Thursday, May 10, 2012

Creating a Kiosk Machine with Windows 7 and Two Free Applications.

A kiosk machine is a very locked down PC that allows public users (in our case, students) to perform one simple task, such as running one application, or browsing to one, or a limited set of websites.

We operate kiosk machines in our library, allowing students to use the machine - which is always on - to search the Library Catalogue (a web-based application) and find a book they're looking for.  The idea is that they can walk up to the machine, search and walk away with the location of the book, only having used the machine for a few minutes.

After many years of using a ThinStation image to do this, we've opted to build a Windows 7 image to do the same thing.  We found it's not at all difficult, and you can lock the machine down sufficiently to prevent tampering.  Our machine has almost nothing installed on it apart from Windows and drivers, so it boots lightning fast (practically as fast as the network booting thinstation images we were using), and it was quick and easy to build.  Being Windows, it's also easy for our library staff to understand, and for anybody to maintain.

The three main components of the kiosk machine are:

 

Configuring Windows and IE

Windows itself only requires basic configuration and some group policy changes.  We haven't joined these machines to our domain, so group policy changes were done locally.  We made all the obvious changes, like disabling screensavers, power saving, and disabling CTRL+ALT-DEL options like task manager, fast-user-switching etc.

We use two Windows options to launch our browser in place of the normal explorer shell.  We use Internet Explorer's kiosk mode switch:

iexplore.exe -k

We also launch Internet Explorer using the custom user interface group policy option in Windows.  This allows internet explorer to be run instead of the normal explorer interface (the taskbar, start menu and desktop).

Locking it Down

With the aforementioned changes made, Windows will boot into IE and display the start page (the library catalogue in our case) displaying no buttons, no address bar or menus.  If you were to quit IE you would be presented with a blank background and no option to launch any other programs.
That all seems good, except there are innumerable ways to get into the system and start messing around.  Pressing ALT+F4 will kill IE, CTRL+O will allow you to browse to any other address, and of course the good old right-click context menu opens up all sorts of options we don't want users to see.  This is where AutoHotKey comes in.

AutoHotKey allows you to do a lot of crazy things with input devices, from launching programs with a key combination, to remapping mouse and keyboard keys or key combinations.  The program is free and its scripting language is very easy to learn using its comprehensive help file littered with examples.
By writing an AutoHotKey script, and replacing the explorer shell with AutoHotKey (which in turn runs IE in kiosk mode), I can remove access to right and middle mouse-buttons, CTRL+anything and any other way to circumvent my IE kiosk setup.  I can also slip in some secret key combinations that launch various tools to help troubleshoot the system, or to get back to the explorer desktop.  After all, our support techs need to be able to work with it too.

 

Process Explorer

One of the side-effects of locking the machine down is that if you want to remove everything from the CTRL+ALT+DEL menu, you need to disable Task Manager.  In their infinite wisdom, Microsoft have provided the ability to remove Task Manager from the CTRL+ALT+DEL options.  However what this really does is disable the feature completely, even typing taskmgr in a command prompt won't work.
However, in troubleshooting the machine one of the first things you want to do is kill AutoHotKey to get back your shortcut keys, and right mouse button.  Also, task manager has a handy run menu that you can use to launch explorer and get your start menu back.  So, given that we can't use Task manager, we've installed Process Explorer, which is better anyway, allowing us to do everything we could with taskmgr.exe and then some.  We just assign it to the most bizarre and hard to guess key combination imaginable in our script, and we're done, aside from maybe also assigning keys to cmd.exe and anything else we might need access to.

UPDATE:

I didn't get around to fully documenting the Group Policies used here, so I've added a link below showing the output from the command gpresult /v which identifies the local policies enabled in the configuration.

Resources

  • Our AutoHotKey script (with key combinations for process explorer etc. censored).
  • Disable_sleep.reg (registry hack to remove the sleep option from the shutdown menu).
  • Gpresult.txt (the output of gpresult, showing the group policies used in this setup).


24 comments:

Rodney said...

Is there any way you can send me or post exactly what group policy elements that you instituted locally. I need to do a machine just like this and could use all the help I can get. My email address is rodneybrooks@dcccd.edu. Thanks in advance.

Aeglaeca said...

You could take it a step further and make a small gui input for a password to access the tech tools instead of having readily accessible shortcuts that someone could potentially discover. I use AutoIt instead of AutoHotKey which can do everything AutoHotKey can and then some.

Unknown said...

