Windows XP/VISTA/7
How might it be possible to run an application during the logoff procedure of a user, after explorer.exe terminates?
The purpose is to block shutdown but with an application that runs after explorer has terminated.
It is of course possible to temporararily block shutdown in vista with ShutdownBlockReasonCreate, or to cancel it in XP via WM_QUERYENDSESSION. However both of those methods occur during the user session before Explorer terminates. The question is how to get an app to run after explorer terminates AND to block shutdown.
This is not possible from a service because in VISTA/7 if the user has selected Shutdown/Restart, the service seems to have no way to block shutdown after the user has been logged-off. (The kernel seems to terminate the service and the service itself cannot block shutdown like a user app can ?)
How and when exactly does WinLogon terminate explorer.exe? It seems that it waits until all/any other applications have terminated and have ceased blocking shutdown, then it terminates explorer?
Does WinLogon wait for explorer.exe to close before it will finally close the desktop / session?
I have considered, for example attempting to hook NTDLL for the APIs that terminate a process and intercept the termination of explorer but it is unclear how or why Winlogon would then wait rather than continue the shutdown.
The purpose of all this is to find a way to run an executable during Vista/7 shutdown, which is able to block shutdown for as long as it pleases, only AFTER explorer has exited and all files and resources have been released by explorer and all other apps running as that user.
In XP this is possible by simply cancelling the shutdown in WM_QUERYENDSESSION then re-issuing ExitWindowsEx (LOGOFF) then doing the tasks in a system service. It however leaves the user at a logon screen with no progress indication.
If it was possible to inject a process after explorer terminated, the process would be able (in my theory) to show UI on the same user's desktop and effectively act as a second-time-around custom shell during the logoff procedure.
It is believed/suspected that Windows performs something similar when it installs updates during shutdown (but this behaviour has not been noted on Vista so far)
In summary there seems to be no obvious way in Vista to block shutdown after explorer closes during a user's logout?