Windows Logon - Shell

    Here is what I am trying to do....I want a Win-XP computer to log-in automatically, and our software to start-up after getting into Windows.  The user should not have any access to the Desktop, Windows Explorer, etc, only our customized software that is running. If the user exits our application, only a blank screen should be visible in the desktop.... I think I know how to achieve this, and someone can correct me if I am wrong.  In regedit, create a new string value called 'Shell' and for the 'Value data' field, enter the path of the software that needs to be run upon startup and also setup auto-login capability in control panel.

My real question here is, what if an Administrator (such as myself) needs to login (or access) Windows to update software, modify settings, etc....If the system is setup to auto-login and the capability to get to Desktop, etc is disabled, how then does an Admin login into Windows?

Thanks for your help.  
Who is Participating?
Login as the user you want to lock down. Go to HKE_ Current_User\Software\Microsoft\Windows NT\Current Version\Winlogon

Change the shell entry from explorer.exe to your application.

If the computer is set to log on automatically then it will go straigtht to the application as long as its set to log in as that user. To log in as and administrator just simply log off and log on as the administrator. The reg entry I gave you applies only to that user you modified.

This can also be done in group policy. let me know if you need info on that.
If you're just looking for Admin access once you're logged in, if you're able to open the taskmanager (CTRL+ALT+DEL, then T), you could use the RUNAS command. Once you enter the command, it will prompt you for the password.

Open an admin privileged CMD window:
Runas /user:YourDomain\administrator cmd.exe

Open an admin privileged Explorer window:
Runas /user:YourDomain\administrator explorer.exe
Note: if explorer is your shell, you can kill explorer.exe via taskmanager, and when you run the command above, it will open explorer as your shell, with your admin credentials.

Open an admin privileged Notepad:
Runas /user:YourDomain\administrator notepad.exe
Sorry I mistyped a bit its
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Also in reference to 4runners comment. You may want to lock them down to not allow task manager. Otherwise they can just start explorer or any app they want by themselves.
arunykandAuthor Commented:
Ok, I like all the comments...Let me ask this, is it possible to keep 'CTRL-ALT-DEL'  access for the user,  but only have the 'Log Off' button enabled, so that all the user can do is log-off, and then I (Admin) can login to access full Windows functionality?
Do this:
Start->Run...->Type "gpedit.msc" and press Enter
On the new Group Policy window, go to:
User Configuration->Administrative Templates->System->Ctrl+Alt+Del Options
On the right you'll see all the available options, and enable/disable them as you wish.
The only problem with using the local gpedit is that it will affect all users. If you have access to Active Directory you can set a policy just for that user. It may not be an issue just an fyi.
arunykandAuthor Commented: 'Chuck' mentioned, if I disable the 'Lock Computer' for the user, the Admin also has that disabled, not what I wanted....This PC is a stand-alone, not part of 'Active Directory'.  any help? :(
Those settings can be easily set for a specific user, using the registry.
Usually those settings will be stored inside the key:

That's however a little bit more "dangerous", but if you want more on that, just look for the string above on Google.
I just found that might be enough:
Here is another trick. If you use local group policy, it creates a local folder called grouppolicy under C:\Windows\system32 I think. It is a hidden system folder. If you move it out of there and reboot the group policy settings will be removed. Then when you make your changes you can add the folder back and reboot again. I did this like 5 or more years ago so I would recommend testing this to verify and make sure my paths or correct. It is either system or system32
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.