Bypass "Log on Warning Message" on Windows 7


dgeiser13

Hello, All,

I'm new to AutoIT so please bear with me if I ask foolish questions.

I have a newly built Windows 7 machine and I want to automate the process of logging on to the machine and once logon is complete automate some tasks on the desktop. I have everything working as expected but prior to the auto-logon process this particular machine displays a message which says "IT IS AN OFFENSE TO CONTINUE WITH PROPER AUTHORIZATION...". In Microsoft parlance this is what is referred to as a "Log on Warning Message".

Yes, the machine is part of a domain. This particular policy is being pushed down from the domain. I've viewed it in the Local Security Policy and I cannot change it there.

At first I thought "this will be easy" and I wrote and compiled a script that I ran from Scheduled Tasks with the "At System Startup" setting to wait 2 minutes and then click the Enter button on the screen (since this is how I manually confirm it). For whatever reason this isn't working. I have verified that the script runs by writing to a log file but the keyboard command isn't making it over to the "Log on Warning Message" on the screen.

I've read everything I can find on this forum (and most of Google) and haven't found a good description of a way to bypass this "Log on Warning Message".

I'm currently considering deleting the related registry keys being pushed down through the Policy under...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

I would prefer not having to edit the registry to remove a policy that the Domain Admins want and just clicking Enter at the appropriate point in bootup but we definitely have to have the logon of this machine automated.

I've also considered removing the machine from the domain entirely as I know it will (or at least should) function fine without being on the domain.

Just wanted to see if anyone else has ever had to deal with this annoyance in their day-to-day automation and if so how you typically deal with this.

Thanks, Much!

Dan

Link to comment

...mmmh a long post, but as your initial question was:

I have a newly built Windows 7 machine and I want to automate the process of logging on to the machine and once logon is complete automate some tasks on the desktop.

Does your local policy allow this:

control userpasswords2 ?

some hints

http://www.windows7news.com/2009/02/01/automatic-logon-into-windows-7/

(I skip the registry AUTOLOGON, because the password is stored in text format)

And the autostart feature in Windows should be no problem, I remember at least 15 ways. RunOnce, Startup folder (user, all), Service, Run, Explore in Registry, load, logon scripts......

But maybe I got it all wrong, and misunderstood your question. Because the message is not familiar to me.

Link to comment

If I were the admin on your network, I'd probably have found out how to get you fired by now for this. You're on a domain, the domain administrators have set up certain safeguards to the computers on their network. This computer is not yours I take it, it's the company's? What you're attempting to do negates any and all security they're trying to enforce on their network. You are making it so that your computer is a wide open door to the bank vault of their network.

You are trying to make it so that your computer doesn't require you to enter your username and password and automatically logs you on to the domain. Not very smart.

Link to comment

@BrewManNH

This is strange. He asked for a solution to HIS problem and you judge his IQ, ethics and morals.....

What forced you to tell others what to do and think? I guess he is grown up and knows what is allowed and what not and in the end he IS responsible for this life. But not "we".

These admin-control-freaks, guys that tell everyone THEY keep the company running, while the rest suffer in pain....

So tell him a solution or keep it to yourself. That is my opinion on that. Freedom, even for strange ideas.

Don't take it too personally, but I'm tired of other people telling others what to do and think. But I accept your opinion on that issue as a valuable point of view, no doubt on that.

Link to comment

Many of us are "admin-control-freaks" and understand the need for silly things like authentication, and the security risk to systems that creative end users may not even be aware exist that bypassing those measures can cause. Telling someone that they're doing something stupid from a security standpoint, and the possible ramifications is CONSTRUCTIVE criticism.
Link to comment

How about this, I AM the admin of my school's network, if I found out someone was trying to circumvent the security of MY systems, I would have him escorted out of the building that day. This "problem" of his isn't a problem, he's too lazy to log in for himself and THEN run his script. He wants to not only leave the door unlocked for any criminals, he wants to invite them in and throw them a party. Respect the reasons for the security of the systems that you're allowed to use, don't try to get around them because you can't type your password and hit enter a couple of times.

You help him all you want, I've said my piece, anyone that understands the need for keeping idiots out of their networks shouldn't be helping someone who can't log into a domain computer by himself.

Link to comment

...mmmh a long post, but as your initial question was:

(I skip the registry AUTOLOGON, because the password is stored in text format)

And the autostart feature in Windows should be no problem, I remember at least 15 ways. RunOnce, Startup folder (user, all), Service, Run, Explore in Registry, load, logon scripts......

But maybe I got it all wrong, and misunderstood your question. Because the message is not familiar to me.

Thanks for the reply, Tankbuster. I've been able to automate everything except for one item. When the machine first turns on and displays the Log On Warning Message there is an OK button in the middle of the screen. I would like to automatically click that button so the rest of the automation, which I already have set up, can proceed.

Link to comment

If I were the admin on your network, I'd probably have found out how to get you fired by now for this. You're on a domain, the domain administrators have set up certain safeguards to the computers on their network. This computer is not yours I take it, it's the company's? What you're attempting to do negates any and all security they're trying to enforce on their network. You are making it so that your computer is a wide open door to the bank vault of their network.

You are trying to make it so that your computer doesn't require you to enter your username and password and automatically logs you on to the domain. Not very smart.

Wow, I wasn't expecting to be assaulted the first time I posted on this forum.

First of all, everything I am doing my boss directed me to do.

We currently have 1 departmental webcam which suffers from an assortment of issues. One of the issues is that the machine will occasionally lose power and reboot and if we don't realize this reboot has occurred the machine will basically sit in the corner doing nothing until someone realizes what has happened and VNCs into the machine to get everything manually up and running again.

My boss came to me this week and asked me to find another spare box around the office so we can set up a 2nd departmental webcam. He explained the issues that we have been having with the first one and asked me to automate the logon to the machine and the running of the software and if it works well I can also roll the changes over to our original webcam.

Both of these machines are running headless (no mouse, no keyboard and no monitor). We have VNC running on both of them and we can always remote in and make sure everything is up and running but we really want to set it and forget it. And not come back 2 days or a week later and find out for some strange reason the machine has been sitting idle not performing the function that it is intended to do.

When I started running into this issue with the Log On Warning Message and auto-logging on to the machine in general I told him everything that I would need to look into and he told me to proceed with what I was doing. And guess what, his boss is the one that directed him to find someone in our department to get the webcam set up in this way.

Now that I feel I have given sufficient information to some Internet stranger to justify being allowed to use an Automation Tool to do Automation I do take major issue with your implication that what I am doing is somehow inherently insecure.

Premise #1: Automating the click of the OK button when the Log On Warning Message pops up is insecure.

Microsoft states in the Windows 2000 Server Baseline Security Checklist, http://technet.microsoft.com/en-us/library/cc751389.aspx, that displaying this warning message does nothing to increase security -- "Though setting a log on warning message does not technically restrict an attacker, it significantly increases an organization's ability to prosecute attacks. Not displaying a warning message reduces the liability assumed by an attacker, which can increase an attackers comfort when initiating attacks." So it's a security "feature" that Microsoft created so the legal department can feel better about their ability to prosecute attacks if/when one occurs.

I'm not an attacker.

Premise #2: Automating the logon of the machine is insecure.

I'll admit there may be some sort of unintended consequences that I'm missing here but I just don't see it.

I'm not a security expert but I do read quite a bit about security. Most security people will tell you if an attacker has physical access to your machine then he/she can pretty much figure out how to do anything he wants. In the case of our webcam machines both of them are going to be sitting underneath the desks of personnel in our department. In one case the webcam is sitting under the desk of someone who is two levels above me in the company hierarchy.

Assuming everything is working correctly from an automation standpoint the machine can be turned on (or rebooted) and my automation will click OK on the Log On Warning Message, auto-logon by using a username/password pair which I defined on the machine when I first installed Windows 7, wait for Windows to load, click on some buttons on the desktop which fires up the webcam and click "Allow" on some weird Adobe Flash Player prompt which we get whenever we fire up the webcam on this machine. That is all my automation does.

If this is so insecure why does Microsoft have registry entries in which you can enter the username/password pair so the machine _can_ auto-logon?

As far as saying that I'm too "lazy" to logon to the machine:

1) My work laptop that I use when I'm in the office and take home for VPN access also prompts me with the Log On Warning Message any time my laptop reboots _and_ asks me to enter a username/password as well. I've been logging on this way for two years and have never once thought about automating this process. If I was that "lazy" wouldn't I have done so by now?

2) Isn't the whole point of Automation to automate tasks that you could very well do manually but you are trying to save yourself some time and/or the headache of remembering how to do it or the act of doing it in the first place?

If you still strongly feel that what I'm being asked to do is inherently insecure I would love to hear your reasoning and I'll gladly take that information back to my boss and tell them that I think what they are asking me to do is insecure. But at this point in time I don't see it.

Link to comment
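
For admins who want to find machines configured the way this thread discusses, here is an added audit example (not code from any poster in the thread). It parses `reg query` output and flags registry auto-logon with a plaintext password and a missing logon banner. Assumptions: the Winlogon key and the value names `AutoAdminLogon`, `DefaultPassword`, `legalnoticecaption` and `legalnoticetext` are the standard Windows names and are not quoted in the thread; the sample output is constructed.

```python
import re

# Standard Windows locations; the thread itself only names the Policies\System key.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# One value line of `reg query` output: indent, name, type, optional data.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)(?:\s{2,}(.*))?$")

# Constructed sample: a host with registry auto-logon and an empty banner.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    webcam
    DefaultPassword    REG_SZ    example-only

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    legalnoticecaption    REG_SZ
"""


def parse_reg_query(text):
    """Return {key_path_lower: {value_name_lower: data}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = (m.group(3) or "").strip()
    return keys


def audit(text):
    """List findings for auto-logon and logon-banner settings."""
    keys = parse_reg_query(text)
    winlogon = keys.get(WINLOGON.lower(), {})
    policy = keys.get(POLICY.lower(), {})
    findings = []
    if winlogon.get("autoadminlogon") == "1":
        findings.append("auto-logon enabled")
    if winlogon.get("defaultpassword"):
        # Report presence only; never echo the credential itself.
        findings.append("plaintext DefaultPassword stored in registry")
    for name in ("legalnoticecaption", "legalnoticetext"):
        if not policy.get(name):
            findings.append(f"logon banner value {name} missing or empty")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the combined output of `reg query` for both keys, collected per host. Because the password value is readable by anyone who can read that key, a finding here is worth raising with whoever owns the account.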

Ok, after reading all of this.... i just wanted to point out that

In one case the webcam is sitting under the desk of someone

gave me a hearty laugh. ;)

anyway, regardless of what MS allows or says is secure, automating a login is an obvious security risk. your car maker allows you to park it with the doors unlocked and even OPEN if you're so inclined, that doesn't make it a good idea. I think this whole thing was taken the wrong way, he was pointing out that you are creating a situation that most network administrators would try to avoid, and that that could potentially be risking your job if you had a likeminded administrator. Take it as constructive criticism and don't derail the topic on a security debate that you're on the wrong side of.

Link to comment

..When the machine first turns on and displays the Log On Warning Message there is an OK button in the middle of the screen. I would like to automatically click that button so the rest of the automation, which I already have set up, can proceed.

...don't count much on me to solve this issue. I'm not sure when the Policy is triggered. Actually I believe before any auto run will take place. Maybe you got a chance to run your script as a service.

But as this is Win7 you may have problems accessing the screen (because services run in win7 in the session 0, some sort of "isolated desktop for the system" -- not technically correct, but gives you a rough idea), so process list may work but not Window-Title-Check (to kill/close)

Whether you are able to install the service also depends on the policy...and this leads to a dead end?

Not as a real solution:

Buy a drinking bird just as Homer Simpson did to push a button once in a while....ok he also nearly blew up the whole nuclear plant...but fun to watch.

Sorry for not helping you solve this problem.

Link to comment