Useful Windows XP Logon Strategies : Customizing the Logon

3/3/2011 11:14:13 AM

The default logon is fine for most users, but there are many ways to change Windows XP’s logon behavior. The rest of this section looks at a few tips and techniques for altering the way you log on to Windows XP.

Switching Between the Welcome Screen and the Classic Logon

Many people prefer the Classic Windows XP logon because the initial step of pressing Ctrl+Alt+Delete adds an extra level of security. It prevents automatic logons and it thwarts any malicious program—such as a password-stealing program—that might have been activated at startup. If your computer uses the Welcome screen logon, you switch to the Classic logon by using any of the following techniques:

Launch the Control Panel’s User Accounts icon, click Change the Way Users Log On or Off, and then deactivate the Use Welcome Screen check box.
In the Group Policy editor , open Computer Configuration, Administrative Templates, System, Logon, and then enable the Always Use Classic Logon policy.
In the Registry , set the following value to 1 (reset this to 0 to revert to the Welcome screen):
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType
```

Caution

If your computer is part of a domain, you can’t change the logon from the Classic method to the Welcome screen.

Setting Up an Automatic Logon

If you’re using a standalone computer that no one else has access to (or that will be used by people you trust), you can save some time at startup by not having to type a username and password. In this scenario, the easiest way to do this is to set up Windows XP with just a single user account, which means Windows XP will log on that user automatically at startup. If you have multiple user accounts (for testing purposes, for example) or if you want the Administrator account to be logged on automatically, you need to set up Windows XP for automatic logons.

Caution

Setting up an automatic logon is generally not a good idea for notebook computers because they’re easily lost or stolen. By leaving the logon prompt in place, the person who finds or steals your notebook will at least be unlikely to get past the logon, so your data won’t be compromised.

If you have Tweak UI, open the Logon, Autologon setting and activate the Log On Automatically at System Startup check box. Type the username and click Set Password to enter the account password. When you click OK, Tweak UI makes some changes in the following Registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

The AutoAdminLogon value is set to 1, your username appears in the DefaultUserName setting, and your password appears in the DefaultPassword setting. Note that your password appears as plain text, so anyone can read it or even change it.

Tip

You can temporarily suspend the automatic logon by holding down the Shift key while Windows XP starts up.

If you only want the automatic logon to occur a set number of times, open the following Registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Create a new string setting named AutoLogonCount and set its value to the number of times you want the automatic logon to occur. With each logon, Windows XP decrements this setting until it reaches zero, at which point Windows XP sets AutoAdminLogon to 0 to disable the automatic logon.

Accessing the Administrator Account

Another chore you performed during the Windows XP setup routine was to specify an Administrator password. One of the confusing aspects about Windows XP is that, after the setup is complete, the Administrator account seems to disappear. The secret is that Administrator is actually a hidden account that appears only in a limited set of circumstances, such as when you boot Windows XP in Safe mode or when there are no other administrative-level accounts defined on your system. Outside of these scenarios, there are several ways to log on to Windows XP using the Administrator account:

If you’re using the Welcome screen, press Ctrl+Alt+Delete twice.
If you’re using the classic logon, type Administrator in the User Name text box.
Set up an automatic logon using the Administrator (see the next section).
Tweak Windows XP to make the Administrator account visible in the Welcome screen. To do this, open the Registry Editor and navigate to the following key:
Code View: Scroll / Show All
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

					  
```

Add a new DWORD value named Administrator and set its value to 1. (To hide Administrator in the Welcome screen, set this value to 0.)

Tip

The UserList Registry key is also useful for hiding accounts. If you have a user account defined but you don’t want other users to see that name in the Welcome screen, add a DWORD value to the UserList key, give it the same name as the user, and set its value to 0. You can access this account using the same methods that I outlined in this section for the Administrator account.

Setting Logon Policies

Windows XP Professional defines a number of security policies related to the logon process. You can get to these policies in two ways:

In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
In the Local Security Settings editor, select Security Settings, Local Policies, Security Options.

