SetWindowDisplayAffinity bad usecase

Question

Hey,

We have a classroom of exam computers that are monitored by the class admin through a remote feed that uses the Windows API to take screenshots at specified intervals. Some students have found that if they execute an app with SetWindowDisplayAffinity(logo_hwnd, WDA_EXCLUDEFROMCAPTURE), it will be invisible to any monitoring tool except physical cameras, thus allowing them to cheat, which is bad. Can a computer administrator execute some command to disable this function? Maybe there is methods to take a screenshot ignoring this setting.

Sincerely, Marius

Answer 1

Another option that will require some programming to accomplish --

A per-user service can be installed that starts automatically at user sign-on and periodically checks top-level windows with the GetWindowDisplayAffinity function. Advantages of per-user services are that non-administrators cannot stop a service and service restart options can be used to automatically restart the service if the user kills its process. If the service detects a window for which WDA_EXCLUDEFROMCAPTURE or WDA_MONITOR has been set then the service can terminate the related process and perform logging and/or notification actions.

Answer 2

Entering the facility before closing and hiding in the premises until after closing.

Answer 3

A way is to inject code into the remote process and call SetWindowDisplayAffinity with WDA_NONE

I tested on Windows10 22H2 with a WH_GETMESSAGE hook (global hook with a DLL, J. Richter method by posting to the window a (WM_USER + x) message to call SetWindowDisplayAffinity)

I don't know if this still works on Windows 11...

(should be doable without DLL with CreateRemoteThread, but more complex)

Answer 4

Hello @Marius Ukt,

It's better to apply an Application Whitelist Policy in Windows instead of breaking the API. See Administer Software Restriction Policies or search guides on Internet.

Thank you.