none
Stopping Alt+Ctrl+Del

    Question

  • Hi all

    I'm writting a program for public payable networked computers for playing games.
    I've got the server/client billing and other stuff like that done.

    Problem is, when my program boots up, it displays a full screen form (on top of everything), which holds the login/programs they can use/play.

    I've managed to remove the Alt+Tab, Alt+F4 and other key combinations like that.  Although, i'm finding that Alt+Ctrl+Del still brings up task manager no matter what i do.

    I have a solution, that on program startup, it renames taskmgr.exe, (and the backup in dllcache), and it works (Doesn't launch taskmgr),  however, there is a windows warnign saying files are missing. (No big deal, i rename on program shutdown).

    Is there a way around this other then what i'm doing?  I want to remove ALL key combinations that will shutdown or allow user to switch out of the program. (Other then the ones i set focus to).

    Using VB2005.

    Dustin
    Sunday, October 16, 2005 8:02 PM

Answers

  • Hi Dustin,

    I’m not being facetious, I’m surprised to see you ask a question because I thought you knew everything and that’s a compliment.

    I always cringe when I see proposed mods like removing or renaming the taskmanager. There are some interesting registry entries that may interest you as a partial solution:

    Software\Microsoft\Windows\CurrentVersion\Policies\System

    Subkey: DisableTaskMgr  - 1 = disable

    As a matter of fact you can individually disable each button on the form that comes up.

     

    Somewhere in the back of my mind… I think I remember a Cntrl-ALT-DEL API trap. If I remember, I’ll let you know.

    Sunday, October 16, 2005 10:30 PM
  • ReneeC definately has the correct answer in that it must be set in the registry.  But the settings should be made by using the Local Security Policy, rather than a straight reg-edit.

    As far as all the other posts about "how will you stop this and how will you stop that" - the answer is the same:  Windows Security Policy.  You can prevent the user account group that normally logs on from doing about anything - shuting down, running specified apps, accessing network resources - all kinds of stuff.  If you want to stop them from unplugging the computer - buy locking power cords - or hardwire to a dedicated circuit.  An admin account with a strong password would then have the ability to bypass the lockdowns for maintenance purposes.

    Since it sounds like there will be several of these machines in a given location, and you want such strict user control, it might be worth running a very small Windows 2003 server so that each client can be part of a domain.  Via the Domain security policy you can control even more settings...  to the point that the computer can only do exactly what you say and the users can't get around it.  Plus you set the policy one time in one place and all the clients pull it.

    I make good use of the domain security policy and group policy at the office.  I have a signon that when used only gives the user access to a single SharePoint workspace - they don't even get a desktop or taskbar.  And the app isn't "hiding" them - windows simply did not run shell32 and so no desktop was loaded.  This stuff is easy to configure and gives you truely what you want.  Your app IS the desktop, so the user can only do what you let them do from your app.  Disable the taskmanager and they are stuck with a stripped down version of XP that only does what you intend for it to do.

    Wednesday, August 23, 2006 9:12 PM

All replies

  • Hi Dustin,

    I’m not being facetious, I’m surprised to see you ask a question because I thought you knew everything and that’s a compliment.

    I always cringe when I see proposed mods like removing or renaming the taskmanager. There are some interesting registry entries that may interest you as a partial solution:

    Software\Microsoft\Windows\CurrentVersion\Policies\System

    Subkey: DisableTaskMgr  - 1 = disable

    As a matter of fact you can individually disable each button on the form that comes up.

     

    Somewhere in the back of my mind… I think I remember a Cntrl-ALT-DEL API trap. If I remember, I’ll let you know.

    Sunday, October 16, 2005 10:30 PM
  • Dustin,

    I remember now.....

    I did my Alt+Ctrl+Del trapping before the NT world. This key sequence is highly protected. The way I recommended earlier is the only easy way.

    Other ways involve either interacting with the keyboard driver at driver level or replacing gina.dll which is the logon stub DLL, injecting subclassing code into other processes and managing this through a remote process or running a peudodestop in which the key combination really is trapped probably through subclassing.

    In the NT world there really isn't any way to do this that doesn't require some rather extraordinary measures.
    Monday, October 17, 2005 2:05 AM
  • I'll try the registry way.  It seems alot easier then what i'm doing now.

    Thanks for your help :)

    Dustin
    Monday, October 17, 2005 7:56 AM
  • Dustin....

    That hyphen in front of the "1"  is a hyphen, not a minus sign. The disable value should be 1.

    Good Luck !!
    Monday, October 17, 2005 10:41 AM
  • Hi Dustin

    Not sure if this will help.

    I saw a "simple" trick to stop CRTL+ALT+DEL, but not sure if it will work with NT and your app, but try it anyway.

