How to run an application as shell replacement on Windows 10 Enterprise

I need to create a special account on a computer running Windows 10 Enterprise. This account would launch an application directly on login instead of the default shell and exiting the application should force the computer to restart.

I was able to do this easily on Windows 8.1 Embedded Industry Pro using the configuration console and lockdown features.

Now, on Windows 10, I try to follow the two tutorials on TechNet: "WESL_UserSetting" and "Set up a kiosk on Windows 10 Pro, Enterprise, or Education".

However, neither of the tutorials works. I have managed to execute the scripts described in them, but they have no effect (I've modified them so they do not remove the shells set).

Finally I've ended up with the following code:

$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
$ACCOUNT_NAME = "cmp"

$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"


$NTUserObject = New-Object System.Security.Principal.NTAccount($ACCOUNT_NAME)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]).Value

$NTUser_Shell = Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | 
    where {$_.Sid -eq $NTUserSID}

if ($NTUser_Shell) {
    "Custom shell already set for [$ACCOUNT_NAME] removing it"
    $ShellLauncherClass.RemoveCustomShell($NTUserSID)
}

$restart_shell = 0
$restart_device = 1
$shutdown_device = 2

$ShellLauncherClass.SetCustomShell($NTUserSID, "cmd.exe", ($null), ($null), $restart_device)

"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction

Executing this script in an admin powershell produces the desired output:

Custom shell already set for [cmp] removing it

Current settings for custom shells:

Sid                                            Shell   DefaultAction
---                                            -----   -------------
S-1-5-21-3842421150-1098587697-2315725148-1002 cmd.exe             1

However, logging in as the 'cmp' user simply shows the standard Windows 10 shell.

What should I change in order to be able to run a program instead of a standard shell?

Jozef Legény asked Oct 27 '15 10:10


5 Answers

I had the same problem right now. And yes, Microsoft has changed the way to do a shell replacement. You can install and use the Embedded Shell Launcher to customize Windows as you like it for kiosk mode. But this is only available for Enterprise and Education.

If you don't want to buy the Enterprise version you can use the already known registry locations in HKCU and HKLM. https://msdn.microsoft.com/en-us/library/ms838576(v=WinEmbedded.5).aspx

But wait, oh no: since Windows 10 it is only possible to use Microsoft signed applications, so your normal .NET application isn't started and the screen keeps being black after login. But we've figured out a workaround.

Just use a Batch-File as bootstrapping. If you set the registry keys you like to a Batch-File and the Batch-File starts the real application, then it works like a charm.

@echo off
echo Bootstrapping, please wait ...
start /b "Bootstrap" "C:\vmwatcher\VMViewClientWatcher.exe"

Steven Spyrka answered Oct 13 '22 07:10


Have you tried changing the user's shell?

https://msdn.microsoft.com/en-us/library/ms838576(v=WinEmbedded.5).aspx

There are a few registry keys you need to set. First one enables the ability to give the user a unique shell, the second one defines the executable that starts instead of explorer.

kevmar answered Oct 13 '22 08:10


I wanted to do something similar, and I borrowed heavily from other answers, but none of them were a complete working answer for me. Here's what I ended up doing.

  1. Create a new user account

  2. Set up the following VBS script (largely inspired by this thread) to launch the shell application and name it something like "launch.vbs":

set oShell=createobject("wscript.shell")
sCmd="d:\launchbox\launchbox.exe"
oShell.run sCmd,,true 'true forces it to wait for process to finish
sCmd="shutdown /r /t 0"
oShell.run sCmd

  3. Log in as the new user

  4. Run regedit

  5. Add a new string value named Shell to HKEY_Current_User\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with a value of the command that you need to run to execute your script:

wscript d:\launchbox\launch.vbs

  6. Log off and log back on as the user to see it in action

Scott answered Oct 13 '22 07:10


I battled with this one myself. If you look at the notes for Windows 10 Shell Launcher, it only works in the Enterprise or Education version. If you try using this in Home or Pro versions it simply boots to a blank screen. Using the same script in Enterprise, I confirmed it works perfectly...

Michael answered Oct 13 '22 09:10


I think you set up the custom shell for the user correctly, but maybe you need to activate the ShellLauncher behaviour. Try this (at the end of your script):

$ShellLauncherClass.SetEnabled($TRUE)

This way the standard Windows 10 shell is not launched when you log on with the other account, but (at least in my case) the command line does not start and the result is a black screen.

You can still run the task manager and run a new task from there, but I don't understand why the command line does not automatically start.

Giovanni answered Oct 13 '22 08:10
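
A read-only check covering the points raised across the answers above: edition, whether Shell Launcher itself is enabled, the per-user entry, and the Winlogon Shell registry value. This is an added example, not code from any of the posts; the feature name Client-EmbeddedShellLauncher and the IsEnabled method come from Microsoft's Shell Launcher documentation rather than this page, and it assumes an elevated Windows PowerShell 5.1 session and the account name "cmp" from the question.

```powershell
# Added diagnostic example (not from the original posts). Changes nothing on the system.
# Assumes elevated Windows PowerShell 5.1 ([wmiclass] and Get-WmiObject are used,
# as in the question's script). $AccountName is the kiosk account from the question.
$AccountName = "cmp"
$Namespace   = "root\standardcimv2\embedded"

# 1. Shell Launcher is only supported on Enterprise and Education editions.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Edition: $($os.Caption)"

# 2. The optional feature must be installed before the WESL_UserSetting class exists.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Client-EmbeddedShellLauncher `
    -ErrorAction SilentlyContinue
$state = if ($feature) { $feature.State } else { '<feature not found>' }
"Feature Client-EmbeddedShellLauncher: $state"

if ($feature -and $feature.State -eq 'Enabled') {
    $ShellLauncherClass = [wmiclass]"\\localhost\${Namespace}:WESL_UserSetting"

    # 3. A per-user entry has no effect until Shell Launcher itself is enabled.
    "Shell Launcher enabled: $($ShellLauncherClass.IsEnabled().Enabled)"

    # 4. Resolve the account to a SID and show its configured shell, if any.
    $sid = (New-Object System.Security.Principal.NTAccount($AccountName)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $entry = Get-WmiObject -Namespace $Namespace -Class WESL_UserSetting |
        Where-Object { $_.Sid -eq $sid }
    if ($entry) { $entry | Select-Object Sid, Shell, DefaultAction }
    else        { "No custom shell entry for [$AccountName] ($sid)" }
}

# 5. Registry-based replacement from the other answers: report any Shell value
#    under Winlogon, machine-wide (HKLM) and for the current user (HKCU).
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $value = (Get-ItemProperty -Path "$hive\$winlogon" -Name Shell `
        -ErrorAction SilentlyContinue).Shell
    if ($null -eq $value) { $value = '<not set>' }
    "$hive Shell = $value"
}
```

The HKCU line reflects the user running the script, so run step 5 while logged on as the kiosk account to see that account's value. The same Winlogon Shell value is worth including in routine configuration audits, since any change to it alters what runs at logon.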