Do not build deskflow legacy

[sithlord48]

Do not build deskflow-legacy
removes ToolApp ToolArgs and has CoreTool call the items direct.

Needs extra testing on windows to make sure getActiveDesktop is working correctly.

[nbolton]

Tested on Windows.

non_win_legacy_skip

	Server	Client
Elevated process focused	✔️	✔️
At lock screen	✔️	✔️
At login screen	❌	✔️

master

	Server	Client
Elevated process focused	✔️	✔️
At lock screen	✔️	✔️
At login screen	❌	✔️

Well, those are interesting results. It seems that Microsoft now blocks us the server process from capturing input at the login screen. Tested both on this PR, in master, and went way back to Synergy v1.14... same result.

I suppose this is likely a security feature to protect the user against keyloggers. IIRC that worked in Windows 7 (though that's a long time ago now), but perhaps the ability to do this went away in Windows 10.

I was sure that calling session.getActiveDesktopName() from the SYSTEM user session would cause issues, but not so.

Since this doesn't change any behavior, I'm calling it good.

[nbolton]

shymega self-requested a review 17 hours ago

@shymega Did you want to add a review? :)

[shymega]

Think I selected the wrong PR.

BTW, Parsec has a similar issue with logon screens. Their installer MSI gives you two options:

• Install as user.
• Install as machine service.

It's the same problem as we have over in Input Leap/Barrier with Linux, which are:

• Configurations. Do we share the configs between the user and display manager (insert Windows-specific term here), or duplicate them?
• Are we protected against malware and malicious activity in the Logon screen with this approach?
• Can we trust the connected clients and/or server?

There's probably some more food for thought here. But ultimately, yes, it has changed since Windows 7.

[nbolton]

BTW, Parsec has a similar issue with logon screens. Their installer MSI gives you two options:

• Install as user.
• Install as machine service.

Good to know. That might be good for us to add but for other reasons. We only install as system and the daemon process Windows service runs as the system user.

It's the same problem as we have over in Input Leap/Barrier with Linux, which are:

• Configurations. Do we share the configs between the user and display manager (insert Windows-specific term here), or duplicate them?

Yes, this is a problem faced in Deskflow/Synergy too. If you have a central system config, then you'd have to prompt for password every time you want to apply it. If you save the config in user dir, then which user's config should be used? If duplicating it, what if it gets out of sync? It's a problem.

• Are we protected against malware and malicious activity in the Logon screen with this approach?

Since Windows 10 doesn't let you capture input any more at login, this makes it impossible for a bad actor to abuse Deskflow/Synergy to that end. However, a bad actor could hypothetically exploit some network bug to prevent a user from logging in with some sort of DoS attack. That's why I'm really keen to fix #7806.

• Can we trust the connected clients and/or server?

The fingerprint is the point of trust, which isn't very strong. Client-side certificate verification would help with this, also something that #7806 would fix, IIRC.

There's probably some more food for thought here. But ultimately, yes, it has changed since Windows 7.

I spoke with Synergy QA, and apparently, it did work in Windows 10 at some point, but I think Microsoft must have "fixed" that as a security vulnerability within the last 1-2 years.