James Thew - Fotolia

Windows kiosk mode locks down PCs, but note workarounds

Switching from the Windows Explorer shell to a particular app can be useful for single-purpose devices, but users can still foil Windows kiosk mode.

Several operating system modules work together to initialize Windows. When a user logs on, these OS modules are loaded, and a Windows shell is loaded. Starting with Windows 3.1, two types of shells have been available: command and Windows Explorer.

When a user logs on to a Windows PC, the Windows Explorer shell is loaded. The Windows Explorer shell is configured to start at the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry location.

A registry entry called "Shell" is configured to start Explorer.exe. This executable is the Windows desktop environment. The OS allows you to run your application in place of the Windows Explorer shell.

Once the app's EXE path is specified in the above registry key location and the next time a user logs on to the Windows PC, the OS runs the app rather than launching the Windows Explorer shell. Replacing Explorer.exe with a choice of application EXE to start when a user logs on to the computer is sometimes referred to as "kiosk mode."

Windows kiosk mode allows you to set up a workstation so that any user who logs on to the system can use only an application that is configured in place of Explorer.exe.

You might want to configure a workstation in kiosk mode for a couple of reasons:

  • You are a banking organization, and you want your customers to use an automated teller machine app to perform financial transactions.
  • You set up a workstation to allow customers to book airline tickets and check the status of flights.
  • You set up an endpoint device in a library where students can search for and read books.

But there are a lot of issues to consider if you configure a workstation in kiosk mode:

  • Since the kiosk mode is configured per machine, you don't have control over which users can access which applications. For example, the configuration approach described above also applies to local administrator accounts.
  • Users with administrative rights can launch the Windows Registry Editor via Task Manager and modify the registry entry value to run any other application.
  • Users can switch to the desktop by pressing the ALT+ESC key combination.
  • Users can also close the application by pressing the ALT+F4 key combination.
  • Users can kill the application using Task Manager and launch Explorer.exe via Task Manager > Run, which in turn allows users to access the desktop.

If you wanted to completely lock down a workstation -- making sure, for example, that users do not use the ALT+CTRL+DEL key combination to kill an application -- you could configure various Group Policy settings to disable Task Manager, etc. However, this will not help in a complete lockdown of a workstation. A smart user could always break this functionality by using a number of techniques.

Fortunately, Windows 8.1 simplifies the process of configuring workstations in kiosk mode with a new feature. Assigned Access enables desktop admins to set up endpoint devices and maintain security by prohibiting users from accessing other OS components. I'll explain the benefits and how to use Assigned Access in my next article.

About the author:
Nirmal Sharma is a MCSEx3, MCITP and was awarded Microsoft MVP award in Directory Services. He specializes in Directory Services, Microsoft Clustering, Hyper-V, SQL and Exchange and has been involved in Microsoft technologies since 1994. Sharma can be reached at [email protected].

Next Steps

Which is better for quick Windows 8 startup -- UEFI or BIOS?

Hidden files can hinder the Windows startup process

Windows 8.1 includes boot to desktop and other timesavers

Expand Windows Explorer's ability to create thumbnails

What's new for the enterprise in Windows 8.1

Image Resizer is a free Windows Explorer shell extension

Dig Deeper on Windows OS and management

Virtual Desktop
SearchWindowsServer
Close