OK, here's my problem. (Sorry about the length of the question, but I want to give sufficient information so I don't get "noobie" answers!)

I'm writing some system management software to administer Win7 systems which my company has out on rental. The machines are all locked down with a "kiosk" style application launcher screen, which runs under reduced privileges in a Standard account.

For obvious reasons, we don't want the clients to ever get near an account with Administrator privileges!

In the past, when machines have needed software updates or minor maintenance, it has been a case of rotating them through the workshop, but, as we're now approaching 50 machines out on rental, that has become a major headache, hence the need for a system management application which can be accessed on-site by our staff.

The system management software (which I'm coding in VB.Net, by the way, but is probably not pertinent to the question, except that if I need to implement code to do this VB.Net code would be preferable, as I don't have a clue in C# or C++!), by its very nature, needs to run in an environment with full Admin rights. I tried setting Admin permissions for it in a Standard Account, but unfortunately that hasn't worked, due to the software's requirement to get and set system settings and policies in protected areas of the registry. I don't want to leave a visible Admin account on the Windows Logon screen, and the old trick of using Alt/Ctrl/Del to get at hidden accounts is a) a bit too well-known and b) doesn't always work reliably in Win7.

My idea is to put some form of security key onto pendrives which I can issue to authorised staff. If the machine is booted with one of these drives plugged into a USB port, then the machine will automatically log in to a "hidden" administrator account, where the admin software will then present its own login screen, with each member of staff's login and password determining their level of access to the management software. (Some staff only need access to the backup and update features, whilst more senior ones need full system access. I've even built in a special access level for the company owner, who is completely computer-illiterate, but likes to feel he can "fix stuff"!)


1) Is it possible to hide a windows admin account so it can only be accessed with a USB key?

2) How? ;-)

Posted 11-Sep-12 8:08am
Sergey Alexandrovich Kryukov 11-Sep-12 14:17pm
Just a note: no need to apologize for the long question. Our problem is the opposite: the absolute majority of inquirers provide far insufficient information (and many put way longer questions, still supplying almost nothing relevant), so your size of the question is not a problem at all...

Solution 1

1+2A) Every account that is not granted the interactive logon right will be hidden from the logon screen.
1+2B) There is also a registry setting you can use.

0) You can use any user account to start an administrative process. You only need to change the thread impersonation, and probably also elevate the process.
This is a C# sample about impersonation, but it will not be hard to transcribe it to VB.NET: User Impersonation in .NET.
Here you can find a sample of how to self-elevate a process. You will also find several samples on Google of how to start an elevated process from managed code.

0+) I would create a service (like WUA) that runs on those PCs. When a pendrive is inserted, it would search for a special, signed archive. If the signature matches the installed certificate, it would unpack it into a special folder, check every executable's hash against a separately signed metafile, and start them as needed. As a service it can run as SYSTEM, and would have all the necessary privileges to make updates in the background, without the need for any interaction from the technician.

+You can also interact with WUA/WUS if needed.

++You can even install the SCCM client and use Microsoft's standard system management tools on the client side without an SCCM server. It is a little bit complicated, but not impossible.

One addition: you can even change the built-in administrator account's name. This way the account itself will exist, with the default SID, but with a random name if you wish. Thus a hacker trying to guess the Administrator password will have to guess its name also.
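The check described in 0+) above, as an added PowerShell example (my code, not the answer's, and not the OP's eventual solution). It assumes a layout that is not in the thread: the payload lives in a folder on the stick (say `E:\kiosk-update`, not the drive root), and `manifest.ps1` in that folder is Authenticode-signed with the technician certificate whose thumbprint is pinned in `$ExpectedThumbprint`. The manifest is never executed, only parsed; each entry is a sha256sum-style comment line `# <64 hex chars>  <relative path>` (at least two spaces between, backslash-separated paths). Hashing goes through .NET so the same code runs on Windows 7 / PowerShell 2.0, which has no `Get-FileHash`.

```powershell
# Added example: verify a pendrive payload before a LocalSystem service runs anything from it.
# Assumptions (mine, not the page's): $Root\manifest.ps1 is Authenticode-signed and lists
# every payload file as "# <sha256 hex>  <relative path>"; the manifest is only parsed.
function Test-PendrivePayload {
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [Parameter(Mandatory=$true)][string]$ExpectedThumbprint
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $manifest = Join-Path $rootFull 'manifest.ps1'
    if (-not (Test-Path -LiteralPath $manifest -PathType Leaf)) {
        Write-Warning "no manifest at $manifest"; return $false
    }

    # 1. The manifest must carry a valid Authenticode signature. 'Valid' only means the
    #    chain builds to some trusted root, so additionally pin the signer's thumbprint.
    $sig = Get-AuthenticodeSignature -FilePath $manifest
    if ($sig.Status -ne 'Valid') {
        Write-Warning "manifest signature status: $($sig.Status)"; return $false
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        Write-Warning "manifest signed by $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint"
        return $false
    }

    # 2. Parse the signed entries. The appended signature block is '# MII...' lines,
    #    which never match 64 hex chars followed by two spaces, so it is ignored here.
    $expected = @{}
    foreach ($line in Get-Content -LiteralPath $manifest) {
        if ($line -match '^#\s*([0-9A-Fa-f]{64})\s{2,}(\S.*?)\s*$') {
            $expected[$matches[2]] = $matches[1].ToLowerInvariant()
        }
    }
    if ($expected.Count -eq 0) { Write-Warning 'manifest lists no files'; return $false }

    # 3. Every listed file must exist inside $Root (no ..\ escapes) and hash to the signed value.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($rel in $expected.Keys) {
            $full = [System.IO.Path]::GetFullPath((Join-Path $rootFull $rel))
            if (-not $full.StartsWith($rootFull + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                Write-Warning "manifest entry escapes root: $rel"; return $false
            }
            if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
                Write-Warning "listed file missing: $rel"; return $false
            }
            $fs = [System.IO.File]::OpenRead($full)
            try   { $hex = [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '').ToLowerInvariant() }
            finally { $fs.Close() }
            if ($hex -ne $expected[$rel]) { Write-Warning "hash mismatch: $rel"; return $false }
        }
    } finally { $sha.Clear() }

    # 4. Refuse payloads that carry unlisted files: anyone who can add a file to the stick
    #    must not get it run alongside the signed ones.
    $unlisted = Get-ChildItem -LiteralPath $rootFull -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($rootFull.Length + 1) } |
        Where-Object { $_ -ne 'manifest.ps1' -and -not $expected.ContainsKey($_) }
    if ($unlisted) { Write-Warning "unlisted files on drive: $($unlisted -join ', ')"; return $false }
    return $true
}

# Usage inside the service: run the payload only when every check passed.
# if (Test-PendrivePayload -Root 'E:\kiosk-update' -ExpectedThumbprint 'AB12...') {
#     & 'E:\kiosk-update\bin\update.exe'
# }
```

Every failure path returns `$false` and says why, and the function never runs anything itself; that decision stays with the caller. The signing step on the technician side is the usual `Set-AuthenticodeSignature manifest.ps1 -Certificate $cert` with a code-signing certificate whose root is installed on the kiosks.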
Sergey Alexandrovich Kryukov 11-Sep-12 14:58pm
Very good answer, my 5.

There is one more thing OP can consider, but I'm unaware of the detail. My own Windows 7 system at work uses different authentication method features, and one of them is the authentication with a smart card which a user carries. I understand that theoretically it could be some other device like a USB key, but I don't know what's the API to implement such thing. Do you know about it?

Thank you.
Zoltán Zörgő 11-Sep-12 15:04pm
Thank you!
As far as I know, only crypto devices can be used, thus it is unlikely that a legacy USB key would be enough. But a combination of them might exist.
Sergey Alexandrovich Kryukov 11-Sep-12 17:06pm
All right, so we don't have a solution of this sort for OP (but they might choose to use an existing one, with a smart card or not). In principle, one can write a specialized device driver for any device, but I don't know how to hook it into the logon procedure of the OS...
ledtech3 12-Sep-12 1:44am
I have a sample program written (VB.Net) for viewing whether there is a hidden account on a system; it also has the ability to create the registry section and add users to the hidden list, then hide or unhide the user. That is just a matter of changing a setting to unhide the account.
If that would be of any help.
As far as using a USB key, normally those are locked down to keep just anyone from walking up and plugging it in.
You could possibly subscribe to the USB insertion event, then once the drive is ready check the drive for a certificate as mentioned above. If it matches then enable the account that matches. You would still need to disable it on completion, or on the removal event disable the account. One other problem I can think of is security for the USB key. You may also tie it to the serial number of the USB key so the cert can't just be copied to another key and used.
djdynamix 12-Sep-12 8:21am
Thank you for all your input, everyone. Have to say, TCP has some of the most helpful members on the net! :-)

Anyway, Zoltan and Sergey, I looked up the Smart Card login idea on MSDN. It's a HUGE topic, and probably a bit above my head, but worth following up, especially given that I have a part-time collaborator on the project who is a software security specialist who will probably know what things like "ECDSA logon requires an associated ECDH key" means!!! (Unfortunately, whilst he is a total wizard with security protocols, he tends to be more at home in proprietary OS's than in Windows, so Win7 logon issues will be down to yours truly.)

In theory there would be nothing to stop us using cards instead of pen-drives, so long as the cost of the necessary hardware isn't prohibitive. (Remember that anything we install to the machines, we'll need 50 off, so the card readers will need to be cheap as chips!)

Another option sprang to mind having read ledtech's comment. That would be a service that ran on boot-up, prior to the Windows Logon screen, which switches the regular account from Standard to Administrator when it detects that an authorised pen-drive is present. That way, everyone (clients and staff) would log in to the same account, but staff would be logging in with Admin privileges. I wonder if your sample program could be adapted to achieve that, ledtech?

Just an addendum here. I want the whole login process for both clients and authorised staff to be as simple and automatic as possible. Ideally, the fact that the pendrive is installed would just take the user straight to a login/password form, and then to the Admin desktop. The only person who'll be accessing those machines with any amount of "computer savvy" is me. The other staff are really no more than data-entry guys. The perfect solution would be one where a "licensed updater" (which is what I've called them in the software logon form) will put a pen drive (or a card), which I've previously prepared, into the machine before booting it, switch it on, enter their login and password and simply be asked "Do you want to update or restore - Y/N"! (There is a bit more to it than that, because there are also buttons to cope with different screen resolutions and stuff, but the bottom line is that I need it idiot-proof.)

Solution 3

I'd like to thank everyone who gave their time and thought to this, especially ledtech3, who probably now has less hair than when we started, thanks to trying to sort out the API calls on MSDN!

I have now worked out a solution. It wasn't the one I'd originally intended, but in many ways it does the job better than my original solution.

I used the sample code from to build a service which raises the user account to the Administrators group on boot-up if it detects a correctly formatted pen-drive on the USB bus, and "re-locks" the machine on next boot-up if the pendrive has been removed.

I then placed all the admin and management buttons directly onto the "secure kiosk" desktop, and injected code which hides and disables them if it detects that the user is not in the Administrators Group. I'm also working on a neat little trick to switch the "Parental Controls" on and off in the same way, and I'm going to publish some of the code for that in another thread.

I don't want to use the "I've solved this myself" button, because I didn't! Without the input from all of you, and from the MSDN website, I'd have had no chance. Maybe the Code Project people should think about putting a new button on here, something like "Problem solved with help from Code Project users"... ?

If anyone wants any further details on how I did it, or any code-snippets of the solution, please feel free to ask, and I'll happily e-mail them to you. Unfortunately, I can't post the entire code here, as it is part of a bigger commercial project with security implications.

Thanks once again!

ledtech3 19-Sep-12 22:58pm
I'm glad you were able to work it out. I got sidetracked once I found the API calls for getting the serial number from a USB device that way. There were so many ways listed on the internet I wasn't sure what the real serial number was supposed to look like. Here is the link if you are interested.
I would love to see the code. I have been searching thru C++, C#, and code to see what others have done.
djdynamix 21-Sep-12 8:32am
I finally found out the problem with the USB pendrive serial numbers. There's no industry standard! The particular one that I was using for testing didn't even have one. I've ditched that idea, in favour of having a hashed security file on the machine and pendrive, and a user "key" which must all match. Which bit of the code are you most interested in?
ledtech3 21-Sep-12 9:47am
I was looking for the serial, even if it returns "Null" or "Nothing".
So many say it is part of the PNP Device ID or something like that. But I still haven't gotten Corsair to reply back yet on what the serial number IS supposed to look like.
And how you got it to launch another app.
I got sidetracked and didn't get to test out any of the code I found.
ledtech3 22-Sep-12 17:35pm
I found a real interesting C# download that will enumerate the USB hubs, then the connected devices, to a treeview control.
The C# worked great on my system, but the version didn't work after the upgrade.
Another thing I just realized is the PC Wizard shows a "Serial Number" for usb devices but it is not a "Serial Number" it is a "Volume Serial Number" which can be found using the Win32_LogicalDisk class.
I sent them a Email to let them know.
Just wanted to pass that along.
djdynamix 26-Sep-12 23:10pm
Thanks for the info. Out of interest, the best bit of software I've found for turning C# into VB.NET is a Freeware called "Sharp Develop". I've run entire projects through it and not had to correct a single line of code! (It can also cope with F#, J# and Java.)
ledtech3 5-Nov-12 20:54pm
Thanks, just found this and looked it up. I may have to try it out for converting some C# projects. I have one I need to get done that has been on and off the burner for a couple of years.
Hope your project completed well.
BTW Corsair never did return my email about the serial number format.
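The serial-number confusion in the exchange above (no industry standard, some sticks have none, and tools that report the FORMAT-assigned volume serial as if it were a device serial) is easy to see for yourself. The following is an added PowerShell example (mine, not code from the thread) that prints, for each USB disk, the values the comments conflate. `Win32_DiskDrive.PNPDeviceID` and `.SerialNumber` come from the USBSTOR instance ID; when the vendor never programmed a serial, Windows generates a bus-position-based instance ID containing `&` (for example `7&1a2b3c4d&0`), which changes when the stick moves to another port. `Win32_LogicalDisk.VolumeSerialNumber` is written by FORMAT and travels with any bit-for-bit copy of the volume, so it is no proof of which physical stick you hold.

```powershell
# Added example: show the three "serial numbers" people mix up for each USB disk.
# Uses only the stock WMI classes and their association classes; works on Windows 7.
function Get-UsbDiskIdentity {
    $result = @()
    foreach ($disk in Get-WmiObject Win32_DiskDrive -Filter "InterfaceType='USB'") {
        # WQL needs the backslashes in \\.\PHYSICALDRIVEn doubled.
        $devId = $disk.DeviceID.Replace('\', '\\')
        $partitions = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$devId'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
        foreach ($part in $partitions) {
            $volumes = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
            foreach ($vol in $volumes) {
                $result += New-Object PSObject -Property @{
                    Drive        = $vol.DeviceID              # e.g. E:
                    Model        = $disk.Model
                    PnpDeviceId  = $disk.PNPDeviceID          # USBSTOR\DISK&VEN_..&PROD_..&REV_..\<instance id>&0
                    DeviceSerial = $disk.SerialNumber         # vendor serial, or empty / generated on cheap sticks
                    VolumeSerial = $vol.VolumeSerialNumber    # assigned by FORMAT; copied with the volume image
                }
            }
        }
    }
    $result
}

Get-UsbDiskIdentity | Format-List Drive, Model, PnpDeviceId, DeviceSerial, VolumeSerial
```

If `DeviceSerial` is empty or `PnpDeviceId` contains a `&` in its instance-ID part, that stick has no usable hardware identity, which is the situation djdynamix hit. Tying authorisation to a secret on the drive that the machine can verify (as the OP ended up doing) rather than to any of these identifiers is the right call.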

Solution 2

Is the screen that is normally shown just a locked-down desktop, or is it a screen like you would see on a point-of-sale system?
When I think kiosk I'm thinking of those free-standing devices in a mall somewhere where there is a special screen that shows and interacts with people.

You could set up a logon script, but I have never had a need to work with those.
Also you may have to reboot the system every time for it to work.

The way my program works is it just writes the values to the registry as the article mentioned above shows. This one.
Once the computers are prepared for the new account and you want to "unhide" them, then just change the registry setting for that account. It has been a while since I worked with it; I'm thinking the system has to be rebooted for the setting to take effect.
If you would like the source code for my App you can Email me at
It is still a work in progress but does do what you need done.
ledtech3 12-Sep-12 10:38am
OOps, This was supposed to be in the comments above.
djdynamix 12-Sep-12 12:22pm
No problem, ledtech. We all make mistakes, as the hedgehog said to the toilet brush!

Anyway, for the sake of interest, the user desktop looks like this:

As you can see, there's not much to it, but it still caused me problems when we started implementing Win7 SP1, because it was running as an explorer-replacement shell, in a reduced-privilege environment, trying to write its settings to %ProgramFiles%, and I didn't have the source code to move the settings files and logs to %AppDataLocal%!... File-Write-Permissions-Hell again! As it happens, my next job after this system management software (or maybe even as part of it...) is to rewrite that App Launcher and bring both the code and the "look" up to date. It's actually a bit more complex than it looks, as it is driving an extended desktop with rolling backgrounds on Display 2. The rental systems are intended as complete bar/venue entertainment systems with Karaoke, Video, Background music, Bingo, Pub quiz and rolling advertising, all in one box with a simple point/click interface. All the bars have different TV systems, so the installers need access to the Screen Resolution settings, some of the clients moan if they don't have the latest top 40, so the updaters need access to the mp3 files (and access to an open USB port to update them), and we're doing the whole thing on an island (Tenerife) where the power stability can be worse than 3rd world, so all of us need a one-button system-restore (ours, not Microsoft's) for when the voltage spikes in the middle of a disk-write!

The problem with code which changes system settings in the registry is the same one I've had all along, and that is that, as far as I know and have experienced, it will fail with "Access Denied" under a standard Windows Account, even when "Run As Admin". I need something which will run like a service with elevated permissions prior to logon and either enable and open an Administrator account, or apply Administrator permissions to the existing account.

I don't suppose you know where Windows 7 keeps its Account User Type switches? If I could find those in the registry, I could just raise and lower the main account's user type with a service on boot-up.
djdynamix 12-Sep-12 12:25pm
PS: In case you were wondering, the "Win Explorer" button is removed from the desktop before deployment, and the "Admin" button is passworded and hidden.
ledtech3 12-Sep-12 13:30pm
As far as running prior to logon, that is normally a logon script, which can do almost anything.
Look at this TechEd 2012 Video also.
Total Desktop Lockdown: Your Action Plan
He shows some interesting things that might give you more ideas.

Here is some UAC info.
Let me know if there is something I missed.
The user account type is set when the account is created and I don't believe that it can be changed.
Still looking into that part, but you would still need admin or system rights to change the setting.
ledtech3 16-Sep-12 11:36am
I discovered that the link I gave for the desktop doesn't have links on the page to go to the video.
Here is a Direct link to the Video.
djdynamix 12-Sep-12 17:15pm
Aha... I think I've got it! A command-line function, "net localgroup", which can be run from any elevated account. If I can get a service to start on boot and before logon, it can poll the USB ports for a pendrive with the correct encrypted key. It can then use "process.start" to call "net localgroup "username" administrators /add" and turn the regular client account into an Administrator account prior to logon. When the USB key is removed, the service will then call "net localgroup "username" administrators /delete" to restore the account to Standard User. It will have to do a bit of other "housekeeping" as well, like toggling the "Removable Storage\DenyAllAccess" DWord in the HKCU\Policies hive and creating a few necessary log files and registry keys, but that is stuff I've already coded.

If I get it to work, I'll stick a bit of sample code below in case anyone else ever needs to do anything similar. Otherwise, expect more questions from a guy with less hair! ;-)
ledtech3 12-Sep-12 17:29pm
After looking at changing the User Account type. You can run into problems, if that ends up being the last Admin Account on the system. I think it would be Less trouble to just Enable and disable the account rather than having the overhead of changing the account type. If I am not Mistaken the Delete command would delete the entire account.
your service could enable the Admin account, then show it on the login screen. Do what needs to be done Log out of the account and then on removing the drive disable and hide the account.
Hows that ?
djdynamix 13-Sep-12 12:45pm
I take your point, ledtech, but there is always the fall-back of the inbuilt system Administrator account, which can be accessed through safe-mode. What I'm trying to accomplish here is a single, straightforward boot process which happens (automatically) in different ways depending on whether an authorised pendrive is detected. I should also mention that all the systems are identical, with no important user data on them, and, in the event of a catastrophic failure, the fix is merely replacement of the hard drive with a stock clone and reactivation. Hence, if we lose access to the Admin accounts, it just means a 20 min trip to the workshop at some convenient time before the next planned update.
djdynamix 13-Sep-12 12:48pm
Oh, btw, an Administrator account is always declared in both the Administrators group and the Users group. By deleting the reference in the Administrators group, it automatically falls back to a standard-permissions account. Only by deleting it from the Users group do you lose the account altogether.
ledtech3 13-Sep-12 12:51pm
OK, it has been a while since I've worked with those commands.
Zoltán Zörgő 15-Sep-12 4:59am
See my update.
ledtech3 13-Sep-12 12:50pm
Rather than worrying about the user account, for that matter, if the service is running as "System" then it can do whatever it wants. So let the service run the update as was suggested above and not even have to worry about swapping the user type. I have never successfully built a service, so I have been researching it to see if I can build something to demonstrate what I am thinking of.
ledtech3 13-Sep-12 23:18pm
I found a project here that may be close to what you may want.
I have converted the code to vb and am looking at how it may be used.
ledtech3 14-Sep-12 10:35am
I discovered last night why I can't get a service to work: it is not supported in VS 2008 Standard edition, which I got as an MS partner in my Action Pack subscription. As it says in the top here.
I will have to set up a trial of the pro or other version in a vm.
djdynamix 15-Sep-12 15:38pm
As I understand it, VB2008, even the pro version, has a few "known issues" when it comes to service programming. Much of the sample code for VB2005 doesn't work, stuff for VB2010 and above uses a completely different .NET package (3.5 & 4.0 are significantly different animals to 2.0!), and things like the service timers have now been replaced with threaded versions which are tricky to get working in anything below VB2010. I finally bit the bullet and downloaded a copy of Visual Studio 2012 Ultimate, which is free for 90 days from the MSDN website.

I've now managed to get the service to recognise when a pen-drive is inserted, and it does it even before logon, so that part is now sorted. I finally did it with the "SERVICE_TRIGGER_INFO" class, which can trigger one service from a polled event in another. Hence, I've effectively nested a service within a service, had the outer service poll for the system event (USB storage device connected) and then trigger the nested service. I don't totally understand what I'm doing with it, as I've copied and pasted much of the code from an MSDN example project, but for now, that bit works!

The problems I now have are firstly to get the service to read the pendrive and secondly to move the user account from "Users" to "Administrators". I thought the latter would be easy, as I could call "net.exe" with the "localgroups" function, but it doesn't work, due to the fact that the service is running in a special "System" account, which can't natively run console apps. I tried using "Active Directory" to do it, but I keep getting "Access Denied" errors. Frankly, at the moment, I'm stuck!

Later tonight, I think I'll post a more specific question about how to change local user permissions with a service.
ledtech3 15-Sep-12 15:46pm
Do you have the link to that Info that you were able to get the service to work.
I've installed the VS 2012 Pro version on a 64-bit Win7 Ultimate VM, changed the target .NET version to 3.5 and was able to build, install and control the service. I haven't added any real things to do with it yet.
It looks like most things that you can do from a service would need to be a result of some kind of Event.
ledtech3 15-Sep-12 16:02pm
Just found this, not sure why I haven't read it before now.
It is about the Privilages for LocalSystem.
djdynamix 15-Sep-12 19:58pm
You can get the sample code and info from

To be honest, I've used it pretty much "as is", except for removing the network IP connection stuff and the Microsoft licensing junk.

The link you gave to the service privilege stuff is very interesting. I think it might give me a part of my answer because I didn't realise that my service could be running under "Local Service" instead of "Local System". If it is, then that would explain all the "Access Denied" errors I keep getting.
ledtech3 15-Sep-12 20:02pm
I was hoping that might help.
I just found that link about 20 minutes ago in a search and have been studying the code.
Thanks. I have been wanting to do this for some time. I also found the API references for getting the serial number of the USB device and was looking into how I might slide that in somewhere too.
ledtech3 16-Sep-12 0:50am
@djdynamix That version did not have the usb code in it. This one does.
In the meantime I had to dump the VM after it went crazy, plus the USB would not work like it was supposed to. So I moved over to the Win 7 partition and updated it, tweaked the task bar to look like Vista (mostly), upgraded Messenger and tweaked it so it would get out of the task bar and back to the notification area.
So I got the new version to install and it actually worked. Now to get it to do something besides write logs. But the event log shows a strange error I have never seen before: "The driver detected a controller error on \Device\Harddisk4\DR8". That is the USB device.
ledtech3 16-Sep-12 1:35am
That event, Event ID 11, is being logged in the System log because of removing the USB drive without "Ejecting" it first. If you eject it and then remove the USB drive, the entry is not set. My starts are logged in the Application log.
ledtech3 16-Sep-12 14:01pm
Here is another link that you may find useful.
Interactive Services:

I am piecing together a list of helpful links for building services.
ledtech3 18-Sep-12 11:04am
I don't know about you, but I'm starting to go cross-eyed trying to sort out all of the different API calls to do different things.
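The group-membership toggle that djdynamix and ledtech3 argue about in the comments above, as an added PowerShell example (mine, not code from the thread). Two facts settle that argument: `net localgroup Administrators <user> /delete` removes the membership only, while `net user <user> /delete` is what deletes an account; and the service's own token is what matters, so running the change from a LocalSystem service works as long as the service really is LocalSystem and not LocalService. The code below does the same thing as those `net localgroup` calls through the ADSI WinNT provider, which avoids spawning `net.exe` from the service and parsing its localized output, and it adds the one guard ledtech3 asked for: never remove the last member of Administrators. It assumes `$User` is an existing local account and that the script runs elevated or as LocalSystem.

```powershell
# Added example: grant or revoke local Administrators membership for the kiosk account,
# equivalent to "net localgroup Administrators <user> /add" and "/delete".
# Assumption (mine): $User exists locally; caller runs as LocalSystem or elevated admin.

function Get-LocalGroupMemberNames {
    param([string]$Group = 'Administrators')
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    # Invoke('Members') returns raw COM objects; read each Name through reflection.
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Set-LocalAdminMembership {
    param(
        [Parameter(Mandatory=$true)][string]$User,
        [Parameter(Mandatory=$true)][bool]$Admin
    )
    $group    = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $userPath = "WinNT://$env:COMPUTERNAME/$User,user"
    $members  = @(Get-LocalGroupMemberNames 'Administrators')
    $isMember = $members -contains $User

    if ($Admin -and -not $isMember) {
        $group.Add($userPath)
        return "added $User to Administrators"
    }
    if (-not $Admin -and $isMember) {
        # Removing the membership does not delete the account; it keeps its Users
        # membership. But never strip the last member, or the box cannot be
        # administered again until it goes back to the workshop.
        if ($members.Count -le 1) {
            throw "refusing to remove $User : it is the last member of Administrators"
        }
        $group.Remove($userPath)
        return "removed $User from Administrators"
    }
    return "no change: $User admin=$isMember"
}

# Service flow: verified pendrive present at boot -> grant; pendrive gone -> revoke.
# Group membership is put into the token at logon, so a session that is already open
# keeps its old rights until it logs off; toggling before logon, as the OP plans, is fine.
# Set-LocalAdminMembership -User 'kiosk' -Admin $true
# Set-LocalAdminMembership -User 'kiosk' -Admin $false
```

Log the return value to the event log from the service, so a stick left in a machine, or a revoke that never happened, shows up on the next visit.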

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 19 Sep 2012
Copyright © CodeProject, 1999-2017