| Everyone |
| (Getting the hang of it) |
| 2004-07-20 05:50 PM |
|
BREAK OFF not working if SetConsole("Hide")
|
BREAK OFF appears not to work if SetConsole("Hide") under KiXtart 4.22 on Windows XP Professional Service Pack 1a systems. I haven't tested it on any other operating systems yet.
When the console is hidden, a user with local admin rights can terminate kix32.exe from the task managers process list without getting logged off.
Normal users get an "Access denied".
At first I thought it may have something to do with kix32.exe and the script being part of a kixcrypt .exe package. I tested running the script through normal means (not encoded into the .exe), same thing. I changed it to SetConsole("minimize"), and it worked as expected. The script logged me off when closing the console window, and when ending the process through task manager, just like it should.
Why isn't it doing this if the console is hidden?
Did I miss something in the manual that says it's supposed to behave this way?
| Les |
| (KiX Master) |
| 2004-07-20 07:48 PM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
I wonder why you use the "console" version (KiX32.exe) and not the "consoleless" WKiX32.exe since you are hiding the console anyway. BREAK has been kinda messed up in WKiX for a while too.
| Everyone |
| (Getting the hang of it) |
| 2004-07-20 08:18 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Quote:
I wonder why you use the "console" version (KiX32.exe) and not the "consoleless" WKiX32.exe since you are hiding the console anyway. BREAK has been kinda messed up in WKiX for a while too.
Because I want the user to be logged off it they terminate the script. WKiX doesn't do that. I have 2 different versions of the script, one using kixforms with no console display, and one without, where the console is set to alwaysontop in one case.
The one without kixforms is a fail safe for systems that kixforms.dll wasn't successfully loaded/registered on. The kixforms I've created are purely for looks, and not needed for the script to function.
A seperate script that has been put into a kixcrypt .exe package is loaded at the end of the logon script. One version with kixforms, one version that uses a console window. It sleeps in the background for 13 hours and 50 minutes, then pops up a message stating that domain logons are limited to 14 hours, and the user will be logged off in 10 minutes. The message displays a timer counting down from 10 minutes to 0. When the timer reaches 0, the script logs the user off.
For the version of it that uses the console... I don't have to worry about someone closing it, or ending the process, it will log them off, which is what is intended anyway. For the version without the console that uses a kixform, a user with local admin privileges can still terminate kix32.exe
Hopefully that explains it a little better.
Lonkero
|
| (KiX Master Guru) |
| 2004-07-20 08:24 PM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Code:
Because I want the user to be logged off it they terminate the script
so, actually, what you are saying that "break off" works just as it should.
you just don't want to read from the manual what it does.
and, you can't terminate wkix32 process with any priviledges without proper special tools.
| Bryce |
| (KiX Supporter) |
| 2004-07-20 09:41 PM |
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
actualy lonk, He is wanting the users to be loged off if the script is terminated while break is OFF, and accurding to the manual that is the stated behavior. I see no special instructions involving BREAK OFF and a hidden console. Many a time i forgot to set break on for a scriot only to have it enter a loop.. causing me to end the script via other means, and getting logged out
I have a small voice in the back of my head that this behavior/bug of break off and a hidden console for kix32.exe has been talked about before.... but be damned if i can find a topic on it.
Bryce
| Everyone |
| (Getting the hang of it) |
| 2004-07-21 01:27 AM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Quote:
so, actually, what you are saying that "break off" works just as it should.
you just don't want to read from the manual what it does.
Uh so actually you're just calling me lazy, because you were too lazy to read my posts. I know what the manual says it does, in fact if you read my posts, I mention the behavior described in the manual. What I am trying to figure out is why the behavior described in the manual isn't working if the console is hidden.
Quote:
and, you can't terminate wkix32 process with any priviledges without proper special tools.
Do you consider Task Manager a special tool? While logged in with an account that has local admin privileges to the workstation, I can go to the processes list in Task Manager, highlight wkix32.exe, click the "End Process" button, click "Yes" on the warning that says something about ending a process could adversely affect your system, and wkix32.exe will terminate. Now on my workstation, yes I do have all kinds of "special tools", such as the Windows Server 2003 resource kit. However none of those tools change the behavoir of the task manager. I can do the exact same thing from any other workstation on my network. In fact my test machine has nothing but the OS, Office, and all the latest service packs and hot fixes installed on it.
Quote:
I have a small voice in the back of my head that this behavior/bug of break off and a hidden console for kix32.exe has been talked about before.... but be damned if i can find a topic on it.
I couldn't find a topic on it either. Found some really old topics about modifying a .dll file to remove the close button from the console window... crazy stuff like that. Nothing specifically mentioning break off not working on a hidden console.
