Adding Parental Controls Support to Your Application

Windows Vista provides Parental Controls (Microsoft 2006a) functionality to monitor and/or limit exposure of selected computer users to inappropriate content. A parent or guardian can restrict what Web sites children can visit, what games titles and games ratings they can use, and what times the children are allowed to log on to the computer.

Parental Controls is available only in the consumer-focused versions of Windows Vista:

• Windows Vista Starter Edition

• Windows Vista Home Basic Edition

• Windows Vista Home Premium Edition

• Windows Vista Ultimate Edition

Also note that Parental Controls feature is not enabled by default for domain-joined computers, but you can enable it by following these steps:

1. Open MMC.exe.

2. Click File and then Add or Remove Snapins.

3. Double-click Group Policy Object Editor.

4. Click Finish and then click OK.

5. Expand the following nodes: Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components.

6. Click Parental Controls.

7. Double-click the Make Parental Controls control panel visible in a domain setting.

8. Click Enabled.

9. Click OK.

Another important point is that Parental Controls are only effective when the users under Parental Control policy are not administrators.

The Code

To add Windows Parental Controls (WPC) functionality to your application, you must include <wpc.h>, and because WPC is implemented as a COM object, there is no need to link with a library.

You will find the following code at the start of all applications that support WPC:

 CComPtr<IWindowsParentalControls> piWPC = NULL; HRESULT hr = piWPC.CoCreateInstance(__uuidof(WindowsParentalControls)); if (SUCCEEDED(hr)) {     // cool! }

Next, get the user settings; note the first argument to GetUserSettings can either be NULL to get the settings for the current user, or a textual SID (of the S-1-5-21-xxx ilk) for a specific user. Two functions, WpcuSidStringForCurrentUser and WpcuSidStringFromUserName in the Windows Software Development Kit (Microsoft 2006b) sample code contained in a file named Security\ParentalControls\Utilities\Utilities.cpp show how to create textual SIDs.

 IWPCSettings* piWPCUserSettings = NULL; hr = piWPC->GetUserSettings(pwszSid,&piWPCUserSettings); if (E_ACCESSDENIED == hr) {     // user is probably an admin } else if (SUCCEEDED(hr)){     // Cool! }

Accessing user settings will fail with an E_ACCESSDENIED error when calling the IWPC-Settings:: GetUserSettings method if the user is an administrator because parental controls do not apply to administrators.

Time Limits

Windows Parental Controls includes time limits that allow a user access to the computer only at predetermined times. If a user’s time is up, they are logged off and cannot log back on until the time limit policy determined by the parent or guardian allows them to log back on. Use the following code to determine if the user has time restrictions:

 // Determine if time limits are in effect for this user DWORD dwRestrictions = 0; hr = piWPCUserSettings->GetRestrictions(&dwRestrictions); if (SUCCEEDED(hr)) {     if (dwRestrictions & WPCFLAG_HOURS_RESTRICTED)         wprintf(L"Hour Restriction"); }

Fifteen minutes before a forced logoff, appropriately registered applications will receive a WMI event. There is sample code in the Samples\Security\ParentalControls\ComplianceApp folder of the Windows SDK that demonstrates how to register and handle these WMI events.

When the application receives this WMI event, your application should probably inform the user that they will soon be logged off and had better save their work soon.