Solved

Windows Logon - Shell

Posted on 2011-02-24
10
471 Views
Last Modified: 2012-05-11
Hi,
    Here is what I am trying to do....I want a Win-XP computer to log-in automatically, and our software to start-up after getting into Windows.  The user should not have any access to the Desktop, Windows Explorer, etc, only our customized software that is running. If the user exits our application, only a blank screen should be visible in the desktop.... I think I know how to achieve this, and someone can correct me if I am wrong.  In regedit, create a new string value called 'Shell' and for the 'Value data' field, enter the path of the software that needs to be run upon startup and also setup auto-login capability in control panel.

My real question here is, what if an Administrator (such as myself) needs to login (or access) Windows to update software, modify settings, etc....If the system is setup to auto-login and the capability to get to Desktop, etc is disabled, how then does an Admin login into Windows?

Thanks for your help.  
0
Comment
Question by:arunykand
  • 5
  • 2
  • 2
  • +1
10 Comments
 
LVL 6

Accepted Solution

by:
chuck-williams earned 250 total points
ID: 34970328
Login as the user you want to lock down. Go to HKE_ Current_User\Software\Microsoft\Windows NT\Current Version\Winlogon

Change the shell entry from explorer.exe to your application.

If the computer is set to log on automatically then it will go straigtht to the application as long as its set to log in as that user. To log in as and administrator just simply log off and log on as the administrator. The reg entry I gave you applies only to that user you modified.

This can also be done in group policy. let me know if you need info on that.
0
 
LVL 3

Expert Comment

by:4runnerfun
ID: 34970333
If you're just looking for Admin access once you're logged in, if you're able to open the taskmanager (CTRL+ALT+DEL, then T), you could use the RUNAS command. Once you enter the command, it will prompt you for the password.

Open an admin privileged CMD window:
Runas /user:YourDomain\administrator cmd.exe

Open an admin privileged Explorer window:
Runas /user:YourDomain\administrator explorer.exe
Note: if explorer is your shell, you can kill explorer.exe via taskmanager, and when you run the command above, it will open explorer as your shell, with your admin credentials.

Open an admin privileged Notepad:
Runas /user:YourDomain\administrator notepad.exe
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34970337
Sorry I mistyped a bit its
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34970374
Also in reference to 4runners comment. You may want to lock them down to not allow task manager. Otherwise they can just start explorer or any app they want by themselves.
0
 

Author Comment

by:arunykand
ID: 34970679
Ok, I like all the comments...Let me ask this, is it possible to keep 'CTRL-ALT-DEL'  access for the user,  but only have the 'Log Off' button enabled, so that all the user can do is log-off, and then I (Admin) can login to access full Windows functionality?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Assisted Solution

by:t-max
t-max earned 250 total points
ID: 34970822
Do this:
Start->Run...->Type "gpedit.msc" and press Enter
On the new Group Policy window, go to:
User Configuration->Administrative Templates->System->Ctrl+Alt+Del Options
On the right you'll see all the available options, and enable/disable them as you wish.
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34970907
The only problem with using the local gpedit is that it will affect all users. If you have access to Active Directory you can set a policy just for that user. It may not be an issue just an fyi.
0
 

Author Comment

by:arunykand
ID: 34971021
Correct...as 'Chuck' mentioned, if I disable the 'Lock Computer' for the user, the Admin also has that disabled, not what I wanted....This PC is a stand-alone, not part of 'Active Directory'.  any help? :(
0
 
LVL 6

Expert Comment

by:t-max
ID: 34971548
Those settings can be easily set for a specific user, using the registry.
Usually those settings will be stored inside the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

That's however a little bit more "dangerous", but if you want more on that, just look for the string above on Google.
I just found that might be enough: http://www.dewassoc.com/support/useful/registry/policy.htm
Regards!
0
 
LVL 6

Expert Comment

by:chuck-williams
ID: 34971639
Here is another trick. If you use local group policy, it creates a local folder called grouppolicy under C:\Windows\system32 I think. It is a hidden system folder. If you move it out of there and reboot the group policy settings will be removed. Then when you make your changes you can add the folder back and reboot again. I did this like 5 or more years ago so I would recommend testing this to verify and make sure my paths or correct. It is either system or system32
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now