Section 8.3. Logon Options

8.3. Logon Options

Here's the dilemma: you've set up multiple user accounts on a machine, and you've gone the extra mile to ensure that your data is properly protected by configuring permissions and employing encryption. Now you find Windows so locked down that you can't do anything without having to enter a password first. Fortunately, you can customize the logon process to suit your needs and tolerance for cumbersome logon procedures.

8.3.1. Use the Traditional Log On DialogInstead of the Welcome Screen

The new, friendly Welcome screen is the default interface used when logging on to Windows XP.

The traditional Log On dialog forces you to type both the username and password of a user account to log in. Since a list of active users is not shown, it's more secure than the default Welcome screen. Here's how to switch:

Open the User Accounts window in Control Panel.
Click Change the way users log on or off.
Turn off the Use the Welcome screen option, and click Apply Options.
This change will take effect the next time you log off or restart your computer.

When you switch from the Welcome screen to the Log On screen, several other aspects of the Windows interface will be affected. Table 8-2 shows the differences between these two options of this deceptively simple setting.

Table 8-2. How disabling the Welcome screen affects other features in Windows
	Welcome screen	Log On screen
Look and feel of Shut Down dialog:	Large, friendly, colorful buttons for Stand By,^[2] Turn Off, and Restart	A simple drop-down list, like the Shut Down dialog found in earlier versions of Windows
Start Menu command to shut down:	Turn Off Computer	Shut Down
What happens when you press Ctrl-Alt-Del:	Opens Task Manager; security features shown in Shut Downmenu (except for Change Password)	Opens the Windows Security dialog, from where you can log off, shut down, start Task Manager, change your password, or lock the computer
Access to hidden user accounts:	No access to hidden users	Log in to any user account by typing user name

^[2] Hold the Shift key to display a Hibernate button instead of Stand By on the Welcome screen.

8.3.2. Customize the Welcome Screen

Although you can easily customize the look and feel of your own account, it's not so easy to customize the Welcome screen. The following solutions allow you change a few things about the Welcome screen. Note that these solutions have no affect on the Log On screen (discussed in the next section).

8.3.2.1 Choose new pictures for users

When a new account is created in Windows XP, a picture is chosen at random from a collection including a Monopoly racecar, a soccer ball, a butterfly, and others. Here's how to change the picture for any account:

Open the User Accounts window in Control Panel, and then choose an account to modify in the list below.
Click Change my picture.
Choose a picture from the collection, or click Browse for more pictures to choose your own image. Windows supports .bmp, .jpg, .gif, and .png image files.
Note that the image you choose here will also be the one that appears at the top of the Start Menu (not applicable if you're using the Classic Start Menu).
Click Change picture when you're done. The new picture(s) will show up the next time you log off or restart Windows.

8.3.2.2 Create a new Welcome screen

Although changing the little picture for each user (as described earlier) is quite easy, it's an entirely different matter to customize the actual Welcome screen. The screen is embedded in a Windows .exe files, which means you'll need to extract the components of the screen to customize them.

Open Explorer, and navigate to your \Windows\System32 folder.
Place a copy of the file logonui.exe somewhere convenient, such as on your Desktop or in your My Documents folder. Then, make another copy of the file, to be used as a backup in case something goes wrong.
Download and install the free Resource Hacker utility (available at http://www.annoyances.org/). Resource Hacker allows you to modify the bitmaps embedded in certain types of files, including .exe and .dll files, and is also used in a few solutions in Chapter 2.

Start Resource Hacker, and drag-drop the newly created copy of logonui.exe onto the Resource Hacker window to open it (or use File

Expand the Bitmap branch to show the various images used on the Welcome page. For example, bitmap 100 is the blue gradient background, bitmap 125 is the horizontal line that appears above and below, and bitmaps 123 and 127 both contain the Windows logo.

Optional: you can export any of these bitmaps to .bmp files by selecting them in the tree, and then going to Action

Create new images or modify images you've extracted to your heart's content. Save your images as .bmp files.

