| Date: | September 14, 2005 / year-entry #263 |
| Tags: | other |
| Orig Link: | https://blogs.msdn.microsoft.com/oldnewthing/20050914-16/?p=34203 |
| Comments: | 39 |
| Summary: | Most people who care about such things know that you can press Ctrl+Alt+Del twice from the Welcome screen and sometimes you will get a classic logon dialog. (Note: "Sometimes". It works only if the last operation was a restart or log-off, for complicated reasons that are irrelevant to this discussion.) The ability to do the... |
Most people who care about such things know that you can press Ctrl+Alt+Del twice from the Welcome screen and sometimes you will get a classic logon dialog. (Note: "Sometimes". It works only if the last operation was a restart or log-off, for complicated reasons that are irrelevant to this discussion.) The ability to do the double-Ctrl+Alt+Del was added as a fallback just in case there turned out to be some important logon scenario that the new Welcome screen failed to cover, but which the designers had failed to take into account by simple oversight. Scenarios such as smartcard or fingerprint logon. In other words, it's a kludge. In the time since Windows XP came out, the logon folks have kept an eye out to see if there indeed were any scenarios that weren't covered by the Welcome screen. I think the only one that came up was Kerberos authentication. Now that (once they fix the Kerberos problem) they have covered all the bases, the designers are probably going to feel more confident about the new logon design, and the double-Ctrl+Alt+Del panic button will likely be removed. So don't get too attached to it. This is why the Welcome screen shows that Administrator account if there are no other members of the Administrators group on the system: If it didn't show the Administrator account, you would be locked out of your own computer. "No I'm not. I can use the double-Ctrl+Alt+Del trick to log on as the Administrator." Well, okay, that works today, but you're relying on a panic button that might not be there tomorrow. [Raymond is currently away; this message was pre-recorded.] |
Comments (39)
Comments are closed. |
It’s a handy feature for bailing out less able users who’ve forgotten their passwords and not made a recovery disk, though. I’d keep it (or an alternate, less kludgy method) for those sorts of scenarios.
As an example, how about an option on the F8 startup menu
Raymond, so they’ve also made the Administrator account appear on the Welcome screen? If not, then there is indeed a situation that is not covered by the Welcome screen, logging on using the Administrator account.
I agree with Matt. I’ve seen cases where the only listed username was a service account with an unknown password. The end-user was devastated that their admin account had been removed.
To be honest, I think the whole Welcome screen is questionable, but I’m known to be a luddite… :-)
(Note: "Sometimes". It works only if the last operation was a restart or log-off, for complicated reasons that are irrelevant to this discussion.)
You can’t say that! We must know why it only works after restart or log-off! The world will end if the geeks don’t find out. :)
What Raymond said was that the Administrator shows on the welcome screen ONLY IF THERE IS NO OTHER MEMBER OF THE ADMINS GROUP ON THE SYSTEM. The problem with this is .. what if the profile of the one admin on the system is screwed? I always try to have 2 admin accounts on the system for cases such as this. One account (typically "administrator") is only ever used for maintenance. Since this acccount does not show on the Welcome screen, the only way to log in as that account is the double Ctrl+Alt+Del. Now what?
Safe Mode allows ‘Administrator’ to login. You can always use that.
As I understand it, CAD is an intentional feature before login because nobody can code a "false login prompt" application that responds to CAD.
How does this work with Welcome screen? Someone could create a false login screen and capture passwords. How can this be prevented?
Getting rid of the classic login screen makes no sense to me.
Suppose I have two accounts in the Administrators group, then the "Administrator" account is not shown. How can I log in as "Administrator" if I want to?
Isn’t security a concern here? I just cannot see the Welcome screen be the ONLY login screen.
The best way to secure an ID/Password combination (assuming nothing else like smart cards), is to force the hacker to know BOTH the ID and the Password. By using the Welcome screen, the hacker already knows half of the information needed to compromise the system.
I could see using only the Welcome screen in the Home editions of Windows, but to me it just does not make sense in the work environment where security is always a priority. That is why there is a group policy setting to disable showing the previous user id when using the standard CTRL+ALT+DELETE login screen (which I have no idea why it isn’t enabled by default… what happened to secure out of the box?).
What was wrong with the old login screen for corporate users?
I don’t see what’s wrong with the current system. The double Ctrl-Alt-Del is obscure enough that I doubt any regular user ever ends up accidently triggering the old login screen.
