Windows Defender Credential Guard Prevents RDP from Using Saved Credentials

After a recent Windows update, Windows Defender Credential Guard blocks saved credentials when connecting to Remote Desktop.

CredentialUIBroker
AutomationId and ClassName of Fields

I modified my previous code, and it now works for both types of RDP credential windows.

The CredentialAutoInput class can be used as in the following simple example.

namespace UI
{
    internal class Uimain
    {
        static void Main(string[] args)
        {
            // CredentialAutoInput is the author's helper class (its source is not shown here).
            // From its use below: GetId() returns the user id found in the credential
            // window, and Connect() enters the matching credentials via UI Automation.
            var u = new CredentialAutoInput();
            switch (u.GetId())
            {
                case "myid1":
                    u.Connect("myid1", "mypass1");
                    break;

                case "myid2":
                    u.Connect("myid2", "mypass2");
                    break;
            }
        }
    }
}

Remote Desktop Shadow Session with Saved Credentials

Remote Desktop Shadow Mode allows administrators to remotely view and/or interact with a user's desktop.

To connect to a shadow session, the /prompt option is needed, because mstsc.exe otherwise tries to connect to the client with the current user's credentials.

However, with the /prompt option, mstsc.exe always prompts for credentials, and the prompt cannot be bypassed with a saved credential.

CredentialUIBroker

This credential window is not a standard Win32 window but a XAML UI, so it can be manipulated via UI Automation.

AutomationId and ClassName of Fields

Delete Team Project from the Team Foundation Server

C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC>TfsDeleteProject /collection:https:[Team Foundation Service URL]/DefaultCollection [Team Project Name]
경고: 팀 프로젝트를 삭제한 후에는 복구할 수 없습니다. 모든 버전 제어, 작업 항목
추적 및 Team Foundation 빌드 데이터가 시스템에서 제거됩니다. 이 데이터를 복구하
려면 저장된 데이터베이스 백업을 복원해야 합니다. 팀 프로젝트 및 해당 데이터를 모
두 삭제하시겠습니까(Y/N)?y

Build에서 삭제하는 중...
완료
버전 제어에서 삭제하는 중...
완료
작업 항목 추적에서 삭제하는 중...
완료
TestManagement에서 삭제하는 중...
완료
ProcessManagement에서 삭제하는 중...
완료
LabManagement에서 삭제하는 중...
완료
ProjectServer에서 삭제하는 중...
완료
경고. 보고서 서버 서비스를 찾을 수 없습니다.
경고. SharePoint 사이트 서비스를 찾을 수 없습니다.
Team Foundation Core에서 삭제하는 중...
완료

C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC>

Check in/Check out files to/from the Team Foundation Server with command prompt

**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.0.26430.16
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************
C:\>tf
Microsoft (R) TF – Team Foundation 버전 제어 도구, 버전 15.112.26421.0
Copyright (c) Microsoft Corporation. All rights reserved.

지원되는 버전 제어 명령 목록을 보려면 tf vc help를 입력합니다.
지원되는 Git 명령 목록을 보려면 tf git help를 입력합니다.
지원되는 서버 설정 명령 목록을 보려면 tf settings help를 입력합니다.

C:\>tf checkin
체크 인한 파일이 없습니다.

C:\>tf get
모든 파일이 최신 상태입니다.

C:\>

RunAs.exe with /netonly and /savecred simultaneously

RunAs allows a user to run specific tools and programs with permissions different from those of the user's current logon.
However, the parameters /netonly and /savecred cannot be used at the same time.
We can use the Windows API CreateProcessWithLogonW instead.

#pragma comment(lib, "Advapi32")
#include <windows.h>

// Launch szApp in the caller's local context but with the supplied credentials
// used for network access only (the equivalent of "runas /netonly"), without
// the restriction that keeps runas.exe from combining /netonly with /savecred.
BOOL RunAsNetOnly(LPCWSTR szUser, LPCWSTR szDomain, LPCWSTR szPass, LPCWSTR szApp)
{
	// VARIABLE
	STARTUPINFOW si;
	PROCESS_INFORMATION pi;
	BOOL bOk;

	// INIT
	ZeroMemory(&si, sizeof(si));
	ZeroMemory(&pi, sizeof(pi));
	si.cb = sizeof(si);

	// LOGON_NETCREDENTIALS_ONLY: the credentials are not validated locally; they
	// are only presented to remote servers, so szApp runs as the current user.
	bOk = CreateProcessWithLogonW(szUser, szDomain, szPass, LOGON_NETCREDENTIALS_ONLY,
		szApp, NULL, CREATE_DEFAULT_ERROR_MODE, NULL, NULL, &si, &pi);

	// The caller does not wait on the child, so release the returned handles.
	if (bOk)
	{
		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
	}
	return bOk;
}

Get idle time from system services with windows API

There are several methods to get the user's idle time.

No 1. The most widely used one is GetLastInputInfo.
However, the API returns invalid values when called by system services, because services are isolated in session 0 and no input events are signaled there.

No 2. The second option is WTSQuerySessionInformation.
The 3rd parameter, WTSInfoClass, can be set to WTSSessionInfo to obtain a WTSINFO structure.
The API itself can be used by system services, but LastInputTime is not valid when the API is called for the local (console) user.

No 3. The third option is to build a separate user-mode app and use Inter-Process Communication (IPC).
To achieve that, the service process must launch a new user-mode process and communicate with it.
To create the user-mode process, a valid user token must be obtained with WTSQueryUserToken, and then CreateProcessAsUser is called with the acquired token.

No 4. Querying WMI
A system service process can query WMI and obtain last-input data.
ReadOperationCount changes whenever any keyboard or mouse input occurs.
Query Win32_Process for csrss.exe.
There were two process handles on my computer: '516' was session 0 (the service process) and '12516' was the console session.
SessionId and ReadOperationCount can be found there.
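As an added example (not code from the original post), the WMI approach above written as a PowerShell poller that a service could run: it finds the csrss.exe of the active console session with WTSGetActiveConsoleSessionId and reports how long ReadOperationCount has stayed unchanged. It assumes the post's observation that ReadOperationCount advances on keyboard and mouse input, which is not a documented guarantee.

```powershell
# Added example (not the original post's code): estimate the console user's idle
# time from a service context by polling csrss.exe's ReadOperationCount via CIM.
# Assumption (from the post's observation): ReadOperationCount advances whenever
# keyboard or mouse input reaches that session's csrss.exe.

Add-Type -Namespace Win32 -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern uint WTSGetActiveConsoleSessionId();
'@

function Get-ConsoleCsrss {
    # Each session runs its own csrss.exe; session 0 belongs to services, so
    # select the instance whose SessionId is the active console session.
    $consoleId = [Win32.Wts]::WTSGetActiveConsoleSessionId()
    if ($consoleId -eq 0xFFFFFFFF) { throw 'No session is attached to the console.' }
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'csrss.exe'" |
        Where-Object { $_.SessionId -eq $consoleId } |
        Select-Object -First 1 ProcessId, SessionId, ReadOperationCount
}

function Watch-ConsoleIdle {
    param(
        [int]$IntervalSeconds = 5,
        [int]$IdleThresholdSeconds = 300
    )
    $csrss = Get-ConsoleCsrss
    if (-not $csrss) { throw 'csrss.exe for the console session was not found.' }
    $lastCount  = $csrss.ReadOperationCount
    $lastChange = Get-Date
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        # Re-read the same process by PID so a logoff (csrss.exe gone) is noticed.
        $now = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($csrss.ProcessId)"
        if (-not $now) { throw "csrss.exe PID $($csrss.ProcessId) is gone; the session ended." }
        if ($now.ReadOperationCount -ne $lastCount) {
            $lastCount  = $now.ReadOperationCount
            $lastChange = Get-Date
        }
        $idle = [int]((Get-Date) - $lastChange).TotalSeconds
        [pscustomobject]@{
            Time               = Get-Date -Format 'HH:mm:ss'
            SessionId          = $csrss.SessionId
            ReadOperationCount = $lastCount
            IdleSeconds        = $idle
            IsIdle             = ($idle -ge $IdleThresholdSeconds)
        }
    }
}

Watch-ConsoleIdle -IntervalSeconds 5 -IdleThresholdSeconds 300
```

The counter carries no timestamp, so the idle estimate starts at the moment the script launches and has the polling interval as its granularity.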

Turn On/Off display monitor windows API

To turn off the monitor in Windows, SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, SC_MONITORPOWER, (LPARAM)2) is the most widely used method.
Instead, we can use the low-level monitor configuration functions.