Monday, September 12, 2011

Launch IE Window at Windows Login Prompt

If your in need to launch an Internet Explorer window (or pretty much any process) at the Windows login prompt (before any user logs in) here's a solution that I've helped implement and it's working great.

On Windows XP
Displaying an IE window at the login prompt in Windows XP is relatively easy. A simple VBscript run as a startup script is all that is needed.

Set objExplorer = CreateObject("InternetExplorer.Application")
Set WshShell = Wscript.CreateObject("WScript.Shell")
objExplorer.Navigate "http://yourintranetsite.com/"
objExplorer.Visible = true
objExplorer.ToolBar = false
objExplorer.MenuBar = false
objExplorer.StatusBar = false
objExplorer.AddressBar = false
objExplorer.Width = 340
objExplorer.Height = 560
objExplorer.Left = 0
objExplorer.Top = 0
objExplorer.Resizable = false
Wshshell.AppActivate ("Welcome to Windows")

The above VBscript will open an IE window, remove the toolbar, menu bar, status bar, and address bar, set the size of the window, and position it in the top left corner of the screen. The final line of the script, switches the "active window" back to the login prompt so that users are able to start typing without having to click in the username box. This script can be easily set to run on startup using Group Policy (Computer Configuration > Policies > Windows Settings > Scripts > Startup). For computers not in a domain, local group policy can be used to set this script as a startup item (see http://support.microsoft.com/kb/307882).

On Windows 7
Starting with Windows Vista, Microsoft has implemented the use of different user sessions in order to increase security, and this makes it a bit more difficult to launch an IE session at the login screen. Thus if you used the same process as explained above for Windows XP, the script would run, launching the IE window, but you wouldn't be able to see it because it would be running in the wrong user session. Through some research and a little luck I found that the SysInternal's tool, PsExec.exe (which I've used for years), provides a "-x" parameter that "displays the UI on the winlogon desktop." Again, as simple VBscript is used to launch the IE window in Windows 7, but the VBscript needs to be run by PsExec.exe with the "-x" parameter to make the IE window visible at the login screen.

Set objExplorer = CreateObject("InternetExplorer.Application")
objExplorer.Navigate "http://yourintranetsite.com/"
objExplorer.Visible = true
objExplorer.ToolBar = false
objExplorer.MenuBar = false
objExplorer.StatusBar = false
objExplorer.AddressBar = false
objExplorer.Width = 340
objExplorer.Height = 560
objExplorer.Left = 0
objExplorer.Top = 0

The above VBscript is the same as the XP script, minus the two lines specific for XP. In a domain environment, this can be easily set to run on startup using Group Policy (Computer Configuration > Policies > Windows Settings > Scripts > Startup) but instead of specifying the VBscript to be run, specify PsExec.exe to be run with the following parameters:
-x cscript.exe //nologo "\\<domain>\sysvol\<domain>\Policies\<policyguid>\Machine\Scripts\Startup\<scriptname>.vbs"
Note that the VBscript and the PsExec.exe files must be present in the correct directory for the GPO your using to apply this startup item. By default PsExec.exe requests for it's EULA to be accepted before it runs, which you would not want to pop up when applying this via GP to tens, hundreds, thousands of machines; so the solution to this is to apply the following registry value:
"HKEY_USERS\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted" set to "1"
This eliminates PsExec's EULA prompt on startup. For computers not in a domain, local group policy can be used in a similar fashion to launch the IE window on startup (see http://technet.microsoft.com/en-us/library/cc731745.aspx).

Hopefully this information comes in handy for someone...
Justin

4 comments:

  1. we are trying to run some digital signage software in front of the login screen to prevent users from tampering with the computer? how could you do this with an application?

    ReplyDelete
  2. I would assume you could use the PsExec.exe command same as my example above, except specify the application instead of the script.
    Possibly something like this: PsExec.exe -x "\\full\path\to\application.exe"
    You would have to test it, but I don't see why it wouldn't work.

    ReplyDelete
  3. Is there anyway to add a button on the log on screen to call this?

    Thanks

    ReplyDelete
  4. My guess is a "Custom Credential Provider" is what you would need to add some sort of button to the Windows 7 login screen. Something like this: http://blogs.technet.com/b/aho/archive/2009/11/15/custom-credential-provider-for-password-reset.aspx

    ReplyDelete