windows embedded standard 2009...

i

Windows Embedded Standard 2009

Not for resale.

Certification Exam PreparationPreparation Kit

CTSMExam 70-577

Automation

ii Table of Contents

Contents at a Glance

1 Creating and Customizing the Configuration

2 Managing the Development Environment

3 Integrating Embedded Enabling Features

4 Creating Components

5 Generating and Deploying an Image

6 Adding Windows Functionality

177

Chapter 6

Adding Windows Functionality

Microsoft® Windows® Embedded Standard 2009 enables you to add to the run-timeimage custom functionality that enhances security and the user experience. Forexample, you can customize a client shell to expose selected functionality of thedevice. You can also enable remote administration on your device, add multiplelanguages, and add multiple user accounts.

Exam objectives in this chapter:

■ Create a custom shell component

■ Configure multiple user accounts

■ Configure security

■ Add support for multiple languages

■ Add support for remote administration

Before You BeginTo complete the lessons in this chapter you need the following:

■ Windows Embedded Studio for Windows Embedded Standard 2009 installed.

■ Completed Chapters 1–5.

178 Chapter 6 Adding Windows Functionality

Lesson 1: Create a Custom Shell ComponentWindows Embedded Standard 2009 provides several shells, such as Explorer shell,Task Manger shell and Command shell. You can extend the functionality they provideby creating a custom shell that reflects your application and OS design functionality.For example, if your device monitors a car’s engine at a service garage, the display mayneed to present gauges that show engine condition and buttons to operate the device.Because the use of embedded devices is so specific, it is preferable that the user not beable to start applications, access the file system or interact in the way they usually dowith regular Windows XP client based computers. You can use a custom shell to limituser access to only specific functionality.

After this lesson, you will be able to:

■ Create a custom shell.

■ Create a component and add it to the component database.

■ Add the necessary components to run it.

Estimated lesson time: 30 minutes.

Shell DetailsA shell is a program that enables a user to access the services that the operatingsystem provides, such as kernel and file system services.

How to Create a Custom ShellCreating a custom shell entails designing and implementing an application. Thisapplication provides a coherent method for the user to access the functional servicesyou want them to use. Start by deciding the functional access you want to offer theuser. Next, decide how the user will view the device and how your device displaysthese functional options to the user. The Win32® API provides you with all the systemcalls you need to access the operating system services, such as file system access,process control, and authorization functions.

Programming ToolsFor best performance and small footprint, use a C compiler and the Win32 API.Although it is possible to use frameworks such as MFC or the .NET framework, youwould have to add the framework components to your configuration if you want touse them, which take up space and increase image size. Keep in mind that C is not a

Lesson 1: Create a Custom Shell Component 179

rapid application development (RAD) tool and requires some programming effort.Practice 1 shows you in detail how to create a simple shell application andcomponent.

Creating a Shell ComponentAfter you create your shell application, create a component to contain it. This willprovide you with a shell component that you can use in Target Designer to add to yourconfiguration. Creating a shell component is very much like creating any component forany application; however, you must associate it with the group of shell components.

The first thing that you have to do when you create the component is to prototype it usingthe Shell Prototype component. In the details pane, enter the Shell Prototype componentin the prototype field. Next, click Advanced. In the Advanced Properties dialog box, clickAdd. In the Extended Property dialog box, provide the following information:

Name: cmiShellPath Format: String Value: Name and path of your shell application.

For the value field use predefined system environment variables, For example:

%SystemRoot%\System32\PrimitiveShell.exe

To add your shell component to a dependency group, in Component Designer, underyour component, right-click Group Memberships and then choose Add GroupMembership. In the Add Component Group Memberships dialog box, expand theDependencies folder, select the Shell group, and then click OK. Next, add your shellcomponent to a category: in Component Designer, under your component, right-clickGroup Memberships and then select Add Group Membership. In the AddComponent Group Memberships dialog box, expand the Categories folder, navigateto Software>System>User Interface>Shells, and then click OK.

Create a directory where you store the executable and manifest files. Create a newrepository and associate it with this directory. Create a package so you can manageyour shell component efficiently, and associate the repository you just created withthe package by adding a group membership to the repository. In the Add RepositoryGroup Memberships dialog box, expand the Packages folder, select the package youjust created, and then click OK. Associate the repository with your component byselecting your component in Component Designer, and in the details pane add yournewly created repository in the Repository field. The last thing you do is associate thecomponent with the package by adding the package to the component groupmembership.


Lesson SummaryThis lesson discusses the possibility of creating your own customized shell. Itdescribes the process of creating a shell component and associating it to the shellgroup of components so that it will display as the user interface on a run-time.

Quick Check1. What is the purpose of a shell in an operating system?

