Tag: activex

Explaining the real time device detector Access demo database

In this post, we’ll examine and explain how the Access application that demonstrates a possible, real life use case, of the device detection feature of the AxDeviceDetector ActiveX server.

See the downloads section below to download a copy of the database.

Scenario

We want to allow, let’s say, restaurant waiters or employees, to register their shifts by typing in their password, clicking a (start or end) button, and then plugging a USB key into the computer, to confirm they are who they say to be. This is an instance of a multi factor authentication, or MFA, system.

The DeviceDetectorAuthDemo.accdb demo database is essentially a finite state machine implementation.

Using USB device for multifactor authentication demo

States and transitions

The frmMain form can be in one of these 4 states:

  1. Select employee
  2. Enter password
  3. Wait for action
  4. Wait for device detection

It’s a cycle, when the wait for the device detection ends, we return on the first state (Select employee).

There is a constant definition for each of these states:

When placed in one of these states, the form needs to update its UI, so only the next possible state(s) can be triggered. This is done in the EnableStepControls() method. This method also updates the UI to show in which state number it is, by moving a green square (it’s a label control) under the correct state number label.

State transition triggers

There are two classes of events that provoke the transition between these states:

  • UI elements actions

    • Double-click on the employee listbox
    • Button clicks
  • Timer event

Each event code that provokes a state transition has the responsibility to do so only if the UI holds valid values for every possible event parameters. In this simple demo, cmdOK_Click() is a good example:

To change state, DisableCurrentStep() and ActivateStep() are called in sequence.
DisableCurrentStep() executes whatever code is needed, before the state transition occurs:

ActivateStep() executes whatever code needed, before the new state is reached:

By design, there is a parameter for the transition to state 4 (Wait for device detection): the action code, which is one of these possible values defined as constants:

This way, when the device arrival/removal event sent by the AxDeviceDetector ActiveX server arrives, we know what action to take. The action code is stored in the miAction form scoped variable. Here an example, in the code executed when we click on the cmdRegisterDevice() button:

In the moDetector_OnDeviceArrival() there is a “Select Case miAction” statement that can now execute the correct action and transition back to step (ie state) #1 (select employee).

A class of state transitions is missing

Guessed which one ? – If not, then try to select another employee while you’re in state #3. You can’t.

There are at least two “cancel” actions that are missing:

  • A “cancel” button is missing, along the “OK” button
  • Another “cancel” button is missing if we want to cancel the wait for the device arrival.

Both of the action could for instance simply return us to state #1. I’ll let that for you.

About hashing

To link the USB device to an Employee, we generate a simple hash with the password, the device product id and the device serial number. That is discriminating enough to make it reasonably difficult to reverse engineer:

I’ve used here one of the first MD5 functions for VBA I googled for. You can replace that with a SHA256 to make it stronger, and add your additional parameters to generate the hash.

You should however avoid displaying and/or logging too much information, as I do for the sake of the demo, like the device product id, in a production application.

Avoiding blocking UI while handling ActiveX server events

We should avoid displaying any blocking UI elements like message boxes, input boxes or modal dialog boxes. This would prevent the server from notifying us of further events while those UI elements block the application’s VBA thread. The ActiveX server itself runs on another process/thread, so it will not block or crash. It has room for buffering 50 messages, that’s its event queue default size. When the server event queue becomes full, it’s emptied and the cleared events are lost.

About the Employee table

  • We have to store the device serial number (field AuthDeviceSerial), if we want to avoid registering an already registered device to another user;
  • The EventLog table is just here for the demo. You may want to (re)use your own logging system.
  • You should of course split your database, ie do not keep the data tables in the same database as the application, but rather link them.

That’s it !

Downloads

All the material including the DeviceDetectorAuthDemo.accdb database, is available in my AxDeviceDetector github project

 

Credits: Post photo by Kentaro Toma on Unsplash

Explaining how to detect device arrival/removal in an ActiveX server in real time

We’ve seen know how to get some useful information (like vendor ID and serial number) from attached Windows devices, using a C DLL. Interfacing the DLL with Visual Basic, was then just a matter of declaring the DLL functions in a standard module. With some more basic wrapping, we’ve obtained a simple API function and a data structure, to query for device information in Access.

Reacting to real time device arrival/removal notifications in VB/A

Getting notified in real time (well, as near as that as we can get, at least), when a USB device is plugged or unplugged from the system is the next step. This will allow us later to do things like build an Access application that can use a USB device as a multifactor authentication device (MFA).

