Windows Kiosk Mode Alternative: Restrict User Accounts and Keep Apps Running
Last update: 11-21-2024
Windows provides a built-in kiosk mode, a feature designed to restrict user accounts to running a single application. This is especially useful in environments like public terminals, training systems, or kiosks where users should interact with only one app. However, there’s a significant limitation: kiosk mode only supports UWP (Universal Windows Platform) applications.
For those using standard .exe applications, kiosk mode isn’t an option. This blog post presents an alternative solution that works for any executable, allowing you to restrict a user account and ensure your app stays running. Here’s how you can achieve a similar result step by step.
Step 1: Create a new user account
This is an account for the new, restricted user.
- Open Computer Management:
  - Right-click on the Windows Start icon and select Computer Management.
  - In the left-hand menu, expand System Tools and then Local Users and Groups.
  - Right-click on Users and select New User.
- Set up the new account:
  - Provide a username and password for the account.
  - Optionally, uncheck User must change password at next logon to simplify the process.
  - Click Create to finalize the account.
- Log in with the new account:
  - Log out from your current account and log in to Windows using the newly created account.
Step 2: Create a Keep-Alive Script
- Create a folder and script:
  - Create a new folder (e.g., C:\keepalive).
  - Inside the folder, create a file named keepalive.ps1 with the following content:

        # Define the name of the program to monitor (without the .exe extension)
        $programName = "ExampleApp"  # Change to your program's name

        # Define the full path to the executable
        $programPath = "C:\path\to\app\ExampleApp.exe"

        while ($true) {
            try {
                # Check if the program is running
                $process = Get-Process -Name $programName -ErrorAction SilentlyContinue
                if (-not $process) {
                    # Not running: start it again
                    Start-Process -FilePath $programPath
                }
            } catch {}

            # Wait a few seconds before checking again. The wait sits outside
            # the try block so a failed launch cannot turn this into a busy loop.
            Start-Sleep -Seconds 5
        }

- Update program details:
  - Replace ExampleApp in $programName with your app’s executable name (excluding .exe).
  - Replace C:\path\to\app\ExampleApp.exe with the full path to your app.
Step 3: Convert the Script to an Executable
- Set Execution Policy: Open PowerShell as Administrator and run:

      Set-ExecutionPolicy Unrestricted

- Install the ps2exe Module: Use the following command to install the required module:

      Install-Module -Name ps2exe -RequiredVersion 1.0.13

- Convert the Script: Run this command to convert the PowerShell script into an executable:

      ps2exe .\keepalive.ps1 -noConsole keeper.exe

- Revert execution policy: After converting the script to an executable, prevent scripts from running:

      Set-ExecutionPolicy restricted

Step 4: Restrict the User Account
- Switch to Admin Account: Log in to an administrator account.
- Open MMC:
  - Press Win + R, type mmc, and press Enter.
  - Go to File > Add/Remove Snap-in.
  - Select Group Policy Object Editor and click Add.
- Target the User Account:
  - In the wizard, click Browse, switch to the Users tab, select the user account to restrict, and click Finish.
- Apply Restrictions:
  - Disable Task Manager:
    - Navigate to Administrative Templates > System.
    - Enable Don’t run specified Windows applications, and add taskmgr.exe to the list.
  - Restrict Drive Access:
    - Navigate to Administrative Templates > Windows Components > File Explorer.
    - Enable Prevent access to drives from My Computer, and choose Restrict all drives.
  - Set Custom User Interface:
    - Navigate to Administrative Templates > System.
    - Enable Custom User Interface and set the path to keeper.exe (e.g., C:\keepalive\keeper.exe).
  - Restrict App Switching:
    - Navigate to Administrative Templates > Windows Components > Multitasking.
    - Enable Configure the inclusion of app tabs and set it to Open windows only.
Step 5: Test the Configuration
Log in to the restricted user account and confirm the following:
- The app starts and remains running, relaunching if it’s closed.
- System access is limited per the restrictions you’ve applied.
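A check to run alongside Step 5, as an added example that is not part of the original post: folders created directly under C:\ normally inherit Modify rights for Authenticated Users, so the restricted account may be able to overwrite keeper.exe or the app it launches. The script lists non-administrative principals with write access to those files and confirms that the execution policy from Step 3 was set back. The paths are the post's example values, and the function name is illustrative.

```powershell
# Added example, not from the original post. Run it from an elevated
# PowerShell session on the kiosk machine.
# Assumption: the paths below are the post's example paths; use your own.
$targets = @(
    "C:\keepalive",
    "C:\keepalive\keeper.exe",
    "C:\path\to\app\ExampleApp.exe"
)

# Principals expected to hold write access.
$trustedSids = @(
    "S-1-5-18",      # LocalSystem
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"  # TrustedInstaller
)

# Rights that let an account replace or alter a file or folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]"Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership"

function Get-UntrustedWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        # Ask for SIDs rather than names so the comparison is locale-independent.
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $allow = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
            # Inherit-only entries apply to children, not to this object.
            $inheritOnly = [int]($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
            $canWrite = [int]($rule.FileSystemRights -band $writeRights) -ne 0
            $trusted = $trustedSids -contains $rule.IdentityReference.Value
            if ($allow -and $canWrite -and (-not $inheritOnly) -and (-not $trusted)) {
                [pscustomobject]@{ Path = $p; Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
            }
        }
    }
}

$findings = @(Get-UntrustedWriteAccess -Path $targets)
if ($findings.Count -gt 0) {
    Write-Warning "Non-admin principals can modify files the kiosk shell launches:"
    $findings | Format-Table -AutoSize
} else {
    "No non-admin write access found on the checked paths."
}

# Step 3 ends by setting the policy back; confirm it took effect machine-wide.
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -ne "Restricted") { Write-Warning "LocalMachine execution policy is $policy, expected Restricted" }
```

Any SID it reports that covers the restricted account (for example S-1-5-11, Authenticated Users) means the account can replace the binary that the Custom User Interface policy starts.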
Conclusion
While Windows kiosk mode is a great solution for UWP applications, this method offers a flexible alternative for .exe applications.
By following these steps, you can effectively restrict user access and maintain a controlled environment with your app running continuously.
This is ideal for kiosks, shared systems, or any setup requiring strict app focus.