I have run into a few scenarios where people want to be able to block access to Windows Explorer so that they can do something such as update the system on a machine that is otherwise publicly facing. One possibility is to create a desktop all your own.

The underlying architecture of Windows makes this possible. Every instance of the operating system contains a collection of Sessions. Services run in Session 0, and interactive users run in Sessions 1, 2, 3, etc. (This is on Windows Vista - on Windows XP and earlier, the first interactive login shared Session 0 with services.) Each session contains a collection of Window Stations. Only one of these, WinSta0, is given access to display output, keyboard, and mouse. (Consequently, I haven't come up with any use in anything I have developed for the ability to create more.) Each Window Station contains a collection of Desktops.

You can already see multiple desktops just by using Windows. When you get to the login screen, that is a desktop. When your screen saver activates (assuming you are using a secure screen saver), that has its own desktop. When you are prompted with a UAC dialog in Windows Vista, by default that has its own desktop. And you can create more. You can use the CreateDesktop API to create a new one, and then the SetThreadDesktop and SwitchDesktop APIs to switch to it. Here is a very simple example:

 

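#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) {
  // Remember the desktop this thread is bound to and the desktop currently receiving input.
  // The handle from GetThreadDesktop does not need to be closed.
  HDESK hdeskOriginalThread = GetThreadDesktop(GetCurrentThreadId());
  HDESK hdeskOriginalInput = OpenInputDesktop(0, FALSE, DESKTOP_SWITCHDESKTOP);
  HDESK hdeskNewDesktop = NULL;
  // Only create the new desktop if we hold a handle that lets us switch back afterwards.
  if (hdeskOriginalInput != NULL)
    hdeskNewDesktop = CreateDesktop(TEXT("PrivateDesktop"), NULL, NULL, 0, GENERIC_ALL, NULL);
  if (hdeskNewDesktop != NULL) {
    // Bind this thread to the new desktop, then make that desktop the visible input desktop.
    if (SetThreadDesktop(hdeskNewDesktop) && SwitchDesktop(hdeskNewDesktop)) {
      MessageBox(NULL, TEXT("MessageBox on private desktop"), TEXT("Private Desktop"), MB_OK);
      // Return input to the original desktop so the user is not left on an empty one.
      SwitchDesktop(hdeskOriginalInput);
    }
    SetThreadDesktop(hdeskOriginalThread);
    CloseDesktop(hdeskNewDesktop);
  }
  // Release the handle opened by OpenInputDesktop.
  if (hdeskOriginalInput != NULL)
    CloseDesktop(hdeskOriginalInput);
  return 0;
}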

 

This may immediately give you some ideas about kiosk applications. However, the Desktop Window Manager (DWM) only runs on the primary desktop, so you won't be able to use Glass on any additional desktops you create. (Incidentally, that's also why UAC prompts are not rendered using Glass.) So, if that's a consideration, then you may want to think of other approaches. But for some edge-case scenarios, it's nice to know that you have this option available.