2. Is a shell application different from any other application?

3. What makes an application component into a shell component?

Quick Check Answers

1. The shell provides the user access to kernel and file system services.

2. No, it is a straightforward Windows application. However it needs sufficient privileges to complete tasks that need authorization.

3. The two main aspects that turn a run of the mill application component into a shell component are that it is based on the Shell Prototype component and it is a member of the shell group.

Lesson 2: Configure Multiple User Accounts 181

Lesson 2: Configure Multiple User AccountsWindows Embedded Standard 2009 includes several components for managing useraccount names, groups, and passwords. The first is the Administrator Accountcomponent, which enables you to specify the password for the local Administratoraccount. You can include only one Administrator Account component in yourconfiguration. Next, you can add the User Account component which enables you tospecify the user name, group, and password for a local user account. Your devicemight call for multiple user accounts. For example, your device may need separateaccounts for the operator of the device, and an account for a technician, with separategroups and distinct access privileges.


■ Add an administrator account.

■ Add user accounts.

■ Provide end user access to account management on the device.


Administrator AccountWhen you configure an image in Target Designer and then run a dependency checkbefore you build your configuration, a single Administrator Account component isadded to your configuration if Target Designer’s dependency checking is set tooperate in Auto-resolve mode. This account name is Administrator and the passwordis blank. However, if you want to password-protect this account, you must configurethe Administrator Account component. In the configuration editor, select theAdministrator Account component, and then enter a password string in the Passwordfield in the details pane. Apply strong password rules to the password you enter. Youcannot add another Administrator Account component to your configuration; thisdoes not mean that you cannot add other users with administrator privileges, onlythat an account named Administrator is unique.

Multiple User AccountsThe User Account component enables you to specify the user name, group, andpassword for a local user account. You must use a separate User Account componentfor each user in your configuration. The settings for the User Account componentrequire a user name and password set specifically for it.


Adding a User AccountThe User Account component is the last component displayed in the EmbeddedEnabling Features folder in component browser in Target Designer. In theconfiguration editor, select the User Account component, select Settings, and thenchoose the User Account Properties tab in the details pane. In the Username field,enter a username. In the Password field, specify a password for this user. The defaultis blank. You specify the User Type selection to assign the user to a user group bychecking one of the following radio buttons:

■ Administrator Has complete and unrestricted access to the computer/domain.

■ Power User Can change many system settings and install programs that donot affect Windows system files.

■ User (default) Can operate the computer and save documents, but cannotinstall programs or change system settings.

■ Guest Has the same access as members of the User group by default, exceptfor the Guest account, which is further restricted.

Strong PasswordsWhen you implement a user account strategy, consider the following strong passwordrules:

■ Strong passwords must be at least seven characters long. Because of the waypasswords are encrypted, the most secure passwords are seven or 14 characterslong.

■ Strong passwords should contain characters from each of the following threegroups:

■ Letters (A, B, C)

■ Numerals (0, 1, 2)

■ Symbols (~, !, @)

■ Strong passwords should include at least one symbol character in the secondthrough sixth positions.

■ Strong passwords must be significantly different from prior passwords.

■ Strong passwords must not contain your name or user name.

■ Strong passwords must not be a common word or name.

Lesson 2: Configure Multiple User Accounts 183

Access to User Account SettingsIf you want to enable end user access to the user accounts settings on the targetdevice, you need to add the Users Control Panel component to enable User Accountsin Control Panel.

Lesson SummaryThis lesson deals with user accounts. You can add as many user accounts to theconfiguration as you wish. However, you need to add a user account component foreach user account you add. The Administrator account is added by Target Designer toevery configuration and its password is set to blank, which you can change in theAdministrator Account component settings before you build your image. You cannotadd another Administrator Account component, but you can add other users to theAdministrators group of users. You should consider using the strong password ruleswhen setting user passwords. You have to add extra components to yourconfiguration if your design calls for end user access to user accounts settings in run-time.

Quick Check1. How many Administrator Account components can you add to your configu-

ration?

2. Is there a limit on the user accounts you can add to your configuration?

3. What is a strong password and why use it?

Quick Check Answers

1. Only one, because this is a user account named Administrator, but you can add other users with other user names that are local administrators.

2. No, but you must add a User Account component for each user account you want to add to your configuration.

3. A strong password is one that adheres to guidelines established for strong passwords. Using strong passwords lowers overall risk of a security breach, and the strength of the password determines how many trials an attacker will need to guess a password.


Lesson 3: Configure SecurityWindows Embedded Standard 2009 is a componentized version of the Windows XPProfessional operating system and, as such, supports the same configurable securityoptions. If you search for components in Target Designer using the word security, theresulting components show some of the possible security options. For example, youcan add Local Security Authority Subsystem (LSASS) (Software>System>SystemServ i ces>Base) , Secur i t y She l l Ex tens ions (So f tware>Sys tem>UserInterface>Shells>Windows Shell), IP Security Tools and User Interfaces(Software>System>Networking &Communications>Applications), IP SecurityServices (Software>System>Networking &Communications>Infrastructure), andother components under the Software>System>Security) node.


