1.

Change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFil

eMapping\system.ini\boot\Shell
Old value: String: "USR:Microsoft\Windows NT\CurrentVersion\Winlogon"
New value: String: "USR: Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
2. HKCUUSERS \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: String: "notepad.exe" (The alt shell)
3. Set HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Separate
Process REG_DWord = 1 (Tells Explorer to launch as a new process)
4. Rebooted and Logged in as the test user and try.

Different Shells for Different Users

16 out of 26 rated this helpful - Rate this topic
Sean Liming
A7 Engineering
August 2003
Applies to:
Microsoft Windows XP Embedded
Summary:
The ability to make your application the shell is one of key features of Windows
XP Embedded. Devices can start in a custom shell instead of starting in the Exp
lorer shell, which provides two benefits. The first benefit is that the system w
ill start faster. The Explorer shell takes a significant amount of time to load
all of the support libraries and files, whereas a specific application will most
likely have fewer libraries to load. The second benefit is that access to a dev
ice's administrative functions can be limited, depending entirely on how the cus
tom shell application is written.
Limiting a user's access to administrative functions such as Control Panel can b
e a benefit, but there is a small drawback: The administrator is also limited un
less the administrator can start in a different shell.
The ideal solution would be to set up Windows XP Embedded so that the user accou
nt can start in the application shell and the administrator account can start in
an administrative shell. Security features built in to Windows XP Embedded woul
d then prevent users from accessing administrative functions. This article descr
ibes how this solution can be implemented.
Contents
Registry Is the Key
How It Works
Setup for Windows XP Embedded
Extra Notes
Conclusion
Registry Is the Key

Microsoft Windows XP has a feature that can provide the

try. The registry for each user account and administrator
to start a user-specific shell. There are three keys that
rst two are generic for all users. This article refers to
ey2," and "Key3" for simplicity.

solution through the regis

account can be set up
must be set up. The fi
the keys as "Key1," "K

Key1 is a string value. When Windows XP starts, Key1 is called and the default W
indows shell is started. However, if the default value is changed to USR:Softwar
e\Microsoft\Windows NT\CurrentVersion\Winlogon, Windows looks in the HKEY_Curren
t_User key to start a specific shell for the user logging on. If the specific us
er shell is not found, Key2 is called and a default shell is started.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFile
Mapping\system.ini\boot\Shell
Type: REG_SZ
Value: SYS:Microsoft\Windows NT\CurrentVersion\Winlogon
Key2 provides a default shell if the user shell application cannot be found. Whe
n you select a shell component for a Microsoft Windows XP Embedded configuration
, Key 2 is set up to the shell application as the default shell.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogo
n\Shell
Type: REG_SZ
Value: Explorer.exe (or this can be a different default application)
Key3 sets up a shell for the current user or logged-on user. Thus, the only way
to change a particular user's shell is to log on to the user account and create
this registry entry.
Key: HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\Shell
Type: REG_SZ
Value: c:\windows\system32\account shell.exe, where account shell.exe is the
name of the application
How It Works
When the user logs on, Windows uses Key1 to determine which key holds the shell
information. Normally, Windows uses Key2 next. However, if the value of Key1 is
changed to USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Windows wi
ll use Key3 for the user logging on to start the user's specific shell.
Changing the registry key values in a system with a registry already set up is f
airly straightforward. The challenge is how to do this in Windows XP Embedded, w
here the registry is set up during the First Boot Agent (FBA) process.
HKLM keys can be set up in Target Designer because they are computer specific. S
etting up the HKCU keys, however, is impossible in Target Designer because the a
ccounts will not be created until after FBA runs. The user account and administr
ator account components create only the accounts, user names, and passwords. The
se components cannot be used to set up a specific shell. The only solution is to
set up the specific shells after the Windows XP Embedded image has completed th
e FBA process.