The ability to hide administrative or maintenance acounts from the login screen is helpful in keeping it clean. Having too many accounts listed there will cause it to scroll which looks horrible and confuses people.
Finally and unfortunately there are scenarios where a "Run as" won’t do the trick and you have to login as Administrator or an administrative account to perform certain actions.
I assume the classic login screen will remain because it’s the only easy way to do a network login so I really don’t understand the argument for getting rid of the ‘panic’ option.
We have an XP machine set up at my church (not in a domain environment; they only have 4 machines) that uses the welcome screen. There are two users: one for the secretary (an administrator account, because otherwise some program that she uses doesn’t work — and no, I don’t remember which one), and one (non-admin) for various people to put each week’s offerings into the accounting database.
The way we do backups (basically, we set up a scheduled task to xcopy the data files to a different directory on the hard drive, and then to a zip disk) requires that Administrator be logged in. Just the secretary logging in does not work; it MUST be Administrator. (If Administrator isn’t logged in, the scheduled tasks management program shows some 0x8XXXXXXX error code that I don’t remember right now whenever it tries to launch the task.)
Every time the machine needs to be rebooted, we need to go in and manually log in Administrator (nobody that works there knows the password for that account), then do a Switch User so the other accounts can be used.
So you’re telling me that we’re using a feature that may be removed? That’s unacceptable: we can’t make the secretary’s account a non-admin, and the xcopy task doesn’t even start unless Administrator is logged in. I suppose we could turn off the welcome screen, and people would be required to remember a username and password (instead of just their password), although I’m not sure how some of the technophobes there would deal with it. (The secretary probably wouldn’t have any issues, but some of the other people might.)
Kludge or not, why not just leave it? What is it hurting? Just because it’s not documented doesn’t mean people aren’t relying on it.
Bryan, I’m sorry, but relying on user switching to get a task to work is already a kludge. You should figure out why it’s not working, and then deal with it properly.
Personally, I think the double ctrl+alt+del should stay. It’s a pretty major convenience feature. It’s not technically necessary, but it simplifies things. Say the "extra" admin account gets corrupted, or that admin disappears, forgets the password, etc; Now you have to reboot in safe mode, log in as Administrator, turn on the classic login screen, and then reboot again to log in as Administratorn in non-safe mode. It’s a lot of hassle when you could just hit ctrl+alt+del twice and log in as Administrator.
Note that in Vista you can modify the logon username from the Welcome Screen. Just click on the name and type in "Administrator" and the password and you’re in. [At least I know this works when you’re in a Domain. I haven’t tried it without.]
As I noted in the article, all the bases have to be covered before the double-Ctrl+Alt+Del kludge is removed. As AC pointed out, Windows Vista just integrates the classic dialog into the Welcome screen.
Maybe the security team should peruse the newsgroups and find all the people who have NO USERS listed on the welcome screen.
Using google (and MS just recently purged their site of the phrase "google is your friend") at http://groups.google.com.au/groups?as_q=blank&num=100&scoring=r&hl=en&as_epq=welcome+screen&as_oq=&as_eq=&as_ugroup=microsoft.public.windowsxp.*&as_usubject=&as_uauthors=&lr=lang_en&as_drrb=q&as_qdr=&as_mind=1&as_minm=1&as_miny=1981&as_maxd=15&as_maxm=9&as_maxy=2005&safe=off
gives
Results 1 – 100 of 1,820 for blank "welcome screen" group:microsoft.public.windowsxp.*
I’m sure some people haven’t used blank so the figure would be higher.
In small businesses (without a domain controller) it’s a great feature. I set up the machine user as a regular user. Then (horrors) edit the registry to set administrator as a special login so it doesn’t appear. This way the machine owner only has one login visible on the screen and less confusion. Also, it doesn’t rub it in their face that they are not an administrator. When I need to do something requiring admin privs I just double-alt-del. It keeps the login screen from being confusing or cluttered.
Please keep a feature like this.
Wow. I remember putting this feature in all that time ago and I didn’t think that it would ever be used in these scenarios. How funny to read this. The only debated scenario at the time was Kerberos logon which the welcome screen was unable to handle.