Most of the logon options are listed in the Interactive Logon grouping. Here’s a list of the most useful options (note that all of these options apply to the Classic logon):

Do Not Display Last User Name	Enable this option to clear the User Name text box each time the Log On to Windows dialog box appears. Although it adds a bit of inconvenience to the logon, this is a good security feature because it denies an intruder an important piece of information: a legitimate system username. This policy modifies the following Registry key (0 = disable; 1 = enable): HKLM\Software\Microsoft\Windows\ CurrentVersion\policies\system\ dontdisplaylastusername
Do Not Require CTRL+ALT+DEL	Enable this policy to bypass the initial Welcome to Windows dialog box (the one that prompts you to press Ctrl+Alt+Delete) and go directly to the Log On to Windows dialog box. This can save you a startup step, but it decreases the security of the logon. The main concern here is that your system might get infected with a virus or Trojan horse program that displays a fake Log On to Windows dialog box as a ruse to capture your username and password. If you decide to enable this policy, make sure that you have a good anti-virus program and that you use it often. This policy modifies the following Registry key (0 = disable; 1 = enable): HKLM\Software\Microsoft\Windows\ CurrentVersion\policies\system\ DisableCAD
Message Text for User Attempting to Log On	Use this option to specify a text message that appears in a dialog box after any user presses Ctrl+Alt+Delete (but before the Log On to Windows dialog box appears). This policy modifies the following Registry setting: HKLM\Software\Microsoft\Windows\CurrentVersion\ policies\system\legalnoticetext
Message Title for Users Attempting to Log On	Use this option to set the title of the dialog box that contains the message to the user that you specified in the previous setting. This policy modifies the following Registry setting: HKLM\Software\Microsoft\Windows\CurrentVersion\ policies\system\legalnoticecaption
Number of Previous Logons to Cache (In Case Domain Controller Is Not Available)	Use this option to set the number of previous domain logons (username, password, and domain) that Windows XP will retain.
	By retaining a logon, Windows XP enables that user to log on to Windows XP even if a domain controller isn’t present (for example, on a notebook that isn’t always connected to the network at startup). This policy modifies the following Registry setting: HKLM\Software\Microsoft\Windows NT\ CurrentVersion\Winlogon\cachedlogonscount
Prompt User to Change Password Before Expiration	Use this option to set the number of days before which a user’s password expires that a warning message to that effect is displayed. This policy modifies the following Registry setting: HKLM\Software\Microsoft\Windows NT\ CurrentVersion\Winlogon\passwordexpirywarning

More Logon Registry Tweaks

As you saw in the previous section, the logon security policies are stored in the Registry. Windows XP has a number of other Registry-related logon settings that you’ll learn about in this section:

Controlling the Shift Key Override of an Automatic Logon—Use the following string value to determine whether the user can override an automatic logon by holding down the Shift key during startup (0 = enable Shift override; 1 = disable Shift override):
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
   IgnoreShiftOverride
```
Forcing an Automatic Logon—This is similar to overriding the Shift key at startup. That is, the following string setting determines whether the user can bypass an automatic logon (0 = bypass possible; 1 = bypass not possible):
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
   ForceAutoLogon
```
Disabling Logon Options—The Log On to Windows dialog box (Classic logon) has an Options button that toggles on and off the Log On To list, the Log On Using Dial-Up Connection check box, and the Shut Down button. Use the following DWORD value to control whether these options appear (0 = disable; 1 = enable):
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
   ShowLogonOptions
```
Adding Text to the Logon Dialog Box—Specify text in the following string setting to display a message in the Log On to Windows dialog box above the User Name text box:
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
   LogonPrompt
```
Disabling the Dial-Up Logon—If you don’t want users to attempt a dial-up connection to log on, use the following string setting to disable the Log On Using Dial-Up Connection check box in the Log On to Windows dialog box (0 = disable; 1 = enable):
```
   HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
   RASDisable
```

Other -----------------

- Custom Startups with BOOT.INI