Prevent client bypassing in Windows - Libki/libki-client GitHub Wiki

When running the Libki client on a Windows machine, it's possible to bypass it due to a delay when the software launches on login. This page contains a couple of fixes to minimise that delay.

Fix 1: Change the launch order of what runs in which order when a user logs on

When a user logs on in Windows, userinit.exe is called. It runs logon scripts, reestablishes network connections and finally starts explorer.exe - Windows' desktop environment (Actually, explorer.exe only starts the desktop environment the first time it runs - if the desktop environment is already running, it launches the familiar file explorer). This takes a bit of time, and nothing else will run until this is all set up.

This is set in the registry, so fire up the registry editor and browse down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Here's a value named userinit, which should contain C:\Windows\system32\userinit.exe. We're going to change that so Libki can run before userinit.exe runs. Open the userinit value and enter the path to the libki executable before C:\Windows\system32\userinit.exe.

XXX I'm writing this from the top of my head and don't have access to a Windows machine running Libki, so it'd be great if someone could double-check the path!

Edit it so it contains C:\Programs\Libki\libkiclient.exe, C:\Windows\system32\userinit.exe instead. Save and close.

Fix 2: Lock down user input on logon with an Autohotkey script

Autohotkey is my go-to magic in Windows. It allows you to script things like disabling keys on the keyboard, replacing keys with other keys, running software and so on. We're going to use it to lock down all user input for a couple of seconds when the user logs on.

Here's the code:

#NoEnv
SendMode Input
SetWorkingDir %A_ScriptDir%
    
BlockInput, On
Sleep, 30000
BlockInput, Off

The first block is autocreated when making a new script. I deleted the autogenerated comments. The second block is somewhat self-explanatory. It blocks input, sleeps for 30 seconds (the time is set in milliseconds) and then allows user input again.

Download and install Autohotkey on another computer. It's easiest to download the installer from https://autohotkey.com/download/.

This will be our programming computer where we'll write and compile our program. Launch Notepad and enter the code from above. Edit the seconds to your fitting. Save this file somewhere (I suggest the desktop) as lock_input.ahk. Now right-click the file and choose Compile script. It should just take a couple of seconds before it spits out lock_input.exe. Put this on a thumb drive and move it over to your client.

Since this messes with user input, it needs to be run with administrator privileges. And the only way to run things on logon with administrator privileges without a UAC popup is to do it through Task Scheduler.

Start Task Scheduler and create a new task. Set it up to run lock_input.exe on logon, and remember to tick the box saying "Run with the highest privileges". This makes it run with administrator privileges without a UAC popup.