Hey all!

Seems I've run into a bit of a downer. I'm trying to determine whether or not a remote computer is locked (part of a domain, winXP, I have full admin rights to the machine). Now even though that might seem like a simple and often used function... Several weeks of scouring through google/msdn/technet/endless forums have come up blank.

I have found several pieces of code that do sort of work, but they all have to be run locally (which is not an option). However, I may have found an alternative, but don't know if it is possible.

By Steve Guettler

#definefunction IsMachineLocked()
dill = strcat(dirwindows(1),"user32.dll") ;Set the path to the User32.dll
lock_state = @false ;Initialize variable (Default return value = @false)
dll_hand = dllload(dill) ;Retrieve handle to $dill
desktop_hand = dllcall(dll_hand,long:"OpenInputDesktop",word:0,word:0,word:0) ;Retrieve handle of current desktop

if desktop_hand < 1 ;If $desktop_hand < 1 (NULL or 0), then machine is locked.
lock_state = @true ;Set $lock_state to true if $desktop_hand > 0

dllfree(dll_hand) ;Free the DLL handle
return(lock_state) ;Return the lock state

Note: the success or failure of OpenInputDesktop is going to depend solely on the privileges of the user account calling the function and the effective permissions that exist on the desktop that currently has keyboard & mouse input attached to itself.

Keeping that in mind, in most the situations the method shown above will work provided that the "Winlogon" desktop has not had its security altered to allow the user's process to access it. When the workstation is locked, the "Winlogon" desktop will be the active desktop, and the user's process would normally not have permissions to access it so attempting to open it should fail, with the failure being interpreted as meaning that the workstation is locked.

This would seem like a proper solution, but since I can't run any code locally, and this might sound incredibly stupid if it is not possible but I'm not that advanced in programming and am shooting in the dark here... can I load the user32.dll through the windows admin share (\\<machinename>\C$\Windows\System32\user32.dll) and the use the same code (though converted and everything)? Or will that just result in an overly complicated way of loading a different user32.dll to be used on the computer running the code?

Any help would be much appreciated!

8 Years
Discussion Span
Last Post by ctrl-alt-del

What exactly are you trying to do?

I don't have the exact specifics, but there are limitations to running DLLs from remote locations-- you have to "trust" the location that the DLL is being loaded from.

You can't install anything on the remote machine? I would consider running a service that you could ping from another machine to see if it was locked or not-- you might be able to hook into the user session of the machine, and see what desktop (in this case, like the article said, winlogon) is the running one.


While it's not using C# (the thread in question is in the C++ forum) it might give some idea on the methodology you might use for what you're trying to accomplish.

This thread is related to being able to lock a target machine on a network and terminate all applications running on it. So, while your project involves simply determining whether the remote machine is locked or not, I figured the similarity was enough that it might help.

Hope it helps somewhat :)


Hi all!

Thanks for the replies so far.

As far as trusting the dll I want to load, I do, but I think you are referring to a trust-relationship right? Might it help that there is an Active Directory that is fully available for use? And how would I be able to set up the trust-relation? (I do recall several options being available similarly named in both AD and C#)

I can't run local code because we would have to include the code in all of our workstations, and that will be a problem with management. Plus, I'd really like to keep it all remote, no loose ends and all that.

I checked out the thread from the link as well, funny thing was that I had already read it once. The problem with there approach is that when I connect to the machine in question, I will only be able to check the system as is, and some parts of what will be, but I am not able to gather info on what was. Windows doesn't keep a log of when it locked its system.

I was also thinking of clever ways to get the same result. I was thinking along the lines of checking a state of winlogon.exe. But I don't have a clue on how to accomplish such a thing, or if it is even possible.

Any more tips, hints, or clues?

Thank you all very much so far!

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.