Locking down an embedded device in WES 7

  • Question

  • Hello,

    Can anyone please give me some advice on how best to lock down a device so that only the Windows shell interface is not visible to the end user, in this case Windows Media Center. The user must not see or have any inclination that a desktop shell exists.

    I will still however want to access the device using RDP with a secured admin account.

    I also want the device to boot into Windows Media Center when the device is switched on by the user.

    Best regards,

    Abby_Doc

    Monday, April 18, 2011 8:41 PM

All replies

  • Would making Windows Media Center the shell work?

    -Sean


    www.sjjmicro.com / www.seanliming.com / www.annabooks.com, Book Author - ProGuide to WES 7, XP Embedded Advanced, WEPOS / POS for .NET Step-by-Step
    Tuesday, April 19, 2011 3:48 AM
    Moderator
  • Thank you Sean for your reply, but can you please give some insight on how to get this working.

    BR,

    Abby

    Tuesday, April 19, 2011 12:07 PM
  • My question was looking for a yes or no. I am guessing this is a yes. If you look at the Command Prompt Shell with custom Shell Support, you can change the setting to point to any application you want as the shell.

    The online help also discusses this.

    -Sean


    www.sjjmicro.com / www.seanliming.com / www.annabooks.com, Book Author - ProGuide to WES 7, XP Embedded Advanced, WEPOS / POS for .NET Step-by-Step
    Tuesday, April 19, 2011 3:03 PM
    Moderator
  • Thank you Sean.

    I did set it to point to the application I want, in this case

    c:\windows\ehome\ehshell.exe /controlbox:none /noshutdownui /nochrome /directmedia:general

    However, when I boot the device the "Windows Explorer Shell" still shows up first then MediaCenter is invoked.

    I would like to hide the "Windows Explorer Shell" from the user but still be able to RDP to the device.

    BR

    Abby

    Tuesday, April 19, 2011 3:17 PM
  • That sounds strange... you shouldn't see the Explorer shell at all with it configured that way. Are you referring to the messages such as "Welcome" that you see as it logs in? Unfortunately I don't think there is a supported way to hide those. I think KNARZ has posted some tips in the past, but it involves hacking up resources if I remember right. You might be able to get away with something like HORM, but I don't know what the resume from hibernate process looks like - I haven't used it.
    Thursday, May 5, 2011 3:39 PM
  • It is possible to hide the Welcome message via the registry (someone posted the data/value). And if he uses the Command Prompt Shell with custom Shell Support he shouldn't see the Explorer shell. Therefore I think there are some failures in the configuration.
    "Mark/Propose As Answer" if you got one.
    Thursday, May 5, 2011 4:22 PM
  • @Jonathan: We are using the Explorer shell because we could only install some specific applications this way. We also need to create an auto-login account as we need to run some specialised scripts and configs from the startup folder every time the device boots. In addition we also need to have admin RDP access to manage the device.

    @KNARZ: in WES 7 it's not an issue to get rid of the welcome screen, so that's not an issue, and we tried the Command Prompt Shell but it did not work for us.

    I am open to ideas on how to achieve our goal.

    Thanks for your response :)

    Thursday, May 5, 2011 4:39 PM
  • You can change the "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell" key to change your shell after setting up your applications in the Explorer shell. You may need to make a custom launcher to run your startup apps and the Media Center shell - I think the startup items are processed by the Explorer shell. You might be able to get away by adding run entries to the registry.
    Thursday, May 5, 2011 4:45 PM
  • Hi Jonathan,

    I found some information on that but my issue at the moment is what is the best way to implement these.

    1. Auto Login for user.
    2. Start up app for shell.
    3. Configure RDP access for admin.

    I suppose my question is if I change the registry key to hide the shell and say i want to login as admin either at the device or through RDP. How do I accomplish that?

    How does the device differentiate the different logins?

    cheers

    Thursday, May 5, 2011 4:55 PM
  • Hmm... I'm not sure about the best approach. Our custom shell is set up so our support staff can enter a password to set Explorer as the shell, and we don't use RDP. Once the shell is switched, Ctrl+Alt+Delete can be used to log out then in as an admin. As far as I know, there is no way to specify that RDP should use a different shell than a regular login.

    Because changing the shell doesn't require a reboot, maybe you can come up with a solution that allows your admins to change the key remotely. After that, an RDP connection should bring up a normal Explorer session and the key can be changed back immediately.

    It doesn't sound like the cleanest solution, but it should work. It would certainly be important to make sure that you don't cause security problems with the remote registry tweak, and if a user rebooted before you set the shell back they would have full access to the explorer shell.

    Thursday, May 5, 2011 5:10 PM
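The shell switch Jonathan describes (change the Winlogon `shell` value, connect over RDP, change it back) as an added example; this is not code from the thread or from anyone's product. It assumes the Media Center command line Abby posted, an elevated session, and a log file path under ProgramData that I chose for illustration.

```powershell
# Added example: toggle the Winlogon shell between Media Center and Explorer.
# Run from an elevated session (e.g. the admin RDP session); the new shell
# applies at the next logon, so switch back to MediaCenter before disconnecting.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('MediaCenter', 'Explorer')]
    [string]$Mode
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Command line from the thread; adjust the path if ehshell.exe lives elsewhere.
$mediaCenter = 'C:\Windows\ehome\ehshell.exe /controlbox:none /noshutdownui /nochrome /directmedia:general'
$explorer    = 'explorer.exe'
# Assumed log location, chosen for this example.
$logFile = Join-Path $env:ProgramData 'shell-switch.log'

# The value lives under HKLM, so refuse to continue without admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run from an elevated (administrator) session.'
}

$current = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
$target  = if ($Mode -eq 'MediaCenter') { $mediaCenter } else { $explorer }

if ($current -eq $target) {
    Write-Output "Shell is already '$target'; nothing to do."
    return
}

Set-ItemProperty -Path $winlogon -Name Shell -Value $target -Type String

# Leave an audit trail: a device left in Explorer mode is the risk Jonathan
# points out, and the log shows who switched it and when.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path $logFile -Value "$stamp $($identity.Name): '$current' -> '$target'"
Write-Output "Shell changed from '$current' to '$target'; effective at next logon."
```

Running it with `-Mode Explorer` before an RDP maintenance session and `-Mode MediaCenter` afterwards keeps the window in which a reboot would expose the desktop as short as the session itself.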
  • Jonathan,

    Your solution of allowing admins to enter a password to access the Explorer shell sounds like an interesting solution. Can you tell me how I can implement this for testing please?

    Also, does that then mean that the users also have to login or can still use auto login for the user?

    Cheers

    Thursday, May 5, 2011 5:16 PM
  • We don't use the Windows Media Center shell. Our product is an industrial controller, and the shell is the control software we have written. There is a password interface used to allow users to control access to certain features - for example, locking out settings that could destroy equipment. We simply added a password that executes the code needed to change the registry. I'm not sure if there is a way to do anything like that through the media center shell, which is why I suggested some sort of remote solution.

    I know that XP Media Center supported plugins, so you may be able to write a plugin that gives administrators a way to change the shell. It could also log the user out automatically.

    We use auto-login on our systems. I can log out via ctrl+alt+delete then log in as any user on the system. Auto-login only applies on bootup.

    Thursday, May 5, 2011 5:23 PM
  • Thanks Jonathan, I am working on it this weekend and will give feedback once I figure something out.

    Thanks a lot for your input.

    Thursday, May 5, 2011 5:36 PM