Receiving notifications about device arrival or removal in windows is achieved by registering for that, via the RegisterDeviceNotification() Win32 API function. By then listening for the WM_DEVICECHANGE windows message, we can react accordingly.

Subclassing

VB/A cannot listen for windows messages on its own. We have to use a “subclassing” technique, where we redirect all the messages Windows sends to a VB Form (which itself is a window), to a custom routine. I use a subclassing technique derived from “Sensei” Bruce McKinney’s “Hardcore VB 5” book (free link), where we end up responding to the Windows messages we choose by implementing an ISubclass interface, in a Visual Basic Form. Here’s the snippet in frmMain that handles what we need:

Building an out-of-process ActiveX exe server

An ActiveX out-of-process server written in (classic) Visual Basic, is an independent 32 bits executable that serves objects running on their own threads, in an external process. In VBA hosts like Access or Excel, the Visual Basic code runs in a single thread of execution, so it cannot handle simultaneously the tasks of continuously responding to Windows messages and running the VBA application. I already explained why it would be a bad idea to use subclassing techniques in a VBA host application, talking about how to detect Windows session lock/unlock in VBA.

Object classes that are exposed by an ActiveX OOP server have the additional advantage of being accessible in 32 and 64 bits VBA hosts, thanks to (automatic) COM inter process communication marshalling.

I’ve used this technique in the three ActiveX servers I’m presenting on this series on my blog:

  • AxSessionLockDetector

    • Provides classes and events to detect and react when a user locks or unlocks his/her Windows session.
  • AxDeviceDetector

    • Provides classes and events to detect then there’s a device (or media) arrival or removal from the system (The one we’re discussing here).
  • AxHttpSrv

    • Provides classes and events to implement an HTTP web server in Microsoft Access.
    • Although this is the last one of this series, it is the oldest (I wrote it back in 2011), and it served as a base template for the two others.

However, when writing the ActiveX server we’re discussing here, I ran into a quite unexpected problem.

While trying to raise events or invoking OLE callbacks to notify the host for events, automation errors where popping up, instead of raising events (or executing OLE callbacks), basically rendering the solution useless. The first actionable information I found about that by googling around is in this KB article, located in a quite interesting github repository (it’s a static repository of Microsoft knowledge base articles).

A nice workaround consists in queuing the Windows messages we receive in the function implementing the ISubclass interface, and notifying them a bit later, using a timer to pop them back from the queue.

So, I quickly added a fixed size queue, stored in a circular memory array, specializing the CQueue class I presented in an earlier article where I was illustrating how a circular queue implementation works.

Strangely, I did not have to use this queue/timer technique for the two other ActiveX EXE server, but, alas, I can’t explain why is the difference between all of them.

Events or OLE callbacks ?

For an ActiveX server (or DLL for that matter), we can use two techniques to notify an object instance owner:

  • Events

    • Technically, they’re disguised OLE callbacks. You first declare the event in a class definition module, then raise the event with the RaiseEvent VB keyword;
  • OLE Callbacks

    • The client process has to give a reference to an (untyped) Object, to the ActiveX server class, that will keep a reference on it.
    • The ActiveX server class then tries a late bound call on a specific method name on the object reference, that’s the late bound call or OLE callback.
    • One key difference with raising events is that you control the callback sequence in the ActiveX server, when you chain multiple OLE callbacks; when you raise events, you can’t control in what sequence the client receives them.

The DeviceDetector class in the AxDeviceDetector ActiveX server allows for both methods to be used. For each of the two methods, you also have the option of passing parameters to the event procedures or OLE callbacks or not. If not, then the client can call methods on the class to get them. This is commented in the class source code:

 

Then

You should see a schema illustrating a bit more nicely how this ActiveX Server works, as the image of this post.
Head to the github repository to download all the related material.

In the next post, we’ll see a real life possible use case for this ActiveX server.
I’ll explain the Access Demo application that you can see here in the mean time:

Using USB device for multifactor authentication demo

Downloads

Browse the source code for more specific comments and explanations.

How to detect windows session lock/unlock in VBA

There are (at least) 3 solutions to detect when a user locks his/her workstation on Windows and react on the event.

  • A light and efficient solution using Classic Visual Basic (here VB5).
  • A very bad solution in VBA, which involves subclassing and using the Windows API directly.
  • An hybrid solution for an Access (VBA) application, which uses an out of process 32bits ActiveX EXE server written in Classic Visual Basic (VB5), that’ll work with 32 and 64bits VBA versions.

I’m trying not to use C (or any other language/tool) to write a DLL, although that would be also easily possible.