Wow !! Many thanks for this ! I was looking for an easy way to do the same things in my library.



Epic setup !!

Anonymous said...

You might also find this software interesting: http://intiles.com

Tom Edwards said...

Thanks very much for this great tutorial.

A couple of things:

- I noticed that the block to Alt+F4 (i.e. !F4) wasn't actually in your pastebin script?

- I was playing around with the idea of refreshing the kiosks if they have been inactive for 10 minutes or so. There are situations where this would be advantageous - eg. if someone has logged in to your catalogue but forgotten to log out etc. Anyhow, the following addition to the authotkey script will check (every 5 minutes) to see if the PC has been idle for 10 minutes or more and then close/re-open any browser windows.

GroupAdd, IEwindows, ahk_class IEFrame

#persistent
SetTimer, RefreshKiosk, 300000, 0

RefreshKiosk:
if (A_TimeIdle > 600000)
{
WinClose, ahk_group IEwindows
Run, C:\Program Files\Internet Explorer\iexplore.exe -k
}
return

Thanks again for sharing a great solution

System Administrivia said...

Nice work, thanks for that contribution, I'll give it a try on our implementation! :)

Manuel Filipe said...

Help me please ! were and How I made the scripts ?? For example the script that Gwyn Edwards made How I do to work? and the other in the registry ?

Thanks a Lot

Filipe

System Administrivia said...

I'll let gwyn comment on that specific addition to the scripts as I haven't tested it myself yet Manuel.
It might help if you give us some more details on what's failing and how though.

Thanks.

Manuel Filipe said...

I just want to know how to use the script gwyn edwards wrote but to use with the crome not internet explorer. Because I use chrome to public use in kiosk mode of my web page but after a few minutes the page reloads to off line.... Please help me !

Tom Edwards said...

Hey Manuel,

I looked at this post: http://stackoverflow.com/questions/13500018/unable-to-identify-google-chrome-window-using-autohotkey

...and made a little edit: This seemed to work okay for Chrome (maybe change the timing so it's not checking every 5 seconds)?


GroupAdd, ChromeWindows, ahk_exe chrome.exe

#persistent
SetTimer, RefreshKiosk, 5000, 0

RefreshKiosk:
if (A_TimeIdle > 10000)
{
WinClose, ahk_exe ChromeWindows
Run, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
}
return

Tom Edwards said...

Meanwhile, I just realised there was an error in my script for IE, forgot to enclose the directory path to iexplore in quotation marks, it should be as follows:

GroupAdd, IEwindows, ahk_class IEFrame

#persistent
SetTimer, RefreshKiosk, 300000, 0

RefreshKiosk:
if (A_TimeIdle > 600000)
{
WinClose, ahk_group IEwindows
Run, "C:\Program Files\Internet Explorer\iexplore.exe" -k
}
return

andyw35 said...
This comment has been removed by the author.
andyw35 said...

Thanks, I have worked on the same thing but without extra software, I have posted the instructions here

http://windowsandyw35.blogspot.com/2014/06/building-windows-7-kiosk-pc.html

RandyD said...

Great article. I followed the instructions like disabling the screensaver, "lock computer", "logoff", user-switching, the Custom User Interface for iexplore.exe -k and the disable sleep registry. I used the Autohotkey and Process Explorer program. I use the Autohotkey Kiosk file.

Everything appears to work fine, except, the user can still press the "Windows" logo key and the Ctrl-Esc keys to access the start menu.

I am running a Windows 7 Pro 64-bit OS.

I tried adding to the autohotkey script these 2 commands:

#::Return
^+Escape::Return

This didn't work either. Anybody got any suggestions?!

Thanks in advance for you help.

System Administrivia said...

Hi Randy,

If you run your kiosk executable (iexplore in my case) as an alternative Windows shell, there will be no start menu because explorer.exe will never be loaded. Have you tried doing that?

L8r.

RandyD said...

My second line in my Autohotkey script includes this line: C"\Program Files\Internet Explorer\iexplore.exe" -k and I have IE set to open a particular website. When user logs in IE opens up to that website, with no menu bars or navigation bars or buttons.

Sometimes the taskbar will show up at the bottom of the screen and sometimes not. If it does, once a user click on the webpage the taskbar goes away. But the user can still do Windows key or Ctrl-Esc.

