LogonUI fix

README.md

@@ -10,6 +10,7 @@ SecureUxTheme is a software that removes signature verification of styles from W
 * No driver needed
 * Secure boot compatible
 * Probably quite future-proof
+* Fixes LogonUI resetting some colors on locking
 
 ## Limitations
 
@@ -29,6 +30,14 @@ Styles must still have a format-wise valid signature appended, it is just not ve
 
 [Latest release](https://github.com/namazso/SecureUxTheme/releases/latest/download/SecureUxTheme_setup.exe)
 
+## LogonUI fix
+
+Locking Windows makes LogonUI reset certain colors and ignore the currently set style. This tool can fix this problem. A picture comparison showing the Task Manager opened after locking Windows without and with the fix can be seen here:
+
+![LogonUI problem](resources/logonui_comparison.png)
+
+Do note this feature might mess up some high contrast theme features when locking.
+
 ## Screenshot
 
 Installer:

SecureUxTheme/avrf.cpp

@@ -152,27 +152,44 @@ ResolveDelayLoadedAPI_Hook(
   _Reserved_ ULONG                             Flags
 );
 
+BOOL
+WINAPI
+SetSysColors_Hook(
+  _In_                  int             cElements,
+  _In_reads_(cElements) CONST INT       *lpaElements,
+  _In_reads_(cElements) CONST COLORREF  *lpaRgbValues
+);
+
 struct hook_entry
 {
   ANSI_STRING     function_name;
   PVOID           old_address;
   PVOID           new_address;
 };
 
+struct hook_target_image
+{
+  UNICODE_STRING  name;
+  ULONG           hook_bitmap;
+  PVOID           base = nullptr;
+};
+
 #define DEFINE_HOOK(name) {RTL_CONSTANT_STRING(#name), nullptr, (PVOID)&name ## _Hook}
 
 static hook_entry s_hooks[] =
 {
   DEFINE_HOOK(CryptVerifySignatureW),
-  DEFINE_HOOK(ResolveDelayLoadedAPI)
+  DEFINE_HOOK(ResolveDelayLoadedAPI),
+  DEFINE_HOOK(SetSysColors),
 };
 
-static UNICODE_STRING const s_target_images[] =
+static hook_target_image s_target_images[] =
 {
-  RTL_CONSTANT_STRING(L"themeui"),
-  RTL_CONSTANT_STRING(L"themeservice"),
-  RTL_CONSTANT_STRING(L"uxinit"),
-  RTL_CONSTANT_STRING(L"uxtheme"),
+  { RTL_CONSTANT_STRING(L"themeui"),          0b011 },
+  { RTL_CONSTANT_STRING(L"themeservice"),     0b011 },
+  { RTL_CONSTANT_STRING(L"uxinit"),           0b011 },
+  { RTL_CONSTANT_STRING(L"uxtheme"),          0b011 },
+  { RTL_CONSTANT_STRING(L"logoncontroller"),  0b100 },
 };
 
 void* get_original_from_hook_address(void* hook_address)
@@ -234,8 +251,18 @@ static void hook_thunks(PVOID base, PIMAGE_THUNK_DATA thunk, PIMAGE_THUNK_DATA o
   {
     if (!(original_thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG))
     {
-      for (auto& hook : s_hooks)
+      ULONG bitmap = 0u;
+      for (const auto& image : s_target_images)
+        if (image.base == base)
+          bitmap = image.hook_bitmap;
+
+      for (auto i = 0u; i < std::size(s_hooks); ++i)
       {
+        if (!(bitmap & (1 << i)))
+          continue;
+
+        auto& hook = s_hooks[i];
+
         const auto by_name = PIMAGE_IMPORT_BY_NAME((char*)base + original_thunk->u1.AddressOfData);
         if ((hook.old_address && hook.old_address == PVOID(thunk->u1.Function)) || 0 == strcmp(by_name->Name, hook.function_name.Buffer))
         {
@@ -308,11 +335,12 @@ static VOID NTAPI DllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize,
 
   DebugPrint("Got notification of %S being loaded at %p\n", DllName, DllBase);
 
-  for (const auto& target : s_target_images)
+  for (auto& target : s_target_images)
   {
-    if (0 == _wcsnicmp(DllName, target.Buffer, target.Length / sizeof(wchar_t)))
+    if (0 == _wcsnicmp(DllName, target.name.Buffer, target.name.Length / sizeof(wchar_t)))
     {
       DebugPrint("IAT Hooking %S\n", DllName);
+      target.base = DllBase;
       apply_iat_hooks_on_dll(DllBase);
     }
   }
@@ -368,4 +396,20 @@ ResolveDelayLoadedAPI_Hook(
   hook_thunks(base, thunk, original_thunk);
 
   return ret;
+}
+
+BOOL
+WINAPI
+SetSysColors_Hook(
+  _In_                  int             cElements,
+  _In_reads_(cElements) CONST INT       *lpaElements,
+  _In_reads_(cElements) CONST COLORREF  *lpaRgbValues
+)
+{
+  UNREFERENCED_PARAMETER(cElements);
+  UNREFERENCED_PARAMETER(lpaElements);
+  UNREFERENCED_PARAMETER(lpaRgbValues);
+
+  DebugPrint("Called");
+  return TRUE;
 }

installer.nsi

@@ -39,6 +39,7 @@ Page custom install_page
 Var LABEL
 Var CHECKBOX_EXPLORER
 Var CHECKBOX_SETTINGS
+Var CHECKBOX_LOGONUI
 
