How to take a screenshot of Windows 10 logon screen

このサイトを検索 | Search this site
,Japan

I've found a way to take a screenshot of the logon screen (password entry screen) before logging in to Windows 10, so I'll share the steps I've taken.

When the Windows 10 logon screen is displayed, it is not possible to take screenshots because execution of arbitrary applications and use of keyboard shortcuts are restricted.

I think that the behavior is a security measure to prevent taking screenshots after entering the password.

After investigating, I found a way to launch an arbitrary program when I click the "Easy operation icon of computer" displayed at the bottom right of the logon screen.

The easy operation icon of the computer is the icon surrounded by the red frame of the first image displayed at the lower right of the logon screen.

Using that method, I succeeded in launching IrfanView while the logon screen was displayed and taking a screenshot.

The following is the logon screen shot with IrfaView.

snapshot-signin_admin

I ran the information from multiple sites explaining how to use the time difference capture of the Snipping Tool that comes with Windows 10, but it didn't work in my environment.

Verification version
Windows 10 Pro May 2019 Update, v1903.18362.239

This article describes the procedure to change the value of the registry so that IrfanView can be started in capture mode when you click the easy operation icon (utilman.exe) of the computer in the lower right of the logon screen.

Use the following Windows tools.
  1. Registry editor
  2. Windows Defender

Instead of IrfanView, a program with a screen capture function such as Snipping Tool may be effective.

This information is useful for anyone who needs a clear screenshot image of their logon screen.


New creation of utilman.exe and Debugger

Change the registry value so that IrfanView can be started in capture mode when you click the "Easy computer operation" icon.

Registry operations are at your own risk
Before working with Registry Editor
Make a backup copy of your registry in case something goes wrong.

1. Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Launch Registry Editor and locate the registry subkey [Image File Execution Options].
2.utilman.exe
Display the right-click menu of Image File Execution Options and create a new key [utilman.exe].

reg_ImageFileExeutionOptions


When you go to New> key, a subkey [new key #1] will be created at the bottom of Image File Execution Options, so rename it to [utilman.exe].
  1. Image File Execution Options> New> Key
  2. Rename [new key #1] to utilman.exe
3. New> String value
Display the right-click menu in the right pane of utilman.exe and create a new string value.

utilman.exe> New> String value

New_string value

  1. Show right-click menu in right pane of utilman.exe
  2. New> transition to a string value
  3. Rename [New Value #1] to [Debugger]
4. Debugger
  1. Double click Debugger to display "Edit String"
  2. Describe the full path and arguments of the IrfanView executable file in the value data

6 = start in capture mode
C:\...\IrfanView\i_view64.exe /capture=6

Debugger_i_view64exe

*If you are interested in the launch option of IrfanView, please read the related article at the end of the sentence.
5. IrfanView
Screenshot of IrfanView Display the detailed setting screen and set the following.

Activate IrfanView and press C on the keyboard to launch the advanced screenshot settings.
  • All areas displayed on all screens
  • Display the acquired image data in the main window
  • Take with hotkey Ctrl+F11

CaptureSetup

Windows Defender

With the settings in the previous section, clicking the utilman.exe icon on the logon screen starts IrfanView, but at that time, Windows Defender attached to Windows 10 judges the operation as "threat" and immediately terminates IrfaView.

At the same time, the newly created registry key [utilman.exe] is also deleted.

Protection history
Status: Quarantined
The quarantined files are in a restricted location so that they don't cause problems on the device. These will be deleted automatically.
Detected threat: Behavior:Win32/AccessibilityEscalation.O
Warning level: Critical
Category: Suspicious behavior
Details: This program is dangerous and executes commands from an attacker.

To work around this issue, stop Windows Defender real-time protection only when you take a screenshot of the logon screen.

Settings> Update & Security> Windows Security: Open Windows Security
Windows Security> Virus and threat protection: Manage settings

WD-Management of settings

Turn off real-time protection.

realtime-off

Now you're ready to take a screenshot of the logon screen.

Afterword

Here's how to take a screenshot of the logon screen.

  1. Press Win + L on the keyboard to move to the lock screen
  2. Release the lock screen by clicking the mouse
  3. Since the screen changes to the lock screen, click the utilman.exe icon.
  4. IrfanView starts in capture mode
  5. Press Ctrl + F11 to capture the logon screen
  6. Login to Window
  7. Check IrfanView


For reference, the delay setting screen of Snipping Tool is posted.

snippingtool-delay

In an environment where Winodws Defender is disabled by default, the utilman.exe registry settings seem to work fine.

Validation: Windows 10 Pro May 2019 Update, v1903.18362.239
SC2
Windowsランキング 将棋ランキング スマホ・携帯ランキング にほんブログ村 IT技術ブログ ライフハックへ にほんブログ村 その他趣味ブログ 将棋へ

このサイトを検索 | Search this site