I need to design a "Conditions of Use" dialog that is presented to users after they log on to Windows XP. It must not allow the user to proceed until they check an "I agree" box. It must not be possible to shut it using Task Manager or any other method. And it should be fullscreen and modal. The "I agree" will remain checked automatically during subsequent logins for the duration of 1 month, after which the user will need to check it again. Also HR want to track who has checked the checkbox.

Is such a thing possible using .Net? I can use C# to design it but I'm not sure about how to prevent users from bypassing the dialog.

I know Windows Group Policy allows a dialog to be presented before login, but that does not allow a checkbox or any customization.

Any thoughts?

A: 

There are ways of disabling the task manager and taskbar.

Setting the following key value to dword:1 will disable the task manager:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

I found the following snippet, giving the general impression of how to disable the task bar using FindWindow and ShowWindow. It should be easy enough for you to translate this to C#:

    void CClass::HideTaskBar(BOOL Show)
    {
        // The taskbar is a top-level window of class "Shell_TrayWnd";
        // passing NULL as the window name matches any title.
        CWnd* pWnd = CWnd::FindWindow(_T("Shell_TrayWnd"), NULL);
        if (!pWnd)
        {
            TRACE("Error getting shellwindow\n");
            return;
        }

        if (Show == FALSE)
        {
            pWnd->ShowWindow(SW_HIDE);   // hide the taskbar
        }
        else
        {
            pWnd->ShowWindow(SW_SHOW);   // restore the taskbar
        }
    }

The same methods can be used to enable the task manager and display the task bar, once your application closes.

I haven't tested these methods myself. I found the above examples here.

Bernhof
+1  A: 

Perhaps this alternative may make things simpler... It has no checkbox, no code, but you still force the user to acknowledge the policy and you still get to see who logs on (via the security log).

Alter the following Local Security Policies on the machine (via secpol.msc):

Set "Interactive Login: Message Text For Users attempting to Log on" to your warning.

Set "Interactive Login: Message Title For Users attempting to Log on" to the title of your warning.

These can be found in Security Settings\Local Policies\Security Options.

Also consider "Interactive Login: Do not display user last name" and adjust your logging policy accordingly...

Hope that helps.

CMB
+3  A: 

In older versions of Windows, it used to be possible to implement your own winlogon.exe, which is the application that presents the log-in user interface. It's not so easy now, and for good reasons: Microsoft have invested a lot more effort in security than the average Joe Coder would!

Once you are past the login, the operating system becomes a little bit of a free-for-all, but only because winlogon's first task is to spawn EXPLORER.EXE. If you replace the shell with your own, which in turn spawns explorer when your entry criteria have been met, you will get the behaviour you want. You will, as you commented, need to disable the task manager, as this gives an opportunity to launch other applications.

Changing the default shell (all users):

  1. Open regedit (Start menu > Run, and type in regedit).
  2. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Change Shell from explorer.exe to the new shell path, e.g. your application.
  4. Log out and log back in.

Changing the default shell (only current user):

  1. Open regedit (Start menu > Run, and type in regedit).
  2. Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Add a new string value (Edit > New > String Value) called shell, and set the value to the path of the new shell, e.g. your application.
  4. Log out and log back in.

Ray Hayes
A: 

You should try to substitute the Windows shell program (explorer.exe). It is possible to do this in the system registry. Do any interaction with the user from your program, and then run the standard shell.

tyger
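
The shell-replacement approach from the two answers above, as an added example (not code from any of the posters): a C# WinForms program, assumed to be registered as the Winlogon Shell value, that shows the dialog, keeps the acceptance for one month, logs who accepted, and then starts explorer.exe. The class name ConsentShell, the marker file name and the \\fileserver\consent$ share are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Windows.Forms;

static class ConsentShell
{
    // Hypothetical locations: per-user marker file and a central audit file for HR.
    static readonly string Record = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.ApplicationData), "consent-accepted.txt");
    const string AuditLog = @"\\fileserver\consent$\accepted.csv";
    // The marker's last-write time is the acceptance time; a missing file reads as year 1601.
    static bool NeedsConsent(DateTime nowUtc)
    {
        return File.GetLastWriteTimeUtc(Record).AddMonths(1) <= nowUtc;
    }
    // Full-screen, borderless, topmost form; returns true only if the box was ticked.
    static bool ShowGate()
    {
        var form = new Form { FormBorderStyle = FormBorderStyle.None, TopMost = true,
            WindowState = FormWindowState.Maximized, ShowInTaskbar = false };
        var agree = new CheckBox { Text = "I agree", AutoSize = true, Left = 40, Top = 40 };
        var ok = new Button { Text = "Continue", Left = 40, Top = 80, Enabled = false };
        agree.CheckedChanged += (s, e) => ok.Enabled = agree.Checked;
        ok.Click += (s, e) => form.Close();
        // Refuse Alt+F4 and other close requests, but never block logoff or shutdown.
        form.FormClosing += (s, e) =>
            e.Cancel = !agree.Checked && e.CloseReason != CloseReason.WindowsShutDown;
        form.Controls.AddRange(new Control[] { agree, ok });
        Application.Run(form);
        return agree.Checked;
    }
    [STAThread]
    static void Main()
    {
        if (NeedsConsent(DateTime.UtcNow))
        {
            if (!ShowGate()) return; // session is ending without consent
            try // audit first, so a marker never exists without an HR entry
            {
                string line = Environment.UserName + "," + DateTime.UtcNow.ToString("o");
                File.AppendAllText(AuditLog, line + Environment.NewLine);
                File.WriteAllText(Record, line);
            }
            catch (Exception) { } // share unreachable: ask again at next logon
        }
        Process.Start("explorer.exe"); // hand over to the standard shell
    }
}
```

The marker file lives in the user's own profile, so the user can create or delete it; the central audit file is the record HR should rely on. The same applies to a Shell value set under HKEY_CURRENT_USER, which the user can normally change, unlike the HKEY_LOCAL_MACHINE value.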