So there I was, installing Windows on my nephews computer for the umpteenth time and I thought to myself : what if I do it correctly this time and see how long it will last. Usually I had just thrown windows on it, updated it, installed the bare essentials and thrown it back to the wolves. This time I was going all in I thought, doing all the standard BOFH (Bastard Operator From Hell) things; revoking his admin privileges, enabling remote access, automatic updates and so much more. The biggest pro being that without him having admin privileges he/or whoever is using his computer can’t stop the antivirus from running hopefully preventing his computer from getting bloated with bunch of crap. This will most assuredly result in him bothering me more (to type in the administrator password) but in the long run I think it’s for the better.

Since his user would not have admin privileges I needed to have a seperate administrative user account on the computer, and since he would probably dislike having multiple users on the welcome screen I needed a way to prevent the admin user from being shown on the login screen window. The (only?) method I found that did not involve going back to interactive login/windows 2000-esque login box (where you type the username and password) was editing the registry and setting the user to be hidden as special (if you are not familiar with the registry I advise you to tread lightly and reevaluate your need to hide a user with this method, messing with the registry is entirely at your own risk). So to begin we need to open Regedit, go to Start -> Run : regedit and browse to

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

From there create a new key called “SpecialAccounts”, select it and create another key called “UserList” . Now you should have a path like this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Now with UserList selected create a dword attribute named after your admin username and set the value to 0,  change the value to 1 if you want to show the user again. Now the user is “special” and thus hidden from the welcome screen.

However (this is important so read on!),  this method has a slight downside. The user is now “hidden” from the UAC prompt as well, in other words if a UAC prompt comes up and this is the only administrative user on the machine there will be NO user and password fields in the UAC prompt effectively rendering it useless and you without elevated privileges. If you accidentally closed regedit and logged out and find yourself now without a working UAC prompt for your limited user do not panic, there are many ways to revert the changes. I will list 3 of them, the last one being the one I went with.

Method A) This works if you have enabled remote desktop access on the machine,  if you try to connect to the locked out computer via remote desktop from another computer you have to type in the username/password before you connect and as such you can login with your administrative user.  Once logged in you can open regedit and change the dword attribute to 1 to disable the changes.

Method B) As the limited user go to Start -> Run and type in “runas /u:admin cmd” where admin is the name of your admin user.  This will open a command prompt with your privileges and you can type regedit to open the registry and you should be greeted with a yes/no UAC prompt that does not need a user/pass combination.  Now you can navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList and change the dword attribute for your administrative user to 1 and everything should be as it was.

Method C) I edited the permission for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList key and added the limited user with full control. This will make it so that the limited user can edit any attributes under that key, then I created two registry files that change the dword attribute effectively hiding or showing the admin user. Since the limited user has full control to the key there will be no UAC prompt and the hassle of the Method A won’t be needed.  Now when I need my user I just run show.reg file and do my business and when I’m done I run the hide.reg file. Simple. The contents of my 2 reg files are below.

show.reg :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
“admin”=dword:00000001

hide.reg :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
“admin”=dword:00000000

Tagged with:
 

One Response to How to hide users from the welcome screen (windows 7)

  1. Thanks a lot for this post! You really got me out of a jam. I had accidentally disabled the only admin account, and Method C worked perfectly.