Try to make your replacement images the same size (width height) as the default images in this file. If you need to change the size of an image, you'll need a working knowledge of XML. See Step 10, below, for the additional modifications you'll need to make if your images have different sizes than the ones they're replacing.

When you're ready, go to Action Select bitmap to replace list, then click Open file with new bitmap, and then locate the .bmp file you've created or modified.
Repeat this for all the images you wish to replace.
Next, to customize any of the text shown in the Welcome screen, such as "To begin, click your user name," open the String Table branch, and choose one of the five categories shown. When you've found the text you want to change, just click in the right pane and start typing.

It's important that you keep the formatting of the text intact. For example, quotation marks, commas, and curly braces are used to separate and organize strings. Make sure you don't mess them up.

Here are some tips for modifying the text strings here:
- To include a line break, type \n.
- To include a double-quotation mark, type \" (necessary, since a quotation mark without the slash will be interpreted as the closing quotes that mark the end of the string).
- To insert the username of the selected user, type %s.
- Some of the strings have names of fonts; as you might expect, you can modify these to change the fonts used in the Welcome screen.
When you're done typing, click the Compile Script button.
The last component that can be modified is the actual layout of the Welcome page. This can be found in the UIFILE\1000 branch. The beginning of the text in this branch is blank, but if you scroll down (in the right-hand pane), you'll see the content. This, essentially, is an XML file, and unless you are familiar with XML (similar to HTML), you won't want to touch it.
However, you may need to modify one or more of the entries here if any of your new bitmaps have different dimensions than the ones they're replacing. Start by locating the <element . . . > tag that corresponds to the image you wish to resize; for image 100, for example, it will be the one that has this attribute:
```
content=rcbmp(100,0,0,219rp,207rp,1,0)
```
Here, the first number is the image number, and the numbers ending in "rp" are the dimensions.
When you're done editing, go to File

If you are wise, you will take this opportunity to make sure you have a safe backup of the original logonui.exe before you replace it. That way, if the modified version is corrupted in any way, you'll be able to repair your system without having to reinstall.

The last step is to replace the in-use version of logonui.exe with the one you've just modified. You should be able to just drag the modified version right into your \Windows\System32 folder, replacing the one that's there.

If Windows complains that the file is in use and can't be replaced, you'll have to follow the steps outlined in Section 2.2.6.

The new logo should appear the next time you start Windows. If, for some reason, the Welcome screen is corrupted or won't load at all, the problem is most likely caused by a corrupt logonui.exe file. This can be repaired by using the instructions in the previous step to replace The modified version with the original version you backed up you did back it up, didn't you?

See Section 2.3.5 for a related solution.

8.3.2.3 Turn off the mail notification

By default, Windows will display the number of unread messages underneath each name on the Welcome screen, but only if you're using Outlook or Outlook Express to retrieve your email. To turn off this notification, follow this procedure:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail.
Double-click the MessageExpiryDays value in this key.
If it's not there, go to Edit
Type 0 for its value data, click OK, and then close the Registry Editor when you're done. You'll have to log off and then log back on for the change to take effect.

Instead of disabling the feature, you can merely adjust how far back Windows will "look" for unread messages, if you like. For example, change the MessageExpiryDays value to 5 to ignore any unread messages more than five days old. The default is 3.

This feature has been known to stop working if two or more email accounts have been configured in Outlook for a single user account.

8.3.3. Customize the Log On Screen

Although you can easily customize the look and feel of your own account, it's not so easy to customize the Log On screen. The following solutions allow you to customize various aspects of this window and the desktop that appears in the background. Note that these solutions have no affect on the Welcome screen (discussed in the previous section).

