Friday, July 5, 2013

Enable custom shell per user under WES7

Hi Folks,

We are going to change the default shell launched at user logon. The idea is to have a default shell, such as your product application, executed when the default user logs on, and the explorer shell when an administrator starts a session.

Registry configuration

The following MSDN article describes the configuration required under Windows Embedded Standard 2009, but it requires some adjustments under Windows Embedded Standard 7.
http://msdn.microsoft.com/en-us/library/ms838576.aspx

The following registry value:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot\Shell
should be set to:
Value: USR:Microsoft\Windows NT\CurrentVersion\Winlogon

Security considerations

The explorer shell is more user friendly for platform maintenance, but it exposes the device's settings. By launching your application for ordinary users, you ensure that the user won't mess up the system, as your application will provide only the minimal set of functionality required by your product.
For security reasons, your application must therefore be set as the default user shell, with a different shell, such as the explorer shell, configured per user account for the administrator user. If someone manages to create a new user account on the system, through a back door or using malicious code, that attacker will also have to configure the account with a different shell before being able to do more damage to your device.
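
An added example, not part of the original post: a PowerShell audit of the configuration above that checks the IniFileMapping value and lists accounts whose shell differs from the machine default. The Winlogon key paths used for the default and per-user Shell values, and the allow-listed SID, are assumptions and not values from the post.

```powershell
# Added example: audit the per-user shell setup described in this post.
# Assumption: the machine default shell is the "Shell" value under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, and per-user
# overrides are the same value under each user's hive in HKEY_USERS.
$winlogon   = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$mappingKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot'
$expected   = 'USR:Microsoft\Windows NT\CurrentVersion\Winlogon'   # value given in this post

# Accounts allowed to run a non-default shell (constructed placeholder SID; use your own).
$allowedSids = @('S-1-5-21-0000000000-0000000000-0000000000-500')

function Get-ShellValue([string]$KeyPath) {
    # Returns the Shell value of the key, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name Shell -ErrorAction SilentlyContinue
    if ($item) { $item.Shell } else { $null }
}

# 1. The mapping must point Winlogon at the per-user location.
$mapping = Get-ShellValue $mappingKey
if ($mapping -ne $expected) {
    Write-Warning "IniFileMapping Shell is '$mapping', expected '$expected'"
}

# 2. The machine default should be the product application, not explorer.exe.
$defaultShell = Get-ShellValue "HKLM:\$winlogon"
Write-Output "Machine default shell: $defaultShell"

# 3. Report every loaded user hive whose shell differs from the default.
#    Only hives of logged-on users are loaded under HKEY_USERS; hives of other
#    accounts must be loaded (reg load) before they can be inspected.
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid   = $_.PSChildName
        $shell = Get-ShellValue "Registry::HKEY_USERS\$sid\$winlogon"
        if ($shell -and $shell -ne $defaultShell) {
            $status = if ($allowedSids -contains $sid) { 'allowed' } else { 'UNEXPECTED' }
            New-Object PSObject -Property @{ Sid = $sid; Shell = $shell; Status = $status }
        }
    }
```

Any row marked UNEXPECTED is an account that has been given a shell other than the locked-down default without being on the allow-list.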

- Nicolas
