This is an issue that’s come up for some customers who deploy a kiosk with a standard keyboard facing the public.  In these scenarios, a keyboard is used to enter in a search criteria or personal information.  Occasionally, someone may come along and correctly guess that it’s Windows under the hood.  This knowledge prompts attempts to access the underlying operating system, most often by using known key combinations that could allow break-in.

To better secure these types of kiosks, it’s best to start with security tools such as Microsoft’s SteadyState to help lock down the system and File Based Write Filter (FBWF) to prevent unwanted updates.  However there’s one important detail not covered by those features- the world’s most famous 3 button combo, namely Ctrl + Alt + Del.

While nothing technically bad can happen as long as the options that appear are disabled, this looks unprofessional in a kiosk environment and really doesn’t provide a kiosk with any more security.

Below are instructions on how to disable this feature.  Note that this will only work with XP and XP Embedded operating systems such as POSReady.  Vista and the upcoming Windows 7 do not support this feature.

The steps are as follows:
  1. Switch Ctrl + Alt + Del to launch the Task Manager
  2. Disable the Task Manager
  3. Block the Task Manager from Running
Switch Ctrl + Alt + Del to Launch the Task Manager

This step is certainly not the most intuitive or obvious. By switching the NT-style logon screen to the more stylish XP themed logon, the system also transfers Ctrl + Alt + Delete to start the Task Manager instead. There is one catch: it won’t work on domain systems. If your kiosk must be on a domain, you’re not going to have much luck and will have to find a different route (the GINA might be able to help).

If you’re not on a domain, enable the Welcome Screen.

  1. From Start Menu, Control Panel, User Accounts, click Change the way users log on or off.
  2. A message box may appear that says that “Fast User Switching cannot be used because Offline Files is currently enabled”. If so, then
    1. Click OK, uncheck “Enable Offline Files” and press OK.
    2. Click “Change the way users log on or off again”.
  3. Check “Use the Welcome Screen” and click Apply Options.
  4. Close the User Accounts screen and close the Control Panel.

This will change the login screen to the fancier XP style but, luckily, automatic logon will still be possible. At this point, press Ctrl + Alt +Delete. The Task Manager should appear.

For more information on GINA: http://msdn.microsoft.com/en-us/magazine/cc163803.aspx

Disable the Task Manager

This step will prevent the Task Manager from running and appearing as an option when right-clicking on the Task Bar.

  1. Click Start, Run, RegEdit.
  2. Since this next step is per-user, you will need to browse to the HKEY_CURRENT_USER to change this setting. If you are changing it for another user, you will have to change their version of this key in HKEY_USERS.
  3. Assuming you are changing this for the current user, browse to
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
  4. If a “System” key does not exist, create it.
  5. Within System, create a new REG_DWORD key called DisableTaskMgr, set it equal to 1.

Alternatively, we can achieve this using GPEdit.msc.

  1. Click Start, Run, GPEdit.msc.
  2. Under User configuration click Administrative Templates, System, Ctrl+Del+Options.

Double click on “Remove Task Manager” and Select enable option.

Block the Task Manager from Running

While the Ctrl + Alt + Del combo is effectively disabled, however a strange and unfortunate problem occurs:

Task manager popup message

While quite annoying, according the Spy++, it’s actually the Task Manager executable showing this message box. Knowing this, there are many ways to block this message, however only one Registry key is really all that’s required.

  1. In RegEdit, browse to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  2. Create a key called TaskMgr.exe. From this key, create a REG_SZ item called “Debugger”, set the value to “blank” (or some nonsense value).
The File Execution Options key is often used to debug applications that crash on start up. Less common, it is also used to work around application compatibility issues. Unfortunately this option is system wide. Administrators are going to have to find another way to look at the running processes. One way might be to run a copy of Task Manager by a different name, such as AdminTaskMgr.exe.

These settings should take effect immediately, so try it out.

Undo

If you ever want to revert back to the old way, undo each of the 3 steps above. Order isn’t important, but all are required.

-Brendan