Windows Mobile 5.0 Local Authentication Sub System (LASS) – Part 2


In Part 1 we looked at the power-on-password replacement options for Windows Mobile 2003. In this blog I want to take you through the new Local Authentication Sub System (LASS).

This new architecture can be found in Windows CE 5.0 and Windows Mobile 5.0 devices and brings a uniform authentication system to both Smartphone and Pocket PC. Prior to Windows Mobile 5.0 it was not possible to replace the PIN lock screen for Smartphone, but with the unified LASS architecture found on both Pocket PC and Smartphone it's now possible (although I haven't proved it with code yet).

The MSDN docs for LASS are here.


Architecture


The LASS architecture looks a bit like this:


Taking each of the key components:


LASS:


This is the system module responsible for joining user applications to a specific authentication plug-in. It doesn't perform any authentication in its own right but relies on the LAP to do the work of capturing and verifying credentials. The LASS module exposes a number of APIs:

LASSReloadConfig
Causes the LASS module to reload registry information.

CreateEnrollmentConfigDialog
Calls to this API are forwarded to the active LAP to display the enrolment dialog. If you click the Password applet in Settings on Pocket PC 2005 this API is called.

VerifyUser
Calls to this API are forwarded to the active LAP to capture and verify the user credential.

Header file: lass.h
Lib: coredll.lib


LAP:


This module is responsible for capturing and verifying user credentials, either by displaying a form for input or integrating with hardware. A custom LAP must export the following methods:


LAPCreateEnrollmentConfigDialog
Display and capture initialization information – replacement for the Password control panel app.

VerifyUser
Called to capture and verify credentials.

InitLAP
Called when the LAP is loaded.

DeinitLAP
Called when the LAP is unloaded.


The following are optional exports:


VerifyUserStart
Called before verification takes place – can be used to spin up hardware that might be used during the verification process.

VerifyUserStop
Called after verification has completed – use it to close down hardware etc.

VerifyUserToTop
Move the credential capture window to the top of the Z-order (I've never seen this called on my LAP).


Authentication Events:


These are registry entries identified by a GUID that define parameters for how the user is to be verified through a LAP – for example, that the user only needs to enter a password when the device has been unused for a certain period of time.

Values that can be set:

AEFrequencyValue
AEFrequencyType
DisplayText


How it all fits together:


Let's start with power on. When a password has been configured the shell will check the registry to see which LAP DLL is set as active and load the DLL. First InitLAP is called, then VerifyUserStart (if available) and then VerifyUser. The LAP is handed an AE GUID, a title and a number of options. Based on the options and the AE settings the LAP will then capture and validate the user before returning success or failure. If authentication is successful VerifyUserStop is called, otherwise the LASS will update the Lockout registry information and rerun the LAP appropriately.

The shell still uses the old password registry settings [HKCU\ControlPanel\owner\PowrPass] to decide if authentication is required at power on, and desktop ActiveSync password protection operates in the same way as before using the password string stored in the OS.

Replacing the password control panel application is no longer necessary because the new CPL application simply calls the exported LAPCreateEnrollmentConfigDialog on the active LAP.
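The power-on sequence described at the start of this section, as an added model that is not code from this post or from Windows: a plain-C stand-in for LASS driving a LAP's exports, where the optional exports are nullable function pointers, the Lockout registry data is a struct, and the fake LAP and the attempt limit are constructed for illustration.

```c
/* Model of the LASS -> LAP call sequence (constructed, no Windows headers).
 * LapExports stands in for the exports LASS resolves from the active LAP DLL,
 * LockoutInfo for the Lockout registry information LASS updates on failure. */
#include <string.h>

typedef int BOOL;
#define TRUE  1
#define FALSE 0

typedef struct {
    BOOL (*InitLAP)(void);                                   /* required */
    void (*DeinitLAP)(void);                                 /* required */
    BOOL (*VerifyUser)(const char *aeGuid, const char *text, unsigned options); /* required */
    void (*VerifyUserStart)(void);   /* optional export: NULL when the DLL lacks it */
    void (*VerifyUserStop)(void);    /* optional export: NULL when the DLL lacks it */
} LapExports;

typedef struct {
    unsigned failedAttempts;   /* what LASS updates after a failed VerifyUser */
    unsigned maxAttempts;      /* assumed lockout threshold (not a documented value) */
} LockoutInfo;

/* Call trace so the order of calls can be inspected. */
static char g_trace[256];
static void trace_step(const char *step)
{
    if (g_trace[0]) strncat(g_trace, ";", sizeof g_trace - strlen(g_trace) - 1);
    strncat(g_trace, step, sizeof g_trace - strlen(g_trace) - 1);
}

/* Constructed fake LAP: fails g_failuresLeft times, then succeeds. */
static unsigned g_failuresLeft;
static BOOL fake_InitLAP(void)         { trace_step("InitLAP"); return TRUE; }
static void fake_DeinitLAP(void)       { trace_step("DeinitLAP"); }
static void fake_VerifyUserStart(void) { trace_step("VerifyUserStart"); }
static void fake_VerifyUserStop(void)  { trace_step("VerifyUserStop"); }
static BOOL fake_VerifyUser(const char *aeGuid, const char *text, unsigned options)
{
    (void)aeGuid; (void)text; (void)options;
    if (g_failuresLeft) { g_failuresLeft--; trace_step("VerifyUser=FAIL"); return FALSE; }
    trace_step("VerifyUser=OK");
    return TRUE;
}

void model_reset(unsigned failuresBeforeSuccess) { g_trace[0] = '\0'; g_failuresLeft = failuresBeforeSuccess; }
const char *model_trace(void) { return g_trace; }

LapExports full_lap(void)     /* all five exports present */
{ LapExports l = { fake_InitLAP, fake_DeinitLAP, fake_VerifyUser, fake_VerifyUserStart, fake_VerifyUserStop }; return l; }
LapExports minimal_lap(void)  /* only the four required exports */
{ LapExports l = { fake_InitLAP, fake_DeinitLAP, fake_VerifyUser, 0, 0 }; return l; }

/* The power-on sequence from the text: a DLL missing a required export is
 * rejected up front, optional exports are skipped when NULL, and after a
 * failure the lockout count is updated and the verify cycle is rerun
 * (assumed here to restart from VerifyUserStart). */
BOOL lass_power_on_verify(const LapExports *lap, LockoutInfo *lock,
                          const char *aeGuid, const char *text, unsigned options)
{
    BOOL ok = FALSE;
    if (!lap->InitLAP || !lap->DeinitLAP || !lap->VerifyUser) return FALSE;
    if (!lap->InitLAP()) return FALSE;
    while (!ok && lock->failedAttempts < lock->maxAttempts) {
        if (lap->VerifyUserStart) lap->VerifyUserStart();
        ok = lap->VerifyUser(aeGuid, text, options);
        if (ok) { if (lap->VerifyUserStop) lap->VerifyUserStop(); }
        else    { lock->failedAttempts++; }
    }
    lap->DeinitLAP();
    return ok;
}
```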


Replacing the Active LAP


It's pretty straightforward, although it requires native code – you can't do this in managed code. The one step that caught me out is the signing step: remember Windows Mobile 5.0 brings a one-tier security model to Pocket PC, and part of that security means a trusted application can't load an untrusted DLL. The LASS components run trusted, so any LAP DLL must be signed with a trusted cert.

Here are the basic steps for creating and registering a custom LAP:



  • Create a C++ DLL that exports at least LAPCreateEnrollmentConfigDialog, VerifyUser, InitLAP and DeinitLAP. Here is about the most basic one I could come up with.
  • Sign it with a cert derived from something that's in the privileged store on the device – the simplest way to do this is to select a cert in the VS2005 signing tab and select 'provision the device'.
  • Deploy the DLL to the Windows directory.
  • Update the registry of the device:
    • Create a new key [HKLM\Comm\Security\LASSD\LAP\<mylap>]
    • Create a string value under that key: dll=<name of LAP dll>.dll
    • Update the default LAP setting [HKLM\Comm\Security\LASSD\LAP] ActiveLap=<mylap>
  • Soft reset the device.

To test it's all working go into Settings and select Password to see the LAP enroller display.

SimpleLAP


Here is the code for a very simple LAP I created for Pocket PC. You will need to have Visual Studio 2005 (standard or above) and the Windows Mobile 5.0 Pocket PC SDK installed.

This C++ project includes a DEF file exporting the required APIs:


LIBRARY     "SimpleLAP"
EXPORTS
      LAPCreateEnrollmentConfigDialog
      VerifyUser
      InitLAP
      DeinitLAP


The implementation of each is very simple:


#include <windows.h>
#include <lass.h>        // LAP export prototypes and the InitLap structure
#include "resource.h"    // IDD_VERIFY_SQUARE / IDD_ENROLE_SQUARE dialog templates

extern HINSTANCE g_hInstance;   // set in DllMain
// Dialog procedures implemented elsewhere in the project
BOOL CALLBACK Verify_DlgProc(HWND, UINT, WPARAM, LPARAM);
BOOL CALLBACK Enrole_DlgProc(HWND, UINT, WPARAM, LPARAM);

// Called once when LASS loads the LAP; nothing to set up here
BOOL InitLAP(InitLap* il)
{
    return TRUE;
}

// Called when LASS unloads the LAP
void DeinitLAP()
{
    return;
}

// Capture and verify the credential. The dialog procedure must end the
// dialog with TRUE on success and FALSE on failure; that value is what
// LASS receives as the verification result.
BOOL VerifyUser(const GUID *AEKey,
                LPCWSTR pwszAEDisplayText,
                HWND   hwndParent,
                DWORD dwOptions,
                PVOID pExtended)
{
    return DialogBoxParam( g_hInstance, MAKEINTRESOURCE(IDD_VERIFY_SQUARE), hwndParent,
                           Verify_DlgProc, (LPARAM)false );
}

// Replacement for the Password control panel applet
BOOL LAPCreateEnrollmentConfigDialog(HWND hwndParent, DWORD dwOptions)
{
    DialogBoxParam( g_hInstance, MAKEINTRESOURCE(IDD_ENROLE_SQUARE), hwndParent,
                    Enrole_DlgProc, (LPARAM)false );
    return true;
}


Two dialogs are displayed: one for enrolment, and one for password validation.


The interesting bits are in the dialog handler routines:


case IDC_ENABLE:  // Enabling the password
{
    // Is a password active? Check with the OS
    if (GetPasswordActive())
    {
        // Password is set, so this is a change: first check the old
        // password is accepted by the system
        if (CheckPassword(OldPwd))
        {
            // Change password values
            if (!SetPassword( OldPwd, NewPwd ))
            { /* … error handling */ }
        }
    }
    else
    {
        // Enable for the first time - set the OS password to the new entry
        if (!SetPassword( NULL, NewPwd ))
        { /* … error handling */ }

        // Now make it active
        if (!SetPasswordActive( TRUE, NewPwd ))
        { /* … error handling */ }

        // Now tell the OS to use the password on power up
        HKEY hkey;
        if (ERROR_SUCCESS == RegCreateKeyEx( HKEY_CURRENT_USER, TEXT("ControlPanel\\Owner"), 0, 0, 0, 0, 0, &hkey, 0 ))
        {
            RegSetValueEx( hkey, TEXT("PowrPass"), 0, REG_BINARY, (CONST BYTE*)"\x01", 1 );
            RegCloseKey( hkey );
        }
    }
}
break;

case IDC_DISSABLE: // Disabling the password
{
    // Check the OLD password is correct
    if (CheckPassword(ItemText))
    {
        // Turn it off
        if (!SetPasswordActive( FALSE, ItemText ))
        { /* … error handling */ }

        // Change the pwd value to null
        if (!SetPassword( ItemText, NULL ))
        { /* … error handling */ }

        // Disable the power-on dialog
        HKEY hkey;
        if (ERROR_SUCCESS == RegCreateKeyEx( HKEY_CURRENT_USER, TEXT("ControlPanel\\Owner"), 0, 0, 0, 0, 0, &hkey, 0 ))
        {
            RegSetValueEx( hkey, TEXT("PowrPass"), 0, REG_BINARY, (CONST BYTE*)"\x00", 1 );
            RegCloseKey( hkey );
        }
    }
    EndDialog( hDlg, 1 );
}
break;


Registering and Enabling a new LAP


I've been working with the emulator to build my LAP modules as it's much easier to hard reset the emulator than a real device when it all goes horribly wrong (which has happened several times!). However, the one thing the emulator is not quick at is a soft reset, which is a complete pain when that's what's needed to update an active LAP.

The good news: there is another way. LASS supports an API, LASSReloadConfig, that causes the registry information to be reloaded and the active LAP to be unloaded, allowing the DLL to be updated. So I also built a test harness to set up the reg key and call the reload API. It's in C# and requires CF 2.0 to be on the device. Grab the project here.


The UI isn't pretty but it gets the job done.

These are the important bits of code:


Three imports are used to interact with LASS:


// Requires: using System.Runtime.InteropServices; (and Microsoft.Win32 for the Registry calls below)
// The LASS entry points live in coredll.dll on the device
[DllImport("coredll.dll")]
private static extern int LASSReloadConfig();

[DllImport("coredll.dll")]
private static extern int VerifyUser(IntPtr AEKey, string DisplayText, IntPtr ParentWindow, int Options, IntPtr Extended);

[DllImport("coredll.dll")]
private static extern int CreateEnrollmentConfigDialog(IntPtr ParentWindow);


Reload just calls the OS API:

private void Reload_Click(object sender, EventArgs e)
{
    bool ok = (0 != LASSReloadConfig());
    MessageBox.Show("Reload " + (ok ? "Succeeded" : "Failed"));
}


Reg Clear sets the active LAP back to the default value (for the emulator) and deletes the key used for the custom LAP.

private void ClearReg_Click(object sender, EventArgs e)
{
    // Clear the info from HKLM\Comm\Security\LASSD\LAP\ActiveLAP
    Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP", "ActiveLAP", "lap_pw");
    Registry.LocalMachine.DeleteSubKey(@"Comm\Security\LASSD\LAP\" + DLLName.Text);
}


Set Reg creates the new LAP sub key and sets the active LAP to point at it.

private void SetReg_Click(object sender, EventArgs e)
{
    Registry.LocalMachine.CreateSubKey(@"Comm\Security\LASSD\LAP\" + DLLName.Text);
    Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP\" + DLLName.Text, "Dll", DLLName.Text + ".dll");
    Registry.SetValue(@"HKEY_LOCAL_MACHINE\comm\Security\LASSD\LAP", "ActiveLAP", DLLName.Text);
}


Verify calls through to LASS and requests validation from the active LAP:

private void CallVerify_Click(object sender, EventArgs e)
{
    VerifyUser(IntPtr.Zero, "Called from tool", this.Handle, 0, IntPtr.Zero);
}


Enrole calls through to the active LAP and shows the enrolment dialog:

private void CallEnrole_Click(object sender, EventArgs e)
{
    CreateEnrollmentConfigDialog(this.Handle);
}


I think that's probably enough for this post. In part 3 we will look at porting the LetMeIn SDK sample from Windows Mobile 2003 to WM5.0.

Marcus


Comments (30)

  1. Edouard Dessioux says:

    Hi,

    I'm trying to migrate an authentication program I did on WinCE 4.2 to WinCE 5.0 and your articles are very helpful. However, I do not fully understand what to do when you say:

    "Sign it with a cert derived from something that’s in privileged store on the device – the simplest way to do this is to select a cert in VS2005 signing tab and select ‘provision the device’"

    I had no certificate, so I built one (using makecert). But how can I derive it from "something that's in privileged store on the device"??? I'm planning to develop on the emulator for the moment, but I'll have to test it under the real Windows Mobile device.

  2. marcpe says:

    Edouard,

    You can't 'make' a cert derived from a root. Using the root you generate a derived signing cert.

    But I don't think that's what you need here. When you install the WM 5.0 SDKs there are a set of SDK certs installed on the desktop and available as device install packages. When using VS2005 you need to select the signing tab of the project properties and select the privileged test cert to sign with. The emulator comes pre-installed with the SDK certs so that should just work on deployment.

    For the device you can install the SDK certs using the CAB or the XML using RapiConfig and then deploy the same code. But this is for testing ONLY.

    When shipping your code you need to switch to a non test cert.

    Marcus

  3. Edouard Dessioux says:

    Sorry, but I still don’t get it.

    When I click on "Select Certificate", I just get a window with no certificate. Then if I try to "Manage Certificates", I get plenty of them, but which one to use????

    I created one delivered to my company, from the root agency, but I don’t seem to be able to use it.

    Do you know where I can get more information on this ? as I searched but didn’t find a good documentation.

    And speaking of your LASS articles, they are great; I managed to port my authentication to 2005 in a day.

  4. Edouard Dessioux says:

    Sorry for my previous question, I got it. I should have installed SDKSamplePrivDeveloper.pfx provided in the SDK just as you said, but I thought it would be installed with the SDK.

    Now I've got the key, I can sign both my dll and the program I use to load LASS.

  5. Edouard Dessioux says:

    I'm sorry to disturb you once more.

    I have a LAP, running correctly on the emulator.

    I use it on a Pocket PC device and the enrollment is working fine. But when I soft-reset the device to test VerifyUser, the verify window is displayed, but the screen doesn't stop flashing. Even once I have entered the password and am seeing the Today screen, the Pocket PC does not stop flashing.

    I seem to have the same behavior on my Pocket PC when I flash your SimpleLAP instead of mine.

    To be precise, I'm using the "TEST USE ONLY – Sample Privileged Root for Windows Mobile SDK" certificate from the Privileged Certificate Store.

    I've seen on the newsgroup that I'm not the only one having an issue with this; have you any idea of what is going on?

  6. krishna prasad says:

    As I understand it, WM5.0 lets users implement their own LAP with their own way of authentication, like biometrics. Do we still need to use a password there? i.e. is it mandatory to do a setPassword()?

  7. Eylake King says:

    Hi,

    Thanks for your article.

    I have a question or a help.

    About introducing AE in your article,

    "For example if the user only needs to enter a password when the device has been unused for a certain period of time."

    How do I implement this example using AE?

    Do I need to implement a user idle event by monitoring the keyboard?

  8. Pradeep says:

    I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.

    Everything works fine. If I do a manual soft reset of my device, the Simple LAP password applet is not coming up and the device hangs and I have to hard reset the device. Please suggest if the Sample LAP program needs to change for this. I am using an I-mate JasJar.

  9. Eylake says:

    Thanks for your article about LASS.

    I have a question about AE.

    In the article, you mention "For example if the user only needs to enter a password when the device has been unused for a certain period of time." when you introduce AE.

    I'd like to know how to implement this function.

    Thanks!

  10. Pradeep says:

    I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.

    Everything works fine. If I do a manual soft reset of my device, the Simple LAP password applet is not coming up and the device hangs and I have to do a hard reset of the device. Please suggest if the Sample LAP program needs to change for this.

  11. loic says:

    Hi !

    I've read your three parts and they helped me understand how authentication for Windows Mobile works. But I'm still wondering about something: where is the password, or the hash of the password, stored on the handheld?

    So where does the function setpasswd apply? I've looked on MSDN but I don't find anything.

    If you have any idea, you’ll be welcome.

    Thanks for your help

  12. bryant says:

    I tried simple Lap program on my device. I used Manipulate LAP tool to reload LAP configuration.

    Everything works fine. If I do a manual soft reset of my device, the Simple LAP password applet is not coming up and the device hangs and I have to do a hard reset of the device. Please suggest if the Sample LAP program needs to change for this.

    If you have any idea, you'll be welcome.

    Thanks for your help

  13. Edouard Dessioux says:

    bryant and Pradeep: according to what you said, I think this could be due to the AKU 2 update.

    Maybe you should try to modify your LAP to include the right exStyle parameters.

    DWORD dwExStyle = GetWindowLong( hDlg, GWL_EXSTYLE );
    dwExStyle |= WS_EX_ABOVESTARTUP;
    SetWindowLong( hDlg, GWL_EXSTYLE, dwExStyle );

    Hope this helps; it worked for me.

    Edouard Dessioux.

  14. stan says:

    Please, can you advise me in which registry key and file the WiFi MAC address is located?

    thanks

  15. Choo says:

    Hi all,

    I managed to follow the guide to create a custom LAP. On power off/on my LAP dialog is displayed to prompt the user for a password.

    However, if I do a soft reset, my LAP dialog is not displayed and the PDA screen hangs with a "Password" toolbar at the top.

    Does anyone have any clue? I appreciate any help. Thanks, thanks.

  16. choo says:

    I am facing the same problem as Bryant. After a soft reset my LAP dialog is not displayed and the PDA hangs. Does anyone have any idea? Thanks.

  17. Riaan Kruger says:

    I am not getting the menubar (the one at the bottom) or SIP to show with the password validation dialog.

    Am I missing something?

  18. John says:

    I am trying to get existing applications like IE to be launched only after being authenticated by the password. How do I get the existing apps like IE to show the password dialog before launching?

  19. Gabriel says:

    Hi,

    Sorry to disturb you all, I am quite new to CE device programming.

    I want to implement a custom LAP on my Windows CE 5.0 based mobile device.

    I know this sample is for Windows Mobile, but the manufacturer of my device said it supports LASS (though they are not sure on this).

    I removed some API calls for WM and compiled a dll.

    I followed the instructions and also the comments above to sign the dll and change the registry.

    However, when I use the RefreshSecurity program to change security and press the Validate User button, there is no response.

    (But when I change the LAP to the default lap_pw, the validate dialog can pop up when I press the button.)

    Therefore, I want to ask:

    – How can I know if my device (CE 5.0) supports LASS or not?

    – How to change the sample from WM specific to Windows CE compatible?

    Thanks for your kind help.

  20. John Wang says:

    Where can I find a sample example for creating a custom LAP in Windows Mobile 5 Pocket PC as well as Windows Mobile 5 Smart Phone?

    The sample I got from Marcus Perryman's WebLog does not seem to work on my HP hx6960 WM5 Smart Phone which is using the AKU2 (MSFP) OS build of WM5.

    I wanted the LAP to load every time I power on / off the PDA; it works for my Pocket PC which is using an older OS build of WM5, however when it comes to Smart Phone it fails to load.

    I wonder if the cause is due to the different OS builds or due to the differences in Pocket PC and Smart Phone platform.

  21. green says:

    Hello.

    I wrote a custom LAP on Windows Mobile 5.0 PPC as you said.

    The name of my device is Dopod D600.

    My custom LAP is working well on the emulator.

    On the device, the enrollment dialog is displayed, but the verify dialog is not displayed after soft reset.

    So I checked the parameters of the verifyuser(LAP) function, and found out the dwOption parameter was always VU_NO_UI on the device, unlike the emulator.

    Because of this problem, I have spent a lot of time.

    I can't find this solution anywhere.

    Please help me!!!

    Regards.

  23. green says:

    Hello.

    I wrote a custom LAP on Windows Mobile 5.0 PPC.

    My device is Dopod D600 and the platform is Windows Mobile 5.0 with AKU 3.2.

    My custom LAP is working well on the emulator.

    On the device, the enrollment dialog is displayed.

    And the verify dialog is displayed only when an application calls verifyuser(LASS), but not displayed at the time of power on/off and soft reset.

    At the time of power on/off and soft reset, I checked the parameters of the verifyuser(LAP) function.

    dwOption was VU_NO_UI and hWndParent was -1 (invalid window) on the device, unlike the emulator, so creation of the verify dialog failed.

    I guess that this problem would perhaps be due to the version of AKU.

    I want to know the possibility of a custom LAP on WM 5.0 with AKU 3.x.

    Thanks in advance.

    Regards.

  24. Bhanu Rekha says:

    Hi All,

    I have a WinCE image on a GumStix platform where I am trying to add a customized LAP.

    I have built the dll from the SimpleLAP sample and added signing to it. I copied the dll to the Windows folder but after reset the Windows folder is not persistent, so I copied the dll to the storage card and added a registry entry under Init so that after booting the dll from the storage card will be copied to Windows. I also added the key 'mylap' under LAP and the value I have given for this key is SimpleLAP.dll. Under LAP I added the string 'ActiveLap' and the value for it is 'mylap'. After doing the above steps I reset the device and observed nothing on the screen.

    Here my questions are:

    1) The registry entry under HKLM\Init copies the dll once the explorer and autolaunch are loaded. Is there any chance that this might be causing the problem?

    2) Do we need to add any AE for customizing the LAP?

    3) After reset, do the LAP screens come up on the screen automatically (or) do we need to go to Settings\Password and enable password protection there?

    Can anyone help me in providing the answers for these questions quickly?

    Thanks in advance.

    bhanurekha.

  25. Kin says:

    Hi,

    I managed to follow the guide to create a custom LAP. I tried the Simple LAP application on my device. I used the Manipulate LAP tool to reload the LAP configuration. Everything works fine.

    However, if I do a soft reset on the device, the Simple LAP application is not coming up. The device acts like it is hung.

    Here is the device that I am using:

    Microflex 2240 device with Windows Mobile version 5.0 OS 5.1.195 (build 14955.2.3.0).

    Can anyone help me? I appreciate any help.

    Thank you in advance.

    Kin

  26. I handled a couple of cases related to this and therefore I think it’s worth mentioning it here, to help

  27. Joe says:

    Is there a way to query the OS to see if the password type is simple 4 digit or strong alphanumeric?  If not, is there a registry key to check for the current password type?

  28. Rao says:

    I am not able to download the simpleLap.zip. Can you please rectify this problem? Thanks.

  29. Jan Gerza says:

    Hello Marcus.

    I was wondering how I can use this LAP. Your article was good and told me a lot about this technology. But I still don't really know how I can put my application on my device using LAP. I have an application based on "Picture image selection". I wrote it simply as a Windows Mobile form application to easily verify code etc. Now I am done, but I don't know how to actually fit my application on the PDA. Can you please give me any idea or clue to help me with my problem? You can write your answer here or, if you're interested in this authentication method, you can write to me at jan.gerza@gmail.com. Regards, Jan.

  30. Jan Gerza says:

    Is it possible to write a LAP in C# code? I have got my whole application in C# and I don't think that rewriting it in C++ is the ideal way.
