Windows 7 custom WinLogon\Shell Registry question
Posted on 2011-10-11
I am trying to lock down a Windows 7 machine (kiosk-type, for security reasons) and as a step to accomplish this, I have written a simple C# app to use instead of explorer.exe. The app is called posshell.exe.
To explain the issue, the easiest is to show the steps I have taken:
1) Login as user with admin rights
2) Using RegEdit, change the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe"
3) Log off
4) Log back in with same user. It now uses the posshell.exe as the shell, as expected.
5) Run RegEdit and look at value for key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell". Strangly enough, it is back to "explorer.exe", but it is still using posshell.exe as the shell.
6) Now I want to revert back to explorer.exe, but how do I do that when the shell is already set to explorer.exe (but is not used)?
I have searched the entire registry for posshell.exe, and that string does not exist. I have tried rebooting and logging back in, but it still uses my custom shell. I have done a registry dump of right after I changed the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe" and then another dump of right after I logged out and then logged back in. There are a bizzillion changes (apparently performed by Windows when first launching my .NET app as a shell).
How can it be using my custom shell when it does not exist in the registry?? How can I revert back?
Ps. This is a fresh install of Windows 7 (64), no active directory, just local users.