Persistent MOF FIDO-Key Removal Issue

Shaun 21 Reputation points
2022-08-14T19:23:05.6+00:00

Hi,

I have been struggling with a compiled MOF. What I'm trying to do is create an event filter which triggers when a FIDO key is removed from a machine. I am then trying to configure an event consumer to execute rundll32.exe user32.dll,LockWorkStation which will then lock the workstation whenever a FIDO key is removed.

Please see the MOF below:

pragma namespace("\\.\root\subscription")

instance of __EventFilter as $EventFilter

{

EventNamespace = "Root\\Cimv2";   

Name  = "Test Command Line Event Filter";   

Query = "Select * From __InstanceDeletionEvent Within 2 "    

        "Where TargetInstance Isa 'Win32_PNPEntity' "   

    "And TargetInstance.Manufacturer LIKE 'FIDO' ";   

QueryLanguage = "WQL";   

};

instance of CommandLineEventConsumer as $Consumer

{

Name = "Test CommandLine Event Consumer";   

RunInteractively = false;  

CommandLineTemplate = "cmd /c "   

    "rundll32.exe user32.dll,LockWorkStation";   

};

instance of __FilterToConsumerBinding

{

Consumer   = $Consumer;   

Filter = $EventFilter;   

};

The MOF compiles fine and I can see 'cmd.exe' and 'rundll32.exe' is fired in task manager under SYSTEM but the machine does not lock. It's almost like the user32.dll,LockWorkStation part of the MOF is not processed. I have tried many many variables to try and get this working, from Powershell to calling a .bat file (https://learn.microsoft.com/en-us/windows/win32/wmisdk/running-a-program-from-the-command-line-based-on-an-event) nothing seems to have the desired outcome.

I have also tried to create an .exe file which runs the powershell script inline: Invoke-Command {rundll32.exe user32.dll,LockWorkStation} when executing the .exe MANUALLY (i.e. double click on the .exe) it locks my workstation with no issue. I have also tried to bake this into the MOF by using the 'ExecutablePath' property. I can see the .exe is executed under SYSTEM in the task manager but again, my screen is not locked.

I have also tried to execute the .exe by following the guide as per https://learn.microsoft.com/en-us/windows/win32/wmisdk/commandlineeventconsumer.

Below is the edited code:

Managed Object Format

instance of CommandLineEventConsumer as $Consumer
{
Name = "Test CommandLine Event Consumer";
RunInteractively = false;
ExecutablePath = "c:\windows\system32\cmd.exe";
CommandLineTemplate = "C:\windows\system32\cmd.exe"
"C:\Scripts\fido.bat";
};

With the above... I can just see cmd.exe executed twice under SYSTEM in the task manager.

Basically at my wits end trying to nail this one. Any help would be much appreciated.

Thank you!

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,518 questions
C++
C++
A high-level, general-purpose programming language, created as an extension of the C programming language, that has object-oriented, generic, and functional features in addition to facilities for low-level memory manipulation.
3,504 questions
Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,537 questions
0 comments No comments
{count} votes

Accepted answer
  1. Gary Nebbett 5,721 Reputation points
    2022-08-14T20:06:17.82+00:00

    Hello Shaun,

    The documentation for the LockWorkStation API says:

    The LockWorkStation function is callable only by processes running on the interactive desktop. In addition, the user must be logged on, and the workstation cannot already be locked.

    Common reasons the workstation might not be locked even if the function succeeds include the following: no user is logged on, the workstation is already locked, the process is not running on the interactive desktop, or the request is denied by the Graphical Identification and Authentication (GINA) DLL.

    These conditions are probably not all met in your scenario.

    Gary

    0 comments No comments

0 additional answers

Sort by: Most helpful