Windows Credential Provider, Filter, and Unlock Workstation Scenario

Question

I'm developing a credential provider and filter. I have some problems with lock scenario.

First, I have tried the SampleAllControlCredentialProvider from here. And it works. Even when I logon and lock it afterward, it shows my credential.

Second, I tried making my own credential provider filter by adding some lines of codes. The filter is filtering out the windows' credential, only my credentials are allowed to appear. These are my addition of codes:

In CSampleProvider.h, I make the class to be implementing ICredentialProviderFilter

class CSampleProvider : public ICredentialProvider, public ICredentialProviderFilter

In CSampleProvider.h, I change the STDMETHOD (QueryInterface) into

STDMETHOD (QueryInterface)(REFIID riid, void** ppv)
{
    HRESULT hr;
    if (IID_IUnknown == riid)
        {
        *ppv = this;
        AddRef();
        hr = S_OK;
        }
        else if (IID_ICredentialProvider == riid)
        {
        *ppv = static_cast<ICredentialProvider*>(this);
        AddRef();
        hr = S_OK;
        }
        else if (IID_ICredentialProviderFilter == riid)
    {
        *ppv = static_cast<ICredentialProviderFilter*>(this);
        AddRef();
        hr = S_OK;
    }
    else
    {
        *ppv = NULL;
        hr = E_NOINTERFACE;
    }
    return hr;
}

Still in CSampleProvider.h, I add these lines of codes

//ICredentialProviderFilter
  public:
        /**
        * \brief method to filter CPProvider
        * \param cpus - CP usage scenario
        * \param dwFlags
        * \param rgclsidProviders
        * \param rgbAllow
        * \param cProviders
        * \return IFACEMETHODIMP
        */
        IFACEMETHODIMP Filter( 
            CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus,
            DWORD dwFlags,
            GUID *rgclsidProviders,
            BOOL *rgbAllow,
            DWORD cProviders);

        /**
        * \brief method to update remote logon credential
        * \param pcpcsIn - serialized logon credential
        * \param pcpcsOut - returned logon credential
        * \return IFACEMETHODIMP
        */
        IFACEMETHODIMP UpdateRemoteCredential( 
            const CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION *pcpcsIn,
            CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION *pcpcsOut);

Then, this is the implementation of the filter methods (inside the CSampleProvider.cpp):

HRESULT CSampleProvider::Filter(CREDENTIAL_PROVIDER_USAGE_SCENARIO cpus,DWORD dwFlags,GUID* rgclsidProviders,BOOL* rgbAllow,DWORD cProviders)
{
    //UNUSED(dwFlags);
    UNREFERENCED_PARAMETER(dwFlags);
    MessageBox(NULL, "Filter!", "Trace", NULL);
    switch (cpus)
    {
        case CPUS_LOGON:
        case CPUS_UNLOCK_WORKSTATION:
            //Filters out the default Windows provider (only for Logon and Unlock scenarios)
            for (int i = 0; i < (int)cProviders; i++)
            {
                if (IsEqualGUID(rgclsidProviders[i], CLSID_CSampleProvider)) rgbAllow[i]=true;
                else rgbAllow[i] = false;;
                //rgbAllow[i]=true;
            }
        return S_OK;
        case CPUS_CREDUI:
        case CPUS_CHANGE_PASSWORD:
        return E_NOTIMPL;
        default:
        return E_INVALIDARG;
    }
}

HRESULT CSampleProvider::UpdateRemoteCredential(const CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcsIn, CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION* pcpcsOut)
{
    UNREFERENCED_PARAMETER(pcpcsOut);
    UNREFERENCED_PARAMETER(pcpcsIn);
    return E_NOTIMPL;
}

Finally, I run this .reg file containing:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{F2ADF4EC-5DAA-407e-9776-10B25A64A435}]
@="SampleAllControlsCredentialProvider"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\{F2ADF4EC-5DAA-407e-9776-10B25A64A435}]
@="SampleAllControlsCredentialProvider"

[HKEY_CLASSES_ROOT\CLSID\{F2ADF4EC-5DAA-407e-9776-10B25A64A435}]
@="SampleAllControlsCredentialProvider"

[HKEY_CLASSES_ROOT\CLSID\{F2ADF4EC-5DAA-407e-9776-10B25A64A435}\InprocServer32]
@="SampleAllControlsCredentialProvider.dll"
"ThreadingModel"="Apartment"

Actually, everything works well except just for the lock scenario. So, after I successfully logon, I click lock. Usually, if I switch user or log off, my credentials should appear there on the logon screen. But now, after only implementing the filter, There appears nothing, only the blue logon screen without any credential.

Does anyone know what happens and what to do?

Answer 1

I know this question is old, but as it was edited only a couple of months ago it might still be relevant.

I believe under your unlock scenario, you are excluding your own credential provider from running; try changing: 'CLSID_CSampleProvider' to 'CLSID_PasswordCredentialProvider' and see what effect thats has. I have a Wrap Credential Provider running and I am using the filter with this ID and its working perfectly. My credentials appear under the logon and unlock scenarios.