Thursday, May 10, 2012

Creating a Kiosk Machine with Windows 7 and Two Free Applications.

A kiosk machine is a heavily locked-down PC that allows public users (in our case, students) to perform one simple task, such as running a single application or browsing to a single website or a limited set of websites.

We operate kiosk machines in our library, allowing students to use the machine - which is always on - to search the Library Catalogue (a web-based application) and find a book they're looking for.  The idea is that they can walk up to the machine, search and walk away with the location of the book, only having used the machine for a few minutes.

After many years of using a ThinStation image to do this, we've opted to build a Windows 7 image to do the same thing.  We found it's not at all difficult, and you can lock the machine down sufficiently to prevent tampering.  Our machine has almost nothing installed on it apart from Windows and drivers, so it boots lightning fast (practically as fast as the network-booting ThinStation images we were using), and it was quick and easy to build.  Being Windows, it's also easy for our library staff to understand, and for anybody to maintain.

The three main components of the kiosk machine are:

 

Configuring Windows and IE

Windows itself only requires basic configuration and some group policy changes.  We haven't joined these machines to our domain, so group policy changes were done locally.  We made all the obvious changes, like disabling screensavers and power saving, and disabling CTRL+ALT+DEL options such as Task Manager, fast user switching etc.

We use two Windows options to launch our browser in place of the normal explorer shell.  We use Internet Explorer's kiosk mode switch:

iexplore.exe -k

We also launch Internet Explorer using the Custom User Interface group policy option in Windows.  This allows Internet Explorer to be run instead of the normal Explorer interface (the taskbar, start menu and desktop).

Locking it Down

With the aforementioned changes made, Windows will boot into IE and display the start page (the library catalogue in our case) with no buttons, address bar or menus.  If you were to quit IE you would be presented with a blank background and no option to launch any other programs.
That all seems good, except there are innumerable ways to get into the system and start messing around.  Pressing ALT+F4 will kill IE, CTRL+O will allow you to browse to any other address, and of course the good old right-click context menu opens up all sorts of options we don't want users to see.  This is where AutoHotKey comes in.

AutoHotKey allows you to do a lot of crazy things with input devices, from launching programs with a key combination, to remapping mouse and keyboard keys or key combinations.  The program is free and its scripting language is very easy to learn using its comprehensive help file littered with examples.
By writing an AutoHotKey script, and replacing the explorer shell with AutoHotKey (which in turn runs IE in kiosk mode), I can remove access to right and middle mouse-buttons, CTRL+anything and any other way to circumvent my IE kiosk setup.  I can also slip in some secret key combinations that launch various tools to help troubleshoot the system, or to get back to the explorer desktop.  After all, our support techs need to be able to work with it too.
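
As an added illustration (not the author's script, which is linked under Resources), here is a minimal AutoHotkey v1 shell script of the kind described above. The install paths, the `^!+F12` maintenance combination and the timer that relaunches IE if it is closed are assumptions made for this example.

```autohotkey
; Added example, not the original kiosk script. AutoHotkey v1 syntax.
; Intended to be set as the Custom User Interface shell in place of explorer.exe.
#NoEnv
#SingleInstance Force
#Persistent

; Assumed paths: adjust to the image being built.
IEPath  := "C:\Program Files\Internet Explorer\iexplore.exe"
ProcExp := "C:\Tools\procexp.exe"   ; hypothetical location of Process Explorer

; Swallow CTRL+A through CTRL+Z (covers CTRL+O, CTRL+N, CTRL+P and so on).
Loop, 26
    Hotkey, % "^" . Chr(96 + A_Index), Swallow

; Start the browser, then check every 2 seconds that it is still there.
; The watchdog is an addition: the article's setup leaves a blank
; background when IE is closed.
Gosub, LaunchKiosk
SetTimer, WatchBrowser, 2000
return   ; end of auto-execute section

LaunchKiosk:
    Run, "%IEPath%" -k
return

WatchBrowser:
    if !WinExist("ahk_class IEFrame")
        Gosub, LaunchKiosk
return

Swallow:
return   ; do nothing, so the keystroke never reaches IE

; Mouse: no context menu, no middle-click.
RButton::return
MButton::return

; ALT+F4 would otherwise close IE.
!F4::return

; Maintenance hotkey for support staff. Placeholder combination only:
; choose your own and keep it out of any published copy of the script.
^!+F12::Run, "%ProcExp%"
```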

 

Process Explorer

One of the side-effects of locking the machine down is that if you want to remove everything from the CTRL+ALT+DEL menu, you need to disable Task Manager.  In their infinite wisdom, Microsoft have provided the ability to remove Task Manager from the CTRL+ALT+DEL options.  However, what this really does is disable the feature completely; even typing taskmgr in a command prompt won't work.
However, in troubleshooting the machine one of the first things you want to do is kill AutoHotKey to get back your shortcut keys and right mouse button.  Also, Task Manager has a handy run menu that you can use to launch explorer and get your start menu back.  So, given that we can't use Task Manager, we've installed Process Explorer, which is better anyway, allowing us to do everything we could with taskmgr.exe and then some.  We just assign it to the most bizarre and hard-to-guess key combination imaginable in our script, and we're done, aside from maybe also assigning keys to cmd.exe and anything else we might need access to.

UPDATE:

I didn't get around to fully documenting the Group Policies used here, so I've added a link below showing the output from the command gpresult /v which identifies the local policies enabled in the configuration.

Resources

  • Our AutoHotKey script (with key combinations for process explorer etc. censored).
  • Disable_sleep.reg (registry hack to remove the sleep option from the shutdown menu).
  • Gpresult.txt (the output of gpresult, showing the group policies used in this setup).


14 comments:

Rodney said...

Is there any way you can send me or post exactly what group policy elements that you instituted locally. I need to do a machine just like this and could use all the help I can get. My email address is rodneybrooks@dcccd.edu. Thanks in advance.

mahasiswa teladan said...

Hi.. I'm a student from Informatics Engineering, this article is very informative, thanks for sharing :)

Aeglaeca said...

You could take it a step further and make a small gui input for a password to access the tech tools instead of having readily accessible shortcuts that someone could potentially discover. I use AutoIt instead of AutoHotKey which can do everything AutoHotKey can and then some.

Frédéric Aussant said...

Wow !! Many thanks for this ! I was looking for an easy way to do the same things in my library.



Epic setup !!

Yves Mailhot said...

You might also find this software interesting: http://intiles.com

gwyn edwards said...

Thanks very much for this great tutorial.

A couple of things:

- I noticed that the block to Alt+F4 (i.e. !F4) wasn't actually in your pastebin script?

- I was playing around with the idea of refreshing the kiosks if they have been inactive for 10 minutes or so. There are situations where this would be advantageous - e.g. if someone has logged in to your catalogue but forgotten to log out etc. Anyhow, the following addition to the AutoHotKey script will check (every 5 minutes) to see if the PC has been idle for 10 minutes or more and then close/re-open any browser windows.

GroupAdd, IEwindows, ahk_class IEFrame

#persistent
SetTimer, RefreshKiosk, 300000, 0

RefreshKiosk:
if (A_TimeIdle > 600000)
{
WinClose, ahk_group IEwindows
Run, C:\Program Files\Internet Explorer\iexplore.exe -k
}
return

Thanks again for sharing a great solution

System Administrivia said...

Nice work, thanks for that contribution, I'll give it a try on our implementation! :)

Manuel Filipe said...

Help me please! Where and how do I make the scripts? For example, the script that Gwyn Edwards made, how do I get it to work? And the other in the registry?

Thanks a Lot

Filipe

System Administrivia said...

I'll let gwyn comment on that specific addition to the scripts as I haven't tested it myself yet, Manuel.
It might help if you give us some more details on what's failing and how though.

Thanks.

Manuel Filipe said...

I just want to know how to use the script gwyn edwards wrote, but with Chrome, not Internet Explorer. Because I use Chrome for public use in kiosk mode of my web page, but after a few minutes the page reloads to off line.... Please help me!

gwyn edwards said...

Hey Manuel,

I looked at this post: http://stackoverflow.com/questions/13500018/unable-to-identify-google-chrome-window-using-autohotkey

...and made a little edit: This seemed to work okay for Chrome (maybe change the timing so it's not checking every 5 seconds)?


GroupAdd, ChromeWindows, ahk_exe chrome.exe

#persistent
SetTimer, RefreshKiosk, 5000, 0

RefreshKiosk:
if (A_TimeIdle > 10000)
{
WinClose, ahk_group ChromeWindows ; close every window in the group defined by GroupAdd above
Run, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
}
return

gwyn edwards said...

Meanwhile, I just realised there was an error in my script for IE, forgot to enclose the directory path to iexplore in quotation marks, it should be as follows:

GroupAdd, IEwindows, ahk_class IEFrame

#persistent
SetTimer, RefreshKiosk, 300000, 0

RefreshKiosk:
if (A_TimeIdle > 600000)
{
WinClose, ahk_group IEwindows
Run, "C:\Program Files\Internet Explorer\iexplore.exe" -k
}
return

andyw35 said...

Thanks, I have worked on the same thing but without extra software, I have posted the instructions here

http://windowsandyw35.blogspot.com/2014/06/building-windows-7-kiosk-pc.html