Archive: Validate Windows Password
dogo
8th February 2007 14:09 UTC
Validate Windows Password
Hi,
I would like to let the user choose which account should
run a special service.
For that I need to validate a password given by the user
against the special Windows user's password.
Is there any way to do this ?!
Something like that:
StrCmp $WindowsPassword $UserPasswordInput ... ??
Thanks for reply,
Wolfgang.
Red Wine
8th February 2007 15:46 UTC
The value of $WindowsPassword represents a password protected Windows account on NT system?
dogo
8th February 2007 20:55 UTC
Ah, yes of course.
Sorry that this is not very clear in my post.
This should be a password for a local Windows account.
Red Wine
8th February 2007 21:00 UTC
I'm afraid it isn't possible through NSIS; there are some "tools" out there able to hack the password, however they should be used from a DOS or Linux bootable media because they are all blocked by AVs within the Windows environment.
dogo
8th February 2007 21:04 UTC
Ah,
the password should not be hacked, this is not what I want.
I just would like to know if the password that was entered by the user is correct. This should be for a Windows service that would be installed. The user has to select a Windows user and has to enter the password, because Windows needs a password to install a service :(.
Red Wine
8th February 2007 21:12 UTC
If I got it correctly, we're going to the same result from a different direction.
How the installer would be able to retrieve a password and verify if this is the correct password for the given account if not hack it?
dogo
8th February 2007 21:16 UTC
Hm, maybe there is an API function within Windows like enumerate users ? Just to check if the password is correct ? A function has to exist, because this is used if you add a service ! Maybe some Windows guru has got an answer about this ?
kichik
8th February 2007 21:23 UTC
You can call LogonUser using the System plug-in.
Red Wine
8th February 2007 21:26 UTC
"Maybe some windows guru has got an answer about this ?"
Most likely! However, I guess the point for you is to know if the service is installed; you may simply perform a check to verify that and, if not, return to the previous stage where users should provide the required details in order to install the service.
edit: I'm still very slow on typing :(
dogo
8th February 2007 21:37 UTC
Ah, thanks for all,
I will give them a try tomorrow :-).
dogo
9th February 2007 11:39 UTC
Okay,
LogonUser is working very well for local computers,
is it also possible to do this for a network which contains
Active Directory ?
Sincerely,
Wolfgang.
kichik
9th February 2007 11:56 UTC
You can pass the domain name in the second parameter of LogonUser.
Also, it'd be nice if you create an example page in the Wiki with the code you've used. I'm sure other users will find it useful as well.
dogo
9th February 2007 12:36 UTC
Hey kichik,
thanks for your fast posts,
as soon as I am ready with my installer I plan to write one or more wiki entries because my installer is full of such features. I hope I can help some other users with that.
But first of all I have to finish my project ;)
Sincerely,
Wolfgang.
HotButteredSoul
16th February 2007 17:57 UTC
I needed to do the same thing in my install script. The idea: check a user login and make sure it works for a domain.
#
# MSWAuthenticate.nsh - by HotButteredSoul
#
# Function for checking to see if a Microsoft Windows Username/password
# pair authenticate.
#
!ifndef _MSWAuthenticate_nsh
!define _MSWAuthenticate_nsh
#
# MSWAuthenticate - authenticates username/password pair
#
# Example:
#
#   Push "bob.username"
#   Push "ADOMAIN"
#   Push "bobs.password"
#   Call MSWAuthenticate
#   Pop $0 ; = "success" on success, or "Logon failure: ..." otherwise.
#
# Uses advapi32.lib LogonUserA
#
Function MSWAuthenticate
  Exch $0 ; password (IN)
  Exch
  Exch $1 ; Domain (IN) / "success" (OUT)
  Exch 2
  Exch $2 ; Username (IN)
  Push $3 ; LogonUserA return code
  Push $4 ; GetLastError() code
  Push $5 ; logon token handle returned by LogonUserA
  ; LOGON32_LOGON_NETWORK = 3
  ; LOGON32_PROVIDER_DEFAULT = 0
  System::Call "advapi32::LogonUserA(t r2, t r1, t r0, i 3, i 0, *i .r5) i .r3 ?e"
  Pop $4 ; the ?e flag from System::Call pushes the result of GetLastError() onto the stack.
  IntCmp 0 $3 reject ; return value of 0 is failure.
  ; Only the yes/no answer is needed, so close the token instead of leaking it.
  System::Call "kernel32::CloseHandle(i r5)"
  StrCpy $1 "success"
  GoTo done
  reject:
    IntCmp 87 $4 ERROR_LOGON_FAILURE
    IntCmp 1326 $4 ERROR_LOGON_FAILURE
    IntCmp 1327 $4 ERROR_ACCOUNT_RESTRICTION
    IntCmp 1328 $4 ERROR_INVALID_LOGON_HOURS
    IntCmp 1329 $4 ERROR_INVALID_WORKSTATION
    IntCmp 1330 $4 ERROR_PASSWORD_EXPIRED
    IntCmp 1331 $4 ERROR_ACCOUNT_DISABLED
    ; an error of some other sort
    StrCpy $1 "Logon failure: $4"
    GoTo done
  ERROR_LOGON_FAILURE:
    StrCpy $1 "Logon failure: unknown user name or bad password."
    GoTo done
  ERROR_ACCOUNT_RESTRICTION:
    StrCpy $1 "Logon failure: user account restriction."
    GoTo done
  ERROR_INVALID_LOGON_HOURS:
    StrCpy $1 "Logon failure: account logon time restriction violation."
    GoTo done
  ERROR_INVALID_WORKSTATION:
    StrCpy $1 "Logon failure: user not allowed to log on to this computer."
    GoTo done
  ERROR_PASSWORD_EXPIRED:
    StrCpy $1 "Logon failure: the specified account password has expired."
    GoTo done
  ERROR_ACCOUNT_DISABLED:
    StrCpy $1 "Logon failure: account currently disabled."
    GoTo done
  done:
    ; restore the saved registers in reverse order, leave the result on the stack
    Pop $5
    Pop $4
    Pop $3
    Pop $2
    Pop $0
    Exch $1
FunctionEnd
!endif ; _MSWAuthenticate_nsh
HotButteredSoul
16th February 2007 21:41 UTC
Wiki'd
Yathosho
7th June 2007 22:09 UTC
1. i have a problem with your function when the user's password is empty, it always reports "user account restriction". doesn't matter if it's a limited account or admin.
2. when is the message i get supposed to show up anyway?
3. when i try the function with guest accounts, the error message is "Logon failure: 1385".
4. is there a way to check if the user has admin rights?
Anders
8th June 2007 02:41 UTC
xp fails with blank passwords for network logons by default. You can set limitblankpassworduse=0 in HKLM\SYSTEM\CurrentControlSet\Control\Lsa to override this
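The replies about the domain parameter and about blank passwords, combined in one wrapper as an added example (not code from the thread or from NSIS). It assumes the function posted above is saved as MSWAuthenticate.nsh; CheckServiceAccount is a hypothetical name, and the wrapper goes beyond the thread by splitting a typed DOMAIN\user itself and by passing "." as the domain so that LogonUser checks only the local account database.

```nsis
; Added example, not from the thread; CheckServiceAccount is a hypothetical name.
!include "LogicLib.nsh"
!include "MSWAuthenticate.nsh" ; assumed: the function posted above, saved under this name
; In: Push "DOMAIN\user" or "user", then Push password. Out: Pop "success" or a failure message.
Function CheckServiceAccount
  Exch $0                      ; password
  Exch
  Exch $1                      ; account as typed, later the result
  Push $2                      ; domain
  Push $3                      ; scratch: character index, then registry value
  Push $4                      ; scratch: current character
  StrCpy $2 "."                ; "." = check the local account database only
  StrCpy $3 0
  ${Do}                        ; look for the first backslash in the account
    StrCpy $4 $1 1 $3
    ${If} $4 == ""
      ${ExitDo}                ; no backslash: keep "." as the domain
    ${ElseIf} $4 == "\"
      ${If} $3 > 0
        StrCpy $2 $1 $3        ; text before the backslash is the domain
      ${EndIf}
      IntOp $3 $3 + 1
      StrCpy $1 $1 "" $3       ; text after the backslash is the user name
      ${ExitDo}
    ${EndIf}
    IntOp $3 $3 + 1
  ${Loop}
  ; Local account with an empty password: refused for network logons unless the value is 0 (missing reads as 0).
  ${If} $0 == ""
  ${AndIf} $2 == "."
    ReadRegDWORD $3 HKLM "SYSTEM\CurrentControlSet\Control\Lsa" "LimitBlankPasswordUse"
    ${If} $3 <> 0
      StrCpy $1 "Blank password: network logon is blocked by LimitBlankPasswordUse."
      Goto done
    ${EndIf}
  ${EndIf}
  Push $1                      ; user name
  Push $2                      ; domain
  Push $0                      ; password
  Call MSWAuthenticate
  Pop $1                       ; "success" or "Logon failure: ..."
done:
  Pop $4
  Pop $3
  Pop $2
  Exch $1                      ; restore $1, leave the result on the stack
  Exch
  Pop $0                       ; restore $0, which also overwrites the password
FunctionEnd
```

The wrapper only reads the registry value, so the machine's blank-password policy stays as the administrator set it.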
Yathosho
8th June 2007 10:17 UTC
so that means if i want to use that function to validate a user really is administrator (who happens to have an empty password), it will not work?
Yathosho
8th June 2007 19:14 UTC
..or asked differently, is this script not for winlogons?
Yathosho
12th June 2007 00:04 UTC
5. in what other cases will "user account restriction" be displayed?
Yathosho
30th June 2007 14:51 UTC
i've attached a script using the MSWAuthenticate function. it is meant to bring something like UAC to NSIS installers on older windows nt versions. however, to improve it i need some of the above questions answered. do i get the "user account restriction" only when i have an empty password? does it work when the user specifies a different user (admin user) than the user logged in? any hints for improvements are welcome!
kichik
30th June 2007 15:32 UTC
There are more restrictions available in Windows but the empty password, so I doubt that'd be the only case.
LogonUser should work with other users but the current user. It won't be too useful without working that way.
Anders
20th September 2007 08:06 UTC
Sorry to bring back this old topic, but I came across something related to this that would probably solve the empty password issue, it's called SSPI (Security Service Provider Interface)
More info @ http://www.winterdom.com/dev/security/sspi.html
Hopefully someone will write a plugin (or use the system plugin if you are insane)