    Call this line in form_load:

    Shell("c:\windows\system32\taskmgr.exe", AppWinStyle.Hide)

    The trick is that the taskmanager is actually loaded, but hiden into the backgroud, so when the user pressed CTL+ALT+DEL, nothing happens, coz it is already on the screen, but just hidden.

    Ofcourse, you may have to change the path of task manager for NT.

    Good luck.

    Tuesday, May 23, 2006 12:33 PM
  • These kind of questions always make me cringe.

    Really, if you are trying to make a secure application (e.g. a kiosk application) this is the totally wrong way to go about it - especially if money is involved!

    There are always ways around what you are doing - simplest one is reboot in safe mode. Don't bother physically locking up the computer, there are some pretty basic tools around that that don't need a high school diploma to employ. Have you trapped all the key combinations?

    Your best bet, I think, is to implement the built in security - no matter how 'secure' you feel windows is/can be, it sure as heck much better than anything you or I could implement. Alternatively, there are companies (not many - the liability is very high - which should tell you something) that specialize in securing workstations, and especially if you are dealing with money, this is the best way to go.

    As an additional point, how much support do you intend to provide for such an application? If you lock out all these key combinations and something goes wrong, how are you going to fix it? Since all the key combinations you need to fix it are locked out...( ah, the good old back door - unfortunately, everyone will start using it - don't kid yourself).

    Just adding some food for thought (especially since I can be pretty obtuse at times - and basically see such programs as broken, and spend quite a bit of time 'fixing' them, if you know what I mean - treat users as incapable dolts and they will act like them). Sorry for the rant - I'd just like you to explore all the avenues and consequences.

    Tuesday, May 23, 2006 12:52 PM
  •  

     

    I thinik you're so cute when you're angry. You're right of course and cute!

    Tuesday, May 23, 2006 2:54 PM
  • Dear Dustin

    Can you please help me, I am working on a project, it needed that the form on the startup must stay on the top of all forms, and also disable, Alt + TAB, ALT + F4 ,.....

    So can you help me writing that how to do that,

    my email address is awwardak@gmail.com

    Looking forward to hea ryou soon

     

    Walid

    Thursday, June 29, 2006 7:44 AM
  • Well Dustin
    I'm working in a very similar project, i have done all the requirements for this project except the stuff about making my program in top of all programs and disabling all keys shortcuts, so plz help me in this or give some guidance or links which can help, thank u
    my mail is
    yosif4444@gmail.com
    Wednesday, August 23, 2006 10:02 AM
  • I remember from years ago that the "3-finger-salute", ctrl-alt-del is coded in at a very low-level in NT.

    I don't think your approach of locking down an app will work.  How are you planning on stopping users unplugging a machine?

    Wednesday, August 23, 2006 10:10 AM
  • There is already lots of programs which do the same functionality -most of network control programs- , this stuff can be handdled with windows API -with C++ of course- , but i was searching for the same solution under .NET
    Wednesday, August 23, 2006 6:11 PM
  • ReneeC definately has the correct answer in that it must be set in the registry.  But the settings should be made by using the Local Security Policy, rather than a straight reg-edit.

    As far as all the other posts about "how will you stop this and how will you stop that" - the answer is the same:  Windows Security Policy.  You can prevent the user account group that normally logs on from doing about anything - shuting down, running specified apps, accessing network resources - all kinds of stuff.  If you want to stop them from unplugging the computer - buy locking power cords - or hardwire to a dedicated circuit.  An admin account with a strong password would then have the ability to bypass the lockdowns for maintenance purposes.

    Since it sounds like there will be several of these machines in a given location, and you want such strict user control, it might be worth running a very small Windows 2003 server so that each client can be part of a domain.  Via the Domain security policy you can control even more settings...  to the point that the computer can only do exactly what you say and the users can't get around it.  Plus you set the policy one time in one place and all the clients pull it.

    I make good use of the domain security policy and group policy at the office.  I have a signon that when used only gives the user access to a single SharePoint workspace - they don't even get a desktop or taskbar.  And the app isn't "hiding" them - windows simply did not run shell32 and so no desktop was loaded.  This stuff is easy to configure and gives you truely what you want.  Your app IS the desktop, so the user can only do what you let them do from your app.  Disable the taskmanager and they are stuck with a stripped down version of XP that only does what you intend for it to do.

    Wednesday, August 23, 2006 9:12 PM
  • Reed has the way it should be done: any other way and you shouldn't be doing it.

    Wednesday, August 23, 2006 10:25 PM
  • yeah thank u,
    i will c wat i can do with windows server
    Wednesday, August 23, 2006 10:52 PM
  • Well, disabling Ctrl+Alt+Del using registry does bring up a message box telling that taskmanager had been disabled, what if I don't want the dialog to be brought up? As it is nothing happen when pressed Ctrl+Alt+Del.
    Thursday, November 30, 2006 6:15 AM