how to enforce parental controls in safe mode

jmagaram

Dec 15, 2009, 7:22:01 PM
I have built a parental control application that enforces time limits. It
works on Windows XP/Vista/7. It uses a Windows Service to track who is using
the computer when, and boots the kids off - a forced logoff - when their time
runs out. But when someone reboots into Safe Mode, my service isn't started,
so it is very easy for kids to bypass the time limits. Actually some of the
services my service depends on aren't started either so I can't even manually
start my service in Safe Mode. As a workaround, I attempted to put a separate
program in the user's Startup folder that would automatically log them off in
Safe Mode using the ExitWindows API but from tests I've run I don't think the
programs in the Startup folder get run in Safe Mode.

Is there a way to password protect safe mode without buying BitLocker? I
can't require all my users to upgrade to Ultimate.

How can I build a parental control application that works in Safe Mode?

Are programs in the Startup folder NOT started in Safe Mode?

If I use the Parental Control API in Windows 7/Vista, can I somehow get
around this problem?

jmagaram

Dec 15, 2009, 7:27:01 PM
Another idea: It would be helpful if I could block non-administrators from
logging on in Safe Mode. That would fix my problem.

lelteto

Dec 16, 2009, 11:40:01 PM
It's not pretty but theoretically you can do this: You would need to write a
GINA (XP, or equivalent login control for Vista / Win7) and a service. GINA
could check the service: if it doesn't start it could deny any non-admin
login.
As I said it's probably more trouble than you want to go into for your goal,
but it's one possible way to add the control you want.

Laszlo Elteto
SafeNet, Inc.

jmagaram

Dec 18, 2009, 12:32:01 PM
Here's how I fixed it. I created a new lightweight service and configured it
to run in Safe Mode by adding it to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\(Network|Minimal)\(ServiceNameHere).
The service only runs in Safe Mode; it stops immediately if it detects that
it is being run in Normal mode by checking the .net
SystemInformation.BootMode property. This service monitors who is using the
computer and logs off anyone who isn't on the "approved" list of users. The
approved list of users isn't defined based on membership in the Administrator
group because on Windows Vista/7 the user token doesn't contain the
Administrator group until elevation happens. So I provide some UI for the
user to pick the user accounts of people who can use the computer in Safe
Mode.

I'd prefer not to have to provide any UI for picking the list of approved
Safe Mode users. I'd rather just block Safe Mode access for
non-administrators. But I don't know how to determine who the administrators
are. The technique I had attempted to use was to call WTSQueryUserToken for
the WTSGetActiveConsoleSessionId. Then I use this .net code:

    bool isAdministrator = new WindowsPrincipal({identityBasedOnToken}).IsInRole(WindowsBuiltInRole.Administrator);

But as I said before this test fails on Windows Vista/7. Is there another
way to determine if the user has the potential to be an administrator?

I wanted to simply mark my original service to work in Safe Mode but
couldn't do this because it has a dependency on the Terminal Service
(termservice), which does not work in Safe Mode. I considered adding
termservice to the list of Safe Mode services but this seemed risky because I
don't know if it can work in Safe Mode, even if all its explicitly defined
dependent services are also running. The reason I need termservice is because
I use it to log off or do a switch user of the current interactive user. The
following APIs seem to work on Windows Vista/7 even if termservice isn't
running but they do NOT appear to work on Windows XP. In other words:

WTSDisconnectSession
WTSLogoffSession

I can't figure out how to log off or disconnect the current interactive user
on Windows XP when termservice isn't running. So my lightweight service does
this instead on Windows XP: Process.Start("shutdown", "-r -f -t 0")
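
Added example, not part of jmagaram's post or his application: one way to answer the question above about whether a user "has the potential to be an administrator" on Vista/7 is to ask Windows for the token's elevation type and, if it is a UAC-filtered token, run the same IsInRole test against the linked (elevated) token. The class and method names are hypothetical; the sketch assumes .NET Framework 4 or later and a token handle such as the one WTSQueryUserToken returns.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: decides whether a logon token belongs to an account that can
// elevate to administrator, even when UAC has filtered the token.
static class AdminPotential   // hypothetical name
{
    // Values from the Win32 TOKEN_INFORMATION_CLASS and TOKEN_ELEVATION_TYPE enums.
    const int TokenElevationType = 18;
    const int TokenLinkedToken = 19;
    const int TokenElevationTypeLimited = 3;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int length, out int returned);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out IntPtr info, int length, out int returned);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // userToken: e.g. the handle from WTSQueryUserToken (the caller still owns it).
    public static bool CanBeAdministrator(IntPtr userToken)
    {
        if (IsAdministrator(userToken)) return true;                 // XP, or already elevated
        if (Environment.OSVersion.Version.Major < 6) return false;   // no split tokens before Vista

        int type, returned;
        if (!GetTokenInformation(userToken, TokenElevationType, out type, sizeof(int), out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (type != TokenElevationTypeLimited) return false;         // no linked elevated token

        IntPtr linked;                                               // TOKEN_LINKED_TOKEN is a single HANDLE
        if (!GetTokenInformation(userToken, TokenLinkedToken, out linked, IntPtr.Size, out returned))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try { return IsAdministrator(linked); }
        finally { CloseHandle(linked); }
    }

    static bool IsAdministrator(IntPtr token)
    {
        using (var identity = new WindowsIdentity(token))            // duplicates the handle
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }
}
```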

Bogdan White

Oct 19, 2010, 6:28:52 AM
Jmagaram,

I have the same problem. My Service checks who is logged, then it counts logged time (if the user is logged off or unlocked - the timer stops). If cumulative logged time exceeds the permitted time, the force logoff/shutdown occurs but before this my service removes the user's Logon screen so it is not possible to logon for the user both in Normal and Safe Mode. This is achieved by making changes in registry. If DayOfWeek changes the service restores Registry to enable the logon. It works well when the user is logged - the Logon screen disappears but it is not back next day after start up of the machine. If some other user logs on then the Logon screen appears. The record provided by my service proves that changes in Registry are performed correctly every time.
I am an amateur in programming (C#). If you've got some suggestion to solve the problem with restoring the Logon screen on Startup you could use the method for your service as well.
