
Implementation of Custom Kiosk Mode on Windows 10 IoT Enterprise 

Windows 10 Internet of Things (IoT) is widely used in embedded devices across various domains, including point-of-sale terminals, medical devices, banking, and automotive systems. One of the important features of Windows 10 is “Kiosk mode” for Universal Windows Platform (UWP) and Windows desktop applications, which is widely used in embedded devices. Kiosk mode is a feature of the Windows operating system that allows a device to run only specified applications and settings. An administrator can use Kiosk mode to configure a device so that only one specific application is allowed to run, ensuring a focused and secure user experience. Kiosk mode helps developers create a dedicated and locked-down user experience on fixed-purpose devices like ATMs, point-of-sale terminals, and medical devices.

Windows 10 IoT Enterprise does not natively support multiple dependent applications in Kiosk mode, and running desktop applications in Kiosk mode raises security concerns. Take the example of a medical device that requires multiple applications in Kiosk mode. Application1 is responsible for checking the integrity of various peripherals, validating the database, performing database clean-up if necessary, and managing pending application update processes. Once all validations and pending tasks are completed, the system launches Application2, which serves as the primary application. A developer designing this architecture faces a few technical challenges:

Problem 1: Natively, Windows 10 IoT Enterprise does not support multiple applications in the Kiosk mode. 


Problem 2: The native application in Kiosk mode permits the use of CTRL + ALT + DEL, which provides access to options such as “Task Manager”, “Change Password”, and others. Through the Task Manager, a user can gain access to Windows, browse files, and potentially install malicious software or drivers, compromising system security. In the context of a medical device, this poses significant security risks, as such features should not be accessible to regular users.


Problem 3: If the device has USB access, regular users can connect a keyboard and mouse to gain access to the Operating System (OS). 

Then what’s the solution? Well, here is the answer… 

This article covers the technical details needed to run multiple dependent applications in Kiosk mode along with a locked-down user experience that restricts access to specific applications and system functionalities. This development technique is referred to as Custom Kiosk Mode in this whitepaper.

Let’s tackle Problem 1 – Multiple applications in Kiosk mode   

Implement Custom Kiosk Mode: 

  • Create a user with a blank password so that Windows automatically logs in to this account as soon as it boots up.

  • Develop a lightweight MFC (Microsoft Foundation Class Library)/WinForms application that can be set as the user initialization startup application. This ensures that the application launches automatically as soon as Windows performs the auto-login. The application should be lightweight, so it loads quickly and can display information like company branding or product loading status when it launches.

  • Then change the Windows shell in the registry (the “Shell” value under the Winlogon key) so that the custom application, instead of the desktop, is launched at startup.


  • Once the application is loaded, you can create a thread to handle the sequential or dependent launch of applications. The first application initializes interfaces, the second validates the database, and finally the main application is launched. Create an array of applications to be launched, and use CreateProcess and WaitForSingleObject in C++ or Process.Start and WaitForExit in C# to launch each application. The launcher waits for each application to exit before it starts the next one.

  • This configuration restricts access to the desktop and taskbar of Windows 10 IoT Enterprise.


Please note:

  1. Note that we are changing the “Shell” registry value, not “Userinit”. If you put your custom application in the “Userinit” value, Windows may not initialize essential services like network connectivity and time synchronization, which causes problems if your application depends on them. Therefore, it is preferable to change the “Shell” entry in Winlogon instead.

  2. If an administrator needs the Windows desktop for maintenance purposes, change the “Shell” value back to “explorer.exe” and call “userinit.exe” from “C:\Windows\System32”.
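The launch chain described in the steps above, as an added example in C# that is not the article's own code: a minimal shell application body that runs the dependent applications in order with Process.Start and WaitForExit. The executable paths and the convention that exit code 0 means "checks passed" are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added example (not the article's code): the launch chain a lightweight shell
// application would run once Windows has auto-logged the kiosk user in.
// The executable paths are constructed placeholders.
static class KioskLauncher
{
    // Dependency order: every entry must exit with code 0 (assumed to mean
    // "checks passed") before the next one starts; the last entry is the main app.
    static readonly string[] Chain =
    {
        @"C:\Kiosk\App1_PeripheralAndDbCheck.exe", // placeholder
        @"C:\Kiosk\App2_Main.exe",                 // placeholder
    };

    // Process.Start + WaitForExit, the C# pair the article names: start one
    // application and block until it exits. Returns its exit code, or -1 if absent.
    static int RunAndWait(string exePath)
    {
        if (!File.Exists(exePath)) return -1;
        var psi = new ProcessStartInfo(exePath)
        {
            WorkingDirectory = Path.GetDirectoryName(exePath),
            UseShellExecute = false, // start the executable directly, not via the shell
        };
        using (var p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode;
        }
    }

    static int Main()
    {
        // Prerequisites: a failed integrity or database check must stop the
        // chain so the main application never starts on an unvalidated device.
        for (int i = 0; i < Chain.Length - 1; i++)
        {
            int code = RunAndWait(Chain[i]);
            if (code != 0) return code; // stay out of the main app; log/alert here
        }
        // Keep the main application on screen: if it exits or is closed, relaunch
        // it, since once this shell process ends the user is left with a bare
        // session. Stop only if the binary is missing.
        while (RunAndWait(Chain[Chain.Length - 1]) != -1) { }
        return -1;
    }
}
```

Build this as the lightweight startup application and point the Winlogon “Shell” value at its path.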


At this point the end user can still press CTRL + ALT + DEL, open the Task Manager, and reach the Windows OS.


Let’s tackle Problem 2 – Disabling CTRL + ALT + DEL for restricted access

Apply the registry policy changes to disable access to the CTRL + ALT + DEL options (the individual values, DisableTaskMgr, DisableLockWorkstation, DisableLogoff, DisableChangePassword, HideFastUserSwitching, and NoLogoff, are listed again in the KMDF section below):


After applying the above registry changes, the end user sees only the Restart and Shutdown options on the CTRL + ALT + DEL screen. Most embedded devices have a display with touch-screen support, so we can enhance security further by disabling the keyboard and mouse.


Let’s tackle Problem 3 – Disabling the Keyboard and Mouse access 

Most embedded devices expose USB for exporting data, backing up the system, or applying system updates. The same USB interface, however, lets a regular user connect a keyboard and mouse and reach the system and its data, which is a security issue.

Let’s understand the Windows 10 IoT boot-up sequence for embedded devices before disabling the keyboard and mouse.

Upon powering on the device, U-Boot starts and initializes all the hardware interfaces. After initializing the hardware, U-Boot loads the Unified Extensible Firmware Interface (UEFI). UEFI takes control of the hardware from U-Boot, updates the required hardware settings, and performs the Power-On Self-Test (POST). UEFI then loads the Boot Manager (Bootmgr), which is responsible for loading the Windows OS. Bootmgr reads the Boot Configuration Data (BCD) store, which contains the boot configuration parameters that determine the OS to be loaded. Bootmgr then executes the Windows Boot Loader (winload), which loads the essential kernel drivers, the Windows kernel (ntoskrnl.exe), and the hardware abstraction layer (HAL). Then it starts initializing the user-mode drivers, the class drivers (responsible for the keyboard and mouse), and services.

So, to disable the keyboard and mouse, we must act before the class drivers start initializing. A KMDF (Kernel-Mode Driver Framework) driver is a good option for this. Let’s create a KMDF driver to do so.


  • Now let’s disable the keyboard and mouse. 


Please note: 

  • If you would like to re-enable the keyboard or mouse, remove the “__” from the data buffer value.

  • Once the KMDF driver is installed, it loads during OS boot-up and enforces the restrictions on the keyboard, mouse, and CTRL + ALT + DEL. The advantage of applying these settings through the KMDF driver is that if a user modifies the registry settings, the driver reapplies the restrictions at the next OS boot, preventing the user from gaining access to the OS.


  • Apply the CTRL + ALT + DEL settings from the KMDF driver

  • The per-user registry settings are a bit trickier than the KMDF approach above: first, you need to obtain the “User SID” to access the user’s part of the registry.

  • Let’s get the “User SID” from the KMDF driver. 

 

  • Now we can prepare the registry path for the users from KMDF. 


  • Now that we have the User SID, we can set registry values such as DisableTaskMgr, DisableLockWorkstation, DisableLogoff, DisableChangePassword, HideFastUserSwitching, and NoLogoff.

  Please note:

    • The registry data type must be “REG_DWORD”.

    • Set the DWORD to 1 to disable a function and to 0 to re-enable it.

  • With this, the “Custom” Kiosk mode is configured and the security settings are applied. The system is now ready for regular users.
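The CTRL + ALT + DEL policy values from Problem 2 and the per-user registry path built from the User SID in the KMDF section, shown together as an added user-mode example in C# that is not the article's code or its driver: an administrator-run tool that resolves the kiosk account to its SID, writes the policies as REG_DWORD under HKEY_USERS\<SID>, and audits which restrictions are in force. The account name is a constructed placeholder, and the hive under HKEY_USERS\<SID> is assumed to be loaded (the auto-logged-in kiosk user qualifies).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.Win32;

// Added example (not the article's code or its KMDF driver): builds the same
// per-user path the article prepares inside the driver
// (HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\...)
// and sets or audits the CTRL + ALT + DEL policy values as REG_DWORD.
static class CtrlAltDelPolicy
{
    // Per-user values named in the article and the subkey each lives under
    // (DisableLogoff is also named there; its location is not reproduced here).
    static readonly (string SubKey, string Name)[] Policies =
    {
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableTaskMgr"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableLockWorkstation"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableChangePassword"),
        (@"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoLogoff"),
    };

    // The article's "get the User SID" step, done from user mode via the account name.
    static string SidOf(string account) =>
        ((SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier))).Value;

    // 1 disables the function, 0 re-enables it; HideFastUserSwitching is machine-wide.
    static void Apply(string account, bool disable)
    {
        string sid = SidOf(account);
        int v = disable ? 1 : 0;
        foreach (var (subKey, name) in Policies)
            using (var key = Registry.Users.CreateSubKey($@"{sid}\{subKey}"))
                key.SetValue(name, v, RegistryValueKind.DWord);
        using (var sys = Registry.LocalMachine.CreateSubKey(
                   @"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"))
            sys.SetValue("HideFastUserSwitching", v, RegistryValueKind.DWord);
    }

    // Reports which restrictions are in force, so the locked-down state can be
    // confirmed after provisioning or checked later for tampering.
    static IEnumerable<string> Audit(string account)
    {
        string sid = SidOf(account);
        foreach (var (subKey, name) in Policies)
        using (var key = Registry.Users.OpenSubKey($@"{sid}\{subKey}"))
        {
            object v = key?.GetValue(name);
            yield return $"{name} = {(v is int i && i == 1 ? "disabled" : "NOT disabled")}";
        }
    }
}
```

Run as an administrator while the kiosk user is logged on: Apply("KioskUser", true) writes the restrictions and Audit("KioskUser") lists their current state, which is the check to repeat after boot to confirm the driver reapplied them.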


Conclusion: 

Windows IoT is designed for robust equipment used in industries such as medical, automotive, industrial automation, banking, and point-of-sale terminals. The Windows 10 IoT operating system provides full enterprise management capability, enterprise-class power, and security. Implementing Custom Kiosk Mode in Windows 10 IoT Enterprise creates a controlled and secure environment by developing a startup application and modifying registry keys both from the Windows OS and from the KMDF driver, restricting user access and disabling potentially insecure options. This is an important feature that Windows 10 developers can implement when dealing with Windows 10 IoT devices.


Author Bio: 

Gaurav Dhol is a seasoned Technical Architect with over 14 years of experience in Windows 10 IoT, C++, embedded devices, QT, and Windows drivers. He has led numerous projects integrating IoT solutions with Windows systems and optimizing hardware performance with custom drivers. Gaurav is skilled in C++ and QT, developing high-performance applications and user interfaces. A mentor and thought leader, he is known for his problem-solving ability and strategic vision, driving innovation and operational efficiency across teams. 


© Copyright nasscom. All Rights Reserved.