 Function install_page
 	nsDialogs::Create 1018
@@ -50,30 +51,34 @@ Function install_page
 	${NSD_CreateCheckbox} 2% 18u 46% 8u "Also hook SystemSettings"
 	Pop $CHECKBOX_SETTINGS
 
-	${NSD_CreateButton} 2% 30u 22% 15u "Install"
+	${NSD_CreateCheckbox} 2% 28u 46% 8u "LogonUI fix"
+	Pop $CHECKBOX_LOGONUI
+	${NSD_Check} $CHECKBOX_LOGONUI
+
+	${NSD_CreateButton} 2% 40u 22% 15u "Install"
 	Pop $1
 	GetFunctionAddress $0 OnInstall
 	nsDialogs::OnClick $1 $0
 
-	${NSD_CreateButton} 26% 30u 22% 15u "Uninstall"
+	${NSD_CreateButton} 26% 40u 22% 15u "Uninstall"
 	Pop $1
 	GetFunctionAddress $0 OnUninstall
 	nsDialogs::OnClick $1 $0
 
-	${NSD_CreateGroupBox} 0 0 50% 48u ""
+	${NSD_CreateGroupBox} 0 0 50% 58u ""
 	Pop $1
 
-	${NSD_CreateButton} 52% 4u 48% 20u "Fix signature of style"
+	${NSD_CreateButton} 52% 4u 48% 25u "Fix signature of style"
 	Pop $1
 	GetFunctionAddress $0 OnFixSignature
 	nsDialogs::OnClick $1 $0
 
-	${NSD_CreateButton} 52% 28u 48% 20u "Hooked Personalization"
+	${NSD_CreateButton} 52% 33u 48% 25u "Hooked Personalization"
 	Pop $1
 	GetFunctionAddress $0 OnHookedPersonalization
 	nsDialogs::OnClick $1 $0
 
-	${NSD_CreateLabel} 0 52u 100% 100u "\
+	${NSD_CreateLabel} 0 62u 100% 100u "\
 	- Hooking SystemSettings enables custom themes in Themes (Settings app)$\n\
 	${U+00A0}${U+00A0}- However that is only available in Windows 10 1703+$\n\
 	- Hooking explorer enables custom themes in Personalization (Control Panel)$\n\
@@ -167,6 +172,12 @@ Function InstallRegistryKeys
 		Call IFEOAddEntry
 	${EndIf}
 
+	${NSD_GetState} $CHECKBOX_LOGONUI $0
+	${If} $0 == ${BST_CHECKED}
+		Push "LogonUI.exe"
+		Call IFEOAddEntry
+	${EndIf}
+
 	${NSD_GetState} $CHECKBOX_SETTINGS $0
 	${If} $0 == ${BST_CHECKED}
 		Push "SystemSettings.exe"
@@ -227,6 +238,8 @@ Uninstall:
 	Call IFEODeleteEntry
 	Push "explorer.exe"
 	Call IFEODeleteEntry
+	Push "LogonUI.exe"
+	Call IFEODeleteEntry
 	Push "winlogon.exe"
 	Call IFEODeleteEntry
 	Push "dwm.exe"

resources/RECOVERY.md

@@ -6,9 +6,9 @@
    - Do note that you need this from your normal windows installation, and not WinPE (so the one on C: and not X: for most people)
 4. When it asks a name type in anything
 5. Open that key, and navigate to `Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` in it
-6. Delete values `VerifierDlls` and `GlobalFlag` from keys `systemsettings.exe`, `explorer.exe`, `winlogon.exe`, `dwm.exe`
+6. Delete values `VerifierDlls` and `GlobalFlag` from keys `systemsettings.exe`, `explorer.exe`, `winlogon.exe`, `dwm.exe`, `LogonUI.exe`
    - You can just delete the keys for the ones that don't contain other values
-   - Keys `systemsettings.exe`, `explorer.exe` may not exist or not have the keys if you didn't install hook for them
+   - Keys `systemsettings.exe`, `explorer.exe`, `LogonUI.exe` may not exist or not have the keys if you didn't install hook for them
 7. Reboot. Your system should boot properly now
 8. You can completely remove the software by deleting `%windir%\system32\SecureUxTheme.dll`, or just clicking Uninstall in the installer