Login and Authentication
1. Automatic Logon to Windows 95, 98 and Me (Windows 95/98/Me)
This setting allows Windows clients to log on automatically without entering a user name or password, bypassing the logon box.
Create a new string value called "AutoAdminLogon" and set it to "1" to enable automatic login.
Create a new string value called "DefaultUsername" and set it to the username of the default user.
Create a new string value called "DefaultPassword" and set it to match the password of the default user.
Settings:
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon]
Name: AutoAdminLogon, DefaultPassword, DefaultUserName
Type: REG_SZ (String Value)
2. Automatic Logon to Windows NT, 2000 and XP (Windows NT/2000/XP/Vista/Windows 7)
Windows includes a feature that allows you to configure the computer to log on to the network automatically, bypassing the Winlogon dialog box.
To enable this function you need to add several new values to the key below.
- Add a new string value named 'DefaultUserName' and set it to the username you wish to automatically log on as.
- Add a new string value named 'DefaultPassword' and set this to the password for the user entered above.
- Add a new string value named 'DefaultDomainName' and set this to the domain of the user. Ignore this value if the NT box is not participating in NT Domain security.
- Add a new string value named 'AutoAdminLogon' and set it to either '1' to enable auto logon or '0' to disable it.
- For Windows 2000 the additional ForceAutoLogon setting must be enabled to stop the tweak from resetting on reboot.
Exit and restart. Windows should not ask for a password and should automatically show the desktop of the user.
Note: The password is stored in the registry, which means anyone who has access to the machine has access to the password.
Note: You can bypass this function by holding down the SHIFT key during the boot or logoff process.
Note: If the DontDisplayLastUserName value is enabled, the auto logon feature does not function.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: AutoAdminLogon
Type: REG_SZ (String Value)
Value: (0=disable, 1=enable)
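Because DefaultPassword is an ordinary string value in the Winlogon key, a machine audit should look for it. The script below is an added example, not part of the original page: it parses the text of a registry export and flags the auto-logon values described in this section without echoing the password. The sample export, the user name and the function names are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Constructed sample in "reg export" text form; all values are made up.
# Assumption: the export has already been decoded to a Python string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="kiosk"
"DefaultPassword"="example-password"
"CachedLogonsCount"="10"
'''

# The NT-family and 95/98/Me Winlogon paths named on this page, lowercased
# because registry key and value names are case-insensitive.
WINLOGON_KEYS = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
    r"hkey_local_machine\software\microsoft\windows\currentversion\winlogon",
}
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: str or int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, sz, dword = m.groups()
                current[name.lower()] = int(dword, 16) if dword else sz
    return keys

def audit_autologon(text):
    """List findings for the Winlogon auto-logon values; never echo the password."""
    findings = []
    for path, values in parse_reg(text).items():
        if path not in WINLOGON_KEYS:
            continue
        enabled = str(values.get("autoadminlogon", "0")) == "1"
        if enabled:
            user = values.get("defaultusername", "<unset>")
            findings.append(f"auto-logon enabled for user {user!r}")
        if values.get("defaultpassword"):
            state = "in use" if enabled else "left behind, auto-logon off"
            findings.append(f"plaintext DefaultPassword stored ({state})")
        if str(values.get("forceautologon", "0")) == "1":
            findings.append("ForceAutoLogon=1: auto-logon cannot be bypassed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_autologon(SAMPLE_REG)))
```

A DefaultPassword value that remains after AutoAdminLogon has been set back to 0 is reported separately, since the credential is still readable even though auto-logon is off.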
3. Enable Shutdown from Authentication Dialog Box (Windows NT/2000/XP/Vista/Windows 7)
When this setting is enabled, a [Shutdown] button is displayed in the authentication dialog box when the system first starts. This allows you to shut down a system without logging in. The button is shown by default on a workstation and removed on a server installation.
Create a new DWORD value, or modify the existing value called 'ShutdownWithoutLogon' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
Name: ShutdownWithoutLogon
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)
4. Automatic Administrative Logon to Recovery Console (Windows 2000/XP)
The recovery console is a command line environment that is used to recover from system problems. This setting controls whether the administrator account will be logged on automatically or be required to enter a password when the recovery console is invoked during startup.
Create a new DWORD value, or modify the existing value called 'SecurityLevel' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
Name: SecurityLevel
Type: REG_DWORD (DWORD Value)
Value: (0 = require password, 1 = no password)
5. Disable Password Caching in Internet Explorer (All Windows)
When you attempt to view a password-protected site, you are normally prompted to type your username and password with an option to "Save this password in your password list". This tweak can be used to disable the ability for users to save passwords.
Create a new DWORD value, or modify the existing value called 'DisablePasswordCaching' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
Name: DisablePasswordCaching
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = disable password cache)
6. Limit the Number of Automatic Logins (Windows NT/2000/XP/Vista/Windows 7)
This setting is used to limit the number of automatic logins. Once the limit has been reached, the auto logon feature will be disabled and the system will display the standard authentication box.
Create a new DWORD value, or modify the existing value called 'AutoLogonCount' using the settings below.
Note: Each time the system is rebooted, the value of AutoLogonCount will be decremented by one, until it reaches zero. When AutoLogonCount reaches zero, no account will be logged on automatically, the AutoLogonCount and DefaultPassword key values will be deleted from the registry, and AutoAdminLogon will be set to zero.
Settings:
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: AutoLogonCount
Type: REG_DWORD (DWORD Value)
Value: Number of Automatic Logins
7. Modify the Number of Cached Logins (Windows NT/2000/XP/Vista/Windows 7)
This value controls the number of allowable cached login attempts when the network domain controller is unavailable.
Create a new String value, or modify the existing value called 'CachedLogonsCount' using the settings below.
Note: If caching is disabled or the maximum has been reached, the user is prompted with this message: "The system cannot log you on now because the domain [DOMAIN_NAME] is not available."
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: CachedLogonsCount
Type: REG_SZ (String Value)
Value: 0 - 50 (0 = disabled, 10 = default)
8. Legal Notice Dialog Box Before Logon (All Windows)
Use these fields to create a dialog box that will be presented to any user before logging on to the system. This is useful where you are required by law to warn people that it is illegal to attempt to log on without being an authorized user.
Windows 95, 98 and Me: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Windows NT, 2000, XP, Vista, Windows 7: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modify the value named 'LegalNoticeCaption' to represent the caption on the dialog box (e.g. 'WARNING!'). If this value doesn't already exist, create it.
Modify the value named 'LegalNoticeText' to represent the body of the dialog box (e.g. 'Do Not Attempt to Logon to this system unless you are an authorized user!').
Settings:
Name: LegalNoticeCaption, LegalNoticeText
Type: REG_SZ (String Value)
9. Set the Minimum Password Length (All Windows)
You can force Windows to reject passwords that do not meet a minimum password length. Useful to help stop people from using trivial passwords where security is an issue.
Create a new binary value named 'MinPwdLen', and set the data to the minimum number of characters required for a password to be accepted.
Settings:
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
Name: MinPwdLen
Type: REG_BINARY (Binary Value)
10. Customize the Windows Logon and Security Dialog Title (Windows NT/2000/XP)
This setting allows you to add additional text to the title of the standard Windows Logon and Windows Security dialog boxes.
Create a new String value, or modify the existing value called 'Welcome' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: Welcome
Type: REG_SZ (String Value)
Value: Text to display
11. Show Verbose Security Status Messages (Windows 2000/XP)
This setting allows you to configure Windows so that you receive verbose startup, shutdown, logon, and logoff status messages. This may be helpful in troubleshooting slow startup, shutdown, logon, or logoff behaviour.
To enable verbose status messages create a new DWORD value called "verbosestatus" and set it to "1".
An additional value called "DisableStatusMessages" forces status messages to be disabled. Make sure this value does not exist or is set to "0".
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Name: verbosestatus
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = enable verbose status)
12. Force the Use of Automatic Logon (Windows 2000/XP)
Normally when a Windows machine is configured to automatically logon to a specified account users can bypass this and enter alternate account information. This tweak forces the machine to auto logon and to ignore any bypass attempts.
Create a new string value called "ForceAutoLogon" and set it to equal "1" to force automatic logons or "0" to allow alternate users.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: ForceAutoLogon
Type: REG_SZ (String Value)
Value: (0 = disabled, 1 = enabled)
13. Disable Password Caching (All Windows)
Normally Windows caches a copy of the user's password on the local system to allow for additional automation. This leads to a possible security threat on some systems. Disabling caching means the users' passwords are not cached locally. This setting also removes the second Windows password screen and removes the possibility of network passwords getting out of sync.
Create a new DWORD value, or modify the existing value called 'DisablePwdCaching' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
Name: DisablePwdCaching
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1=enabled)
14. Require Alphanumeric Windows Password (All Windows)
Windows by default will accept anything as a password, including nothing. This setting controls whether Windows will require an alphanumeric password, i.e. a password made from a combination of alpha (A, B, C...) and numeric (1, 2, 3...) characters.
Create a new DWORD value, or modify the existing value called 'AlphanumPwds' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
Name: AlphanumPwds
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1=enabled)
15. Disable the Change Password Button (Windows NT/2000)
This setting disables the 'Change Password' button on the Windows Security dialog box. Enabling this setting stops casual users from being able to change the password.
Create a new DWORD value, or modify the existing value called 'DisableChangePassword' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableChangePassword
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)
16. Disable the Lock Workstation Button (Windows NT/2000/XP/Vista/Windows 7)
Add this setting to the registry to stop unauthorized users from locking machines from the Windows Security dialog box.
Create a new DWORD value, or modify the existing value called 'DisableLockWorkstation' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DisableLockWorkstation
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)
17. Disable the Auto Logon Shift Override Feature (Windows NT/2000/XP)
When using the automatic login feature it is possible for a user to hold the Shift key to bypass the login sequence and enter a username and password. This feature disables the ability to override the function.
Create a new String value, or modify the existing value called 'IgnoreShiftOverride' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: IgnoreShiftOverride
Type: REG_SZ (String Value)
Value: (1 = Ignore Shift)
18. Require Users to Press Ctrl+Alt+Delete Before Logon (Windows 2000/XP)
This setting controls whether users are required to press Ctrl + Alt + Delete as a security precaution before logging into the system.
Create a new DWORD value, or modify the existing value called 'DisableCAD' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: DisableCAD
Type: REG_DWORD (DWORD Value)
Value: (0 = Require Ctrl+Alt+Delete, 1 = Disable)
19. Restrict Showing the Last Username (Windows 2000/XP)
This restriction removes the ability to view which user was last logged onto a computer by clearing the username box on the login screen.
Create a new DWORD value, or modify the existing value called 'DontDisplayLastUserName' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Name: DontDisplayLastUserName
Type: REG_DWORD (DWORD Value)
Value: (1 = remove username)
20. Use Active Authentication for Unlock and Screen Saver (Windows NT/2000/XP)
This setting controls whether a full login should be performed when a workstation is unlocked or a password is used with the screen saver. Normally Windows will not check some settings such as whether the account has been locked out.
Create a new DWORD value, or modify the existing value called 'ForceUnlockLogon' using the settings below.
Settings:
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: ForceUnlockLogon
Type: REG_DWORD (DWORD Value)
Value: 0 = default authentication, 1 = online authentication
21. Change the Message Shown on the Logon Box (Windows NT/2000/XP)
You can personalize (or legalize) the message displayed on the logon box above the user name and password.
Create a new string value named 'LogonPrompt' and enter the text you want to display. The default message is: 'Enter a user name and password that is valid for this system.'
Settings:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Name: LogonPrompt
Type: REG_SZ (String Value)
22. Allow Portables to Undock Before Logon (Windows XP)
This setting controls whether users with portable computers have the option to undock the system before they have logged onto the computer.
Create a new DWORD value, or modify the existing value called 'UndockWithoutLogon' using the settings below.
Settings:
User Key: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
Name: UndockWithoutLogon
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)
23. Start Windows Without Prompting for a Password (Windows 95/98/Me)
Does Windows prompt you for a password every time you boot up even though you're the only one using the PC? Follow these instructions to make Windows automatically start up without prompting you for a password.
Windows 9x passwords are recorded in a Password List file. These files are stored in the Windows directory and named according to your username; they can be recognized by their .PWL extension.
For example, if your username was 'John' then your password file would probably be 'c:\windows\john.pwl'.
To remove the password prompt, start by finding the PWL file relating to your username and rename it to *.old (e.g. c:\windows\john.old).
If you're running a network, you then need to open 'Control Panel -> Network' and check that the 'Primary Network Logon' is set to 'Windows Logon'.
Now restart Windows and you'll be prompted for a password. Leave the Password box empty, then click OK. You should now not be prompted for a password again.
24. Force Users to Logon to Windows (Windows 95/98/Me)
Usually users can simply press 'Cancel' at the Windows logon box to bypass the login process and gain access to the local computer. This tweak will log out the user if the authentication fails or the user clicks Cancel.
Like all registry tweaks, this is for advanced users. Please do not attempt this if you are not confident with the Windows registry and recovering from any subsequent problems.
First, set up your computer for multiple users by using the 'Users' wizard in the Control Panel. Create a new user in addition to any existing users, then restart Windows and log in as the new user (this will become your new default account).
While you are logged in, open your registry and expand the [HKEY_USERS] key. There should be several sub-folders including ".DEFAULT", "Software" and a folder corresponding to the new username you created above.
Open the key listed below (if the 'Run' key does not already exist then create it), and create a new string value named "NoLogon", and set the value to equal "RUNDLL32 shell32,SHExitWindowsEx 0".
Log off. Now when you log in using the new username you should gain access to the desktop, but when you press Cancel or enter the wrong password the desktop should partially load, and then the computer should return to the login screen.