Here is the whole script that I am using:

#MaxHotkeysPerInterval 500
Run "C:\Program Files\Internet Explorer\iexplore.exe" -k
RButton::Return
MButton::Return
^MButton::Return
!MButton::Return
+MButton::Return
^RButton::Return
!RButton::Return
+RButton::Return
^LButton::Return
!LButton::Return
+LButton::Return
^J::Return
^H::Return
^W::Return
^G::Return
^S::Return
^B::Return
^O::Return
^I::Return
+F10::Return
^+Delete::Return
^!Delete::Return
^NumpadAdd::Return
^NumpadSub::Return
^=::Return
^-::Return
^WheelUp::Return
^WheelDown::Return
#::Return
^+Escape::Return
^+c::Run cmd
^+e::Run "C:\Program Files\ProcessExplorer\procexp.exe"
^+s::Run cmd /C "shutdown -r -t 0"

I followed everything else in the article, like removing screensaver, "Lock computer", "Logoff", Task Manager, Disable Sleep registry, etc.

Am I missing something? Do I need to also use the "Custom User Interface", even though it is in the second line of the Autohotkey script?

System Administrivia said...

Hi,

Yes, the custom user interface will replace the Windows Shell (explorer.exe - the program that is responsible for starting the start menu and taskbar) with whatever program you choose. In this case that would be autohotkey, and your script. You can do this from gpedit or by editing the registry.

Once the shell is replaced you will have no start menu or taskbar so make sure you have a way to access the system for troubleshooting. That's where having secret hotkeys for CMD and process explorer come in. They give you access to run explorer.exe or control (or any other program) manually.

L8r.

RandyD said...

I am back to working on getting our Kiosk going. I have everything working like I want except for my boss want the user to be able to be able to have access to the address bar (URL). He gave me an article that has registry entries to turn on and off different things in IE.

Here is the link: http://www.ingenuityworking.com/knowledge/w/knowledgebase/internet-explorer-kiosk-mode.aspx

I tried doing what it said with no luck.

I was wandering if anybody else knows how to just turn on the address bar, because if you just use this: Run "C:\Program Files\Internet Explorer\iexplore.exe" -k

all I get is a web page with no bars of any kind.

Any help or suggestions would be great, since I am being pushed to roll out 3 Kiosk PC. Thanks

System Administrivia said...

Hiya RandyD,

I'm thinking the link you refer to is for IE6 and that era of browser. I don't think Kiosk Mode was meant to be controlled via the registry, but regardless I tried those registry entries myself (with IE11) and they don't do anything.

I have seen some people suggesting a bit of vb script to launch IE with certain elements on or off. That might be your best way to control it, there seem to be lots of different methods in use (from what I can Google, anyway), so one may work for you.

Anonymous said...

This is a very helpful start, but I have come across an issue that I am hoping somebody can help me with.

I'm using IE9 on W7e, and the web site I go to has the login screen. But when you log in, it opens another IE window, and this one is not in kiosk mode. Is there a way to force IE to open the new window in kiosk mode without having access to the link? (plus this app needs to run on unlocked PCs also).

thank you.

System Administrivia said...

James,

When you say the new window is not in kiosk mode - what exactly does it display? Toolbars, menus, status bars,etc?

Thanks.

Anonymous said...

Just ran it again to see...
Not sure what it is doing. Under normal use, it would pop up a new IE window that has the app running in it, but doing it this way, there is only the one window. This window has the title bar, the address bar, and the dash/box/X (minimize/close buttons); and if I minimize it, it will minimize to the bottom left of the screen and the rest of the screen is a featureless black blank (and the secret keys can then bring up the CMD box etc).
If I log out of the application, it takes me back to the login screen, but the IE elements already mentioned stay.
It's not the end of the world with this behavior as the user won't be able to go anywhere anyway, just a quirk I would rather avoid if possible.

System Administrivia said...

Hi James,

It sounds like some weirdness unique to that application, so it might be hard to work around. I notice in my own testing that IE ignores the settings to to open popups in new tabs rather than new windows when in Kiosk mode (probably because you can't see the tabs UI).
Anyway, one workaround might be to have AutoHotKey set to wait until it sees a window with the title of your popup and send the F11 key. This will put the popup in fullscreen mode, which isn't the same as Kiosk mode but should at least look more consistent.

Sorry, I can't think of a better solution for you, short of modifying your actual application.

Digital Signage Solutions said...

Nice blog... This is an interesting information on how creating a Kiosk Machine with Windows 7 and Two Free Applications. Here you find more information on chrome kiosk mode. Thanks for sharing