The reason the scheduled task does not run I suspect is because it’s looking for the user to be logged on to an interactive session (terminal server session). If you log on the administrator account on the machine and switch out from it the scheduled task should run under that account on the interactive desktop (WinSta0default) in that user session for that account. I cannot verify this information as I have long since forgotten the restrictions for user logon in XP and do not have access to Windows. Unfortunately I believe the administrator account will show up as a logged on user on the welcome screen.
What about when you’re writing your own custom Welcome screen and there’s a bug in it? It’s handy to be able to hit the panic button and get back in anyway.
Find out whoever proposed removing this, and hurt them. A lot.
8nnnnnnn codes are com errors and come from TS. If XCopy returned an error it will be in ST log (look on advanced menu). As they were last Documented in Dos 6 here they are
XCOPY exit codes
The following list shows each exit code and a brief description of its
meaning:
0
Files were copied without error.
1
No files were found to copy.
2
The user pressed CTRL+C to terminate XCOPY.
4
Initialization error occurred. There is not enough memory or disk space,
or you entered an invalid drive name or invalid syntax on the command
line.
5
Disk write error occurred.
But the log and error number will tell more. Here’s a little post I made yesterday
So
8nnnnnnn
means Error
0nnnnnnn
means sucess
8nn7nnnn
is Win 32 error codes. Type
net helpmsg <last 4 digits in decimal not hex>
8nn4nnnn
is programmer defined error codes
8nn3nnnn
these are file errors (Istream et al).
if nnnn < 256 = Dos error code –
I’m not sure exactly what is a dos error code. Disk functions return different codes to general dos errors.
HOLY CRAP!
James Moore is absolutely right!
At least in Windows XP you can revert to classic logon AND require CAD before the login prompt AND make CAD open the "windows security window" (in a secure window station) instead of task-manager.
The right thing to do!, since NT 3.1.
I hope that the security-guys will not alow the cool-3D-usability-fags ;] to remove this feature in Windows Vista.
If Administrator logs in and then does a partial logoff (choosing fast user switching instead of full logoff) then the Administrator account will be visible in the Welcome screen. If the Administrator didn’t do that before some other user chooses fast user switching then the Administrator account will not be visible in the Welcome screen.
And exactly as Mr. Chen said, this occurence of the Welcome screen is not one of the "sometimes" where double Ctrl+Alt+Del will work. So if Administrator wasn’t already logged in, there’s no way to get to Administrator.
There’s also no way to get a second login session for the user who was already logged in but who chose fast user switching. If you click the name of the user who was already logged in, you get restored to the same old session.
So when you need a second login session with administrative privileges, there’s no way to get it, unless you predicted in advance that the Windows shell was going to break today and you logged in as Administrator and switched out before starting today’s work.
By the way, when the Windows shell breaks, sometimes you can still get to the welcome screen (might take 20 minutes to get there) and then a new login session works. You might still be able to save whatever data you wanted to save before shutting down the machine. But when the new login session can’t be Administrator, you get screwed.
It may already be a kludge, but the fact remains that xcopy won’t start without it.
As for figuring out why it’s not working — I tried that, but the extreme lack of information provided by the scheduled tasks UI (was that 0x8whatever error code an exit status from xcopy itself? was it the return value of an API call that task scheduler made? if so, which API call? was it related to COM? if so, which interface and function? basically, what the heck is *going on*?) didn’t help one bit. After a week of searching for *anyone* else having the same problem (and coming up dry), I just had them revert to using fast user switching — kludge or no, it has the advantage of getting the backups created.
Maybe we should just call PSS — but then, that’s $245 or whatever, too. If we can talk to anyone that won’t just tell us to reinstall, or to "try to reproduce the problem with the Northwind database, after creating an exact duplicate of your replication topology" (which is, BTW, an actual response we’ve received here at work from PSS when trying to troubleshoot a mission-critical Jet replication problem with the developer support people), otherwise that won’t even help.
*shrug*
I always considered a new welcome screen as a kludge. (Don’t know what Vista does in these scenarios though)
1) If you log failed login attempts, you’ll have at least one failed attempt for each successful login. I know why, we don’t need to reiterate, but it’s such a lame excuse.
2) When there is some small text by the user name (like number of unread messages), clicking on it will not let you log in. No, it will display something stupid in some kind of popup. That’s against all good usability rules, but certainly designed by some brain damaged web designer. What bothers me is that this design was officially accepted. What’s next? Ads and banners on welcome screen? Boy, these will never be missed.
