Making a custom ICredentialProviderCredential2 show for a local account that does not have a password

Alan Adams
2021-03-15T15:57:19.323+00:00

This is something I'm probably going to eventually figure out, but hoping someone who might know the answer could help speed things along.

How can I convince LogonUI to offer my V2 credential, even for a local Windows user account that does not have a password set yet?

Additional information:

I have a custom V2 credential provider which is working correctly, is using ICredentialProviderSetUserArray to learn the exact list of accounts and SIDs that LogonUI wants to present credentials for, and is successfully returning a credential with an ICredentialProviderCredential2 interface, on which LogonUI then uses GetUserSid to learn which account the credential was for. All that works fine.

What I'm noticing is that for local Windows user accounts that do not have an account password set yet, it's as though LogonUI "doesn't WANT to show" other available V2 credentials for those users. At least, that's the behavior I'm getting as observed on Windows 10 20H2 x64.

After reboot, if you select one of those users from the logon screen, LogonUI immediately proceeds with logon as that user who doesn't have a password set yet, without showing any "Sign-On Options" link you could have used to choose which credential provider to use.

If you log off from Windows instead of rebooting, then LogonUI does at least pause to show the selected credential instead of immediately logging on with it. But you still are not given any "Sign-On Options" link to choose among credential providers.

This is despite the fact that I can see, from my debug log, that LogonUI is aware that there is an additional V2 credential for that same user SID. If I change the user account password such that it's no longer a blank password, NOW LogonUI does show the "Sign-On Options" link and lets me choose among the available credentials for that same user.

The things I need to do from my V2 credential are still entirely valid even if "blank" is the current correct Windows account password for the user. It's fine if the user CHOOSES to use one of the other V2 credentials instead, but they need the ability to choose mine while their account password is still blank, too.

But I'm not seeing anything obvious I can do from my V2 credential for these users, that I'm not already doing, in order to convince LogonUI that alternative V2 credentials should be offered even when the Windows account password is blank.

Note we're not talking about an ARSO (Automatic Restart Sign-On) scenario, or "intentional automatic logon" of that sort. This is a behavior that repeats even when you simply log off from Windows, without rebooting. LogonUI does not seem to acknowledge the existence of additional V2 credentials for this local Windows user account, until the account has been assigned a password.
