I'm using an alternative shell (a simple program that restarts a kiosk application if it dies) for a project I'm working on. I've set it via the Shell value in the registry, and I'm not using explorer.exe at all.
However, whenever the windows default file chooser opens, I can just right click on a directory and click open, then explorer will start up, even though I'm not using it as a shell. Is there any way to stop explorer from ever starting up? If I change its name to something like explorer.exe.bak, is there likely to be any negative side-effects?
On Windows,
explorer.exeis a program just like any other. It can be started, stopped and restarted, just like any other program. The only difference is that it's also capable of being used as a shell.Switching the shell will not prevent
explorer.exefrom being run, in much the same way as it won't preventnotepad.exefrom being run. You can hack around, but bear in mind that you're interfering with behaviour that is by design.I said it before, but it's worth repeating: a brute force approach is normally an indication that built-in functionality is not being used optimally.
For restarting a kiosk app if it dies, I think you're taking the wrong approach. I'd be writing a service that polls the app every few seconds (making sure to Sleep () between polls...!) that would accomplish the same. Consideration of how the whole setup would work if one was to reboot the computer (i.e. the kiosk app is dying, but this is intended behaviour) would also need to be taken.
From there, don't be looking to block
explorer.exefrom running, but instead investigate the "Prevent access to these drives from My Computer" GPO setting. It may also be worthwhile searching on Technet or elsewhere for recommendations relating to running Windows in a kiosk mode.This might do it.
Well, I would be in trouble if I didn't mention a coworker's (and friend's) project that does what you are asking for very very well. It is called Tiotha and can be found here. It is free to use, and is designed to replace the explorer shell with a customizable, secure interface. We use it for all student fat and, since it works very well in a TS environment, thin clients, as well as our fat clients in the agency. It is compatible with all MS products up to and incluiding Vista and Server 2008. Check it out if you like.
Use Windows SteadyState (formerly known as Shared Computer Toolkit) or any other dedicated application to lock down Windows for kiosk use. Don't roll your own, you'll miss something important ^^
we had to deploy a bunch of Kiosks and found that right clicking was an issue. so I just disabled it
Just wrap an EXE that does NOTHING, and Replace Explorer.exe with that!
What about using cacls.exe to revoke read & execute rights on explorer.exe for the user you're running as? Or maybe you'd have to revoke rights for SYSTEM as well...
Explorer is used for several things. It's linked to file browsing and web browsing as well as the shell.
If you rename it, then you need to make sure all the actions that call to it are dealt with in another way.
For instance. If you're in IE or Firefox and you type c:\ in the address bar, what should you expect your system to do?
I would use the "explorer started up again" as an indication to find out what cased it and change that. If you rename explorer you have a good chance of breaking something or crashing the system.