Building a Windows 7 Kiosk PC

Sometimes you need to build a PC that can only be used for one task, and that is usually Internet Browsing.
This is commonly known as a Kiosk PC and is fairly easy to achieve in Windows 7 without extra software. Following the instructions below should give you the results you need. I am making some assumptions that you know how to carry out basic administration tasks in Window 7.



Create a local user and give it a password, call it something descriptive like 'Kiosk'
Log on as that user
Go to Programs and Features and remove any software that is not needed, if you have created a clean build this should not be necessary.
Change IE Homepage to whatever you would like it to open by default.
Install Flash or whatever plugins users will require.

Fire up notepad and insert the following code into it

On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process where Name = 'iexplore.exe'",,48)

Count = 0
For Each objItem in colItems
 Count = Count + 1   
Next
If Count = 0 then
 Set OShell = CreateObject("wscript.Shell")
 oShell.Run (chr(34) & "C:\Program Files\Internet Explorer\iexplore.exe" & chr(34))
End if


Save it out as checkie.vbs

This checks to see if a process called iexplore.exe is running and restarts it if not, you can of course change it to any process, but for the purposes of this exercise, IE is the one we need to check.

Import the scheduled task checkie.vbs as the user, this will restart IE if the user kills it, set it to run every minute, I am assuming you know how to create a scheduled task, if not, google it.



 Set PC to Auto Login:
Run regedit and browse to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

Set DefaultUserName entry, type kiosk (or whatever you called the account created earlier)
Set DefaultPassword entry, type the password you created earlier
Set AutoAdminLogon entry, type 1 in the Value Data box, and then click OK



If there is no DefaultPassword value, follow these steps to create the value: 


On the Registry Editor menu, click Edit, click New, and then click String Value.
Type DefaultPassword as the value name, and then press ENTER.
Double-click the newly created key, and then type your password in the Value Data box. 


Search for 'gpedit.msc' and run it as an Administrator
 

 
 
 
 
Edit local policy with the following settings:
User Configuration\Administrative Templates\windows components\internet Explorer
Set Enforce Full Screen Mode to ‘Enabled
User Configuration\Administrative Templates\windows components\internet Explorer/
Toolbars
Set Turn Off Developer Tools “Enabled
User Configuration\Administrative Templates\windows components\internet Explorer
Set Turn On menu Bar by Default to “Disabled
User Configuration\Administrative Templates\windows components\internet Explorer\internet Control panel\Advanced Page
Set Empty Temporary Internet files folder when browser is closed to ‘Enabled
User Configuration\Administrative Templates\windows components\internet Explorer\browser menus
Set Disable Context menu to ‘Enabled
User Configuration\Administrative Templates\windows Components\windows Explorer
Set Turn off windows+x hotkeys to “Enabled
User Configuration\Administrative Templates\control panel
Set ‘show only specified control panel items to “enabled” and add mouse as an option
User Configuration\Administrative Templates\System\Ctrl+Alt+Del options Set :
· Remove Change Password – “Enabled
· Remove Lock Computer – “Enabled
· Remove Task Manager – “Enabled
· Remove Logoff – “Enabled"
User Configuration\Administrative Templates\System – Set:
· Don’t Display the getting Started Welcome Screen at logon - “Enabled
· Prevent Access to the Command prompt – “Enabled
· Prevent Access to registry editing tools – “Enabled
 
Replace Explorer.exe as the shell with Internet Explorer by placing the path “C:\Program Files\Internet Explorer\iexplore.exe -k” in the registry key below:
Warning !! Once you do this you will no longer have an explorer shell to reverse it, so make sure this is the last thing you do, if you wish to reverse it you will need to run gpedit.msc from another PC on the same Lan and browse to remote machine.
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon: Shell = “C:\Program Files\Internet Explorer\iexplore.exe -k”


The -k will put IE in Kiosk mode, i.e full screen, but you can replace this with whatever program you prefer.




Comments

  1. Just read your comment at another site, which led me here.

    I like the possibility of doing this without anything for GP entries. However, I *do* want a backdoor.

    My company uses TeamViewer to remote into machines, and for machines that we leave unattended, we have continuous backdoor availability with TV (corporate licenses, locked down settings, running as a service, etc.). What I need is a secrete way to be able to run Explorer / Task Manager / CMD.

    My thoughts were this: if I make the auto login profile a luser, and set CMD to only run with admin privileges, the nI could remote into the machine at any time, and be able to run CMD with elevation, and be able to accomplish anything that I might need to.

    Anything that you can see as possibly hampering this?

    ReplyDelete
  2. you can use command prompt before login to the user session ; ;)

    ReplyDelete
  3. Thank you for sharing your valuable information. It is very useful for us, Visit us: touch screen kiosk

    ReplyDelete

Post a comment

Popular Posts