The windows API function that allows us to be notified when a user session is locked or unlocked (among other notifications) is the WTSRegisterSessionNotification() function.

Solution 1: The Classic Visual Basic 5 solution

We generate a simple 32bits standalone EXE application:

Get the binaries:

SessionLockDetector.exe (13.5 K, MD5: 57f23cb31c6f9ccd2a35c52384b90ff5)
If you need the VB5 runtime DLL (should already be present on XP up), download it here, unzip it and drop it in the same directory as the SessionLockDetector.EXE (.zip MD5: 7f32b01c04b0208ac917d7e266eb6709, extracted .dll MD5: eac679185ad621eeace9b6b286372f27).

Get the source code: SessionLockDetector (standalone) Visual Basic 5 project.

This task in quite easy in VB5 and it is also nicely stable. We just have to subclass the Form to be able to receive and handle the windows messages sent by the system.

Solution 2: The (very) bad solution

You might be tempted, as I did, to simply jump into a new Access database and apply the same technique. Just add the standard and class modules from the vb5 project, and subclass an Access Form like we did for the VB5 Form.

But Access is a different beast than vb5.

Subclassing the Form (in VBA) will make Access quite irresponsive at some point, because the subclassed form will throw a lot of messages in the WindowProc hooked into the (single threaded) VBA interpreter. Access will enter an almost unbreakable loop trying to keep up handling the event cascade while also trying to do its own work (you will see the VBA IDE window title bar endlessly update its text, if you try to run the sample database; but don’t do it please, take my word for it). At this point, even Windows itself (the desktop explorer process) will become frighteningly irresponsive. So take at look at this database code if you’re curious, but, once again, DO NOT EXECUTE / OPEN the “frmMain” form it contains (open in design mode only, don’t double-click it).

You’ve been warned. Download the very bad database that you shouldn’t open, at your own risk.

Solution 3: The hybrid solution

This is where we build an ActiveX EXE server with the same VB5 code that we used in the first solution, but we wrap the functionality inside an automation class. This will be the “LockUnlockDetector” class (which fully qualified with the name of the ActiveX server is “SessionLockDetector.LockUnlockDetector”), that will throw just two events, one for when the session was locked (OnSessionLock), and the other when it unlocks (OnSessionUnlock).

Building the VB5 ActiveX EXE server

Here’s the code of the LockUnlockDetector class module (VB5, 32bits):

By the way, according to the coding guidelines published here, we’re creating a class which will be made available outside of the VB project (that’s the goal), so we do not use any prefix before the class name (no “C” preceding the name).

To create an ActiveX EXE server, we set the properties of the project like that:

Now every object instance of class LockUnlockDetector will run in its own thread, and as this thread is in the EXE, it runs in the background and isolates the host (Access) from any problem occurring in the EXE.

Best of all, even if the EXE is 32bits, thanks to the beautiful architecture of COM (ie. ActiveX), cross platform calls are transparently marshalled and a 64bits Access VBA host can also use these 32bits automation classes.

The only disadvantage of this solution, is that we have to register the EXE server on the target machine.
In order to do that, we open an console window in administrator mode, navigate to the directory where the compiled EXE server is, and run it. This will silently write the required windows registry entries, and we’ll see the automation server appear in the Project References dialog of the VBA IDE in Access.

To use the detector class in Access, we then add the reference to our project:

Then we create a form (named frmMain here), and we just need this code:

Then we can respond to Lock/Unlock events as we wish:

In the provided sample Access database I added an history table to store the events, that’s what the AddHistoryRecord function does:

Downloads

AxSessionLockDetector.EXE – ActiveX EXE server binary (if you’re missing MSVBVM50.dll see the above download link in solution 1).
SessionLockDetector – VB5 ActiveX EXE server project and source code.
SessionLockDetector.accdb sample database using the EXE server (remember to register the SessionLockDetector ActiveX server (AxSessionLockDetector.exe) binary by running it once with administrator privileges).

Then

  • You can extend the functionality of the ActiveX EXE server to be notified for other events supported by the WTSRegisterSessionNotification windows API, and raise appropriate events. You can write a windows service that directly uses the server or transform solution 1 to be a windows service.
  • You can also modify solution 1 to be notified for other supported events and take any action you need, like running a batch file.
  • You can use the hybrid solution in your Access projects to be able to do smart things like freeing database or resource locks once a user locks its workstation.

MIT Licence

Copyright © 2019, Francesco Foti, devinfo.net.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. The Software is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders (Francesco Foti) be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the Software. Except as contained in this notice, the name of Francesco Foti or devinfo.net shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from Francesco Foti.