Win32 API hooks and OS hardening

[rashkar]

Hi guys,

I have an application written as a windows service (installed to run as localsystem) that will specifically monitor one application and securely inject a password when it detects the correct screen. It works perfectly when I test it on every PC and VM in the office, but at the client site, the service can't see any windows events AT ALL. I'm really confused.

When i enable full logging of the Win32 events, my app in the office grabs a shedload of events. But the service running on the client site doesn't see a thing. If I launch the observer module at the command line rather than through the service, it works!!

Is there any OS hardening setting that could be blocking my app on the client's PC?

Regards,
mike

[hankdane]

Your client probably has a domain structure set up with policies completely different from those in place at your office.

Try this:
Have the client run your service as an administrator (not necessarily the built-in adminstrator account, but any account belonging to the administrator group). They need to go in Control Panel, Administrative Tools, Services, and selecting your service, right-click and choose "Properties." Choose the "Log On" tab, select "This account:" and let them enter credentials for an admin account.

I'm not suggesting this is a solution to your problem, but it will help you determine if it's a security/policy issue.

[rashkar]

Hi!

Yeah, that's the first thing we tried. It had no effect.

Regards,
Mike

[rashkar]

Hi guys, it wasn't OS hardening... It was RDP. since the topic has changed, I'll close this and start a fresh thread.