■ Understand how to secure your operating system.

■ Create security templates.

■ Create a custom security component.

■ Configure your image security.


Available Security Components to Add to Your ConfigurationTo enhance security on your device you can add additional components, such as thefollowing:

■ Enhanced Write Filter (EWF), when used with RAM or RAM REG overlays,removes any threats that might have been downloaded to the system when thesystem is simply powered down. EWF APIs will only run in an administratoraccount, which prevents other users from disabling EWF.

■ Data Execution Prevention (DEP) helps to prevent malicious code fromattacking different memory locations by monitoring memory to see if programsare using system memory safely. You can enable DEP in the HAL component ofyour configuration.

■ NTFS uses the Encryption capability to encrypt files, but at a cost to the systemfootprint.

■ Windows Logon forces authentication of users at logon.

Lesson 3: Configure Security 185

■ If the device is connected to the Internet you should consider adding WindowsFirewall to provide a flexible interface and reporting solution.

■ Add the Internet Explorer® pop-up blocker feature, which prevents maliciousprograms and scripts from being downloaded to the device.

Security management features provide you with the tools to set the security levels ofyour device. These include setting group policies, as well as managing credentials andcertificates.

File System and Local Access Security ComponentsAdding file system security components helps protect local data from unauthorizedaccess. File system security options include encrypting and decrypting local files,authorizing file access with Access Control Lists (ACLs), and protecting system files.These security components include the NTFS file system which provides built in ACLsupport, and Encrypted File System (EFS) which encrypts files or directories with arandomly generated key.

Authentication and Authorization Security ComponentsAuthentication is the process by which the system validates a user's logoninformation. A user's name and password are compared against an authorized list,and if the system detects a match, access is granted to the extent specified in thepermission list for that user. Depending on your device design and functionality, youcan use components such as Digest Authentication Security Package, Windows NTLAN Manager (NTLM), Kerberos, Secure Channel and Smart Card.

Authorization is the right granted to an individual to use the system and the datastored on it. Authorization is typically set up by a system administrator and verified bythe computer based on some form of user identification, such as a code number orpassword. Depending on your device design and functionality you can usecomponents such as ACLs, Group Policy Object and auditing.

The Local Security Authority Subsystem component is required for all authenticationcomponents and ACL authorization.

Network Security ComponentsYou add network security components to your configuration to help protect yourdevice from external infringement. Network security components, such as InternetProtocol Security (IPSec) and Secure Socket Layer/Transport Layer Security (SSL/


TLS), can enhance security when accessing a device over the network. Secure RPCadds security to COM+, DCOM, and RPC. You should also disable unused ports,disable or remove unused services, such as Simple Network Management Protocol(SNMP), to reduce the risks.

Internet Connection Security ComponentsIf your device is connected to the Internet, you should add the Windows Firewallcomponent to protect system ports from external access. Add the Web Folderscomponent to encrypt files across a shared network for encrypted file systems. AddHTTPS to provide Secure Socket Layer/Transport Layer Security (SSL/TLS)encryption security. You must add the following components to add HTTPS: WininetLibrary, Local Security Authority Subsystem (LSASS), Primitive: Secur32, Primitive:Crypt32, Primitive: Cryptdll, Primitive: Netapi32, and Netlogon/NetJoin.

Secure API ComponentsAdd secure API components to your configuration if you include applications that callsecurity methods, such as those for cryptography and the Security Support ProviderInterface (SSPI). Crypto API functions are called for encoding and decoding fromAbstract Syntax Notation One (ASN.1), encrypting and decrypting data, andauthentication using digital certificates. SSPI functions are called for credentialmanagement, context management, message support, and package management.

Configuring Security on Your Run-Time ImageYou can manage auditing policies, user rights, event logging, and other security-related activities using security templates. You create a custom security template foryour run-time image by using Windows XP Professional or Windows Vista®, settingthe template defaults, and exporting the template to an .inf file.

Security TemplatesSecurity templates are text-based files that contain security settings for all of thesecurity regions that the Security Configuration tool supports. The SecurityConfiguration tool includes the Security Templates Microsoft Management Console(MMC) snap-in, the Security Configuration and Analysis snap-in, the Secedit.execommand-line utility and the Security Settings extension to Group Policy. You cancreate your own custom security template by adding a new template and configuringit. After you make modifications to the security template, you can apply the changes tothe system configuration.