Setup for Windows XP Embedded

The trick to making different shells for different users in Windows XP Embedded
is in the setup. There are a few components that need to be part of the configur
ation so that Key3 can be set up for the user's account:
Windows Logon. Because different accounts will be part of the image, Windows
Logon (Standard) is a required component for the configuration. Windows Logon s
upports the ability to log on to different accounts locally and remotely. By con
trast, the Minlogon component supports only logon to a single administrator acco
unt.
Two User Account components. Two computer accounts are required at a minimum
; at least one account must be an administrator account. The User Account compon
ent can be set up to be an administrator account through the Extended Properties
page. When a user account is set up as an administrator account, it replaces th
e generic "Administrator" account, just as in other versions of Windows XP. Beca
use of the elimination of the administrator account, you may want to consider us
ing two instances of the User Account component. You can set up one component as
an administrator (which will have the administrator shell), and you can set up
the other component as a regular user (which will have the system shell).
Automatic Logon. Most original equipment manufacturers (OEMs) want their sys
tems to start directly in the application. The Automatic Logon component can be
added to the configuration to start directly in the user account, whose shell wi
ll be the system's application.
Default Shell. Windows XP Embedded comes with several shells: Explorer, Task
Manager, and Command. You can also create a custom shell. A shell component is
required in the configuration. When you select a shell component for the configu
ration, the shell will be the default shell for the Windows XP Embedded image, s
o you do not need to set up Key2.
For setting up different shells for different users, the chosen shell compon
ent will be the administrator shell, and the shell must allow access to configur
e the registry to set up Key3. Task Manager may be a good choice. TaskManager is
small shell that you can use to start other applications, such as Control.exe (
Control Panel) or Regedit.exe (Registry Editor). You may want to create your own
administrative shell if the TaskManager shell is not appropriate. After the FBA
process is completed, all accounts will have the same administrator shell. You
can then log on to any account and set Key3.
User Shell. The last component is the user or system application, which will
be the second shell. Your second shell component should not be set up as a shel
l component or be grouped with the other shell components. Rather, the second sh
ell component should be treated like any other application component, such as Wi
ndows Accessories or Transmission Control Protocol/Internet Protocol (TCP/IP) ut
ilities. After the FBA is completed, you can log on to the user account and set
up Key3 to point to the application. If the application component is missing, th
e default administrator shell component will appear.
Other components. Windows Script Engine and Registry Editor can be included
to help with creating Key3. You can create a custom application to perform this
task.
Setting Up Key1
You must set up Key1. In the Extra Registry Data, found at the top of the config
uration, add Key1 as described earlier, with the value set for USR:Software\Micr
osoft\Windows NT\CurrentVersion\Winlogon. To see the Extra Registry Data resourc
e, you may have to enable resources by clicking View, pointing at Resources, and
then clicking Target Designer.
After the configuration has been set up, built, and downloaded to the target, an

d after the FBA process is completed, the last step is to set up the user accoun
t for the system shell. Because you initially set up the image to start in the a
dministrator shell, you should be able to access the registry.
Setting Up Key3
To set up the user account with the unique shell, you must log on to the user ac
count and add Key3 to set the path to the system application. Note that you cann
ot log on to the administrator account to change the user account's shell. After
you log on to the user account, you can use Regedit.exe, Windows Script, or ano
ther application to create Key3 and set the path to the application.
The following is an example of WScript.
'Windows Script to set a user shell
set shell = CreateObject("WScript.shell")
shellpath = InputBox ("Enter the path and name of the EXE application
to be this user's shell. Example: c:\windows\system32\cmd.exe:")
if shellpath <> "" then Shell.RegWrite
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", shellpath, "
REG_SZ"
The following is an example of CScript.
'Windows Script to set a user shell
set shell = CreateObject("WScript.shell")
wscript.stdout.WriteLine "Change the Shell for this user."
wscript.stdout.WriteLine
ChangeReg
sub ChangeReg
wscript.stdout.WriteLine "Enter the path and name of the EXE application to be t
his user's shell."
wscript.stdout.WriteLine "Example: c:\windows\system32\cmd.exe or type QUIT to e
xit: "
if wscript.stdin.AtEndOfStream then exit sub
shellpath = wscript.stdin.ReadLine
if ucase(shellpath) = "QUIT" then exit sub
Shell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
", shellpath, "REG_SZ"
wscript.stdout.WriteLine "User will now have a new shell"
wscript.stdout.WriteLine
end sub
After you set Key3, you can log off and log on again to the user account and/or
the administrator account. The user account's specific shell will be started whe
n you log on to the user account. The default/administrator shell will be starte
d when you log on to the administrator account.
Extra Notes
By default, Windows Script engine is set up for WScript. WScript uses dialog box
es for input and output messages. CScript uses only a command prompt, which is i
deal for headless systems. You can change to CScript only from an administrator
account. If you decide to use a Windows Script Engine, you must modify the regis
try data for the Windows Script Engine component for the Microsoft Visual Basic S

