Solved

Windows 7 custom WinLogon\Shell Registry question

Posted on 2011-10-11
Last Modified: 2012-06-27
Hello,

I am trying to lock down a Windows 7 machine (kiosk-type, for security reasons) and as a step to accomplish this, I have written a simple C# app to use instead of explorer.exe.  The app is called posshell.exe.  

To explain the issue, the easiest is to show the steps I have taken:

1) Login as user with admin rights
2) Using RegEdit, change the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe"
3) Log off
4) Log back in with same user.  It now uses the posshell.exe as the shell, as expected.
5) Run RegEdit and look at value for key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell".  Strangely enough, it is back to "explorer.exe", but it is still using posshell.exe as the shell.  
6) Now I want to revert back to explorer.exe, but how do I do that when the shell is already set to explorer.exe (but is not used)?

I have searched the entire registry for posshell.exe, and that string does not exist.  I have tried rebooting and logging back in, but it still uses my custom shell.  I have done a registry dump from right after I changed the value of "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" from "explorer.exe" to "C:\posshell\posshell.exe" and then another dump from right after I logged out and then logged back in.  There are a bazillion changes (apparently performed by Windows when first launching my .NET app as a shell).  

How can it be using my custom shell when it does not exist in the registry?  How can I revert back?

Thanks,
Lars

PS. This is a fresh install of Windows 7 (64), no active directory, just local users.
Question by:Lars007
11 Comments
 
LVL 1

Expert Comment

by:rattlerant
ID: 36952957
Try clearing the profile settings of the user you tested with.

Log on to the computer as a different user (must be member of local administrator group) and delete the profile of the user you tested with.

Right-click Computer > Properties > Advanced System Settings > Advanced > Settings (in the User Profiles section)

Choose the profile you were testing with and then delete it.

Reboot (may not be necessary) and log in as the test user.
 
LVL 66

Accepted Solution

by: johnb6767 (earned 2000 total points)
ID: 36953126
Different Shells for Different Users
http://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx

Should still apply to Windows 7 if not mistaken.....

Check these out....
 

Author Comment

by:Lars007
ID: 36953147
Thanks but the key in question is under HKEY_LOCAL_MACHINE, so it is not user-specific (=I don't believe it has anything to do with the user profile).  Nevertheless, I still tried deleting the profile (and it did not help).  

Suggestions welcome...
 
LVL 66

Expert Comment

by:johnb6767
ID: 36953275
Check the System.ini in the C:\windows dir......
 

Author Comment

by:Lars007
ID: 36953294
Johnb6767,

I tried adding a "Shell" value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the value "explorer.exe".  The effect is that it launched the file explorer (without a desktop).  However, this might solve my issue - I could just leave HKEY_LOCAL_MACHINE alone and only create the above value for the restricted user (the only issue is that you have to log in as the restricted user in order to create it).  

But I still want to know the answer to my original question, since there must be something very fundamental I am missing about this and I want to understand it:  If my custom shell does not exist anywhere in the registry, how can it still use it?  And how would I ever revert back if I set the shell under HKEY_LOCAL_MACHINE (since it by itself "reverts back" the value of the shell key to "explorer.exe", but still uses the custom shell)?

Thanks,
Lars
 
LVL 66

Expert Comment

by:johnb6767
ID: 36953302
Think our posts crossed....
 

Author Comment

by:Lars007
ID: 36953308
Johnb6767,

Nope, no ini files have been modified for years (but your suggestion brought back memories from the good old days...)

 
LVL 66

Expert Comment

by:johnb6767
ID: 36953315
I have seen those modified in recent years, mainly from infections, but I believe that it is still a valid place to load a different shell...

Process Monitor
http://live.sysinternals.com/procmon.exe

Options > Enable Boot Logging > Reboot, and once logged on, launch it again and compile the logs.

Then hopefully you can see where it is loaded, and by what process....  (long shot).....
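The thread has now named three places a replacement shell can come from: the machine-wide Winlogon\Shell value under HKLM, a per-user Winlogon\Shell value under HKCU (which the author found overrides HKLM), and the legacy System.ini [boot] shell= line. As an added example (not from anyone in this thread), the script below reads all three on the local machine and flags any value other than the stock explorer.exe, which is also what you would check when hunting for the "infections" johnb6767 mentions. It assumes an elevated prompt and only sees other users' HKU hives while they are loaded.

```powershell
# Added example: audit every shell-selection location discussed in this thread.
# Works on Windows 7's PowerShell 2.0 as well as later versions.

$WinlogonRel = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ShellValue {
    param([string]$KeyPath)
    try {
        # -ErrorAction Stop turns a missing value into a catchable error
        (Get-ItemProperty -Path $KeyPath -Name Shell -ErrorAction Stop).Shell
    } catch {
        $null   # value absent: Winlogon falls back to the default shell
    }
}

$findings = @()

# 1) Machine-wide default, the value the original question changed
$findings += New-Object PSObject -Property @{
    Source = "HKLM:\$WinlogonRel\Shell"
    Value  = Get-ShellValue "HKLM:\$WinlogonRel"
}

# 2) Per-user override (the HKCU approach the author settled on).
#    HKU: is not a default drive, so go through the Registry:: provider path.
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Source = "HKU:\$($_.PSChildName)\$WinlogonRel\Shell"
            Value  = Get-ShellValue "Registry::HKEY_USERS\$($_.PSChildName)\$WinlogonRel"
        }
    }

# 3) Legacy System.ini [boot] shell= line that johnb6767 asked about
$ini = Join-Path $env:windir 'System.ini'
if (Test-Path $ini) {
    $line = Select-String -Path $ini -Pattern '^\s*shell\s*=' | Select-Object -First 1
    $findings += New-Object PSObject -Property @{
        Source = "$ini [boot] shell="
        Value  = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { $null }
    }
}

# Anything that is set and is not the stock shell deserves a closer look
foreach ($f in $findings) {
    $status = if (-not $f.Value) { 'not set' }
              elseif ($f.Value -ieq 'explorer.exe') { 'default' }
              else { 'NON-DEFAULT' }
    '{0,-12} {1}  => {2}' -f $status, $f.Source, $f.Value
}
```

A Shell value can legitimately list several comma-separated programs, so treat a NON-DEFAULT line as a prompt to inspect the named executable, not as proof of compromise.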
 

Author Comment

by:Lars007
ID: 36953451
I enabled boot logging with procmon.exe, but after that the computer blue screens with "BAD_POOL_CALLER" on boot.

However, I did some more testing:  
First off, this is a VM, so I have been rolling back to a default state whenever needed during this testing.  So I reverted back to default again, then I ran the posshell.exe application manually once, to make sure any .NET-specific registry changes, etc. that apparently take place when you run a .NET app for the first time on a machine get done.  Then I repeated the test of making posshell.exe the Shell under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, and this time it behaved as it should!  After re-logging in, the custom shell took effect and when I checked the key with RegEdit, it still had the custom shell (it had not reverted back to a phantom explorer.exe).  I changed it back to explorer.exe, re-logged in, and the regular shell was back.

I am not sure if the issue with running a .NET app as a shell without having run a .NET app on the machine before is a bug, or what is going on with it, but I am not going to spend more time on it.  Problem solved.

Thanks.

 

Author Closing Comment

by:Lars007
ID: 36953461
Not exactly the answer to my question, but gave me a better way to solve the problem.
 
LVL 66

Expert Comment

by:johnb6767
ID: 36953498
Glad I could nudge ya.....   :)
