windows 7 - How would I prevent users from logging in a PC while software is installing?
2014-07
user333121
So I currently am looking for a solution to keeping users logged out while software is installing or activating a pop-up message that cannot be moved, closed, and is always on top, because sometimes when we deploy software to users (via SCCM), the parameters of the install require the user to be logged out for the duration of the installation. I've looked at trying to customize the group policy for account lockout but with no luck. Anyone know of any programs or scripts that do this?
Thank you!
user333121
I just wanted to let anyone who ended up seeing this question to know that I solved my problem a different way. Basically, I ended up using PSTools, and AutoIt3 scripting.
I first wrote a script in powershell to display an HTA splash screen on the login screen informing the user that there was an installation going on like so:
#Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
#$ErrorActionPreference = 0
$args = @('-accepteula', '-s', '-h', '-x', 'mshta.exe "c:\temp\splash.hta"')
$thisfolder = Split-Path -Parent $MyInvocation.MyCommand.Definition #Get's the folder you are currently in
$installpath = "C:\GOOGLE_SKETCHUP_PRO_14p0p4900\Install-Sketchup2014.cmd" #path to install (msi, exe, cmd, etc...)
Copy-Item $thisfolder\* C:\temp -Exclude *.ps1 -Recurse -Force
start-process -file c:\temp\pstools\psexec.exe -ArgumentList $args -WindowStyle Minimized #opens login splash screen
#Start-process $installpath -NoNewWindow -Wait -WindowStyle Hidden #starts the install and waits until its finished to close the splash screen
Start-Sleep 10 #To simulate an installation..
Get-Process mshta | Stop-Process -Force #closes the splash screen
Get-Process PSEXESVC | Stop-Process -Force #closes the PSExec
cmd.exe /c "rd C:\TEMP\PSTools /s /q" #removes pstools from computer
cmd.exe /c "del C:\TEMP\splash.hta /q /f" #removes splash screen files from computer
Then I used an autoIt3 script to lock the mouse and keyboard for the duration of the install by using the BlockInput() function of AutoIt3. I turned the script into an EXE so that it could be ran without autoit being installed on the machine.
Hope that helps anyone else looking for a solution to preventing user logon.
mrTomahawk
You can look at changing the following registry value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
This value controls what happens when a user logons to a system. By default it typically has a value like the following:
C:\windows\system32\userinit.exe
but it can be changed to do just about anything you want. For example we have some systems which we want to act as dump terminals connecting to our Citrix terminal server farm. we do this by changing this value to be the following:
c:\\windows\\system32\\wscript.exe c:\\someFolder\\somescript.vbs
this doesn't prevent the user from logging onto the system, but instead stops the user's environment from being initiated after they'e logged on. You could do something similar where a script would rename the current Userinit value to something like Original_Userinit and then create a new one which would point to a script which would just log them back off once they logged back on. Then once you are done doing what ever you are doing you rename this value to something else like Logoff_Userinit, and then rename the original back.
Again this won t prevent the user from logging on, but it will prevent the logon session from being being initiated and immediately log them back off.
tvanover
So I have a Windows 7 home machine with 2 user accounts. One is a standard user account and one is an administrator account. Now this is going to be put in the hands of a very low-tech user so I don't want them to be able to see the administrator account on logon, but they want to have a password to prevent someone else from using the machine.
My goal is that when the user turns on the computer, they are presented with their login. After logging in to their non-administrator account, if something needs to be installed then the administrator account can be used through UAC.
I have tried creating the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList and adding a dword of the account name and set it to 0. It succeeded in hiding the account from th login screen. As well as hiding it from UAC. So it fails the second requirement, of being able to run things as administrator through UAC.
Also since I didn't set an administrator password (left it blank) it seems that I have completely locked myself out of the machine since runas doesn't accept blank passwords. So I also cannot undo it, and have quite effectively bricked the install, prompting an OS reinstall.
This is Windows 7 Home, so there is no Users management console.
nhinkle
The original question was different, but I have actually provided an answer to this question before. See my post in the question "Always display the last / default user Windows 7 welcome screen" - it explains how to set up UAC and hidden accounts together so you can authenticate to the account via UAC but not log into it from the welcome screen.
Essentially, what you need to do is configure UAC to prompt for the user to enter both their username and password manually, allowing you to enter a username which is hidden from the login screen but still enabled. Instructions on how to do this are on the linked post.
In the meantime, it should still be possible for you to recover the account without doing a full reinstall. Open a command prompt (cmd.exe), and type runas /user:USERNAME regedit.exe, where USERNAME is the name of the administrative account. It will prompt you for that user's password; enter it and hit enter. This will open the registry editor running as that user, from which you can go in and revert the changes you made, adding back the account to the login screen.
Re-read your question and noticed that you said run-as won't work. What happens when you try booting into safe mode? I seem to recall that with Windows 7 Home Premium, the built-in administrator account is disabled by default, but is enabled in safe mode, allowing you to log into it and make changes. Unless you have hidden the built-in account in addition to whatever account you set up, this may work.
Finally, if all else fails, you could try running a system restore from the recovery console. Boot onto your Windows 7 installation disk, and choose to "repair a windows installation" instead of install. You can select your installation, then will eventually get to a screen where you can choose to do a restore. This should change the registry back to how it was before you made the change, if it has an old enough restore point. Your files will not be modified by a system restore, although some system settings might be.
harrymc
(as the question has changed, so must my answer.)
My idea is that one does not need to unhide the administrator account in order to use it. This account can stay hidden from the Welcome screen through the mechanism of Winlogon\SpecialAccounts\UserList.
This is based on the fact that one can always issue in a Command Prompt (or Run box) any command as administrator by using RunAs :
RunAs /user:admin "control userpasswords2"
RunAs /user:admin regedit
You can also in this way import a pre-prepared .reg file that will unhide the administrator account for your own use, then use another .reg file to hide it again when you finish with this computer.
RunAs /user:admin regedit c:\secret\directory\unhide_admin.reg
RunAs /user:admin regedit c:\secret\directory\hide_admin.reg
This way you can automate the hiding and unhiding of the administrator account.
djhowell
The process described in this article discusses XP but will work in Vista and Windows 7.