akeel

Reputation: 153

How can I restrict access to certain programs in Windows?

I am creating time management software in C#. How can I ensure that when somebody has not entered time records for the previous day, access to the system is restricted when he/she logs on to Windows?

E.g. block the Internet or block the PC

Upvotes: 0

Views: 2069

Answers (2)

Mitch

Reputation: 22291

There are multiple ways you could cause reduced functionality, with varying levels of complexity and functionality.

The Proxy

The easiest "clean" solution, in my opinion, would be to write a service which runs on the local computer, and functions as an HTTP proxy. Local browsers get configured to use the proxy, and at your behest, you return a static page saying that the user should enter punches to continue.

The user may be able to bypass the proxy by reconfiguring proxy settings, or using a browser other than system default. Both of these problems can be overcome by most IT departments through Group Policy.

Related: Open Source Proxy Library for .Net

Complexity: moderate     Risk: moderate     Eww factor: low     Efficacy: moderate

Solitary confinement

In much the same way as a screensaver, you can create a secondary desktop and show your own window on the isolated desktop. Once you have collected the information you require, switch back to the default desktop, and destroy the one you created.

Related: Desktop Switching - CodeProject, Defrag Tools - Desktops

Complexity: moderate     Risk: low     Eww factor: low     Efficacy: high

No, no, cannot have

If we are going for ease of implementation, perhaps the simplest thing to do would be to simply send WM_CLOSE to any new process we don't like which opens. You can use the WindowOpenedEvent to examine new windows, then call Process.CloseMainWindow if you find it to be a process which you don't like.

The user, meanwhile, can get around by just reading really quick, or by preventing window messages from pumping via opening a modal dialog or otherwise. If the application you don't like asks the user if they want to close, this approach is somewhat neutered.

Complexity: low     Risk: moderate     Eww factor: high     Efficacy: low

Replacement Shell

If you specify an alternate value for the REG_SZ named Shell located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, you can cause your program to run in lieu of explorer. You can then check whether the user has been naughty or nice, and then conditionally start explorer.

The user can still bypass your application by starting explorer himself using Task Manager or otherwise.

Complexity: low     Risk: high     Eww factor: moderate     Efficacy: moderate

SRP or AppLocker

Group policy provides two methods for restricting what software gets run on a PC: Software Restriction Policies and AppLocker. Both have their merits and are both very different in what they seek to control. You could programmatically create policies for either using the HKCU\Software\Policies key by examining the admx files, or by using established APIs.

Group policy is only effective after a refresh occurs, which is typically at logon, so after the state is cleared, you would have to log off.

Related: How to modify local group policy setting programatically

Complexity: moderate     Risk: high     Eww factor: high     Efficacy: high

The Log-in UI

You could use a custom login UI to prevent the user from ever even logging in if their hours are not submitted. This seems a bit heavy handed, but hey, that's your prerogative. GINA got replaced in Vista with a new architecture, but there is an excellent sample available on MSDN. You would be working in unmanaged code for this one.

If the user can log in via another means (biometric or smartcard, for example), they may not see your dialog.

Complexity: high     Risk: low     Eww factor: low     Efficacy: high

Active Directory

If you are working in a domain, you could also just disable the user's account via ADSI or LDAP. However, doing so may not be reversible in a reasonable time schedule, and in many installations would be highly inadvisable due to integrations with other systems (door access controllers come to mind... no timecard = no access to building).

Furthermore, due to propagation delays in larger domains, any change may take minutes or hours until the user is affected.

Complexity: low     Risk: high     Eww factor: high     Efficacy: low

Upvotes: 3
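
The "No, no, cannot have" approach from the answer above, as an added example that is not code from the answer. The block list and the RecordsMissing() lookup are hypothetical placeholders, and the project is assumed to reference UIAutomationClient and UIAutomationTypes.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Windows.Automation;

static class WindowGate
{
    // Hypothetical block list: process names without the ".exe" suffix.
    static readonly HashSet<string> Blocked =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "iexplore", "chrome", "firefox" };

    // Hypothetical stand-in for the real time-record lookup.
    static bool RecordsMissing() => true;

    static void Main()
    {
        // Raised whenever a new top-level window appears on the desktop.
        Automation.AddAutomationEventHandler(
            WindowPattern.WindowOpenedEvent,
            AutomationElement.RootElement,
            TreeScope.Children,
            OnWindowOpened);

        Console.WriteLine("Watching for new windows; press Enter to stop.");
        Console.ReadLine();
        Automation.RemoveAllEventHandlers();
    }

    static void OnWindowOpened(object sender, AutomationEventArgs e)
    {
        if (!RecordsMissing()) return;
        try
        {
            var element = (AutomationElement)sender;
            int pid = element.Current.ProcessId;
            using (Process p = Process.GetProcessById(pid))
            {
                if (!Blocked.Contains(p.ProcessName)) return;
                // Posts WM_CLOSE to the main window; the target may prompt or ignore it.
                bool sent = p.CloseMainWindow();
                Console.WriteLine($"{p.ProcessName} ({pid}): close request sent = {sent}");
            }
        }
        catch (ElementNotAvailableException) { /* window vanished before inspection */ }
        catch (ArgumentException) { /* process already exited */ }
        catch (InvalidOperationException) { /* process exited or has no main window */ }
    }
}
```

A false return from CloseMainWindow, or a window that stays open after a true return, is the bypass the answer describes, so logging the result shows how often the close request is not honoured.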

vesuvious

Reputation: 2753

If you are on a domain using Active Directory you could lock their account which would keep them from being able to log into the computer.

Upvotes: 0
