Category Archives: Win10

What Are App Execution Aliases, and How Do You Use Them?


If you’re trying to open an app like Microsoft Paint in the Run Dialog and see an error message, it could be caused by your app aliases. But what exactly are App Execution Aliases, where do you find them, and how do you use them?

What Are App Execution Aliases?

An alias is an alternative name given to something. The most obvious example is the codename given to a spy or undercover agent. On Windows, aliases have nothing to do with spying. Instead, they are used for streamlining tasks, such as entering commands.

Windows 10 and 11 both allow aliases to be declared for some apps by default. The available apps vary but are often those commonly associated with command line tools. Giving an app an alias allows it to be executed using a shorter title rather than the full name or path.

App aliases can be used in several Windows Command Line Interfaces (CLI), including the Run Dialog, Command Prompt, and PowerShell. If you use these tools with any regularity, app aliases can help to streamline entering commands.

How to Enable App Execution Aliases in Settings

You can enable and disable aliases for compatible apps in the main settings in both Windows 10 and 11. If more than one app uses the same alias name, you can choose which has the alias applied to it.

In Windows 11:

  1. Open Settings > Apps, and look for Advanced app settings.
  2. In the advanced app settings, click App execution aliases to see the list of compatible apps.
  3. Use the slider switches to enable or disable the alias for each app. You can see the alias name below each app.

In Windows 10:

  1. If you’re using Windows 10, you’ll find the aliases in Settings > Apps & features.
  2. Click the App execution aliases link near the top of the Apps & features page.
  3. You can then enable and disable aliases using the switches.

By default, in both Windows 10 and 11, you can only enable or disable existing app aliases. But if you don’t mind editing the Registry, you can create new aliases for many other apps.

Create App Execution Aliases in Registry Editor

Before editing or creating registry keys, it is advisable to create a full backup of the Windows Registry. Of course, you should also ensure you understand how to restore the Registry from that backup.

The process below for creating app execution aliases in the Registry Editor should be the same in both Windows 10 and 11.

  1. Open Windows Search, type Registry Editor, and click on the search result to open it.
  2. In the editor, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths.
  3. Next, right-click on the App Paths key in the left-hand pane, and select New > Key.
  4. Give the new key an alias name that relates to the app and ends with .exe. For example, if the alias is for Calendar, call it something like cal.exe.
  5. With the alias selected, double-click the Default value in the right-hand pane.
  6. In the Value data field, you will need to enter the full path to the app executable file. For example C:\Program Files (x86)\Calendar.exe.
  7. Right-click in the right pane and select New > String value. Name the string path. Then change the Value data to the same path as above, but without the app filename.

You can now close the Registry Editor. The new App Execution Alias will now be available to use in the Windows CLIs.
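The registry steps above can also be captured as a .reg file that is reviewed before import and paired with a file that removes the alias again. This is an added example, not part of the original article; the function names are hypothetical, and cal.exe and the Calendar.exe path are the article's own sample values.

```python
import ntpath  # Windows path rules on any OS, so the example runs anywhere

# Key named in step 2 of the procedure above.
APP_PATHS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths"
REG_HEADER = "Windows Registry Editor Version 5.00"


def _reg_string(value):
    """Quote a string for a .reg file: backslashes and double quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _check_alias(alias):
    """Step 4: the new key is a bare name ending in .exe, never a path."""
    if len(alias) <= 4 or not alias.lower().endswith(".exe"):
        raise ValueError("alias must be a name ending in .exe, e.g. cal.exe")
    if any(ch in alias for ch in '\\/:*?"<>|'):
        raise ValueError("alias is a key name, not a path")


def build_alias_reg(alias, exe_path):
    """Return .reg text that creates the alias key with its two values."""
    _check_alias(alias)
    drive, _ = ntpath.splitdrive(exe_path)
    if not drive or not ntpath.isabs(exe_path):
        raise ValueError("exe_path must be a full path including the drive")
    if not exe_path.lower().endswith(".exe"):
        raise ValueError("exe_path must point at an executable file")
    folder = ntpath.dirname(exe_path)  # step 7: same path without the filename
    lines = [
        REG_HEADER,
        "",
        "[" + APP_PATHS_KEY + "\\" + alias + "]",
        "@=" + _reg_string(exe_path),        # step 6: the (Default) value
        '"Path"=' + _reg_string(folder),     # value names are case-insensitive
        "",
    ]
    return "\r\n".join(lines)


def build_alias_removal_reg(alias):
    """Return .reg text that deletes the alias key (leading '-' removes a key)."""
    _check_alias(alias)
    return "\r\n".join([REG_HEADER, "", "[-" + APP_PATHS_KEY + "\\" + alias + "]", ""])


if __name__ == "__main__":
    print(build_alias_reg("cal.exe", r"C:\Program Files (x86)\Calendar.exe"))
    print(build_alias_removal_reg("cal.exe"))
```

Keeping the removal file next to the creation file gives a one-step rollback that does not depend on restoring a full Registry backup.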

Using and Creating App Execution Aliases

Entering commands into tools such as Command Prompt and PowerShell can be laborious. You can streamline that process by enabling or creating aliases for apps that commonly feature in those commands. Why type out a full path to an executable file when you can point to it with a few keystrokes?

Source: What Are App Execution Aliases, and How Do You Use Them?

How to ALWAYS show all the Icons in Notification area of Windows

Use Control Panel to show the icons

To always show all the Icons in the System Tray or Notification area of Windows 11/10, via Control Panel follow these steps:

  1. Press Win+R to open the Run prompt.
  2. Enter this value: explorer shell:::{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
  3. Tick the Always show all icons and notifications on the taskbar checkbox.
  4. Click the OK button.

Source: How to ALWAYS show all the Icons in Notification area of Windows

20 Windows Command Prompt (CMD) Commands You Must Know

Windows Command Prompt Commands

If you haven’t poked around inside Windows’ command line, you’re missing out. There are lots of handy tools you can use if you know the correct things to type.

1. Assoc

Screenshot of Windows command prompt with assoc command.

Most files on Windows are associated with a specific program that is assigned to open the file by default. At times, remembering these associations can become confusing. You can remind yourself by entering the command assoc to display a full list of filename extensions and program associations.

You can also extend the command to change file associations. For example, assoc .txt= will change the file association for text files to whatever program you enter after the equal sign. The assoc command itself will reveal both the extension names and program names, which will help you properly use this command.

In Windows 10, you can view a more user-friendly interface that also lets you change file type associations on the spot. Head to Settings (Windows + I) > Apps > Default apps > Choose default app by file type.

2. Cipher

Cipher command in the Windows command prompt.

Deleting files on a mechanical hard drive doesn’t really delete them at all. Instead, it marks the files as no longer accessible and the space they took up as free. The files remain recoverable until the system overwrites them with new data, which can take some time.

The cipher command, however, lets you wipe a directory on an NTFS-formatted volume by writing random data to it. To wipe your C drive, for example, you’d use the cipher /w:c command, which will wipe free space on the drive. The command does not overwrite undeleted data, so you will not wipe out the files you need by running this command.

When you run the cipher command by itself, it returns the encryption state of the current directory and the files it contains. Use cipher /e:<filename> to encrypt a file, cipher /c:<filename> to retrieve information about encrypted files, and cipher /d:<filename> to decrypt the selected file. Most of these commands are redundant with the Windows encryption tool BitLocker.

3. File Compare

File compare command as seen in Windows command prompt.

You can use this command to identify differences in text between two files. It’s particularly useful for writers and programmers trying to find small changes between two versions of a file. Simply type fc and then the directory path and file name of the two files you want to compare.

You can also extend the command in several ways. Typing /b compares only binary output, /c disregards the case of text in the comparison, and /l only compares ASCII text.

So, for example, you could use the following:

fc /l "C:\Program Files (x86)\example1.doc" "C:\Program Files (x86)\example2.doc"

The above command compares ASCII text in two Word documents.

4. Ipconfig

Ipconfig command in Windows command prompt window.

This command relays the IP address that your computer is currently using. However, if you’re behind a router (like most computers today), you’ll instead receive the local network address of the router.

Still, ipconfig is useful because of its extensions. ipconfig /release followed by ipconfig /renew can force your Windows PC into asking for a new IP address, which is useful if your computer claims one isn’t available. You can also use ipconfig /flushdns to refresh your DNS address. These commands are great if the Windows network troubleshooter chokes, which does happen on occasion.

5. Netstat

Netstat command run on Windows.

Entering the command netstat -an will provide you with a list of currently open ports and related IP addresses. This command will also tell you what state the port is in; listening, established, or closed.

This is a great command for when you’re trying to troubleshoot devices connected to your PC or when you fear a Trojan infected your system and you’re trying to locate a malicious connection.

6. Ping

Ping command prompt window.

Sometimes, you need to know whether packets are making it to a specific networked device. That’s where ping comes in handy.

Typing ping followed by an IP address or web domain will send a series of test packets to the specified address. If they arrive and are returned, you know the device is capable of communicating with your PC; if it fails, you know that there’s something blocking communication between the device and your computer. This can help you decide if the root of the issue is an improper configuration or a failure of network hardware.

7. PathPing

Windows command prompt with PathPing command.

This is a more advanced version of ping that’s useful if there are multiple routers between your PC and the device you’re testing. Like ping, you use this command by typing pathping followed by the IP address, but unlike ping, pathping also relays some information about the route the test packets take.

8. Tracert

Screenshot of Tracert command in Windows command prompt.

The tracert command is similar to pathping. Once again, type tracert followed by the IP address or domain you’d like to trace. You’ll receive information about each step in the route between your PC and the target. Unlike pathping, however, tracert also tracks how much time (in milliseconds) each hop between servers or devices takes.

9. Powercfg

Powercfg command on Windows 10.

Powercfg is a very powerful command for managing and tracking how your computer uses energy. You can use the command powercfg hibernate on and powercfg hibernate off to manage hibernation, and you can also use the command powercfg /a to view the power-saving states currently available on your PC.

Another useful command is powercfg /devicequery s1_supported, which displays a list of devices on your computer that support connected standby. When enabled, you can use these devices to bring your computer out of standby, even remotely.

You can enable this by selecting the device in Device Manager, opening its properties, going to the Power Management tab, and then checking the Allow this device to wake the computer box.

Powercfg /lastwake will show you what device last woke your PC from a sleep state. You can use this command to troubleshoot your PC if it seems to wake from sleep at random.

Powercfg energy command in Administrator command prompt on Windows 10.

You can use the powercfg /energy command to build a detailed power consumption report for your PC. The report saves to the directory indicated after the command finishes.

This report will let you know of any system faults that might increase power consumption, like devices blocking certain sleep modes, or poorly configured to respond to your power management settings.

Windows 8 added powercfg /batteryreport, which provides a detailed analysis of battery use, if applicable. Normally output to your Windows user directory, the report provides details about the time and length of charge and discharge cycles, lifetime average battery life, and estimated battery capacity.

10. Shutdown

Shutdown command on Windows 10.

Windows 8 introduced the shutdown command that, you guessed it, shuts down your computer.

This is, of course, redundant with the already easily accessed shutdown button, but what’s not redundant is the shutdown /r /o command, which restarts your PC and launches the Advanced Start Options menu, which is where you can access Safe Mode and Windows recovery utilities. This is useful if you want to restart your computer for troubleshooting purposes.

11. System File Checker

System File Checker sfc command options available on Windows 10.

System File Checker is an automatic scan and repair tool that focuses on Windows system files.

You will need to run the command prompt with administrator privileges and enter the command sfc /scannow. If SFC finds any corrupt or missing files, it will automatically replace them using cached copies kept by Windows for this purpose alone. The command can require a half-hour to run on older notebooks.

12. Tasklist

Tasklist command as shown in Windows command prompt window.

You can use the tasklist command to provide a current list of all tasks running on your PC. Though somewhat redundant with Task Manager, the command may sometimes find tasks hidden from view in that utility.

There’s also a wide range of modifiers. Tasklist -svc shows services related to each task, use tasklist -v to obtain more detail on each task, and tasklist -m will locate DLL files associated with active tasks. These commands are useful for advanced troubleshooting.

Our reader Eric noted that you can “get the name of the executable associated with the particular process ID you’re interested in.” The command for that operation is tasklist | find [process id].

13. Taskkill

Taskkill command options available on Windows 10.

Tasks that appear in the tasklist command will have an executable and process ID (a four- or five-digit number) associated with them. You can force stop a program using taskkill -im followed by the executable’s name, or taskkill -pid followed by the process ID. Again, this is a bit redundant with Task Manager, but you can use it to kill otherwise unresponsive or hidden programs.

14. Chkdsk

Running a chkdsk command to initiate a scan on Windows 10.

Windows automatically marks your drive for a diagnostic chkdsk scan when symptoms indicate that a local drive has bad sectors, lost clusters, or other logical or physical errors.

If you suspect your hard drive is failing, you can manually initiate a scan. The most basic command is chkdsk c:, which will immediately scan the C: drive, without a need to restart the computer. If you add parameters like /f, /r, /x, or /b, such as in chkdsk /f /r /x /b c:, chkdsk will also fix errors, recover data, dismount the drive, or clear the list of bad sectors, respectively. These actions require a reboot, as they can only run with Windows powered down.

If you see chkdsk run at startup, let it do its thing. If it gets stuck, however, refer to our chkdsk troubleshooting article.

15. schtasks

Scheduling tasks using the Windows schtasks command prompt command.

Schtasks is your command prompt access to the Task Scheduler, one of many underrated Windows administrative tools. While you can use the GUI to manage your scheduled tasks, the command prompt lets you copy and paste complex commands to set up multiple similar tasks without having to click through various options. Ultimately, it’s much easier to use, once you’ve committed key parameters to memory.

For example, you could schedule your computer to reboot at 11pm every Friday:

schtasks /create /sc weekly /d FRI /tn "auto reboot computer weekly" /st 23:00 /tr "shutdown -r -f -t 10"

To complement your weekly reboot, you could schedule tasks to launch specific programs on startup:

schtasks /create /sc onstart /tn "launch Chrome on startup" /tr "C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe"

To duplicate the above command for different programs, just copy, paste, and modify it as needed.

16. Format

Windows Command Prompt showing the format command with various parameters.

When you need to format a drive, you can either use the Windows File Explorer GUI or you can turn to the command prompt. You’ll need Administrator rights to use this command. Be sure you specify the volume you want to format, followed by the desired parameters.

The command below will quick-format the D drive with the exFAT file system, with an allocation unit size of 2048 bytes, and rename the volume to “label” (without the quotes).

format D: /Q /FS:exFAT /A:2048 /V:label

You can also use this command to dismount a volume (/X) or, if it’s formatted with NTFS, make file compression the default setting (/R). If you’re stuck, use format /? to summon help.

17. prompt

The prompt command in action in the Windows command prompt.

Would you like to customize your command prompt to include instructions or certain information? With the prompt command, you can!

Try this one:

prompt Your wish is my command: 

You can add the current time, date, drive and path, Windows version number, and so much more.

prompt $t on $d at $p using $v: 

Type “prompt” to reset your command prompt to default settings or just restart the command prompt. Unfortunately, these settings aren’t permanent.

18. cls

Cluttered up your command prompt window trying out all the commands above? There’s one last command you need to know to clean it all up again.

cls

That’s all. Bet Marie Kondo didn’t know that one.

19. Systeminfo

Systeminfo command as seen on Windows 10.

This command will give you a detailed configuration overview of your computer. The list covers your operating system and hardware. For example, you can look up the original Windows installation date, the last boot time, your BIOS version, total and available memory, installed hotfixes, network card configurations, and more.

Use systeminfo /s followed by the hostname of a computer on your local network, to remotely grab the information for that system. This may require additional syntax elements for the domain, user name, and password, like this:

systeminfo /s [host_name] /u [domain]\[user_name] /p [user_password]

20. Driverquery

Windows command prompt showing driverquery command.

Drivers remain among the most important software installed on a PC. Improperly configured, missing, or old Windows drivers can cause all sorts of trouble, so it’s good to have access to a list of drivers on your PC.

That’s exactly what the driverquery command does. You can extend it to driverquery -v to obtain more information, including the directory in which the driver is installed. Unfortunately, this command isn’t relevant post Windows 8 or Windows Server 2012.

Windows 8 Only: Recovery Image

Virtually all Windows 8/8.1 computers ship from the factory with a recovery image, but the image may include bloatware you’d rather not have re-installed. Once you’ve uninstalled the software you can create a new image using the recimg command. Entering this command presents a very detailed explanation of how to use it.

You must have administrator privileges to use the recimg command, and you can only access the custom recovery image you create via the Windows 8 refresh feature.

In Windows 10, system recovery has changed. Windows 10 systems don’t come with a recovery partition, which makes it more important than ever to back up your data.

Source: 20 Windows Command Prompt (CMD) Commands You Must Know

TrustedSec | Kiosk/POS Breakout Keys in Windows

There is an old axiom that goes something like “If an enemy has physical access to your box, it is no longer your box”. With enough time, and barring well-implemented cryptography, someone will get to the data on the system eventually. This axiom definitely applies to public kiosks and in some cases point of sale systems (also known as POS, Point Of Interaction, electronic registers, etc.) depending on how much you trust your employees.

The captive kiosk/POS software is normally meant to only allow users to do a set number of tasks and to limit the data that is viewable. If someone can freely look around the hard drive, all sorts of things that an attacker might find useful can be found, like autologon credentials, private data, backend connection strings, etc. Opening the case and pulling the drive, or even just booting from your own media, can of course get around the shell-level software protections of POS/kiosk software. That said, sometimes an attacker will not have time to dismantle a machine and take its hard drive since it would look too suspicious, or the system may need to stay powered on. To that end, I decided to collect and note common Windows keyboard shortcuts you can use to bypass, escape, or kill kiosk/POS software and get at the data goodies.

https://www.youtube.com/watch?v=5BPbqnG-Kus

If you don’t have any Kiosk/POS software around to test against, I recommend setting up Internet Explorer in kiosk mode using the -k option:

iexplore -k https://www.trustedsec.com

To save space, I will continue to refer back to three basic methods of escaping a captive shell like you will encounter on POS systems:

Method 1: Get Task Manager (taskmgr.exe) up and use the File -> New Task (Run…) menu item to run the program you want.

Method 2: Bring up Windows Explorer (if it happens to be an Internet Explorer window, just type C:\ in the URL bar), then find an EXE you want to run (C:\Windows\System32\ is a good place to look for CMD.exe, Explorer.exe, Taskmgr.exe, regedt32.exe, etc.) and double-click it.

Method 3: This method uses the fact that by default, if you can get to a File Save/Open dialog, you can right-click an EXE, then select Open from the right-click drop-down menu (do not click Open or Save on the dialog window itself or you may corrupt a file, only on the menu that comes up from right-clicking). You may have to set the File Name input box to *.* or *.EXE and hit Enter to see the files you want to Right Click -> Open and run. You could also click somewhere in the file selection pane and hit CTRL+N to make a new Explorer window so you don’t have to Right Click -> Open. If you can’t right-click, try CTRL+Left Click as a substitute, or dragging an EXE onto cmd.exe to make it run.

With no further ado, here is my list. If you know more, please contact me. Some of the title descriptions are copied from Microsoft’s knowledge base article http://support.microsoft.com/kb/126449

ALT+F4: Quit program
Killing POS/Kiosk software may drop you to the normal desktop. I believe this only works if HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell has not been set to run something other than Explorer as the shell.

ALT+SPACE: System Menu
Displays the main window’s System menu as if you clicked on the icon in the top left of the window. Minimizing or resizing may let you get at what is behind the POS/Kiosk window.

ALT+TAB: Switch between open programs
The current window may not have a way to escape, but if other software is running in the background you may find an escape there.

CTRL+ALT+DEL: Task Manager or Windows Security Screen
Brings up a dialog on which one option is to start Task Manager. From there use File -> New Task (Run…) (Method 1).

CTRL+B: Open Bookmarks Menu
From here you may be able to right-click, open, and get an Explorer menu (Method 2).

CTRL+ESC: Opens Start menu
From the Start menu you may be able to get to someplace else, assuming Explorer is even running as the shell.

CTRL+F4: Closes the current Multiple Document Interface (MDI) window
This way, you may see what is behind the main window.

CTRL+P: May bring up print dialog
From here, you can click the “Find Printer” button, go to help, and break out via the File menu or Right Click “View Source”. You could also right-click on an installed printer and view its help (Method 3, and see the F1 section below).

CTRL+SHIFT+ESC: Opens Windows Task Manager
Much like CTRL+ALT+DEL, but skips the step of clicking Task Manager on the security screen. See Method 1.

CTRL+Tab: May close current window or tab
This way, you may see what is behind the main window.

CTRL+Windows Key+F: Find computer
Brings up an Explorer dialog you can break out of via Method 2.

F1: Starts Windows Help
“Microsoft Windows Help” classic Windows help has a File Open menu. “Microsoft HTML Help” based windows might have the option to right-click and view source on the selected help. Either way, use Method 3.

F3: May bring up Windows search
Another potential Explorer window to escape from.

SHIFT five times: Toggles Sticky Keys on and off
On newer versions of Windows, this brings you a few clicks away from a help dialog and escape (Method 3). Even if you can’t get to a Help dialog, this feature is still useful. If all you have is remote access, it can be hard to send the proper keystrokes without your host OS interpreting them first. This accessibility feature in Windows allows Sticky Keys (Ctrl, Alt, Shift, Windows Logo) to be pressed once, but have the OS consider the key to be held down. This makes it easier to make some of the other keystroke combinations listed in this article without your host system interpreting the keystrokes first.

For example, if you want to try to type CTRL+SHIFT+ESC, your host OS will likely interpret it first, not sending it to your remote session. However, if you hit SHIFT 5 times real fast, the Sticky Keys popup should show up on both your host OS and in your remote session. Enable Sticky Keys on the remote OS by hitting the OK/Yes button (wording depends on Windows version) on the remote OS but Cancel/No on the host OS. You can then type CTRL (release key), SHIFT (release key), and finally ESC (release key) to have the same effect as CTRL+SHIFT+ESC on the remote system without the host system interpreting the combination first. Another option for remote testers is On Screen Keyboard (osk.exe), but not all keyboard shortcuts work with it.

SHIFT+RIGHT CLICK: Open Command Prompt Here
Only for Vista and newer unless the registry has been modified. Lets you right-click in a folder, on the Desktop, or even a File Open/Save dialog and launch a command prompt using the “Open command window here” option in the drop-down.

Windows Logo+Break (AKA: Pause): System Properties dialog box
From here use Method 2.

Windows Logo+D: Minimizes all open windows and displays the desktop
This way, you may see what is behind the main window.

Windows Logo+E: Windows Explorer
Method 2 in a nutshell.

Windows Logo+F1: Windows OS Help
This is the Windows help, not the application’s. Use Method 3.

Windows Logo+R: Run dialog box
Run what you want.

Windows Logo+T: Select active application on taskbar
Sort of like ALT+TAB, you may see what is behind the main window this way.

Windows Logo+U: Accessibility Utility Manager
Lets you fire up On Screen Keyboard (and other utilities like screen magnifier and narrator), from which you can bring up a help dialog, then break out via Right Click -> View Source, then use Notepad to find an EXE, right-click it and Open (Method 3). You can also use “About” links on each of the apps to fire up a web browser, then use it as an Explorer window to find an EXE you want to run via Method 1.

Windows Logo: Start menu
From the Start menu, you can run what you want.

If you have a Microsoft keyboard and the IntelliType software installed, you may be able to break out using a help dialog or an Explorer window with these keys:

Windows Logo+P: Starts Print Manager
Windows Logo+C: Opens Control Panel
Windows Logo+V: Starts Clipboard
Windows Logo+K: Opens Keyboard Properties dialog box
Windows Logo+I: Opens Mouse Properties dialog box
Windows Logo+A: Starts Accessibility Options (if installed)
Windows Logo+SPACEBAR: Displays the list of Microsoft IntelliType shortcut keys

That’s it for now. If you know more shortcuts/ways to escape kiosk and POS software, please contact me. In a future article I may give a list of recommendations for Windows settings to disable keys. For now, here are some Registry keys to be aware of when locking down a system, in the form of a REG file:

Windows Registry Editor Version 5.00

;Not for the keyboard, but keeps people from using Right Click->Open (does not stop drag and drop)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001

;Disable Task Manager via CTRL+SHIFT+ESC and CTRL+ALT+DEL
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

;Disable most Windows Key functions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWinKeys"=dword:00000001

;Disable Windows key, as NoWinKeys gets some but not all
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5B,E0,00,00,5C,E0,00,00,00,00

The above is by no means a complete list, and many items may be dependent on the shell you use. Look into the “Scancode Map” one especially, as you can remap or disable any key you like. Keymapper (http://justkeepswimming.net/keymapper/) from Stuart Dunkeld is especially useful for figuring out the codes to use with “Scancode Map”.

If you want to find out more about bypassing captive shells, POS systems or kiosks, here are some other good articles on the subject:

If you have a captive web browser you want to escape out of and have access to type in a URL, check out iKat: http://ikat.ha.cked.net

Paul Craig’s talk from Defcon 16 is a good resource: https://www.youtube.com/watch?v=DSu8z3vrfcY

My article focused on keyboard input; for something more general, check out Scott Sutherland’s article on breaking out of Kiosks: https://www.netspi.com/blog/entryid/180/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks

If you are interested in hacking POS hardware, see Mick Douglas’ “Pwning the POS!” talk from Notacon 11: http://www.irongeek.com/i.php?page=videos/notacon11/pwning-the-pos-mick-douglas

Thanks to some fine folks on Twitter for suggestions and avenues of research: @huliosstudio @Securithid @sambowne @ZeroCoolRanch @DELICIOUSKEK @ThemsonMester @fjhackett
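To check what a “Scancode Map” value such as the one in the REG file above actually disables, the binary layout can be decoded: two zero DWORDs, a DWORD entry count that includes the terminator, then 4-byte entries holding the target scancode followed by the source scancode, ending in a null entry. The following is an added example, not part of the original article; the function names and the short key-name table are assumptions made for illustration.

```python
import struct

# The value from the REG file above.
PAGE_VALUE = "hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5B,E0,00,00,5C,E0,00,00,00,00"

# Small illustrative subset of set 1 scancodes (0xE0 prefix in the high byte).
KEY_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001D: "Left Ctrl", 0x0038: "Left Alt",
    0x003A: "Caps Lock", 0x003B: "F1", 0x003E: "F4",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt",
    0xE05B: "Left Windows", 0xE05C: "Right Windows", 0xE05D: "Application",
}


def parse_reg_hex(text):
    """Turn REG-file 'hex:aa,bb,...' text (line continuations allowed) into bytes."""
    body = "".join(text.split()).replace("\\", "")
    if body.lower().startswith("hex:"):
        body = body[4:]
    return bytes(int(part, 16) for part in body.split(",") if part)


def decode_scancode_map(raw):
    """Return [(source_scancode, target_scancode), ...]; target 0 means disabled."""
    if len(raw) < 16:
        raise ValueError("too short for header, count and terminator")
    version, flags, count = struct.unpack_from("<III", raw, 0)
    if version or flags:
        raise ValueError("header DWORDs must be zero")
    if count < 1 or len(raw) != 12 + 4 * count:
        raise ValueError("entry count does not match the data length")
    entries = [struct.unpack_from("<HH", raw, 12 + 4 * i) for i in range(count)]
    if entries[-1] != (0, 0):
        raise ValueError("missing null terminator entry")
    # Each entry is stored as (target, source); report it as (source, target).
    return [(source, target) for target, source in entries[:-1]]


def describe(mappings):
    """Human-readable summary, one line per mapping."""
    def name(code):
        return KEY_NAMES.get(code, "scancode 0x%04X" % code)
    return [name(src) + (": disabled" if dst == 0 else ": remapped to " + name(dst))
            for src, dst in mappings]


def build_scancode_map(disabled):
    """Build the REG 'hex:' text that disables each source scancode given."""
    entries = [(0, source) for source in disabled] + [(0, 0)]
    raw = struct.pack("<III", 0, 0, len(entries))
    raw += b"".join(struct.pack("<HH", target, source) for target, source in entries)
    return "hex:" + ",".join("%02X" % byte for byte in raw)


if __name__ == "__main__":
    for line in describe(decode_scancode_map(parse_reg_hex(PAGE_VALUE))):
        print(line)
```

Decoding the deployed value on a locked-down image and comparing it with the intended list confirms that the count, byte order and terminator are right before relying on it.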

Source: TrustedSec | Kiosk/POS Breakout Keys in Windows
