AnsweredAssumed Answered

vrf Starting a Vee program with no desktop interaction

Question asked by VRFuser on Feb 8, 2004
Hi,

I have cut and pasted below, all the messages relating to this
question.  If you want the answers, you may want to read the emails before
reposting your question four times.

Regards,

Graeme Hilton



Subject: [vrf] Fw:
To: VRF <vrf@agilent.com>


----- Original Message -----
From: Wisam Alyan
To: VRF
Sent: Tuesday, February 03, 2004 5:05 PM

hi all :

i have question :

I want to put my main program  at start up folder ... when i turn on the pc
this program will be automaticlly loaded ... my question is . can i control
on all the  desktop what i mean is not to allow any one to do any thing
before the my program run..

can i do this or not

thanks



Subject: [vrf] RE: [vrf]
To: VRF <vrf@agilent.com>

> when i turn on the pc this program will be automaticlly
> loaded

Ok...

> what i mean is not to allow any one to do any thing before
> the my program run.

> can i do this or not

Yes - it's risky but yes. If anything goes wrong you'll have to use the
recovery console to straighten things out. In the registry, navigate to the
key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
and change the string value "Shell" to point to vee.exe and append a command
line to start your .vee program. The default location for VEE is not
acceptable though as you should stay away from spaces. Or at least I would
anyway. Theoretically you can pass spaces as long as they're enclosed in
quotes but getting it right can be a real pain in the neck as we saw with
the recent commmand shell topic.

The result might look something like:

c:swAgilentVEEPro6.2vee.exe c:path     omyprogram.vee

If you do this, then there are several things to consider. First, if the
machine is part of a Domain then it won't work unless the Domain
administrator explicitly allows it. Second, Explorer will not be the shell -
VEE will - so anything Explorer does for you you'll have to have VEE do for
you. Such things include starting monitor programs, running extraneous
services, reconnecting mapped drives... basically you have to duplicate the
Run and RunServices keys of Explorer.

Third (and it bears repeating) - Explorer will not be the shell. There's no
task bar, no Start button and no way to exit Windows. You'll have to have
VEE do that for you by calling ExitWindowsEx. Fourth - there's no default
Ctrl-Alt-Del handler unless you explicitly install one, so Ctrl-Alt-Del will
do nothing.

Fifth is something that almost always slips by when people do this: you
can't exit the shell. In the same key there's a value named
AutoRestartShell. If it's set to 1 (default) and you exit VEE it will
automatically restart. This carries implications of it's own. You can't exit
a running VEE program, so when you call ExitWindowsEx from VEE you *must*
use the EWX_FORCE flag or all that will happen is you'll get the VEE warning
that you can't exit a running program.

This is just a sampling of the issues you'll run into if you choose to
replace the shell. A less drastic way to do this would be to disallow
certain functions from the shell. You can disallow opening specific program
groups (Like "All Programs" for instance), the Run box, Control Panel.. the
list is huge. None of this will guarantee that somebody won't be able to
execute a particular program though. The most often overlooked facility in
this case is the task manager. It has a Run item on the file menu that will
allow anybody to start any executable they wish. That must be explicitly
disabled also.

In general it's almost always a pretty bad idea to replace the shell. People
will always come up with stuff like "how come I can't get to the Internet?"
or "how do I copy files?". It doesn't matter if that's what you're
explicitly asked to do either. Once you turn a computer into a
single-purpose machine whoever administers that computer will *always*
regret it and will *always* complain and you will always end up looking bad.
Remember that the management mind-set is "do what I want you to do, not what
I asked you to do"

Oh, and it's worth mentioning also that the old Ctrl-Alt-Shift trick while
booting will NOT default back to the Explorer shell. That's why you'd have
to use the recovery console to reverse this change. Alternatively you could
use remote administration to get things back to normal and that's a lot
easier than trying to use regedit from the command line in the recovery
console, but again it depends on having Administrator level access to the
machine so be sure you have a logon account set up for it before you try it.

At any rate, you can lock down the desktop in many ways. If the machine is
part of a Domain, then use the server's Active Directory. If it's a stand
alone, use Group or User policies. Run gpedit.msc. This isn't installed in
the MMC list shown in Control Panel->Administrative Tools, so you either
have to run it directly to create a shortcut to it in that folder. Anyway,
from here you can control something like 500 different items that specify
what users and / or groups of users can and can't do. Basically you're after
Administrative Templates for Groups (if you want to control groups) or Users
(if you want to control individual users).
-SHAWN-



Subject: [vrf] Re: Start PC with VEE and block the rest
To: VRF <vrf@agilent.com>

I understand Shawn's hesitation.  There may be another way.
You can auto-log to a specific user.  Just put the following in the
registry (in my example, the user is "my_user" with the password
"my_password"):

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
"DefaultUserName"="my_user"
"AutoAdminLogon"="1"
"DefaultPassword"="my_password"

Then limit the action that could be done in the user's account using
poledit (like locking the desktop and part of the start menu).  Finally,
add your Vee program in the startup menu to auto start it at logon.

To bypass the auto-log, just hold the <Shift> key when the login screen
normally appears and it will prompt you normally.

This method is currently implemented on two testers here without the
poledit limitations.  On another tester, I have only the poledit
limitation.  So I guess that it should work all togheter...




Subject: [vrf] RE: [vrf]
To: VRF <vrf@agilent.com>

Would something less drastic, like putting the program in the startup
folder, and using -disallowclose work for you?

Reiner




Subject: [vrf] RE: [vrf]
To: VRF <vrf@agilent.com>

If you want the PC locked down without the hassle of learning how
to manipulate each of the hundreds of policy settings, there are
commercial products available that can lock down the PC for you.
One of the most popular with schools is Deep Freeze. Their website
www.deepfreezeusa.com offers a 60-day trial version.

Teachers love it, kids hate it. Easy to setup and use, but quite
hard to crack when set up properly. Very effective against users
changing the PC's settings and/or running programs they are not
allowed to run, at the same time offering full functionality of
the programs YOU allow to be run. Something like this might be
worth a look for your situation.

Cheers!
Mike


---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list,  email "vrf@agilent.com". 
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Send your favorite VEE example to "VRF-EXAMPLES@agilent.com" for possible inclusion in VEE 7.0!

Outcomes