cripting Edition (VBScript) file. Change HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Co

mmand and add %1 to the end of the value %11%\WScript.exe, as shown in Figure 1.
ms838576.shellsfig01(en-US,WinEmbedded.5).gif
Figure 1. Changing the registry value for the Windows Script Engine component
After Key3 has been created, you can log on again to the user account and see th
e new shell for the account. When you log on to the administrator account, the d
efault or administrator shell will still be started.
If you are using remote administration features, be aware that Telnet allows mor
e than one user to be logged on to the same computer, but Remote Desktop Connect
ion or Microsoft NetMeeting allows only one user to be logged on to the computer.
Remote Desktop Connection takes control of the desktop and logs off users from
a system. If you plan to use Remote Desktop Connection, your system must not be
affected by an administrator logon and a logoff of the user account.
In addition, after Key3 has been set up, you can use FBreseal found with the Cloni
ng component to reseal the image for duplication. The registry key information for
the user account will be preserved.
Conclusion
Windows XP Embedded provides a flexible way to deploy the popular Windows XP ope
rating system into a number of embedded devices. The ability to have two account
s with different shells allows OEMs to build systems that prevent users from acc
identally accessing administrative functions. The solution is to define the admi
nistrative shell as the default shell in the system and change the user account'
s registry keys to point to a second shell.
Microsoft Corporation. All rights reserved.

AutoLOGON
You can use Registry Editor to add your log on information. To do this, follow t
hese steps:
Click Start, click Run, type regedit, and then click OK.
Locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Using your account name and password, double-click the DefaultUserName entry
, type your user name, and then click OK.
Double-click the DefaultPassword entry, type your password under the value d
ata box, and then click OK.
If there is no DefaultPassword value, create the value. To do this, follow t
hese steps:
In Registry Editor, click Edit, click New, and then click String Value.
Type DefaultPassword as the value name, and then press ENTER.
Double-click the newly created key, and then type your password in the V
alue Data box.
Note: If the DefaultPassword registry entry does not exist, Windows XP autom
atically changes the value of the AutoAdminLogonregistry key from 1 (true) to 0
(false) to turn off the AutoAdminLogon feature after the computer is restarted.
Double-click the AutoAdminLogon entry, type 1 in the Value Data box, and the
n click OK.

If there is no AutoAdminLogon entry, create the entry. To do this, follow th

ese steps:
In Registry Editor, click Edit, click New, and then click String Value.
Type AutoAdminLogon as the value name, and then press ENTER.
Double-click the newly created key, and then type 1 in the Value Data bo
x.
Exit Registry Editor.
Click Start, click Restart, and then click OK.
After your computer restarts and Windows XP starts, you can log on automatically
.
If you want to bypass the automatic logon to log on as a different user, hold do
wn the SHIFT key after you log off or after Windows XP restarts. Note that this
procedure applies only to the first logon. To enforce this setting for future lo
goffs, the administrator must set the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value:ForceAutoLogon
Type: REG_SZ
Data: 1