Securing Windows For Use As A Kiosk

 Posted on Wed Jul 25 2007 in Windows by Tim

If you create an application to run on a dedicated kiosk you can easily disable any key on Windows 95, 98 and ME in code; even the infamous "three finger salute", CTL+ALT+DEL, can be blocked. However, CTL+ALT+DEL is a special key sequence on Windows NT-based operating systems (NT, 2000 and XP). On these systems CTL+ALT+DEL is called the special attention sequence (or SAS), and it has hooks deep into the NT security system which make it impossible to block this sequence in code. So in order to secure a Windows workstation for kiosk duty, we have to dig a little deeper.

Keyboards and other input devices generate scan codes every time you press and release a key. These scan codes are converted into virtual keys that are propagated through the system in the form of Windows messages. This abstraction of the input device provides absolute control over the keyboard, making it possible to add a key not generally available on a keyboard, to remove a key that is never used (or should not be used), or to map the functionality of one key to another.

Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. I highly recommend reading the following Microsoft Knowledge Base articles before you continue.

Description of the Microsoft Windows Registry
How to backup, edit and restore the registry

Windows NT, 2000 and XP systems include a Scan Code Mapper, which allows for mapping of scan codes. The scan code mappings are stored in the registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map

If the Scancode Map value doesn't exist it must be added. This value is of type REG_BINARY and has the data format specified in the following table (sizes and offsets are given in bytes).

Offset   Bytes   Description of data
0        4       header: version information
4        4       header: flags
8        4       header: number of mappings
12       4       individual mappings
last 4   4       null terminator (00 00 00 00)

The first and second double word values (DWORDS) store header information and should be set to all zeroes for the current version of the Scan Code Mapper. The third DWORD entry holds a count of the total number of mappings that follow, including the null terminating mapping. The minimum count would therefore be 1 (no mappings specified). The individual mappings follow the header. Each mapping is one DWORD in length and is divided into two WORD length fields. Each WORD field stores the scan code for a key to be mapped.

Each mapping DWORD consists of two parts: the output scan code and the input scan code. To disable a key, set the output scan code to 00 00.

Scancode   Description
5b e0      Windows Key
5c e0      Windows Key
5d e0      Windows Menu Key
44 00      F10
1d 00      Left Ctrl
38 00      Left Alt
1d e0      Right Ctrl
38 e0      Right Alt

To disable the list of keys above, save the following lines to a file called "SCANCODE.REG". Right click on the REG file and select "Merge" to add the specified key and value to your registry. After you reboot, the keys will be disabled.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,5b,e0,00,00,5c,e0,00,00,5d,e0,00,00,44,00,00,00,1d,00,00,00,38,00,00,00,1d,e0,00,00,38,e0,00,00,00,00


This list of keys was chosen specifically to demonstrate how to prevent anyone from using CTRL+ALT+DEL, the Windows keys or a popup menu to reboot a computer running Windows NT, 2000 or XP, a useful thing to know if you're creating kiosk applications.
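
Before a kiosk image ships, the Scancode Map value can be decoded and checked against the layout described above. The following Python is an added example, not code from the original post: it parses the article's REG data and validates the header, mapping count and null terminator. The function names and the KEY_NAMES table are assumptions made for illustration.

```python
import struct

# Key names from the article's scan code table, keyed by input scan code
# (0xE05B is taken from the REG data). Table name is illustrative.
KEY_NAMES = {
    0xE05B: "Windows Key", 0xE05C: "Windows Key", 0xE05D: "Windows Menu Key",
    0x0044: "F10", 0x001D: "Left Ctrl", 0x0038: "Left Alt",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt",
}

# Value data copied from the article's SCANCODE.REG.
ARTICLE_MAP = ("00,00,00,00,00,00,00,00,09,00,00,00,00,00,5b,e0,00,00,5c,e0,"
               "00,00,5d,e0,00,00,44,00,00,00,1d,00,00,00,38,00,00,00,1d,e0,"
               "00,00,38,e0,00,00,00,00")

def reg_hex_to_bytes(text):
    """Convert the comma-separated hex: payload of a .reg file to bytes."""
    parts = text.replace("\\", "").split(",")
    return bytes(int(p, 16) for p in parts if p.strip())

def parse_scancode_map(blob):
    """Decode a Scancode Map blob into (output, input) scan code pairs.

    Raises ValueError when the header, count or terminator disagree with
    the layout given in the article.
    """
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("blob must be at least 16 bytes and DWORD aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("header version and flags must be zero")
    if count < 1 or 12 + 4 * count != len(blob):
        raise ValueError("mapping count does not match blob length")
    pairs = [struct.unpack_from("<HH", blob, 12 + 4 * i) for i in range(count)]
    if pairs[-1] != (0, 0):
        raise ValueError("missing null terminator")
    return pairs[:-1]  # drop the terminator entry

def describe(pairs):
    """Render each mapping as text; output 0x0000 means the key is disabled."""
    lines = []
    for out_code, in_code in pairs:
        name = KEY_NAMES.get(in_code, "unknown key")
        action = "disabled" if out_code == 0 else f"remapped to 0x{out_code:04X}"
        lines.append(f"0x{in_code:04X} ({name}): {action}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(parse_scancode_map(reg_hex_to_bytes(ARTICLE_MAP)))))
```

A count that disagrees with the blob length, or a missing terminator, raises ValueError instead of being accepted silently.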

Delete the Scancode Map value from the registry and reboot to return your system to normal. Just don't try to use CTRL+ALT+DEL to get there.

Notes

  • once the map is stored in the registry, a system reboot is required to activate it

  • the mappings stored in the registry work at system level and apply to all users; they cannot be set to work differently for each user (which is not a problem in a dedicated kiosk application)

  • the mappings always apply to all keyboards connected to the system, so it is not possible to create a map on a per-keyboard basis

Comments

    hi great info
    is there a way to load it when a user logs in
    and to unload it when another user logs in
    that way you could get user control :)
    Cheers
    Greg
    Posted by Greg Clement on 9 Sep 2009 at 6:53pm

    The scancode map is stored in HKEY_LOCAL_MACHINE so you'd have to change it back to non-kiosk mode before the user logged out to disable it. The more difficult problem is enabling it again for the user you want it enabled for. I haven't got a good solution for that.
    Posted by Tim on 9 Sep 2009 at 7:13pm

    if CTRL+ALT+DEL is disabled.... How does one (such as administrator) logIn ! ! ! ?
    Posted by Robt on 18 Nov 2010 at 9:47pm

    If you're using this as a kiosk you don't want anyone to have to logon so you'd set the system up for auto-logon and/or Disable the CTL+ALT+DEL sequence.
    Posted by Tim on 18 Nov 2010 at 11:13pm

    Hi there, I'm currently reviewing swfstudio to see if it can help me secure my flash app to run in kiosk mode. Is the above article about registry edit still valid for Windows 7? I'm deploying the kiosk in Win 7 Home Premium 64 bit and I know this post is quite dated so not sure if any changes in that end that I need to know.
    Posted by flashkiosk on 18 Apr 2011 at 12:57pm

    The scan code map is a pretty basic feature and I've seen other references using it to remap scan codes on Windows 7 so it should work fine.
    Posted by Tim on 18 Apr 2011 at 2:06pm

    is there any way to do this in windows 7 ?
    Posted by Raj on 27 Jul 2011 at 1:41pm

    It should work exactly the same in all versions of Windows from 2000 up.
    Posted by Tim on 27 Jul 2011 at 2:06pm

    It works well on Windows 7 (both 32 and 64 bits) just tested it right now.

    To block:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,5b,e0,00,00,5c,e0,00,00,5d,e0,00,00,44,00,00,00,1d,00,00,00,38,00,00,00,1d,e0,00,00,38,e0,00,00,00,00

    To unblock:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
    "Scancode Map"=-

    Remember, you need to reboot in order to make the changes work
    Posted by CardinaJo on 23 Dec 2011 at 4:40am

    copyright © 2000-2012 Northcode Inc  ·  all rights reserved