8.3.3.1 Customize the appearance of the Log On dialog and the desktop background

Follow these steps to customize the colors used by the Log On dialog, as well as the colors and (optionally) the wallpaper of the desktop that appears behind it:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_USERS\.DEFAULT\Control Panel\Colors.
Each of the values in this key represents the color of a different screen element. Each value has three numbersthe red, green, and blue values, respectivelythat indicate the color of the corresponding object.
For example, double-click the Background value and type 255 0 128 (note the spaces between the numbers) to have a hot-pink background behind the Log On dialog.
To determine the RGB values for your favorite colors, open a Color dialog by going to Control Panel
While you're here, you can also turn on the ClearType feature for the Log On screen. ClearType helps make text more readable on laptop and flat-panel displays. Double-click the FontSmoothingType value and change its value data to 2 to enable ClearType. A setting of one (1) will enable standard font smoothing, and a setting of zero (0) will turn it off entirely.
If you wish to use wallpaper on the Log On desktop instead of a solid color, expand the branches to HKEY_USERS\.DEFAULT\Control Panel\Desktop. Double-click the Wallpaper value, and type the full path and filename of a .bmp or .jpg file to use as the wallpaper. To tile the wallpaper, set the TileWallpaper value to 1, or to stretch the wallpaper, set the WallpaperStyle value to 2.
Close the Registry Editor when you're done. The change will take effect the next time you log off or restart Windows.

8.3.3.2 Hide the last-typed username

By default, the username of the previously logged-in user is shown in the Log On screen. To disable this, follow these steps:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch).
Create a new string value here by going to Edit
Double-click the new value, type 1 for its value data, and click OK.

Note that hiding the last-typed username will disable the automatic login, described in the next section, "Logging on Automatically."

8.3.3.3 Customize the logon message (Log On screen only)

The following solution allows you to place your own message above the User name and Password fields in the Log On dialog:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch).
Create a new string value here by going to Edit
Double-click the new value, type the message you'd like to appear, and click OK.

8.3.4. Logging on Automatically

Depending on your settings, you may or may not see the Welcome screen or the Log On to Windows dialog when Windows first starts. For example, if your computer only has one user account (in addition to the Administrator account, discussed in previous solution), and you haven't specified a password for that account, Windows will log you in automatically.

But it's never a good idea to have any accounts on your system set up without passwords, not so much because someone could break into your computer while sitting at your desk, but because if you're connected to a network or the Internet, an account any account without a password is a big security hole. See Section 7.6.1 for more information.

The problem with setting up a password, however, is that Windows will then prompt you for the password every time you turn on your computer, which can be a pain if you're the only person who uses the machine. Fortunately, there is a rather easy way to password-protect your computer and not be bothered with the Log On screen.

Open the alternate User Accounts window (described at the beginning of this chapter) by going to Start OK.
Select the username from the list that you'd like to be your primary login, and then turn off the Users must enter a username and password to use this computer option.
The Automatically Log On dialog will appear, prompting you to enter (and confirm) the password for the selected user.
Click OK when you're done. The change will take effect the next time you restart your computer.

Note that this solution will not disable your ability to log out and then log into another user account (see below). Furthermore, logging out and then logging back in will not disable the automatic login; the next time you restart Windows, you'll be logged in automatically to the user account you specified.

8.3.4.1 Prevent users from bypassing the automatic login

Automatic logins are also good for machines you wish to use in public environments (typically called "kiosks"), but you'll want to take steps to ensure that visitors can't log in as more privileged users. There are two ways for a user to skip the automatic login and log into another user account:

Hold the Shift key while Windows is logging in.
Once Windows has logged in, log out by selecting Log Off from the Start Menu or pressing Ctrl-Alt-Del and selecting Log Off.

This next solution eliminates both of these back doors:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch).
Create a new string value here by going to Edit OK. (This disables the Shift key during the automatic login.)
Create a new DWORD value here by going to Edit OK. (This automatically logs back in if the user tries to log out.)
Close the Registry Editor when you're done. The change will take effect immediately.

To remove either or both of these restrictions, just delete the corresponding registry values.