As soon as you change the console state to anything other than hidden, it works the way the manual says it should. Just doesn't work while it's still hidden.
| Les |
| (KiX Master) |
| 2004-07-21 01:42 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Well... all of your complaining will not change BREAK OFF unless of course you manage to bend Ruud's ear. You could start by NOT giving users admin rights.
| Les |
| (KiX Master) |
| 2004-07-21 01:48 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
BTW, Break may be broken but our board search is working. A quick search on the keywords:
break AND broken
revealed Interesting... and then some.
| Everyone |
| (Getting the hang of it) |
| 2004-07-21 01:59 AM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Not all users have admins rights. My network would be considered a MAN, it's spread out over a large land area, each LAN (a section of the MAN, all part of the same domain, seperated by OUs in Active Directory), has at least 1 user with local admin privleges to the workstations they are responsible for. The larger OU, the more admins assigned to that OU. We call them "Workgroup Managers"... even though the entire MAN is part of one domain, no workgorups exist on the network.
I do not want the "Workgroup Managers" terminating the script. They're the only ones on the network outside of my work center that even come close to having the level of computer literacy needed to know how to terminate a process. They don't always like to do the things we tell them, the logon script is one way to enforce things.
| Les |
| (KiX Master) |
| 2004-07-21 02:07 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Maybe you should do more in GPOs and less in the logon script. Besides trying to force-feed them the logon script, if they are quasi-techo-geeks, they can just rip much of what you do in the script and undo it. You should look at doing more with central admin scripts that reach them over the MAN providing you have the bandwidth.
| Everyone |
| (Getting the hang of it) |
| 2004-07-21 02:46 AM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
There's a catch, the MAN is part of a WAN. I don't control the WAN. Our MAN is just one domain, one "Tree" in the Active Directory "forest". Our AD servers are controlled by the people who control the WAN. We don't have access to GPOs. I've sent several GPO requests up to the people who control the WAN. They've added synchonous logon, and disable Windows XP fast logon optimization to the GPO at my request, but haven't added a few others I would like to see.
There isn't a GPO (that I know of) that will log a user off 14 hours after they log on. Don't want to set logon hours, due to shift work, and sheer number of users and workstations.
I'd post the script so you could understand what I'm doing, but it's 35 files, and over 3000 lines of code.
Thanks for the link to that thread. After reading that, it looks like this has been a problem since KiX 4.02, maybe even before that. I guess we have to do what Les said and "bend Ruud's ear" to get this fixed. Unless someone has another idea.
|
Lonkero
|
| (KiX Master Guru) |
| 2004-07-21 08:18 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
everyone...
you tried this only on XP machine?
without touching the "break" setting (i.e. using default) it logs you off.
anyway, what I've used to terminate my kix-processes has been "kill -f", so I won't be logged off.
kill hasn't worked on XP.
so, my quess would go it has something to do with the system.
can't say so much about XP as I almost never use it (thank god) nor kix32.exe as I never use it either.
but with wkix32.exe, setting break ON has always failed, way or another.
and without setting it, the behavior is still totally different to that of kix32.exe's
about my yesterday's post, ja, it was propably me who was lazy.
read the post but didn't bother understanding it before posting.
| Everyone |
| (Getting the hang of it) |
| 2004-07-21 04:47 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Lonkero,
Yes so far I've only tried this on XP machines. We're supposed to have everything on XP by the end of August. So XP machines are my main concern. It hasn't been just one XP system I've tried it on either, it's been 3 different ones. I'll try it on a couple 2000 machines as well.
Kill works fine for me on XP, but like I said, I've just been using the task manager.
I'm actually using wkix32.exe for the main logon script right now. Had planned to change that once everybody is using the script. Only using kix32.exe as part of the kixcrypt .exe package for the logon time limit script.
I haven't tried not using the break statement at all. I used kixforms designer to create the layout of my kixforms. I noticed that it adds BREAK ON to the script by default. I just searched through all my scripts and changed ON to OFF. I'll have to try removing the BREAK statement all together and see if that helps.
| Everyone |
| (Getting the hang of it) |
| 2004-07-21 05:20 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Ok here's the results of my tests.
Test Machine 1 and 2, Test 1
O/S: Windows XP
Privilege Level: Local Admin
BREAK: Not set (default)
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager terminates the process without logging me off.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 1 and 2, Test 2
O/S: Windows XP
Privilege Level: Local Admin
BREAK: BREAK OFF
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager terminates the process without logging me off.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 1 and 2, Test 3
O/S: Windows XP
Privilege Level: User
BREAK: Not set (default)
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 1 and 2, Test 4
O/S: Windows XP
Privilege Level: User
BREAK: BREAK OFF
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 3, Test 1
O/S: Windows 2000
Privilege Level: Local Admin
BREAK: Not set (default)
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 3, Test 2
O/S: Windows 2000
Privilege Level: Local Admin
BREAK: BREAK OFF
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 3, Test 3
O/S: Windows 2000
Privilege Level: User
BREAK: Not Set (default)
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
Test Machine 3, Test 4
O/S: Windows 2000
Privilege Level: User
BREAK: BREAK OFF
Console: Alwaysontop
Results: End Process on kix32.exe from Task Manager results in "Access Denied" error message.