3) When we’re at it, I don’t want to see the number of unread messages on the welcome screen anyway. It is a kind of leaking the unnecessary information. For example, why should my girlfriend know, when she wants to use the computer, that I’ve got a new e-mail?
Does anybody know if any of these is fixed in Vista?
Thanks to Dr. Tan and David Candy re: the xcopy stuff — I’ll have to take another look at it sometime, and get the real error code.
You are right that Administrator shows up on the welcome screen after I do a "fast user switch" away from the session. But this isn’t too big of a problem, because nobody knows the password for that account anyway, and it does ask before bringing the session back up.
Anyway, again, thanks!
AC: The event log for failed logins was explicitly noted as one of the things that had to be fixed.
http://blogs.msdn.com/oldnewthing/archive/2003/11/21/55799.aspx
I’m away from an XP machine so I don’t know about the popup text, but as I recall it’s a "What’s this?" type of popup. You click on your picture to log in.
If you don’t want to see the number of unread messages, you can turn it off. The purpose of that was to save you the trouble of logging on to check whether you have any new messages.
Raymond mentioned that it’s possible to disable the "new mail" message on the welcome screen. So I’ve just opened msn search, typed "welcome screen new mail" and saw… nothing interesting. Switched to Google. I’ve typed the same, and immediately received (I feel lucky)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q304148
where Microsoft nicely writes: "You cannot disable this feature in the user interface, nor can you configure the Welcome screen to populate the unread message count from only a particular e-mail program. For example, you might not want your e-mail messages from UserID@hotmail.com displayed on the Welcome screen. To work around this behavior, you can set the permissions on the following registry key to read-only for the System account."
Once again — major failure.
How about "Disable uninformational popups in the welcome screen" secret registry key hidden in the next XP fix?
The second worth the effort would be "Show no messages about mail in for all users on Welcome screen". As I understand, now it’s impossible to disable it by default, only each time the new account is created. Kluuudge.
I’m sorry the knowledge base failed you. It’s a setting in Tweak UI.
Don’t you *have* to log in (and run your email client) to update the unread messages number on the welcome screen?
If I click on the name, I log in. Very near by the name is the underlined text, e.g. "2 programs running", or "2 unread mail messages". Now I want to log in and read these e-mail messages. I click. Oh no, I clicked on the underlined text, right under the name, and not on the name! And the thing doesn’t let me log in. It displays a popup. It says: "AC has 2 unread mail messages". And it stays there. Wow. Well that’s a new information, well worth the freaking popup. Definitely worth preventing me to log in? Actually it’s worse, there’s one line more, with the exact name of the e-mail account on which the message arrived. In Vista I expect there my credit card number too, just for a good measure.
OK, what’s about the second? If I click on the "2 programs running" it says "AC has 2 programs running. Running to many programs is not good for your computer. It can make it slower. If you noticed that something is slower, try running less programs." Hello? Two programs! Using 50 MB on the 1 GB machine, and 0% CPU. And the popup on the welcome screen is really the best place to give me that lecture. In Vista, it will probably show more clever tips like "if you save to much to your hard disk it will become fuller. Try to learn to save less to your hard disk. When some program asks you ‘Do you want to save?’ answer ‘no’." Etc.
As it is now, it’s still a major design failure, most probably invented by some lame web designer. I really hope that somebody from Vista team will read this and start to *think*.
I would consider many of the items in TweakUI to be undocumented registry hacks. I know you worked on it (and it’s the second or third thing I install when I build a machine) – but it is also explicitly unsupported
A lot of the items in TweakUI really ought to be in one or another control-panel applet (this one in the Users one).
Which brings me to another point – if I have "Prevent application from stealign focus" set – how come I can still lose focus to other apps? I’ve had some small Bad Things happen because of this…
Administrator should be shown even is some has admin priv on the account. The person with admin priv may not be available when someone that needs to use the admin account.
Ive always wondered how the XP tablet pc users would be able to ctrl +alt +del with the slate vresion of the tablet :P
(Note: "Sometimes". It works only if the last operation was a restart or log-off, for complicated reasons that are irrelevant to this discussion.)
Does anybody know some details about this "complicated reasons"? I am interested in them but can’t find any related information :-(
It’s Windows… what do you expect? Windows has been creating back-door features forever just no1 has noticed it..
The Windows Tidbit For the Day
PingBack from http://codescrub.com/ctrlaltdel-twice