8.3.4.2 Limit automatic logins

It's possible to limit the automatic login feature, so that the Log On dialog (or Welcome screen) reappears after a specified number of boots:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the Windows NT branch here, as opposed to the more common Windows branch).
Create a new DWORD value here by going to Edit
Type AutoLogonCount for the name of the new value.
Double-click the new AutoLogonCount value, and type the number of system boots for which you'd like the automatic login to remain active.

Every successive time Windows starts, it will decrease this value by one. When the value is zero, the username and password entered at the beginning of this topic are forgotten, and the AutoLogonCount value is removed.

8.3.5. Logging in as the Administrator

When you first install Windows XP, Setup walks you through the process of setting up two separate user accounts. First, you're asked to choose an Administrator password, which is used for an actual account called "Administrator." Setup then requires you to enter the name of at least one user that will be using the computer; that second username is what is used to subsequently log you into Windows XP.

Although the second user has administrator privileges, it's not the true Administrator account, which is occasionally required for advanced solutions. What makes things more difficult is that the Administrator account is hidden from the Welcome screen and the User Accounts window. If you wish to log into the Administrator account, either to complete some solution or just to use it as your primary login, you should follow these instructions:

Get to the traditional Log On dialog, which requires you to type a username rather than simply clicking it. Not only is this window more secure than the Welcome screen, it's the only way to get to the Administrator account. There are two ways to open the Log On dialog:
1. If you're currently logged in, select Log Off from the Start Menu. When the Welcome screen appears, press Ctrl-Alt-Del twice.
2. To make the traditional Log On dialog your default, see Section 8.3.2, earlier in this chapter.
When the old-style Log On to Windows dialog appears, type Administrator into the User name field, and your administrator password into the Password field.
If, after logging in as the Administrator, you wish to delete the secondary account created during Setup, use the alternate User Accounts window by launching control userpasswords2, as described at the beginning of this chapter.

8.3.5.1 Notes

Despite the fact that the Administrator account is hidden by default, it's perfectly acceptable to use it as your primary login. You may wish to do this simply if you've gotten tired of seeing your name in huge, blazing letters in the Start Menu.
If you wish to use the Administrator account as your primary login, but don't wish to enter the password every time you turn on your computer, see the previous solution, "Logging on Automatically."
After you log in to the Administrator account a few times, it will start showing up on the Welcome screen, at which point you can re-enable the Use the Welcome screen option if you so desire.

8.3.6. Hiding User Accounts

By default, several user accounts are hidden from the User Accounts window and the Welcome screen. Although you can access these accounts using the alternate User Accounts dialog as well as the Local Users and Groups window (both described at the beginning of this chapter), you can also simply unhide these accounts. Naturally, you can also hide additional accounts with this procedure.

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList. (Note the Windows NT branch here, as opposed to the more common Windows branch).
In this key, there's a DWORD value named for each hidden user. To unhide a user account, simply delete a corresponding value here.
To hide a user, start by creating a new DWORD value by going to Edit
Setting any of these values to zero (0) will hide the corresponding accounts from both the standard User Accounts window and the alternate User Accounts window, enabling access only through the Local Users and Groups window.
However, if a value is set to 65536 (hex 10000), it will only be hidden from the User Accounts window, allowing access through either the alternate User Accounts dialog or Local Users and Groups.
Close the Registry Editor when you're done. The change should take effect the next time any of the user-account dialogs are opened.

8.3.7. Prevent Users from Shutting Down

Among the restrictions you may want to impose on others who use your computer is one on shutting down Windows. For instance, if you're logging in remotely, as described in "Controlling Another Computer Remotely (Just Like in the Movies)" in Chapter 7, you'll want to make sure that your PC is always on. Or, if you're setting up a system to be used by the public, you won't want to allow anyone to shut down or reboot the system in an effort to compromise it. Here's how to do it:

Open the Registry Editor (discussed in Chapter 3).
Expand the branches to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Create a new DWORD value (Edit
Double-click the new value and type 1 for its data.
Close the Registry Editor when you're done. You'll need to restart Windows for this change to take effect.