Closing the console window results in logoff.
End Task on console window from Task Manager results in logoff.
I ran the same tests using kixforms instead of a console window. Set the console window to hide. The results were the same on ending the process. The only thing that's different is you can't do anything to terminate the script that results in it logging you off, since there's no console window to close or end task on.
So it appears the problem is only with users that have local admin privileges on Windows XP systems. If it gave an "Access Denied" when trying to end the process like it does on 2000, I'd be happy with that.
|
Lonkero
|
| (KiX Master Guru) |
| 2004-07-23 10:24 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
k, now you ran these all tests with kix32.exe and none with wkix32.exe
and, you can't close the console window of wkix32.exe as it's different design.
so, instead of logging user off, wkix just goes on with the script.
| Everyone |
| (Getting the hang of it) |
| 2004-07-28 11:17 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Lonkero:
I just ran the same tests using wkix32.exe instead of kix32.exe. The results are pretty much the same. A user with local admin rights on a Windows XP system can still end the process. The only difference is the console cannot be closed, and that's the way it's designed. So the problem still exists with being able to terminate a script if you have local admin rights on a Windows XP system. Doesn't matter if you use kix32.exe or wkix32.exe. As far as I can tell, everything works the way it's supposed to on Windows 2000 systems for both kix32.exe and wkix32.exe.
| Les |
| (KiX Master) |
| 2004-07-28 11:40 PM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
What happens if you code it to run as a scheduled task? If they keep killing the task, you could run a central script to see if the task is running and reboot the computer if it is not.
| Everyone |
| (Getting the hang of it) |
| 2004-07-28 11:46 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Les,
Interesting idea. I don't think that would be very practical with the number of users and workstations we have. I don't think my superiors would go for that either.
| Les |
| (KiX Master) |
| 2004-07-29 12:38 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Well then, you are back to square one. Your only choice then is to not hide the console.
| Everyone |
| (Getting the hang of it) |
| 2004-07-29 12:46 AM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Les,
No, not hiding the console doesn't fix anything. You could still terminate the script by ending the kix32.exe or wkix32.exe process through the task manager on Windows XP if you have local admin rights.
| Les |
| (KiX Master) |
| 2004-07-29 12:51 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Well, pardon me for missing the fine print. Your title "BREAK OFF not working if SetConsole("Hide")" is misleading.
Guess you are snookered.
|
Lonkero
|
| (KiX Master Guru) |
| 2004-07-29 02:05 AM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
indeed.
| Sealeopard |
| (KiX Master) |
| 2004-07-29 04:38 AM |
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
What exactly is actually the problem? A local administrator can kill pretty much any process in the windows Task Manager. And KiXtart has not ben written to be an unkillable process, anyway. Why make the user local administrator if you cannot even trust them?
| Everyone |
| (Getting the hang of it) |
| 2004-07-29 05:04 PM |
|
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Quote:
Well, pardon me for missing the fine print. Your title "BREAK OFF not working if SetConsole("Hide")" is misleading.
When I first posted this, I was under the impression that it only wasn't working if the console was set to hidden. After running more tests, it turned out that it didn't matter what the console was set to.
Quote:
What exactly is actually the problem?
A user with local administrator privileges on a Windows XP machine can terminate the KiXtart process(es) from the Windows Task Manager.
Quote:
A local administrator can kill pretty much any process in the windows Task Manager. And KiXtart has not ben written to be an unkillable process, anyway.
On Windows 2000 systems, any user, even one with local administrator privileges, will get an "Access Denied" message if they attempt to terminate the KiXtart process(es).
Quote:
Why make the user local administrator if you cannot even trust them?
Because someone higher up than me says I have to, and if I didn't, I'd have way too much work to do. Read the whole thread, it may make more sense then.
| Les |
| (KiX Master) |
| 2004-07-29 05:49 PM |
|
Re: BREAK OFF not working if SetConsole("Hide")
|
Since you are not prepared to work around this limitation, there is no further recourse... unless of course you manage to bend Ruud's ear. Even then, unless he is prepared to give you a special build, you would have to wait for a future release that can change the DACL on XP.
|
Shawn
|
| (KiX Supporter) |
| 2004-07-29 06:21 PM |
|
|
Re: BREAK OFF not working if SetConsole("Hide")
|
ja, only Ruud can fix afaik. He is probably aware of this, have seen other threads about this, here and on other boards he frequents.