Discussion:
how to enforce parental controls in safe mode
jmagaram
2009-12-16 00:22:01 UTC
I have built a parental control application that enforces time limits. It
works on Windows XP/Vista/7. It uses a Windows Service to track who is using
the computer when, and boots the kids off - a forced logoff - when their time
runs out. But when someone reboots into Safe Mode, my service isn't started,
so it is very easy for kids to bypass the time limits. Actually some of the
services my service depends on aren't started either so I can't even manually
start my service in Safe Mode. As a workaround, I attempted to put a separate
program in the user's Startup folder that would automatically log them off in
Safe Mode using the ExitWindows API but from tests I've run I don't think the
programs in the Startup folder get run in Safe Mode.

Is there a way to password protect safe mode without buying BitLocker? I
can't require all my users to upgrade to Ultimate.

How can I build a parental control application that works in Safe Mode?

Are programs in the Startup folder NOT started in Safe Mode?

If I use the Parental Control API in Windows 7/Vista, can I somehow get
around this problem?
jmagaram
2009-12-16 00:27:01 UTC
Another idea: It would be helpful if I could block non-administrators from
logging on in Safe Mode. That would fix my problem.
lelteto
2009-12-17 04:40:01 UTC
It's not pretty but theoretically you can do this: You would need to write a
GINA (XP, or equivalent login control for Vista / Win7) and a service. GINA
could check the service: if it doesn't start it could deny any non-admin
login.
As I said it's probably more trouble than you want to go into for your goal,
but it's one possible way to add the control you want.

Laszlo Elteto
SafeNet, Inc.
jmagaram
2009-12-18 17:32:01 UTC
Here's how I fixed it. I created a new lightweight service and configured it
to run in Safe Mode by adding it to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\(Network|Minimal)\(ServiceNameHere).
The service only runs in Safe Mode; it stops immediately if it detects that
it is being run in Normal mode by checking the .NET
SystemInformation.BootMode property. This service monitors who is using the
computer and logs off anyone who isn't on the "approved" list of users. The
approved list of users isn't defined based on membership in the Administrator
group because on Windows Vista/7 the user token doesn't contain the
Administrator group until elevation happens. So I provide some UI for the
user to pick the user accounts of people who can use the computer in Safe
Mode.

I'd prefer not to have to provide any UI for picking the list of approved
Safe Mode users. I'd rather just block Safe Mode access for
non-administrators. But I don't know how to determine who the administrators
are. The technique I had attempted to use was to call WTSQueryUserToken for
the WTSGetActiveConsoleSessionId. Then I use this .NET code:

    bool isAdministrator = new WindowsPrincipal({identityBasedOnToken}).IsInRole(WindowsBuiltInRole.Administrator);

But as I said before this test fails on Windows Vista/7. Is there another
way to determine if the user has the potential to be an administrator?

I wanted to simply mark my original service to work in Safe Mode but
couldn't do this because it has a dependency on the Terminal Service
(termservice), which does not work in Safe Mode. I considered adding
termservice to the list of Safe Mode services but this seemed risky because I
don't know if it can work in Safe Mode, even if all its explicitly defined
dependent services are also running. The reason I need termservice is because
I use it to log off or do a switch user of the current interactive user. The
following APIs seem to work on Windows Vista/7 even if termservice isn't
running but they do NOT appear to work on Windows XP. In other words:

WTSDisconnectSession
WTSLogoffSession

I can't figure out how to log off or disconnect the current interactive user
on Windows XP when termservice isn't running. So my lightweight service does
this instead on Windows XP: Process.Start("shutdown", "-r -f -t 0")
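
An added example, not part of any post in this thread: a C# sketch of the Safe Mode-only guard described above, plus one way to test whether a UAC-filtered token belongs to a potential administrator by checking the elevated token linked to it. The class and method names are hypothetical; it assumes the caller is the service, that userToken came from WTSQueryUserToken as in the post, and that the project references System.Windows.Forms.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Windows.Forms;   // SystemInformation.BootMode
using Microsoft.Win32;

static class SafeModeGuard   // hypothetical name, example code only
{
    const int TokenLinkedToken = 19;   // TOKEN_INFORMATION_CLASS value (Vista and later)

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out IntPtr info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // Install-time step (needs admin rights): let the service start in both Safe Mode variants.
    public static void RegisterForSafeMode(string serviceName)
    {
        foreach (string mode in new[] { "Minimal", "Network" })
            using (RegistryKey key = Registry.LocalMachine.CreateSubKey(
                @"SYSTEM\CurrentControlSet\Control\SafeBoot\" + mode + @"\" + serviceName))
                key.SetValue("", "Service");   // default value marks the entry as a service
    }

    // The guard service should stop itself when this returns false.
    public static bool IsSafeMode()
    {
        return SystemInformation.BootMode != BootMode.Normal;
    }

    // True if the token itself, or the elevated token UAC linked to it, is in Administrators.
    public static bool CouldBeAdministrator(IntPtr userToken)
    {
        using (var identity = new WindowsIdentity(userToken))
            if (new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator))
                return true;   // XP, UAC off, or already elevated

        IntPtr linked; int length;
        if (!GetTokenInformation(userToken, TokenLinkedToken, out linked, IntPtr.Size, out length))
            return false;      // no linked token: typically a standard user, or pre-Vista
        try
        {
            using (var elevated = new WindowsIdentity(linked))   // duplicates the handle
                return new WindowsPrincipal(elevated).IsInRole(WindowsBuiltInRole.Administrator);
        }
        finally { CloseHandle(linked); }
    }
}
```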
Bogdan White
2010-10-19 10:28:52 UTC
Jmagaram,

I have the same problem. My service checks who is logged, then it counts logged time (if the user is logged off or ulocked - the timer stops). If cumulative logged time exceeds the permitted time, the forced logoff/shutdown occurs, but before this my service removes the user's Logon screen so it is not possible to log on for the user both in Normal and Safe Mode. This is achieved by making changes in the registry. If DayOfWeek changes, the service restores the registry to enable the logon. It works well when the user is logged - the Logon screen disappears, but it is not back next day after start up of the machine. If some other user logs on then the Logon screen appears. The record provided by my service proves that changes in the registry are performed correctly every time.
I am an amateur in programming (C#). If you've got some suggestion to solve the problem with restoring the Logon screen on Startup you could use the method for your service as well.