I've recently done some development for a product which we're going to make available for free with some hardware that we've designed and sell, this software makes (in our eyes) buying our hardware a no-brainer.

Now this software runs under Windows (or linux & mac os if I were to recompile on those platforms) but has to run in a kiosk style mode, i.e prevent little fingers and "hackers" from obtaining access to the OS.

The basic premise is that I replace the shell for a particular user with our application (or rather a "launcher" which simply starts our application and restarts it should it happen to crash). Now the fun begins with the secure attention sequence (Ctrl+Alt+Del) which windows uses to always show an "authentic login window", I can understand the reasoning behind this in a corporate environment, but if you have admin privileges on a machine, then it really would be nice to disable it.

So I have a couple of solutions, one of which is to change the scan code map so that Alt is disabled. This has the effect of disabling the SAS with the minimum amount of impact on the users, menu shortcuts in the application won't work (although our application doesn't have a menu so that's not a problem!).

The second option is to write a keyboard filter driver, which tracks the key states and can stop Ctrl+Alt+Del getting through, this is the preferred option as it allows all keyboard functions to operate normally and the Ctrl+Alt+Del combo can be turned on or off from user mode by creating a device node.

Which got me thinking, that the whole point of the SAS was to ensure an authentic login screen, but if I were to install a keyboard filter and a user mode application I could fake the SAS screen anyway (Trap Ctrl+Alt+Del and send some other bizarre key sequence up the chain that only the target app could possibly be interested in). Sure I'd need admin privileges to do this, but it's possible.

So I don't see why providing a way to disable the SAS is such a "security hole" if you're an administrator on that machine (and you want to do it), given that as the administrator on that machine I could fake the SAS anyway. So is this just a way of increasing sales of XP embedded?

I think you could also do what, in the old days, used to be called "hooking into the GINA chain", but which is less invasive on more recent operating systems, IIRC. I don't know how we do it these days. In the old days you used to just write your own GINA and stick it in the registry. You just had to make sure to properly call the real GINA once you were done. If you messed it up, you hosed the system and made it unbootable. I think the newer procedures for this are better at presenting less risk for OS bricking than the old way, but I don't know what the procedures are.

It also occurs to me that Windows should already have features that allow for a Kiosk Mode setup, and don't require you do to anything fancy with key mapping. I don't know this for sure, but there's gotta be an official Microsoft-sanctioned way of doing this. I'd research to find out what that is.

I don't think Ctrl-Alt-Del was ever meant to be the end-all be-all security protector. Being able to disable it or hook it once you're an admin is a perfectly normal thing to want to do (you are one such example). It's just one layer of possible security.

Gina is not available under Vista and later and the replacement technology does not allow you to replace the "secure logon" process with your own, only to provide additional methods for authentication.

Replacing the shell for a user does allow you to operate windows in a kiosk like mode as there is no shell running, just your application, however the problem still remains with the SAS, you can by fiddling with many registry settings disable all the options in the SAS window so that the only valid response is cancel, but this is not really good enough in a kiosk application as it allows the "kiosk" to be put in a state which may well confuse potential users of the kiosk. (and if all the options are disabled, then why bother showing it anyway?)

And yes, being able to disable it is a perfectly reasonable thing to want to do if you have admin privileges, unfortunately Microsoft have not provided an option to do this. (well, you can use XP embedded) - I'm just musing that I can't figure out why seeing as it still is possible to fake the SAS using a Kernel mode + User mode combination.

Even though it's not really the "GINA" any more, here at our company we still call it that for shorthand.

I find it odd that Microsoft doesn't provide a true Kiosk mode. You'd think that would be something they'd want to make available.

If you decide to make your Kiosks run on an older OS that supports it, here's some articles on how to customize the GINA:
http://msdn.microsoft.com/en-us/magazine/cc163803.aspx
http://msdn.microsoft.com/en-us/magazine/cc163786.aspx

Yep, you and me both (and the thousands of other people on the web who keep asking how you disable it).

I've read many articles on gina, but we really need to support XP, Vista and Windows 7, so although gina would have provided a simple solution, it'd have only worked on XP, so that went out of the window.

I've already written the keyboard filter driver anyway so it's a moot point really, I guess I was just venting that blocking the SAS keystroke from ever getting to user mode applications offers no more or no less protection than allowing user mode applications to hook the keystroke or a registry setting to disable it. The fact that they (Microsoft) give away a full keyboard filter sample (in the windows DDK) that with the addition of a few extra lines of code could compromise the "security" of the SAS.

(Give us a HKLM registry setting to turn it off!)

Thanks for the links though

I love this place!

Replace WinInit?

One thing I will say that has improved in Vista and Windows 7 is the fact that you can now sign drivers yourself with an authenticode certificate, a big improvement as the previous signing process was a joke.