How would I prevent users from logging in a PC while software is installing?

2

So I currently am looking for a solution to keeping users logged out while software is installing or activating a pop-up message that cannot be moved, closed, and is always on top, because sometimes when we deploy software to users (via SCCM), the parameters of the install require the user to be logged out for the duration of the installation. I've looked at trying to customize the group policy for account lockout but with no luck. Anyone know of any programs or scripts that do this?

Thank you!

Gawndy

Posted 2014-06-13T14:53:18.893

Reputation: 31

Answers

1

I just wanted to let anyone who ended up seeing this question know that I solved my problem a different way. Basically, I ended up using PSTools and AutoIt3 scripting.

I first wrote a script in PowerShell to display an HTA splash screen on the login screen informing the user that there was an installation going on, like so:

#Set-ExecutionPolicy -ExecutionPolicy Bypass -Force
#$ErrorActionPreference = 0
# $args is a PowerShell automatic variable, so the PsExec arguments get their own name.
# -s runs as SYSTEM, -x shows the UI on the Winlogon secure desktop.
$psexecArgs = @('-accepteula', '-s', '-h', '-x', 'mshta.exe "c:\temp\splash.hta"')
$thisfolder = Split-Path -Parent $MyInvocation.MyCommand.Definition #Gets the folder you are currently in
$installpath = "C:\GOOGLE_SKETCHUP_PRO_14p0p4900\Install-Sketchup2014.cmd" #path to install (msi, exe, cmd, etc...)

Copy-Item $thisfolder\* C:\temp -Exclude *.ps1 -Recurse -Force
Start-Process -FilePath c:\temp\pstools\psexec.exe -ArgumentList $psexecArgs -WindowStyle Minimized #opens login splash screen
# -NoNewWindow and -WindowStyle cannot be combined in one Start-Process call, so only -WindowStyle is kept here.
#Start-Process $installpath -Wait -WindowStyle Hidden #starts the install and waits until it's finished to close the splash screen
Start-Sleep 10 #To simulate an installation..
Get-Process mshta | Stop-Process -Force #closes the splash screen
Get-Process PSEXESVC | Stop-Process -Force #closes the PSExec
cmd.exe /c "rd C:\TEMP\PSTools /s /q" #removes pstools from computer
cmd.exe /c "del C:\TEMP\splash.hta /q /f" #removes splash screen files from computer

Then I used an AutoIt3 script to lock the mouse and keyboard for the duration of the install by using the BlockInput() function of AutoIt3. I turned the script into an EXE so that it could be run without AutoIt being installed on the machine.

Hope that helps anyone else looking for a solution to preventing user logon.

Gawndy

Posted 2014-06-13T14:53:18.893

Reputation: 31

0

You can look at changing the following registry value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

This value controls what happens when a user logs on to a system. By default it typically has a value like the following:

C:\windows\system32\userinit.exe

but it can be changed to do just about anything you want. For example, we have some systems which we want to act as dumb terminals connecting to our Citrix terminal server farm. We do this by changing this value to be the following:

c:\\windows\\system32\\wscript.exe c:\\someFolder\\somescript.vbs

This doesn't prevent the user from logging onto the system, but instead stops the user's environment from being initiated after they've logged on. You could do something similar where a script would rename the current Userinit value to something like Original_Userinit and then create a new one which would point to a script which would just log them back off once they logged back on. Then once you are done doing whatever you are doing, you rename this value to something else like Logoff_Userinit, and then rename the original back.

Again, this won't prevent the user from logging on, but it will prevent the logon session from being initiated and immediately log them back off.

mrTomahawk

Posted 2014-06-13T14:53:18.893

Reputation: 326

Thank you, will give this a try! Update: So I tried this on a test vm (thank god..!) and I put my computer into an infinite restart loop. What I did was basically change the userinit value to C:\temp\test.cmd and test.cmd basically just changed the background, then changed the userinit value back to C:\windows\system32\userinit.exe then logged off. But I don't think the part where it changed the value back worked. Any idea why? :\ Also, do you know if it's possible to log them out, then run a script while logged out? Some installations require the user to be logged out to run. – Gawndy – 2014-06-17T14:00:03.707

My script looks something like this:

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\photos\image1.bmp /f

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "userinit" /t REG_SZ /d "c:\test.cmd"

shutdown /r
 – Gawndy  – 2014-06-17T14:07:29.813

Update2: Now that I think about it, I think it's because the cmd isn't being started as an Admin therefore the script cannot edit the registry.. How would I tell the computer to start the cmd as an admin on login...? – Gawndy – 2014-06-17T14:18:02.210

The registry key change is something that should be done from an admin account executing the change remotely, and is probably not a good fit to be part of the script that you place in the userinit value. I've never used SCCM, but I would think you could wrap these scripts around your installer, which then gets deployed to a system. – mrTomahawk – 2014-06-17T14:50:56.090
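
The Userinit swap from mrTomahawk's answer, as an added PowerShell example (not code from either poster): it runs from an elevated deployment context, as the last comment advises, and restores the value in a `finally` block so a failed install does not leave the machine logging everyone off. The installer path and the use of logoff.exe as the replacement command are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run as admin/SYSTEM (e.g. as the deployment wrapper), never from the Userinit script itself.
param(
    # Hypothetical installer path; replace with the real package command.
    [string]$InstallerPath = 'C:\temp\install.cmd'
)

$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$backupName = 'Original_Userinit'                        # backup value name suggested in the answer
$logoffCmd  = "$env:SystemRoot\System32\logoff.exe"      # assumption: log the session straight off

$current = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit

# If an earlier run was interrupted, the backup already holds the real value:
# keep it instead of overwriting it with the temporary logoff command.
$original = (Get-ItemProperty -Path $winlogon -Name $backupName -ErrorAction SilentlyContinue).$backupName
if (-not $original) {
    Set-ItemProperty -Path $winlogon -Name $backupName -Value $current
    $original = $current
}

try {
    # From here on, any new logon is ended as soon as the session starts.
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $logoffCmd

    $proc = Start-Process -FilePath $InstallerPath -Wait -PassThru -WindowStyle Hidden
    Write-Output "Installer exit code: $($proc.ExitCode)"
}
finally {
    # Always put the original value back, then verify it before dropping the backup.
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $original
    $restored = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    if ($restored -eq $original) {
        Remove-ItemProperty -Path $winlogon -Name $backupName
    }
    else {
        Write-Error "Userinit was not restored; expected '$original', found '$restored'."
    }
}
```

Users who are already logged on are not affected, and a reboot in the middle of the install leaves the logoff value in place until the script is run again. Winlogon\Userinit is a well-known autostart location, so endpoint monitoring may flag the change.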