Disable Ctrl+Alt+Del on Windows 7

Question

I know this question has been asked a few times and in a few different ways. However, across all the questions and answers, no one has been able to answer completely given my situation...

I work on medical devices and they run Windows. The application runs as the shell, users shouldn't be able to get behind the application, and ideally they wouldn't be able to do anything that indicates that the system is running Windows. Access to the full keyboard is necessary so disabling, damaging or remapping keys is not a solution. Given that, we need to disable SAS/CAD/Ctrl+Alt+Delete in specific; some others too, but those are easy with hooks.

Up until recently we've been using Windows XP Embedded and could replace GINA, but we're about to switch to Windows 7 (technically Windows Embedded Standard 7; but in our case they're essentially the same) and GINA is no longer an option. There must be a way to do this.

Since I've seen comments about this on other questions: I do believe this belongs on Stack Overflow. Replacing GINA is a programming question and there's no reason to assume this won't be too. While I'm open to a non-programming solution, I doubt MS would make this kind of change available in the registry, etc.

possible duplicate of [Disable Ctrl+Alt+Del Combination on windows7](http://stackoverflow.com/questions/9751579/disable-ctrlaltdel-combination-on-windows7) — Damian Leszczyński - Vash, Jul 11 '12 at 18:47
READ THE QUESTION. I know this is a duplicate, that's the first thing I said. — derGral, Jul 11 '12 at 18:51
read the duplicated post at the end you will find comment with "HKCU\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System\DisableTaskMgr = dword:1" this dissable task manager if you ctrl+alt+del passes to logon screen then is a policy for this too. — Damian Leszczyński - Vash, Jul 11 '12 at 18:52
ctrl+shift+esc, windows keys, etc, can be discarded with hooks. Not so with CAD. — derGral, Jul 11 '12 at 18:52
CAD aka SAS isn't just about task manager. It does much more. — derGral, Jul 11 '12 at 18:53
I belive this is a duplicate of this: (wich actually handles CAD not task manager) http://superuser.com/questions/142176/how-can-i-disable-the-ctrl-alt-del-key-combination-completely-on-xp-vista-7 and yet I did read your question. Its just matter of how to search well in Stackexchange. — Raykud, Jul 11 '12 at 19:00
@Raykud The solution on superuser disables the ctrl key, which as I stated above, isn't a solution for us. — derGral, Jul 11 '12 at 19:03
@Ryan: As you know it's a duplicate, you should modify the original or start a bounty to get a better answer. — Deanna, Jul 12 '12 at 09:13
@Deanna I'm not sure what the exact critia are for questions to be the same. However, most other questions did allow for odd workarounds (destroying keys, remapping ctrl, etc.) and this is a case where that's not appropriate. So, perhaps that's too subtle of a distinction, but it's also not really exactly the same... Anyway, I probably will start a bounty, I have to wait 48 hours though. — derGral, Jul 12 '12 at 17:20
If you're programs is to run "as a shell", why are you not just making it the shell? — Nilpo, Jul 25 '12 at 21:03
@Nilpo "as the shell" is the same as being the shell; the difference is syntactical and the effect is identical. Regardless, handling of ctrl+alt+del is at a lower level than the shell. — derGral, Jul 26 '12 at 00:41
One option would be to suppress Windows keyboard input handling (with, for example, a filter driver, or by replacing the usual class driver) and feed the raw keyboard input directly into your application. The problem is that this would mean having to manually handle things like key mappings, alternate keyboard layouts (if applicable) and keyboard shortcuts (e.g., TAB to switch between fields). There's a lot of work there, and it might simply not be worth it. — Harry Johnston, Jul 26 '12 at 04:54
I wonder whether winlogon.exe has already registered control-alt-delete as a hotkey at the point at which startup scripts are run? :-) — Harry Johnston, Jul 26 '12 at 04:57

score 18 · Accepted Answer · edited May 23 '17 at 11:46

Except for remapping/disabling keys, it is not possible to prevent Ctrl + Alt + Delete handling outside of kernel level code. I think this is fundamental security design feature of windows NT (and all derivatives). (Reasoning here.)

I would suggest writing a custom keyboard filter or device driver (or looking for an existing one perhaps). Not an easy task, but doable. Example resources:

Keyboard Filter Driver for Windows Embedded Standard 7 - by Elbacom
Interception (source) - A programming interface for intercepting input device communication.
Writing a keyboard device driver

That first link to the Elbacom blog, in particular, could be useful since you are also targeting windows 7 embedded.

The second link, to Interception, is newer and might also be quite useful. It provides the kernel level module and abstracts some of the handling.

As a possible alternative, consider that though you can't disable the Ctrl + Alt + Delete hook without a device driver/filter, you can prevent all of the tasks that are accessible via that hook per changes to registry or with group policy editor. A previous edit of this answer linked to a utility called "Tweak Ctrl-Alt-Del Options" that made it very easy to disable all activities accessible via Ctrl-Alt-Del. That utility is no longer available from the original source, but is still find-able and there are others like it.

Last link down, found no cached version on Google Cache. Do you have a new link? — nixda, Mar 10 '14 at 11:34
The utility is called "Tweak Ctrl+Alt+Del Options Tool". The exe is named "editctaldl.exe". A google search shows it's still available on some moderately safe download sites. Example: http://www.softpedia.com/progDownload/Tweak-Ctrl-Alt-Del-Options-Tool-Download-188173.html — kaliatech, Mar 10 '14 at 12:16

score 1 · Answer 2 · edited Sep 07 '13 at 11:19

1

You can disable CAD through group policy: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon set this value to 1.

or, through the advanced user accounts menu:

Open the Start Menu.
In the search line, type netplwiz and press Enter.
Click on the Advanced tab.
To Enable Secure Log On A) Check the Require users to press Ctrl+Alt+Delete box. NOTE: If the setting is grayed out, then see OPTION THREE or OPTION TWO below.

B) Go to step 6. 5. To Disable Secure Log On A) Uncheck the Requires users to press Ctrl+Alt+Delete box. NOTE: If the setting is grayed out, then see OPTION THREE or OPTION TWO below. 6. Click on OK.

edited Sep 07 '13 at 11:19

Thomas

4,119
2
33
49

answered Jul 11 '12 at 18:54

Reacher Gilt

1,813
12
26

Thanks, but I covered this in the question, insofar as this isn't for login. – derGral Jul 11 '12 at 18:57
1

If you are completely insane, you can try trapping CAD along with this gpol: see http://www.codeproject.com/Articles/3978/Trap-CtrlAltDel-Hide-Application-in-Task-List-on-W for details. I won't reproduce the method here because (1) it hooks into winlogin.exe, which has pretty huge ramifications, (2) the methods are totally undocumented, (3) I don't know if the hooks still work in Window 7 and (4) you'd be insane to do this. But good luck, nevertheless. – Reacher Gilt Jul 11 '12 at 20:04

score 0 · Answer 3 · answered Jul 26 '12 at 20:06

This article http://www.codeproject.com/Articles/7392/Lock-Windows-Desktop seems to have some good guidance there. The one I think will likely work : a) Replace the shell for system in the registry. That will mean that Explorer is not the one running as the default desktop. That might let you handle Ctrl+Alt+Del b) Force your application to run in a different desktop than the default. That will prevent the user from switching from it until the application is done.

All this assumes that you have complete control over that machine.

Disable Ctrl+Alt+Del on Windows 7

3 Answers3

Linked

Related