If you create an application to run on a dedicated kiosk, you can easily disable any key on Windows 95, 98 and ME in code; even the infamous "three finger salute", CTRL+ALT+DEL, can be blocked. However, CTRL+ALT+DEL is a special key sequence on Windows NT based operating systems (NT, 2000 and XP). On these systems CTRL+ALT+DEL is called the special attention sequence (or SAS), and it has hooks deep into the NT security system which make it impossible to block this sequence in code. So in order to secure a Windows workstation for kiosk duty, we have to dig a little deeper.

Keyboards and other input devices generate scan codes every time you press and release a key. These scan codes are converted into virtual keys that are propagated through the system in the form of Windows messages. This abstraction of the input device provides absolute control over the keyboard, making it possible to add a key not generally available on a keyboard, to remove a key that is never used (or should not be used), or to map the functionality of one key to another.

Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. I highly recommend reading the following Microsoft Knowledge Base articles before you continue.

Description of the Microsoft Windows Registry
How to backup, edit and restore the registry

Windows NT, 2000 and XP systems include a Scan Code Mapper, which allows for mapping of scan codes. The scan code mappings are stored in the registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map
If the Scancode Map value doesn't exist it must be added. This value is of type REG_BINARY and has the data format specified in the following table (sizes and offsets are given in bytes).

The first and second double word values (DWORDS) store header information and should be set to all zeroes for the current version of the Scan Code Mapper. The third DWORD entry holds a count of the total number of mappings that follow, including the null terminating mapping. The minimum count would therefore be 1 (no mappings specified). The individual mappings follow the header. Each mapping is one DWORD in length and is divided into two WORD length fields. Each WORD field stores the scan code for a key to be mapped.

Each mapping DWORD consists of two parts: the output scan code and the input scan code. To disable a key, set the output scan code to 00 00.

To disable the list of keys above, save the following lines to a file called "SCANCODE.REG". Right click on the REG file and select "Merge" to add the specified key and value to your registry. After you reboot, the keys will be disabled.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,09,00,00,00,00,00,5b,e0,00,00,5c,e0,\
  00,00,5d,e0,00,00,44,00,00,00,1d,00,00,00,38,00,00,00,1d,e0,00,00,38,e0,\
  00,00,00,00

This list of keys was chosen specifically to demonstrate how to prevent anyone from using CTRL+ALT+DEL, the Windows keys or a popup menu to reboot a computer running Windows NT, 2000 or XP, a useful thing to know if you're creating kiosk applications.
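
The following Python parser is an added example, not part of the original article. It decodes a Scancode Map value according to the layout described above and is run against the hex data from SCANCODE.REG, which makes it usable for checking what an exported value on a kiosk actually disables. The key names, the function names and the header field names `version` and `flags` are supplied by the example.

```python
import struct

# Key names for the scan codes in the article's map (standard PC set 1
# assignments; the names are added by this example, not by the article).
KEY_NAMES = {
    0xE05B: "Left Windows", 0xE05C: "Right Windows", 0xE05D: "Application (menu)",
    0x0044: "F10", 0x001D: "Left Ctrl", 0x0038: "Left Alt",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt",
}

# The hex data from the SCANCODE.REG file in this article.
ARTICLE_MAP = bytes.fromhex(
    "00000000" "00000000" "09000000"
    "00005be0" "00005ce0" "00005de0" "00004400" "00001d00"
    "00003800" "00001de0" "000038e0" "00000000"
)

def parse_scancode_map(data):
    """Return a list of (input_code, output_code); raise ValueError if malformed."""
    if len(data) < 16 or len(data) % 4:
        raise ValueError("too short or not a whole number of DWORDs")
    version, flags, count = struct.unpack_from("<III", data, 0)
    if version or flags:
        raise ValueError("header DWORDs must be zero")
    if count < 1 or len(data) != 12 + 4 * count:
        raise ValueError("count does not match data length")
    # Each mapping is little-endian: output scan code WORD, then input scan code WORD.
    pairs = [struct.unpack_from("<HH", data, 12 + 4 * i) for i in range(count)]
    if pairs[-1] != (0, 0):
        raise ValueError("missing null terminating mapping")
    return [(inp, out) for out, inp in pairs[:-1]]

def build_scancode_map(mappings):
    """Inverse of parse_scancode_map: mappings is a list of (input_code, output_code)."""
    body = b"".join(struct.pack("<HH", out, inp) for inp, out in mappings)
    # The count includes the null terminating mapping appended at the end.
    return struct.pack("<III", 0, 0, len(mappings) + 1) + body + b"\x00" * 4

def describe(data):
    """Return one human-readable line per mapping in the value."""
    lines = []
    for inp, out in parse_scancode_map(data):
        name = KEY_NAMES.get(inp, f"scan code {inp:#06x}")
        action = "disabled" if out == 0 else f"remapped to {KEY_NAMES.get(out, f'{out:#06x}')}"
        lines.append(f"{name}: {action}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(ARTICLE_MAP)))
```
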

Delete the Scancode Map value from the registry and reboot to return your system to normal; just don't try to use CTRL+ALT+DEL to get there.

Important Notes

Once the map is stored in the registry, a system reboot is required to activate it.

The mappings stored in the registry work at system level and apply to all users; they cannot be set to work differently for each user (which is not a problem in a dedicated kiosk application).

The mappings always apply to all keyboards connected to the system so it is not possible to create a map on a per-keyboard basis.