Search code examples
windowsshellpowershellwindows-10

How to run an application as shell replacement on Windows 10 Enterprise

I need to create a special account on a computer running Windows 10 Enterprise. This account would launch an application directly on login instead of the default shell and exiting the application should force the computer to restart.

I was able to do this easily on Windows 8.1 Embedded Industry Pro using the configuration console and lockdown features.

Now, on Windows 10 I try to follow the two tutorials on technet WESL_UserSetting and Set up a kiosk on Windows 10 Pro, Enterprise, or Education

However, neither of the tutorials work. I have managed to execute the scripts described in them but they have no effect (I've modified them so they do not remove the shells set).

Finally I've ended up with the following code:

$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
$ACCOUNT_NAME = "cmp"

$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"


$NTUserObject = New-Object System.Security.Principal.NTAccount($ACCOUNT_NAME)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]).Value

$NTUser_Shell = Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | 
    where {$_.Sid -eq $NTUserSID}

if ($NTUser_Shell) {
    "`Custom shell already set for [$ACCOUNT_NAME] removing it"
    $ShellLauncherClass.RemoveCustomShell($NTUserSID)
}

$restart_shell = 0
$restart_device = 1
$shutdown_device = 2

$ShellLauncherClass.SetCustomShell($NTUserSID, "cmd.exe", ($null), ($null), $restart_device)

"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction

Executing this script in an admin powershell produces the desired output:

Custom shell already set for [cmp] removing it

Current settings for custom shells:

Sid                                            Shell   DefaultAction
---                                            -----   -------------
S-1-5-21-3842421150-1098587697-2315725148-1002 cmd.exe             1

However logging as the 'cmp' user simply shows the standard Windows 10 shell.

What should I change in order to be able to run a program instead of a standard shell?

Solution

  • Have you tried changing the users shell?

    https://msdn.microsoft.com/en-us/library/ms838576(v=WinEmbedded.5).aspx

    There are a few registry keys you need to set. First one enables the ability to give the user a unique shell, the second one defines the executable that starts instead of explorer.