Custom Shell and Account Switching

YaronM

Hi,

I'm working on a custom shell for my XPe system (written in VB6).
The system should automatically login to a limited-user account and run the
shell.
I need to add a button to the shell that when clicked will automatically
log-off the current limited-user and login again as the administrator.
I'm not sure how it can be done because the log-off process kills all
running processes so that the batch/script can't continue to load the
admin..
I thought maybe I should somehow use the Fast-User-Switching feature for
that purpose but I don't know how to do that.

My main purpose of doing that is to create a secure working environment
through a limited-user using a custom-shell, but still allowing an
Administrator to easily switch back to the Explorer shell without having to
log-off and re-login.

If you have any ideas or tips I would really appreciate your help.

thanks,

YaronM
 
richard

Is it possible to have custom shell for one user and Explorer shell for
another user without handling shell explicitly in our code???

regards
Richard
 
Slobodan Brcin (eMVP)

Hi Yaron,

How about:
1. You use winlogon with fast user-switching (if you need two accounts to execute in parallel). I think that this requires graphic
logon.
2. http://msdn.microsoft.com/library/d.../html/tchDifferentShellsForDifferentUsers.asp

This should keep you going.

Also you always have a choice of "runas". This means that with a user name and password you can execute any program with different
credentials without logging in/out (this is a more embedded way :) )

Regards,
Slobodan
 
KM

Yaron,

Do you want to log in to the Administrator account automatically?
If so, you can play with Autologon settings to switch the user/password to Administrator account.
Also make sure that [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon],"ForceAutoLogon"="1"

As soon as you are logged on to the Administrator account, you can switch AutoAdmin settings back to the User account.

KM
 
YaronM

Hi all,

Thanks for your suggestions. It seems that the FUS feature is not relevant
in my case because it is not supported in a Domain environment.
The reason why I can't run the Explorer shell using RunAs from the User
logon is that I use local policies to disable the user environment.
Therefore, the policies will affect the Explorer that I will execute.
I must do a full log-off and later logon again.
The autologon feature will not help in this case because it is read by the
system only on boot time and not after the system already booted, done
auto-logon to the user and then logged-off.
After re-thinking the situation, the limitation I have in the development is
actually not a problem. I will create another security-layer to the user
and Admin, where:
1. User works in a limited custom shell and can only operate application and
turn-off the machine.
2. A technical support technician can enter a "settings" menu where it can
change a few settings of the user's custom-shell and can log-off the user to
receive the Ctrl-Alt-Delete logon screen. The Settings menu will only have a
"save changes" button to commit the changes using the EWF.
3. A network Administrator with the Administrator account password can enter
the local Admin account using its credentials and receive a full-featured
Explorer Shell and the ability to enable/disable the EWF.

Thanks for your help.
I hope my thoughts will help someone else too.

Cheers,

YaronM



KM

Yaron,

> Thanks for your suggestions. It seems that the FUS feature is not relevant in my case because it is not supported in a Domain
> environment.
> The reason why I can't run the Explorer shell using RunAs from the User logon is that I use local policies to disable the user
> environment. Therefore, the policies will affect the Explorer that I will execute.

I am not clear what you meant here. How can policies of your user account affect Explorer that is launched under the Admin account?

> I must do a full log-off and later logon again.
> The autologon feature will not help in this case because it is read by the system only on boot time and not after the system
> already booted, done auto-logon to the user and then logged-off.

This is not true. The autologon settings are read on every "logon" event, which also happens when you do a log off.
Please test it on the target device to see how it works (just make sure you don't forget to set the ForceAutoLogon value).

> After re-thinking the situation, the limitation I have in the development is actually not a problem. I will create another
> security-layer to the user and Admin, where:
> 1. User works in a limited custom shell and can only operate application and turn-off the machine.
> 2. A technical support technician can enter a "settings" menu where it can

And how can the technician enter (see) the Settings menu?

KM

YaronM

Hi KM,

I use local policies for limiting the user environment. For example, disable
running the TaskManager. The local group policies do not differ between
user accounts like in a normal GPO in a domain - it is mandatory to everyone.
When I login as an Administrator I just block access to the GPO folder in
Windows using NTFS permissions. Then, when the admin logs in it gets a full
unlocked shell.
If I launch the Explorer without logging-off I will still have the
policies' effect.

About the autologon - I need to test it. I might be wrong.

The Technician can enter the Settings Menu through a small "Settings"
button which is secured by a password so that the user could not change the
menu settings.

thanks,

YaronM


KM

Yaron,

I see. Thanks for the clarifications.

Yup, give it a try with Autologon. It may be what you were looking for (I used it in a similar way on some platforms here).

KM

Benjamin Madsen

KM and Yaron,

I disagree with the auto-logon assessment. Else, the system would never
be able to log back out and let the user choose a new username and
password. The auto-logon function is there for boot-up only, from my
experience.

So, I'm betting to get this function you will probably have to write
some kind of GINA replacement that queries a system service for the new
user to logon automatically. This is sort-of a do-it-yourself fast user
switching, but it doesn't do running two users' processes at the same
time. If you really need that kind of function, it's best to look at
writing your own windows services to run in the background.

Hope this helps.
Regards,
Ben Madsen

Systems Engineer
Massie Laboratories, Inc.
http://www.massie-labs.com

KM

Benjamin,

> I disagree with the auto-logon assessment.

You can easily test it on XP Pro and it works there :)

> Else, the system would never
> be able to log back out and let the user choose a new username and
> password. The auto-logon function is there for boot-up only, from my
> experience.

Please remember about the value I mentioned a few times - ForceAutoLogon. You know what you are doing when you set the value.
Also, you can press Shift during Logon time to force Winlogon to show the Gina screen.

--
Regards,
KM, BSquare Corp.


Benjamin Madsen

You're right. I was mistaken. I can't believe I didn't remember that
option. When we used the auto-logon we even distinctly chose not to use
that option because we wanted to be able to log out of our auto-logon
user and login as another user.

ForceAutoLogon is the way you want to go.

-Ben
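
The autologon setup the thread settles on can be checked offline from a `.reg` export of the Winlogon key. This is an added example, not code from any poster: it parses a constructed export and reports whether autologon is on, whether ForceAutoLogon makes it repeat after a log-off, and whether the configured account and password need attention. `AutoAdminLogon`, `DefaultUserName` and `DefaultPassword` are the standard Winlogon autologon values; the sample data, the shell path and the function names are assumptions made for the illustration.

```python
"""Audit a .reg export of the Winlogon key for the autologon setup discussed in the thread."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (not taken from a real device).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"ForceAutoLogon"="1"
"DefaultUserName"="Administrator"
"DefaultDomainName"="KIOSK01"
"DefaultPassword"="example-only"
"Shell"="C:\\Shell\\custom.exe"
'''

_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # REG_SZ: undo the backslash escaping used inside .reg strings
            value = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            value = str(int(data[6:], 16))
        else:
            continue  # binary and multi-string values do not matter for this check
        current[m.group("name").lower()] = value
    return keys


def audit_autologon(text, privileged=("administrator",)):
    """Summarise what the exported settings imply and list findings worth fixing."""
    values = parse_reg(text).get(WINLOGON.lower(), {})
    enabled = values.get("autoadminlogon") == "1"
    forced = values.get("forceautologon") == "1"
    user = values.get("defaultusername", "")
    report = {
        "autologon": enabled,
        # Per the thread: with ForceAutoLogon the logon repeats after a log-off,
        # without it a log-off leaves the normal logon prompt available.
        "repeats_after_logoff": enabled and forced,
        "account": user,
        "findings": [],
    }
    if "defaultpassword" in values:
        report["findings"].append("DefaultPassword is stored as plain text in the registry")
    if enabled and user.lower() in privileged:
        report["findings"].append("autologon account is privileged: " + user)
    if enabled and forced and user.lower() in privileged:
        report["findings"].append("ForceAutoLogon left pointing at a privileged account; "
                                  "switch it back to the limited user after the admin session")
    return report


if __name__ == "__main__":
    for key, value in audit_autologon(SAMPLE_EXPORT).items():
        print(key, "=", value)
```

Regedit writes "Version 5.00" exports as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit_autologon`.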
 
