Here's how I fixed it. I created a new lightweight service and configured it
to run in Safe Mode by adding it to the registry key
The service only runs in Safe Mode; it stops immediately if it detects that
it is being run in Normal mode by checking the .NET
SystemInformation.BootMode property. This service monitors who is using the
computer and logs off anyone who isn't on the "approved" list of users. The
approved list of users isn't defined based on membership in the Administrator
group because on Windows Vista/7 the user token doesn't contain the
Administrator group until elevation happens. So I provide some UI for the
user to pick the user accounts of people who can use the computer in Safe
I'd prefer not to have to provide any UI for picking the list of approved
Safe Mode users. I'd rather just block Safe Mode access for
non-administrators. But I don't know how to determine who the administrators
are. The technique I had attempted to use was to call WTSQueryUserToken for
the WTSGetActiveConsoleSessionId. Then I use this .NET code:
bool isAdministrator = new
But as I said before this test fails on Windows Vista/7. Is there another
way to determine if the user has the potential to be an administrator?
I wanted to simply mark my original service to work in Safe Mode but
couldn't do this because it has a dependency on the Terminal Service
(termservice), which does not work in Safe Mode. I considered adding
termservice to the list of Safe Mode services but this seemed risky because I
don't know if it can work in Safe Mode, even if all its explicitly defined
dependent services are also running. The reason I need termservice is because
I use it to log off or do a switch user of the current interactive user. The
following APIs seem to work on Windows Vista/7 even if termservice isn't
running but they do NOT appear to work on Windows XP. In other words:
I can't figure out how to log off or disconnect the current interactive user
on Windows XP when termservice isn't running. So my lightweight service does
this instead on Windows XP: Process.Start("shutdown", "-r -f -t 0")
Post by lelteto
It's not pretty but theoretically you can do this: You would need to write a
GINA (XP, or equivalent login control for Vista / Win7) and a service. GINA
could check the service: if it doesn't start it could deny any non-admin
As I said it's probably more trouble than you want to go into for your goal,
but it's one possible way to add the control you want.
Post by jmagaram
Another idea: It would be helpful if I could block non-administrators from
logging on in Safe Mode. That would fix my problem.
Post by jmagaram
I have built a parental control application that enforces time limits. It
works on Windows XP/Vista/7. It uses a Windows Service to track who is using
the computer when, and boots the kids off - a forced logoff - when their time
runs out. But when someone reboots into Safe Mode, my service isn't started,
so it is very easy for kids to bypass the time limits. Actually some of the
services my service depends on aren't started either so I can't even manually
start my service in Safe Mode. As a workaround, I attempted to put a separate
program in the user's Startup folder that would automatically log them off in
Safe Mode using the ExitWindows API but from tests I've run I don't think the
programs in the Startup folder get run in Safe Mode.
Is there a way to password protect safe mode without buying BitLocker? I
can't require all my users to upgrade to Ultimate.
How can I build a parental control application that works in Safe Mode?
Are programs in the Startup folder NOT started in Safe Mode?
If I use the Parental Control API in Windows 7/Vista, can I somehow get
around this problem?
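
The following is an added example, not code posted by anyone in this thread. It shows one way to answer the "potential to be an administrator" question on Windows Vista/7: when the role check on the session token fails, ask whether the token is the filtered half of a UAC split token and test its linked token instead. It assumes .NET Framework 4 or later and a token handle such as the one WTSQueryUserToken returns; the names AdminCheck, HasEnabledAdminGroup and CanBeAdministrator are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper; the names AdminCheck and CanBeAdministrator are not from the thread.
static class AdminCheck
{
    // TOKEN_INFORMATION_CLASS and TOKEN_ELEVATION_TYPE values from winnt.h
    const int TokenElevationType = 18;
    const int TokenLinkedToken = 19;
    const int TokenElevationTypeLimited = 3; // filtered half of a UAC split token

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out int info, int infoLength, out int returnLength);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out IntPtr info, int infoLength, out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static bool HasEnabledAdminGroup(IntPtr token)
    {
        // WindowsIdentity duplicates the handle, so the caller keeps ownership of 'token'.
        using (WindowsIdentity id = new WindowsIdentity(token))
            return new WindowsPrincipal(id).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // userToken: a handle such as the one WTSQueryUserToken returns for the console session.
    public static bool CanBeAdministrator(IntPtr userToken)
    {
        if (HasEnabledAdminGroup(userToken)) return true;           // XP, UAC off, or elevated
        if (Environment.OSVersion.Version.Major < 6) return false;  // no split tokens before Vista

        int elevationType, length;
        if (!GetTokenInformation(userToken, TokenElevationType, out elevationType, sizeof(int), out length))
            throw new Win32Exception(); // wraps Marshal.GetLastWin32Error()
        if (elevationType != TokenElevationTypeLimited) return false; // plain standard user

        IntPtr linked; // TOKEN_LINKED_TOKEN is a single HANDLE
        if (!GetTokenInformation(userToken, TokenLinkedToken, out linked, IntPtr.Size, out length))
            throw new Win32Exception();
        try { return HasEnabledAdminGroup(linked); }
        finally { CloseHandle(linked); }
    }
}
```

A caller without SeTcbPrivilege receives the linked token only at identification level, which is still sufficient for the IsInRole check used here.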