
vrf Start PC with VEE and block the rest

Question asked by VRFuser on Feb 4, 2004
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"><META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2654.45"><TITLE>Re: [vrf] Start PC with VEE and block the rest</TITLE></HEAD><BODY><P><FONT SIZE=2>I understand Shawn's hesitation.  There may be another way.</FONT><BR><FONT SIZE=2>You can auto-log to a specific user.  Just put the following in the registry (in my example, the user is "my_user" with the password "my_password"):</FONT></P><P><FONT SIZE=2>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]</FONT><BR><FONT SIZE=2>"DefaultUserName"="my_user"</FONT><BR><FONT SIZE=2>"AutoAdminLogon"="1"</FONT><BR><FONT SIZE=2>"DefaultPassword"="my_password"</FONT></P><P><FONT SIZE=2>Then limit the action that could be done in the user's account using poledit (like locking the desktop and part of the start menu).  Finally, add your Vee program in the startup menu to auto start it at logon.</FONT></P><P><FONT SIZE=2>To bypass the auto-log, just hold the Shift key when the login screen normally appears and it will prompt you normally.</FONT></P><P><FONT SIZE=2>This method is currently implemented on two testers here without the poledit limitations.  On another tester, I have only the poledit limitation.  So I guess that it should work all together...</FONT></P><P><FONT SIZE=2>-----Original Message-----</FONT><BR><FONT SIZE=2>From: Shawn Fessenden [<A HREF="mailto:shawn@testech-ltd.com">mailto:shawn@testech-ltd.com</A>]</FONT><BR><FONT SIZE=2>Date: February 4, 2004 12:46</FONT></P><P><FONT SIZE=2>> when I turn on the pc this program will be automatically</FONT><BR><FONT SIZE=2>> loaded</FONT></P><P><FONT SIZE=2>Ok...</FONT></P><P><FONT SIZE=2>> what I mean is not to allow anyone to do anything before</FONT><BR><FONT SIZE=2>> my program runs.</FONT></P><P><FONT SIZE=2>> can I do this or not</FONT></P><P><FONT SIZE=2>Yes - it's risky but yes. 
If anything goes wrong you'll have to use the</FONT><BR><FONT SIZE=2>recovery console to straighten things out. In the registry, navigate to the</FONT><BR><FONT SIZE=2>key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</FONT><BR><FONT SIZE=2>and change the string value "Shell" to point to vee.exe and append a command</FONT><BR><FONT SIZE=2>line to start your .vee program. The default location for VEE is not</FONT><BR><FONT SIZE=2>acceptable though as you should stay away from spaces. Or at least I would</FONT><BR><FONT SIZE=2>anyway. Theoretically you can pass spaces as long as they're enclosed in</FONT><BR><FONT SIZE=2>quotes but getting it right can be a real pain in the neck as we saw with</FONT><BR><FONT SIZE=2>the recent command shell topic.</FONT></P><P><FONT SIZE=2>The result might look something like:</FONT></P><P><FONT SIZE=2>c:\sw\Agilent\VEEPro6.2\vee.exe c:\path\to\myprogram.vee</FONT></P><P><FONT SIZE=2>If you do this, then there are several things to consider. First, if the</FONT><BR><FONT SIZE=2>machine is part of a Domain then it won't work unless the Domain</FONT><BR><FONT SIZE=2>administrator explicitly allows it. Second, Explorer will not be the shell -</FONT><BR><FONT SIZE=2>VEE will - so anything Explorer does for you you'll have to have VEE do for</FONT><BR><FONT SIZE=2>you. Such things include starting monitor programs, running extraneous</FONT><BR><FONT SIZE=2>services, reconnecting mapped drives... basically you have to duplicate the</FONT><BR><FONT SIZE=2>Run and RunServices keys of Explorer.</FONT></P><P><FONT SIZE=2>Third (and it bears repeating) - Explorer will not be the shell. There's no</FONT><BR><FONT SIZE=2>task bar, no Start button and no way to exit Windows. You'll have to have</FONT><BR><FONT SIZE=2>VEE do that for you by calling ExitWindowsEx. 
Fourth - there's no default</FONT><BR><FONT SIZE=2>Ctrl-Alt-Del handler unless you explicitly install one, so Ctrl-Alt-Del will</FONT><BR><FONT SIZE=2>do nothing.</FONT></P><P><FONT SIZE=2>Fifth is something that almost always slips by when people do this: you</FONT><BR><FONT SIZE=2>can't exit the shell. In the same key there's a value named</FONT><BR><FONT SIZE=2>AutoRestartShell. If it's set to 1 (default) and you exit VEE it will</FONT><BR><FONT SIZE=2>automatically restart. This carries implications of its own. You can't exit</FONT><BR><FONT SIZE=2>a running VEE program, so when you call ExitWindowsEx from VEE you *must*</FONT><BR><FONT SIZE=2>use the EWX_FORCE flag or all that will happen is you'll get the VEE warning</FONT><BR><FONT SIZE=2>that you can't exit a running program.</FONT></P><P><FONT SIZE=2>This is just a sampling of the issues you'll run into if you choose to</FONT><BR><FONT SIZE=2>replace the shell. A less drastic way to do this would be to disallow</FONT><BR><FONT SIZE=2>certain functions from the shell. You can disallow opening specific program</FONT><BR><FONT SIZE=2>groups (Like "All Programs" for instance), the Run box, Control Panel.. the</FONT><BR><FONT SIZE=2>list is huge. None of this will guarantee that somebody won't be able to</FONT><BR><FONT SIZE=2>execute a particular program though. The most often overlooked facility in</FONT><BR><FONT SIZE=2>this case is the task manager. It has a Run item on the file menu that will</FONT><BR><FONT SIZE=2>allow anybody to start any executable they wish. That must be explicitly</FONT><BR><FONT SIZE=2>disabled also.</FONT></P><P><FONT SIZE=2>In general it's almost always a pretty bad idea to replace the shell. People</FONT><BR><FONT SIZE=2>will always come up with stuff like "how come I can't get to the Internet?"</FONT><BR><FONT SIZE=2>or "how do I copy files?". It doesn't matter if that's what you're</FONT><BR><FONT SIZE=2>explicitly asked to do either. 
Once you turn a computer into a</FONT><BR><FONT SIZE=2>single-purpose machine whoever administers that computer will *always*</FONT><BR><FONT SIZE=2>regret it and will *always* complain and you will always end up looking bad.</FONT><BR><FONT SIZE=2>Remember that the management mind-set is "do what I want you to do, not what</FONT><BR><FONT SIZE=2>I asked you to do" </FONT></P><P><FONT SIZE=2>Oh, and it's worth mentioning also that the old Ctrl-Alt-Shift trick while</FONT><BR><FONT SIZE=2>booting will NOT default back to the Explorer shell. That's why you'd have</FONT><BR><FONT SIZE=2>to use the recovery console to reverse this change. Alternatively you could</FONT><BR><FONT SIZE=2>use remote administration to get things back to normal and that's a lot</FONT><BR><FONT SIZE=2>easier than trying to use regedit from the command line in the recovery</FONT><BR><FONT SIZE=2>console, but again it depends on having Administrator level access to the</FONT><BR><FONT SIZE=2>machine so be sure you have a logon account set up for it before you try it.</FONT></P><P><FONT SIZE=2>At any rate, you can lock down the desktop in many ways. If the machine is</FONT><BR><FONT SIZE=2>part of a Domain, then use the server's Active Directory. If it's a stand</FONT><BR><FONT SIZE=2>alone, use Group or User policies. Run gpedit.msc. This isn't installed in</FONT><BR><FONT SIZE=2>the MMC list shown in Control Panel->Administrative Tools, so you either</FONT><BR><FONT SIZE=2>have to run it directly or create a shortcut to it in that folder. Anyway,</FONT><BR><FONT SIZE=2>from here you can control something like 500 different items that specify</FONT><BR><FONT SIZE=2>what users and / or groups of users can and can't do. 
Basically you're after</FONT><BR><FONT SIZE=2>Administrative Templates for Groups (if you want to control groups) or Users</FONT><BR><FONT SIZE=2>(if you want to control individual users).</FONT><BR><FONT SIZE=2>-SHAWN-</FONT></P></BODY></HTML>
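
Added example, not part of either message: a Python check that reads a regedit export and reports the Winlogon settings discussed in this thread (auto-logon with a stored password, a replaced shell, AutoRestartShell) plus whether Task Manager is disabled for the user. The sample export is constructed, and the `DisableTaskMgr` policy value under `Policies\System` is the standard Windows location, which the thread does not name.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

# Constructed sample in regedit export syntax; names and values mirror the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="my_user"
"AutoAdminLogon"="1"
"DefaultPassword"="my_password"
"Shell"="c:\\path\\to\\vee.exe c:\\path\\to\\myprogram.vee"
"AutoRestartShell"=dword:00000001
'''

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
        elif raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
    return keys

def audit(keys):
    """List the lockdown-relevant settings found in a parsed export."""
    findings = []
    wl = keys.get(WINLOGON, {})
    if wl.get("autoadminlogon") == "1":
        findings.append("auto-logon enabled for %s" % wl.get("defaultusername"))
        if wl.get("defaultpassword"):
            findings.append("DefaultPassword stored in clear text")
    shell = str(wl.get("shell", "explorer.exe"))
    if shell.lower() != "explorer.exe":
        findings.append("shell replaced: " + shell)
        if wl.get("autorestartshell", 1) == 1:
            findings.append("AutoRestartShell=1: shell restarts on exit")
    if keys.get(POLICIES, {}).get("disabletaskmgr", 0) != 1:
        findings.append("Task Manager not disabled for this user")
    return findings
```

Run `audit(parse_reg(text))` on the combined HKLM Winlogon and per-user HKCU policy exports from a tester; an empty list means none of the settings above were found.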