Keep in mind that this isn't a bulletproof solution. For instance, anyone will be able to shut down windows by pressing Ctrl-Alt-Del and clicking Shut Down there. Also, someone with ready access to your computer's on/off switch, reset button, or power cord will be able to circumvent this restriction. At the very least, though, it'll provide some reasonable assurance that your PC will remain powered on.

8.3.8. Working with User Folders

Every user account on your system has its own profile (home) folder, stored, by default, in the \Documents and Settings folder. In this folder are such special user folders as Desktop, Send To, Start Menu, My Documents, and Application Data, among others. Files placed in the Desktop folder appear as icons on the user's desktop, shortcuts placed in the Start Menu folder appear as Start menu items, and so on. This arrangement lets each user have her own Desktop, Start Menu, etc.

There's also an All Users folder, used, for example, to store icons that appear on all users' Desktops. Likewise, the Default User folder is a template of sorts, containing files and settings copied for each newly created user. All in all, the use of these folders is pretty self-explanatory.

See "Backing Up the Registry" in Chapter 3 for more information on the NTUSER.DAT file found in each user folder.

8.3.8.1 Modifying folder locations

You can change the default locations for any user's special folders, but the process is different for different folder types:

Home folder

To change the location of any user's home folder, start the Local Users and Groups window (lusrmgr.msc, described at the beginning of this chapter). Open the Users category, double-click a user, and choose the Profile tab.

Documents, Send To, etc.

To change the location of any system folder in a user's home folder, such as the My Documents folder or the Send To folder, you must be logged in as that user. Start TweakUI (see Appendix A), open the My Computer category branch, select Special Folders, and choose the folder to relocate from the Folder list. Note that this only changes the place that Windows looks for the associated files; you'll have to create the folder and place the appropriate files in it yourself.

For folders not listed in TweakUI, you'll need to edit the Registry. Most user folders are specified in these two Registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\    Explorer\Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\    Explorer\User Shell Folders

One of the exceptions is the Application Data folder, which is defined by the DefaultDir value in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\    ProfileReconciliation\AppData.

You'll need to log out and then log back in for any these changes to take effect.

Program Files

The Program Files and Common Files folders (shared by all users) are both defined in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

For Program Files, you'll need to change both the ProgramFilesDir and ProgramFilesPath values; for Common Files, just change the CommonFilesDir value.

When relocating system folders, keep in mind that there can be hundreds of references to them throughout the Registry, especially Program Files and Common Files. You'll probably need to use a program like Registry Search and Replace (available at http://www.annoyances.org ) to easily get them all.

8.3.8.2 Consolidating user folders

To effectively remove a user's system folder, the best thing to do is simply to consolidate it with another system folder. After specifying the new location, as described earlier, just drag-drop the contents of one into the other, and then restart Windows.

The benefits of doing this are substantial. For example, Windows XP comes with the My Documents folder, which helps to enforce a valuable strategy for keeping track of personal documents by providing a single root for all documents, regardless of the application that created them (see Section 2.2.8 for details). The problem is that this design is seriously undermined by the existence of other system folders with similar uses, such as My Pictures, Favorites, Personal, Received Files, and My Files.^[3] Consolidating all of these system folders so that they all point to the same place, such as c:\Documents or c:\Projects, causes several positive things to happen. Not only does it provide a common root for all personal documents, making your stuff much easier to find and keep track of, it also allows you to open any document quickly by using the Favorites menu in the Start Menu.

^[3] My Files is the counterpart to My Documents that is used by some older versions of WordPerfect and other non-Microsoft application suites. The Personal folder was used by Microsoft Office 95, but not so much in subsequent releases. Depending on which programs you've installed or have used in the past, these folders may or may not appear on your system.