Windows 7 Kiosk Build

I was recently asked to create some easy-to-use Kiosk machines for work that would be as locked down as possible, and provide a familiar and easy experience for our staff.

My first thought was Linux, and sure enough there were quite a few flavours out there to choose from when it came to pre-built ISOs. I landed on what looked to be the cream of the crop, Proteus Kiosk. This was amazingly simple to customize with the startup config options, but in the end was lacking the latest Flash and Java versions that I needed. In order to customize it we would need to purchase a once-off customization ISO service, or donate to their project for a simple change (which this should be). However, I wanted to get this done for $0 and quick.

After half a day or so of searching on different ideas, I landed on building a stock Windows 7 machine and locking it down with Group Policy and the registry.

Taking tips from here on the appropriate settings to look for, I began ripping into the group policy and turning everything off that would cause trouble. Keyboard shortcuts, CTRL+ALT+DEL options etc.

The heart of the kiosk is Firefox. From the above page I altered the shell to be Firefox instead, which is running a plugin called R-Kiosk. By itself it works fine, but I made some adjustments for our staff.

Show the full nav bar
Create the file user.js under the following directory – C:\users\USERNAME\appdata\roaming\mozilla\firefox\profiles\PROFILEID

and add the following line
user_pref("rkiosk.navbar", true);

Hide the searchbar and step 1 of keeping nav bar visible (no auto-hide)
Create a folder called chrome in the same firefox profile directory as above, and create the file userChrome.css in there with the following lines

#searchbar { display: none !important; }

#navigator-toolbox[inFullscreen] #PersonalToolbar
{ visibility: visible !important; }

Additional configurations
– about:config
The above userChrome.css setting for making the navigator toolbox visible didn’t work by itself for me. I also had to load up the about:config settings pane and adjust the following settings

security.mixed_content.block_active_content;false
browser.fullscreen.autohide;false

– Privacy Settings
In order to prevent certain websites from blocking mixed content between sessions (and requiring staff to click on Firefox’s shield icon at the top-left of the browser and manually enable the content every time) the following privacy settings were needed. These are set so everything is reset between sessions, but site preferences are kept (which works with the above about:config setting of security.mixed_content.block_active_content;false to ensure all content is displayed without a prompt).
[Screenshots: FF-Privacy settings 1, FF-Privacy settings 2]

Ensuring user sessions aren’t left for too long
The last bit of housekeeping to ensure users aren’t using websites with other staff members’ credentials was to regularly reopen Firefox when the computer was left idle for a period of time. It had to be long enough to cater for someone going to the toilet etc. and wanting to return to their session, but short enough that it wasn’t there all day. I settled on 12 minutes.

Part 1 – Screensaver
At first it seemed easy, just enable all security logs on the system, and watch for the screensaver invoked ID 4802. When this ID was logged, the scheduled task would fire off a script that simply closes the Firefox process, and opens it again. While this worked, for some reason the screensaver would load, appear for about 1 second, and then the scheduled task would kick in, clearing the screensaver and taking us back to the Firefox home page. This meant the screensaver would never stay, and always be interrupted. I am not 100% sure on why this happens, but can only guess that the scheduled task firing counted as user activity, so cleared the screensaver.

So, the method that worked in the end was to only fire the task when the screensaver had been cleared by a user. To do this I changed it to instead look for event ID 4803 (screensaver dismissed) which worked a treat. There is a brief 1 second period when Firefox is closed and reopened after moving the mouse, but this is acceptable.

@ECHO OFF
REM Close Firefox, pause for about a second, then start it again
TASKKILL /IM firefox.exe
ping 0.0.0.0 -n 2 >NUL
CD "C:\Program Files (x86)\Mozilla Firefox"
START firefox.exe
exit

[Screenshot: task - restart FF]

Part 2 – What if the user closes Firefox accidentally?
Solvable by another scheduled task, I simply used the following script and set the task to run every minute. It will check if Firefox is open; if so, it does nothing. If Firefox is not open, it simply opens it once more, and so on and so forth.

' Start Firefox if no firefox.exe process is running
On Error Resume Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Process where Name = 'firefox.exe'",,48)
' Count the running firefox.exe processes
Count = 0
For Each objItem in colItems
    Count = Count + 1
Next
If Count = 0 Then
    Set oShell = CreateObject("WScript.Shell")
    'oShell.Run (chr(34) & "C:\Kiosk\IE Kiosk Mode.lnk" & chr(34))
    oShell.Run (chr(34) & "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" & chr(34))
End If

[Screenshot: task - check FF]
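
The two scheduled tasks from Part 1 and Part 2 can also be created from the command line. This batch file is an added example, not the original build's own: the account name KIOSKUSER and the script paths under C:\Kiosk are assumptions, the audit subcategory name assumes an English-language Windows install, and it must be run from an elevated prompt.

```bat
@ECHO OFF
REM Added example: creates the two kiosk tasks described above.
REM Assumed names (not from the original post): KIOSKUSER account,
REM C:\Kiosk\restart-ff.cmd and C:\Kiosk\check-ff.vbs holding the two scripts.
SETLOCAL
SET "KIOSK_USER=KIOSKUSER"
SET "RESTART_SCRIPT=C:\Kiosk\restart-ff.cmd"
SET "CHECK_SCRIPT=C:\Kiosk\check-ff.vbs"

REM Event IDs 4802 (screensaver invoked) and 4803 (screensaver dismissed) are
REM written to the Security log only when this subcategory audits successes.
REM Enabling just this subcategory avoids filling the log with unrelated events.
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable
IF ERRORLEVEL 1 (
    ECHO Could not enable auditing. Run this from an elevated prompt.
    EXIT /B 1
)

REM Part 1: run the restart script whenever event ID 4803 is logged.
REM /IT limits the task to the kiosk user's logged-on session, so Firefox
REM opens on the visible desktop. schtasks asks for a password if it needs one.
schtasks /Create /F /TN "task - restart FF" /TR "%RESTART_SCRIPT%" ^
    /SC ONEVENT /EC Security /MO "*[System[(EventID=4803)]]" ^
    /RU "%KIOSK_USER%" /IT
IF ERRORLEVEL 1 EXIT /B 1

REM Part 2: run the "is Firefox open?" check every minute.
REM //B keeps wscript from showing script error dialogs on the kiosk screen.
schtasks /Create /F /TN "task - check FF" /TR "wscript.exe //B %CHECK_SCRIPT%" ^
    /SC MINUTE /MO 1 /RU "%KIOSK_USER%" /IT
IF ERRORLEVEL 1 EXIT /B 1

REM Show both tasks so the triggers can be checked before deployment.
schtasks /Query /TN "task - restart FF"
schtasks /Query /TN "task - check FF"
ENDLOCAL
```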

Gaming

It’s probably about time I satisfy the gaming portion of this site title.

For Christmas my most awesome girlfriend bought a PlayStation 4. We’ve been having a great time every day since playing The Lego Movie game and Little Big Planet 3 together, as well as me playing FarCry 4 and streaming my adventures on twitch using the PS4’s inbuilt share function.

Here are some details of where you can find me:

PlayStation Network

PlayStation ID

Twitch


Activating Windows 7 on an OEM licensed desktop after a clean install

So I’ve been racking my brain and farting about on the web trying to find a way to activate our OEM machines at work which don’t contain a COA (Certificate Of Authenticity) on them.

Using the Magical Jelly Bean Keyfinder tool I was able to see the OEM CD key, but when trying to activate a fresh install of one of these machines (Lenovo M73 SFF) it just states that it couldn’t be activated.

After a bit more fluffing about I came across this thread on the Lenovo support forums.

Note post 15 from p1nh3a6. In it he describes success with using a tool to extract the activation certificate from the standard OEM installation, which can then be used on a fresh install of Windows 7 to reactivate using the same details.

So I went to his first suggestion of ABR.

Using this tool on a stock OEM machine from Lenovo I was able to create the backup files, then simply have them in the root of the ABR folder, and on the clean install run the restore executable and it automatically did its thing to import the certificate. The Windows install was activated after this was done.

Now on to creating a clean and shiny SOE!

NBN Ho!

One false start and a bit over one month after the initial install date, we’re finally online with NBN!

I’ve chosen to go with Exetel on a 100/40 500GB plan for $89/month, and managed to use over 100GB in updates and streaming in 2 days… might need to up that to unlimited for $10 more… hmmm….


New tent and location!

In continuing my completely ad-hoc use of this blog, here’s an update!

We bought a new tent. It’s going to be used for camping. Pretty revolutionary stuff. The tent is the best I’ve ever had. Bastard of a thing to get up at first, but then I pulled my head out and pinned all the corners down which made the process a hell of a lot easier.

Alice and I have also moved to Ballarat, Victoria!

I’ve gotten myself a nice IT job here which I’m stoked about. Started today and my head’s still spinning at all the possibilities :) Looking forward to the challenges ahead.

Here’s some happy snaps.
