What Windows shortcuts should be blocked on a kiosk-mode PC

Assume a normal Windows 7 PC and a custom application running in kiosk mode. It's not possible to quit the application without a password. Now I want to block all Windows 7 key combinations which potentially could switch the focus to get access to the file system.

Do you know more key combinations than listed below?

Win+D          » Show Desktop
Win+M          » Minimize all
Win+L          » Lock desktop
Ctrl+Shift+ESC » Open Task Manager
Ctrl+Alt+Del   » Secure attention key
Alt+Tab        » Switch window
Shift+Alt+Tab  » Switch window
Alt+Esc        » Switch window
Shift+Alt+Esc  » Switch window
Win+Tab        » Switch window (3D view)
Win+R          » Open run prompt
Win            » Open Start menu
Win+F          » Open Explorer (focus on search)
Win+E          » Open Explorer
Alt+F4         » Close active window
Win+Down       » Minimize active window
Win+{1..9}     » Switch to window (number on taskbar)
Win+Space      » Peek at desktop
Win+U          » Utility manager

I am aware of the following problem. But this will be another question.

Ctrl-Alt-Del and Win+L cannot be intercepted by Autohotkey, or any other program which installs a keyboard hook. This is by design on Microsoft's part to prevent credential stealing via login screen spoofing.

Question: What key combinations do I have to block (via AutoHotKey) to prevent a user from quitting a kiosk application?


Solution 1:

I wouldn't use AutoHotKey for such a task, but rather rely on the built-in Scan Code Mapper feature which has been available since Windows 2000. This way you can fully disable the Win keys, as well as prevent the Secure Attention Sequence (SAS) (that is, Ctrl+Alt+Del) by disabling e.g. the Alt keys. The registry value is called Scancode Map and is located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout

It's not exactly human-friendly, but SharpKeys can be used to handle it with ease. Other features such as the Flip 3D can be selectively disabled by using related registry keys/policies.

Anyway, other shortcuts you should take into account:

F1 - Display Help.
Shift+F10 - Display the shortcut menu for the selected item.
Ctrl+Esc - Open the Start menu.
Esc - Cancel the current task.
Win+F1 - Open Windows Help and Support.
Win+Pause - Display the System Properties dialog box.
Win+Shift+M - Restore minimized windows to the desktop.
Ctrl+Win+F - Search for computers (if you're on a network).
Win+T - Cycle through programs on the taskbar.
Win+Shift+T - Cycle through programs on the taskbar backwards.
Shift+Win+1 to 9 - Start a new instance of the program pinned to the taskbar in the position indicated by the number.
Ctrl+Win+1 to 9 - Switch to the last active window of the program pinned to the taskbar in the position indicated by the number.
Alt+Win+1 to 9 - Open the Jump List for the program pinned to the taskbar in the position indicated by the number.
Ctrl+Win+Tab - Cycle through programs on the taskbar by using Aero Flip 3D.
Win+B - Switch to the program that displayed a message in the notification area.
Win+Up - Maximize the window.
Win+Left - Maximize the window to the left side of the screen.
Win+Right - Maximize the window to the right side of the screen.
Win+Home - Minimize all but the active window.
Win+Shift+Up - Stretch the window to the top and bottom of the screen.
Win+P - Choose a presentation display mode.
Win+G - Cycle through gadgets.
Win+X - Open Windows Mobility Center.

Source: Keyboard shortcuts, Disable Global Hot Keys

See the link below for further shortcuts I might have missed.

Further reading

  • Keyboard shortcuts
  • Keyboard and mouse class drivers
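
An added example (not part of the answer, and not SharpKeys' code) of the binary layout behind the Scancode Map value: it builds the REG_BINARY data that disables the keys named above and decodes an existing value for auditing. The scan codes are the standard PC set-1 values, which the page does not list, and the function names are hypothetical.

```python
import struct

# Standard set-1 scan codes (assumed, not from the page); keys with an
# E0 prefix are stored as 0xE0xx.
SCANCODES = {"LWin": 0xE05B, "RWin": 0xE05C, "LAlt": 0x0038, "RAlt": 0xE038}
DISABLED = 0x0000  # a key mapped to 0x0000 produces nothing


def build_scancode_map(mappings):
    """Encode {source_scancode: target_scancode} as Scancode Map data."""
    entries = sorted(mappings.items())
    # Header: version (0), flags (0), entry count including the terminator.
    blob = struct.pack("<III", 0, 0, len(entries) + 1)
    for source, target in entries:
        blob += struct.pack("<HH", target, source)  # target word comes first
    return blob + struct.pack("<I", 0)  # null terminator entry


def parse_scancode_map(blob):
    """Decode Scancode Map data to {source: target}, rejecting bad shapes."""
    if len(blob) < 16:
        raise ValueError("too short for header plus terminator")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError("unexpected header")
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("entry count does not match data length")
    if blob[-4:] != b"\x00\x00\x00\x00":
        raise ValueError("missing null terminator")
    result = {}
    for i in range(count - 1):
        target, source = struct.unpack_from("<HH", blob, 12 + 4 * i)
        result[source] = target
    return result


def to_reg_hex(blob):
    """Format the data the way a .reg file writes a binary value."""
    return "hex:" + ",".join(f"{b:02x}" for b in blob)


def disable_keys(names):
    """Build the data that disables the named keys from SCANCODES."""
    return build_scancode_map({SCANCODES[n]: DISABLED for n in names})
```

The value lives under HKEY_LOCAL_MACHINE, so it applies to every account on the machine, and it is read at boot; running `parse_scancode_map` over an exported value shows which keys a kiosk image actually remaps.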

Solution 2:

Lock Down Your Kiosk by Changing the Default Shell

As an alternative to changing the many keyboard combinations required to lock down your kiosk, you can replace the default shell Explorer.exe with your custom program. When the kiosk user account is logged in, Windows starts your custom executable instead of Windows Explorer. Because Explorer isn't even running, it's not possible for your user to switch to it or take advantage of any of the capabilities it provides, including responding to the Win+X keyboard shortcuts.

The only way the user can escape your application is to quit it (which you've prevented by requiring a password). Once they enter the correct password and your application quits, Windows logs off the user account, further ensuring no unwanted access to the machine.

To replace the default shell:

  1. Run regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Edit the Shell value to point to the full path name of your executable.

Then, assuming you have a Professional edition of Windows, use Group Policy to lock down the few remaining exit paths (and the unwanted Lock action) via the keyboard.

Enable all of the following policies:

User Configuration/Policies/Administrative Templates/System/Ctrl+Alt+Del Options
  • Remove Task Manager
  • Remove Lock Computer
  • Remove Logoff

Caution:

Changing the default shell affects all users of the computer. For that reason, you need a way to change it back to the default value of Explorer.exe. One way to do this is to enable the Remote Registry Service and then make the change remotely.
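
An added example (not part of the answer) that audits the text of a .reg export against the settings described above: the Winlogon Shell value and the three Ctrl+Alt+Del Options policies. The policy value names are the registry values commonly behind those policies and are not given in the answer; the kiosk path and the sample export are constructed.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed registry values behind the three policies (not listed on the page).
REQUIRED_DWORDS = {
    (POLICIES + r"\System", "DisableTaskMgr"): "Remove Task Manager",
    (POLICIES + r"\System", "DisableLockWorkstation"): "Remove Lock Computer",
    (POLICIES + r"\Explorer", "NoLogoff"): "Remove Logoff",
}

def parse_reg(text):
    """Parse .reg export text into {(key, value_name): value}, lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                values[(key, name)] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                values[(key, name)] = raw[1:-1].replace("\\\\", "\\")
    return values

def audit_kiosk(text, kiosk_exe):
    """Return findings; an empty list means every checked setting is in place."""
    values, findings = parse_reg(text), []
    shell = values.get((WINLOGON.lower(), "shell"))
    if shell is None or shell.lower() != kiosk_exe.lower():
        findings.append(f"Shell is {shell!r}, expected {kiosk_exe!r}")
    for (key, name), policy in REQUIRED_DWORDS.items():
        if values.get((key.lower(), name.lower())) != 1:
            findings.append(f"policy not enabled: {policy}")
    return findings

# Constructed sample export: shell replaced, only one policy enabled.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Kiosk\\kiosk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
```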