9, 2012

Those buttons are called "Tiles", and they are implemented in a Credential Provider. Anything you read about a GINA will not work in Vista or later.

Those tiles are created by the LogonUI.exe process, itself launched by Winlogon.exe. LogonUI.exe runs with high privileges. You don't want to run anything there. Besides, any wizard you run will run under the system account. Security issues aside, anything that resets the password of the current user will not work.

But let's assume that you have a solution that can reset a user's password, like a web site (or a local application) that:

  1. Asks for the user's name
  2. Asks some security questions
  3. Connects to Active Directory to reset the password

Then here is a way to implement the functionality.

Create a user, a domain user if possible. Give it a name and a password that are easy to remember, like "reset" and "reset". Make sure that everybody knows the password.

Change the shell of that user to Internet Explorer, which you would run in kiosk mode, pointing to your web application.

Now, when someone wants to reset their password, here is what they will do:

  1. Use the standard Windows Credential Provider, like they do every day, but with the user "reset" and the password "reset".
  2. Instead of the normal Windows shell, they will be presented with your password reset web application.
  3. The user resets their password and they are instructed to log off using CTRL+ALT+DEL.
  4. They can log in with their own username and brand new password.

This idea can be improved upon if you are ready to write some code:

  • Instead of Internet Explorer, write a simple web application that wraps the web browser control. If the application is closed, or any other funny business happens, log off.
  • Hack one of the Credential Provider samples to supply the well-known password reset username and password, making password reset merely a click away.
  • Change that password reset credential provider's image to reflect the password reset functionality.
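The first improvement above (a wrapper around the browser control that logs the session off as soon as it is closed) is the one that turns the "reset" account into a real kiosk, because an unrestricted Internet Explorer window can be used to open any site, a file dialog, or Explorer itself. As an added example that is not part of the answer above nor of any Microsoft sample, here is a minimal WinForms wrapper written to be used as that account's shell. It assumes the reset web application is served at the placeholder `https://reset.example.internal/` (replace with your own); everything else is standard .NET WinForms and the documented `ExitWindowsEx` Win32 call.

```csharp
// Added example (not from the original answer): a kiosk wrapper around the WinForms
// WebBrowser control, meant to replace Explorer as the shell of the dedicated "reset"
// account. Only the reset application's own origin can be loaded; closing the window
// for any reason logs the session off.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Windows.Forms;

public class ResetKiosk : Form
{
    // Placeholder: replace with the URL of your own password reset web application.
    private static readonly Uri ResetUrl = new Uri("https://reset.example.internal/");

    [DllImport("user32.dll", SetLastError = true)]
    private static extern bool ExitWindowsEx(uint uFlags, uint dwReason);
    private const uint EWX_LOGOFF = 0x00000000;
    private const uint EWX_FORCE = 0x00000004;
    private const uint SHTDN_REASON_FLAG_PLANNED = 0x80000000;

    private readonly WebBrowser browser = new WebBrowser();

    public ResetKiosk()
    {
        // Borderless, maximized and always on top: the rest of the desktop is unreachable.
        FormBorderStyle = FormBorderStyle.None;
        WindowState = FormWindowState.Maximized;
        TopMost = true;

        browser.Dock = DockStyle.Fill;
        browser.IsWebBrowserContextMenuEnabled = false; // no "View source", "Open in new window", ...
        browser.WebBrowserShortcutsEnabled = false;     // no Ctrl+O / Ctrl+N / F12 developer tools
        browser.AllowWebBrowserDrop = false;            // no dropping files or URLs onto the page
        browser.ScriptErrorsSuppressed = true;
        browser.Navigating += OnNavigating;
        browser.NewWindow += OnNewWindow;
        Controls.Add(browser);

        // The wrapper *is* the shell: when it goes away, so does the session.
        FormClosed += delegate { LogOff(); };

        browser.Navigate(ResetUrl);
    }

    // Same scheme, host and port as the reset application; everything else is refused.
    private static bool IsAllowed(Uri target)
    {
        return target != null
            && target.Scheme == ResetUrl.Scheme
            && string.Equals(target.Host, ResetUrl.Host, StringComparison.OrdinalIgnoreCase)
            && target.Port == ResetUrl.Port;
    }

    private void OnNavigating(object sender, WebBrowserNavigatingEventArgs e)
    {
        // Off-site links and javascript:, file:, res:, about: URLs are all cancelled here.
        if (!IsAllowed(e.Url))
        {
            e.Cancel = true;
        }
    }

    private void OnNewWindow(object sender, CancelEventArgs e)
    {
        // A pop-up would open a full, unrestricted Internet Explorer window.
        e.Cancel = true;
    }

    private static void LogOff()
    {
        ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, SHTDN_REASON_FLAG_PLANNED);
    }

    [STAThread]
    public static void Main()
    {
        Application.EnableVisualStyles();
        Application.Run(new ResetKiosk());
        LogOff(); // reached if the message loop ends without FormClosed firing
    }
}
```

Build it as a Windows application and set its full path as the per-user shell of the "reset" account; because the form refuses every navigation outside the reset application's origin and logs off on close, there is no path from that account to a desktop, a file dialog, or another web site. If the reset application itself redirects to a second host (a federation or SSO page, for instance), add that host to `IsAllowed`; otherwise the redirect is silently cancelled and the page appears to hang, which is the first thing to check when testing.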