Lars007
asked on
Windows 7 custom WinLogon\Shell Registry question
Hello,
I am trying to lock down a Windows 7 machine (kiosk-type, for security reasons) and as a step to accomplish this, I have written a simple C# app to use instead of explorer.exe. The app is called posshell.exe.
To explain the issue, the easiest is to show the steps I have taken:
1) Login as user with admin rights
2) Using RegEdit, change the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe"
3) Log off
4) Log back in with same user. It now uses the posshell.exe as the shell, as expected.
5) Run RegEdit and look at value for key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell". Strangely enough, it is back to "explorer.exe", but it is still using posshell.exe as the shell.
6) Now I want to revert back to explorer.exe, but how do I do that when the shell is already set to explorer.exe (but is not used)?
I have searched the entire registry for posshell.exe, and that string does not exist. I have tried rebooting and logging back in, but it still uses my custom shell. I have done a registry dump of right after I changed the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe" and then another dump of right after I logged out and then logged back in. There are a bizzillion changes (apparently performed by Windows when first launching my .NET app as a shell).
How can it be using my custom shell when it does not exist in the registry?? How can I revert back?
Thanks,
Lars
Ps. This is a fresh install of Windows 7 (64), no active directory, just local users.
ASKER
Thanks but the key in question is under HKEY_LOCAL_MACHINE, so it is not user-specific (=I don't believe it has anything to do with the user profile). Nevertheless, I still tried deleting the profile (and it did not help).
Suggestions welcome...
Check the System.ini in the C:\windows dir......
ASKER
Johnb6767,
I tried adding a "shell" key under HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the value "explorer.exe". The effect is that it launched the file explorer (without a desktop). However, this might solve my issue - I could just let the HKEY_LOCAL_MACHINE alone and only create the above key for the restricted user (the only issue is that you have to login as the restricted user in order to create this key).
But I still want to know the answer to my original question, since there must be something very fundamental I am missing about this and I want to understand it: If my custom shell does not exist anywhere in the registry, how can it still use it? And how would I ever revert back if I set the shell under HKEY_LOCAL_MACHINE (since it by itself "reverts back" the value of the shell key to "explorer.exe", but still uses the custom shell)?
Thanks,
Lars
Think our posts crossed....
ASKER
Johnb6767,
Nope, no ini files have been modified for years (but your suggestion brought back memories from the good old days...)
I have seen those modified in recent years, mainly from infections, but I believe that it is still a valid place to load a different shell...
Process Monitor
http://live.sysinternals.com/procmon.exe
Options>Enable Boot Logging>Reboot, and once logged on, launch it again and compile the logs.
Then hopefully you can see where it is loaded, and by what process.... (long shot).....
ASKER
I enabled boot logging with procmon.exe, but after that the computer blue screens with "BAD_POOL_CALLER" on boot.
However, I did some more testing:
First off, this is a VM, so I have been rolling back to a default state whenever needed during this testing. So I reverted back to default again, then I ran the posshell.exe application manually once, to make sure any .NET specific registry changes, etc. that apparently take place when you run a .NET app for the first time on a machine get done. Then I repeated the test of making posshell.exe the Shell under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, and this time it behaved as it should! After re-logging in, the custom shell took effect and when I checked the key with RegEdit, it still had the custom shell (it had not reverted back to a phantom explorer.exe). I changed it back to explorer.exe, and re-logged in, and the regular shell was back.
I am not sure if the issue with running a .NET app as a shell without having run a .NET app on the machine before is a bug, or what is going on with it, but I am not going to spend more time on it. Problem solved.
Thanks.
ASKER
Not exactly the answer to my question, but gave me a better way to solve the problem.
Glad I could nudge ya..... :)
Log on to the computer as a different user (must be member of local administrator group) and delete the profile of the user you tested with.
r-click Computer>Properties>Advanc
choose the profile you were testing with and then delete.
reboot (may not be necessary) - login as the test user.
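A check for the Winlogon "Shell" values discussed in this thread, as an added example that is not part of any post: it reads the per-user value and both registry views of the machine-wide value and warns when the shell that will be used differs from the expected one. It assumes 64-bit Windows (as in the question), where 32-bit tools see a separate copy of this HKLM key, and the in-box `reg.exe` with its `/reg:32` and `/reg:64` switches; `$Expected` and the function name `Get-ShellValue` are chosen for illustration.

```powershell
# Added example: report every Winlogon "Shell" value that can apply at logon.
# Assumes 64-bit Windows and the in-box reg.exe; run as the user being checked.
$SubKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Expected = 'explorer.exe'   # assumption: stock shell; on a kiosk, put the kiosk shell path here

function Get-ShellValue {
    param([string]$Hive, [string]$View)   # $View is 64 or 32 (registry view)
    $out = & reg.exe query "$Hive\$SubKey" /v Shell "/reg:$View" 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }          # key or value not present
    foreach ($line in $out) {
        # reg.exe prints: "    Shell    REG_SZ    <data>"
        if ($line -match '^\s*Shell\s+REG_(EXPAND_)?SZ\s+(.*)$') {
            return $Matches[2].Trim()
        }
    }
    return $null
}

$hkcu   = Get-ShellValue 'HKCU' 64   # per-user value, as created in the thread
$hklm64 = Get-ShellValue 'HKLM' 64   # view read by the 64-bit logon processes
$hklm32 = Get-ShellValue 'HKLM' 32   # view shown to 32-bit tools (WOW64 copy)

# In the thread, a per-user value took effect for that user; treat it as the
# one in force when it exists, otherwise fall back to the machine-wide value.
$effective = if ($hkcu) { $hkcu } else { $hklm64 }

"HKCU Shell          : $hkcu"
"HKLM Shell (64-bit) : $hklm64"
"HKLM Shell (32-bit) : $hklm32"
"Shell in force      : $effective"

if ($effective -ne $Expected) {
    Write-Warning "Shell in force is '$effective', expected '$Expected'."
}
if ($hklm64 -ne $hklm32) {
    Write-Warning "HKLM views differ: 32-bit tools show '$hklm32', logon reads '$hklm64'."
}
```

Run it once per account, since the HKCU value belongs to whichever user is logged on when the script runs.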