11-16-2022 04:36 AM
Hello everyone.
I'd like to ask a question about a topic that doesn't have many forum posts on it.
I'm planning to use an application created with LabVIEW in the automation system. I don't want any applications other than this one to run. The reason for this is that I want to get rid of the extra CPU load and prevent the user from playing with Windows settings.
-What is the probability of this being done?
-Which is the most suitable operating system for this (the application was created on Windows 10)?
-It can use kiosk mode, and it looks like it can be done with Windows 10 IoT Enterprise. But is there a better or different way?
-and of course the obvious question is how?
Any opinion given is worthy of respect.
11-16-2022 04:51 AM
What is "the automation system" for you? Windows is not an automation system, and it usually doesn't run on what's commonly understood as an automation system, such as a PLC.
Next, if the app is created on Windows, you must use Windows on that automation system or you gotta have a really good emulator.
11-16-2022 06:57 AM
If your automation system breaks, will it be dangerous to people or property?
Windows can be made somewhat safe-ish, but that is something that should be done by a Windows specialist. You don't want your freight crane to decide it's update-nap-time on its own in the middle of the work day.
11-16-2022 12:23 PM
Safety concerns aside, which you should definitely not dismiss but investigate very thoroughly, there are actually ways to make Windows start up any executable on launch instead of explorer.exe. How much control this program will give to the user is then mainly defined by that program alone.
This key defines what Windows will start up after the current user logs on:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
By adding such a key to the HKEY_LOCAL_MACHINE hive too, you can overwrite what any user will see when logging on unless there is a specific key in his user account.
It's a good idea to have at least one user with admin rights on the system that simply starts up the explorer.exe file. This will let you get into the machine and do some maintenance even if you brick the other accounts.
But Ctrl-Del is not so easy to get blocked; that needs some specific Windows API calls, and you really can lock out a system with these things so that it is very hard to get into it for maintenance and such anymore.
11-16-2022 02:20 PM
@constructionworker wrote:
Hello everyone.
I'd like to ask a question about a topic that doesn't have many forum posts on it.
I'm planning to use an application created with LabVIEW in the automation system. I don't want any applications other than this one to run. The reason for this is that I want to get rid of the extra CPU load and prevent the user from playing with Windows settings.
-What is the probability of this being done?
-Which is the most suitable operating system for this (the application was created on Windows 10)?
-It can use kiosk mode, and it looks like it can be done with Windows 10 IoT Enterprise. But is there a better or different way?
-and of course the obvious question is how?
Any opinion given is worthy of respect.
There are plenty of ways to "lock down" Windows so end users can't mess with things; talk to your IT department or Google it.
11-17-2022 02:59 AM - edited 11-17-2022 03:01 AM
Thanks to everyone for their answers.
MaSta wrote:
What is "the automation system" for you? Windows is not an automation system, and it usually doesn't run on what's commonly understood as an automation system, such as a PLC.
Next, if the app is created on Windows, you must use Windows on that automation system or you gotta have a really good emulator.
As I said, the application was created on Windows 10, and it is an application that controls the automation system. It is the basic software that controls the PLC and similar components. Yes, basically there is an emulator problem right now.
llindenbauer wrote:
If your automation system breaks, will it be dangerous to people or property?
Windows can be made somewhat safe-ish, but that is something that should be done by a Windows specialist. You don't want your freight crane to decide it's update-nap-time on its own in the middle of the work day.
Yes it can be a big problem if the automation system breaks down.
Most importantly, Windows applications running in the background should not be running. For example Edge, Internet Explorer, Paint, notifications, etc.
rolfk wrote:
Safety concerns aside, which you should definitely not dismiss but investigate very thoroughly, there are actually ways to make Windows start up any executable on launch instead of explorer.exe. How much control this program will give to the user is then mainly defined by that program alone.
This key defines what Windows will start up after the current user logs on:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
By adding such a key to the HKEY_LOCAL_MACHINE hive too, you can overwrite what any user will see when logging on unless there is a specific key in his user account.
It's a good idea to have at least one user with admin rights on the system that simply starts up the explorer.exe file. This will let you get into the machine and do some maintenance even if you brick the other accounts.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "\"c:\Program Files (x86)\myapp\myapp.exe\""
I assume you are talking about a command like this, right? I think you're talking about a shell change here. What exactly are the advantages and disadvantages of this? What is the impact on performance?
But Ctrl-Del is not so easy to get blocked; that needs some specific Windows API calls, and you really can lock out a system with these things so that it is very hard to get into it for maintenance and such anymore.
Since I do not connect a keyboard to the computer, it may not be such a problem.
-------------------------------------------------------------------------------------------------------------
I have already set the application to run in full screen programmatically. When the application runs, the Windows taskbar is not visible; the application runs in full screen. If it works in full screen and the keyboard is not connected, it is probably not possible for the user to do anything.
Actually, my goal here is to put an end to unnecessary background applications and feedback that affect the performance of the computer, and I only want the application I created to run directly. Also, nothing reminding of Windows should appear. Because in this way, the user will not realize that he is using the Windows system, and there will be no need for tampering 🙂
@RTSLVU wrote:
There are plenty of ways to "lock down" Windows so end users can't mess with things; talk to your IT department or Google it.
Can you give some examples for this?
/////
Does anyone have information about the use of LabVIEW for Windows 10 IoT Enterprise?
11-17-2022 03:34 AM - edited 11-17-2022 03:37 AM
Whether you add that key to HKLM, HKCU or any other specific user's registry hive will determine when this change happens.
Basically, the executable defined here will be started by the Windows logon shell as soon as a user logs on to the system. And this program gets control of everything. If this is not defined or points to an invalid executable, the logon shell will fall back to starting up explorer.exe.
And if explorer.exe is not started, any shortcuts and other things explorer normally intercepts and acts on will simply not be handled, unless your program handles them. Ctrl-Alt-Del, however, is not an explorer shortcut but is handled deep down in the Windows kernel together with one or two other similar shortcuts. So it will still be available, but if you have no keyboard you should be fine with these. However, you definitely should plan some way to get out of this somewhere. The few times I locked down a machine like this (based on requirements from the client), I always had a password-secured button somewhere that would allow entering a special screen where one could have the registry key reset to its default value as well as launch Task Manager and/or Explorer.
And I know of at least one case where the customer eventually required this to be completely disabled, as they found it too cumbersome to maintain their PCs since they were really locked out from anything, as I had also disabled Ctrl-Alt-Del (on their request in the requirements specification). A typical case of think not only twice but at least three times about what you wish for when writing a software requirements specification. 😁
Needless to say, testing that application was a real PITA, even with secret application shortcuts to enable and disable that security lockout.
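As an added example (not code from this thread, from NI, or from any lockdown tool), here is a PowerShell version of the Winlogon\Shell replacement rolfk describes in both of his posts: it writes the per-user Shell value for a dedicated kiosk account rather than the machine-wide one, checks the executable exists first (an invalid path silently falls back to explorer.exe), keeps a backup of the previous value, and refuses to proceed if the HKLM default has already been replaced, so at least one account always keeps a normal desktop for maintenance. The application path is a placeholder, and the script is assumed to run as the kiosk user.

```powershell
# Assumed to run as the kiosk user, so HKCU is that user's hive.
$WinlogonKey = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$MachineKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$KioskExe    = 'C:\Program Files (x86)\myapp\myapp.exe'   # placeholder path
$BackupFile  = Join-Path $env:ProgramData 'kiosk-shell-backup.txt'

function Assert-MaintenancePath {
    # Do not lock down this user if the machine-wide default shell has already
    # been replaced: then no account would get an ordinary desktop any more.
    $default = (Get-ItemProperty -Path $MachineKey -Name Shell).Shell
    if ($default -ne 'explorer.exe') {
        throw "Machine default shell is '$default', not explorer.exe; restore HKLM first"
    }
}

function Set-KioskShell {
    param([Parameter(Mandatory)][string]$ExePath)
    # A missing executable makes Winlogon fall back to explorer.exe, so the
    # lockdown would silently not apply. Fail loudly instead.
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
        throw "Shell executable not found: $ExePath"
    }
    # Record the previous per-user value (or '<none>') so it can be restored.
    $previous = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $previous) { $previous = '<none>' }
    Set-Content -Path $BackupFile -Value $previous
    # The path contains spaces, so store it quoted.
    New-Item -Path $WinlogonKey -Force | Out-Null
    New-ItemProperty -Path $WinlogonKey -Name Shell -PropertyType String `
        -Value ('"{0}"' -f $ExePath) -Force | Out-Null
}

function Restore-DefaultShell {
    # Removing the per-user value returns this account to the machine default.
    Remove-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue
}

function Get-EffectiveShell {
    # Reports what Winlogon will start for this user at the next logon.
    $user = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($user) { return $user }
    return (Get-ItemProperty -Path $MachineKey -Name Shell).Shell
}

Assert-MaintenancePath
Set-KioskShell -ExePath $KioskExe
Write-Host "Shell for $env:USERNAME at next logon: $(Get-EffectiveShell)"
```

Run Restore-DefaultShell from the same account (or from the maintenance screen rolfk mentions) to undo the change; the maintenance admin account is untouched because only HKCU of the kiosk user was written.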
11-17-2022 04:08 AM
How did you disable Ctrl-Alt-Del if it is hidden deep down in the Windows kernel?
11-17-2022 04:21 AM - edited 11-17-2022 04:28 AM
@constructionworker wrote:
Most importantly, Windows applications running in the background should not be running. For example Edge, Internet Explorer, Paint, notifications, etc.
I would disagree that these are the most important problems, but they are indicative of an underlying issue: Windows is optimized for consumers. Getting it from "consumer grade" to "industrial grade" requires intimate knowledge about Windows itself.
You say your device is critical, which is a good starting point. Do you have a threat model? What happens when your users want to stop the freight train, but they only see this: https://devrant.com/rants/368655/i-just-wanted-some-water? I get that you probably just want to get this done, but there are no shortcuts to a secure system. You will have to weigh the risks and ask yourself who will be responsible in case of failure.
If you want to go ahead with this: When you use the correct search terms, you will note that the Microsoft documentation on this is quite extensive. What you are trying to do is called "Kiosk Mode": https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/kiosk-mode/kiosk-mode and "Device Lockdown": https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/iot-ent-device-lockdown-featu...
"Shell replacement" will help you get rid of most of the things that you describe (not all of them, though). There are "device lockdown tools" that will help you to set these things on Windows and they are very easy to find using a simple web search. You can also find very useful information in system-administration-related forums, e.g.: https://stackoverflow.com/search?q=windows+shell+replacement
11-17-2022 04:26 AM - edited 11-17-2022 04:27 AM
@bienieck wrote:
How did you disable Ctrl-Alt-Del if it is hidden deep down in the Windows kernel?
Windows offers a "Keyboard Filter": https://learn.microsoft.com/en-us/windows-hardware/customize/enterprise/keyboardfilter
(Most lockdown tools do, too - they just help you set the registry keys)