Creating a Custom Security TemplateTo create a custom security template, start by running mmc.exe on a developmentcomputer that is running Windows XP Professional or Windows Vista. SelectFile>Add/Remove Snap-in, click Add, and then select the Security Templates snap-infrom the list. In the MMC main window, under the Console Root node, expand theSecurity Templates node, right-click the root templates folder, and then choose NewTemplate. Type in your desired name for the template and click OK. In the consoletree, expand the node for your new template, expand the Account Policies node, andthen select Password Policy where you can set options such as no expirations foraccount passwords. See Figure 6-1 for a visual depiction of this process. Next, browseto Local Policies, and then select Security Options. The MMC snap-in provides anyarray of settings that you can customize. For information about each setting, see theSecurity Options section of the Windows XP Professional or Windows Vista Helpsystem. After customizing the desired security settings, right-click the root node foryour new template, and then choose Save as and save this as an .inf file to a newdirectory that you designate. You will use it to create a custom security component.

Figure 6-1 Setting account policies


NOTE Windows XP Professional or Windows Vista

The UI of MMC.EXE look and feel slightly different in Windows XP Professional and WindowsVista, but the results are the same.

Creating a Component for the Custom Security TemplateYou can create a component that includes security templates, and apply the templatesthrough an FBA generic command resource that calls the Windows SecurityConfiguration Editor (secedit.exe). Create a new component in Component Designer.Add a new repository and associate it to the folder where you stored the securitytemplate .inf file, and associate the repository to the component. See Figure 6-2 for anew component created for the security template.

Figure 6-2 Creating a new security component


Next, add your custom security template to the component as a file resource. Set thedestination path to the Windows\INF (%17%) directory. Add a componentdependency on the Security Configuration Engine Command Line Utilitycomponent. Last, create a new FBA generic command resource. In the ExtendedProperties box, set the following properties:

■ Arguments /configure /db sectemp.sdb /cfg %17%\SecuritySettings.inf (if thisis the name you saved your security templates file as).

■ FilePath %11%\secedit.exe.

■ Phase 4500.

See Figure 6-3 for the component resource editing tool. One last action before yousave your component is to add group membership to your component. In this case,add the Software:System:Security category, so you can easily find this component incomponent browser.

Figure 6-3 FBA generic command resource editor for the custom security component


Save the .sld file, import it to component database, add it to your configuration, buildyour configuration and run FBA to complete the build. After you deploy your run-timeimage, you can verify that the security template is applied to the system. On yourdevice running your run-time image, open a command prompt, and enter thefollowing command:

secedit /export /db sectemp.sdb /cfg SecTemplate.txt

Open the resulting file (in this example SecTemplate.txt) to view the security settings.

Lesson SummaryThis lesson discusses security capabilities of Windows Embedded Standard 2009.Windows Embedded Standard 2009 offers exactly the same security capabilities thatthe Windows XP client offers, but with some added capabilities provided byembedded enabling features such as EWF. Because Windows Embedded Standard2009 is an embedded operating system that you configure, build, and prepare formass deployment, you can configure security account policies, group policies andother security attributes during the build process. Using security templates andcomponents that contain and initialize them, you can pre-configure the securitypolicies in your image configuration.

Quick Check1. What is a security template?

2. What is an ACL?

3. What are the benefits of custom security policies?

Quick Check Answers

1. A security template is a text-based file that contains security settings for all security regions. It contains hundreds of possible settings that can control a computer through control areas such as user rights, permissions, and pass-word policies.

2. Access Control List. An ACL is a security descriptor attached to all files and directories on an NTFS file system.

3. Custom security policies increase the security of your run-time image. You can create custom security policies to control access to your system.

Lesson 4: Add Support for Multiple Languages 191

Lesson 4: Add Support for Multiple LanguagesWindows Embedded Standard 2009 supports many language packs. TheMultilingual User Interface (MUI) components switch the text and UI elements inWindows to the local language. The MUI components are not the same as thelanguage support components that focus on fonts and code pages. You can havemultiple MUI components in an image. Adding many MUI language components toan image, considerably impacts the time and performance of the build.


■ Create a multilingual version of your configuration.


Adding Multiple Languages Support to Your Run-Time ImageWindows Embedded Standard 2009 includes support for multiple languagesthrough the use of MUI packs. You can localize your device for multiple locales byadding MUI language packs to your run-time image. Each MUI pack must be installedseparately on the component database. Only the English language pack is included inthe component database by default. You can install the MUI packs during initialinstallation or use the Change option of the Windows Embedded Standard 2009setup process to install more language MUI packs.

Configuring a Run-Time Image to Support Multiple MUI Language Packs

A few support components should be included in the image. Add the Explorer Shellcomponent, International Control Panel component and Regional and LanguageOptions component. Then add, for example, the English MUI Resource, JapaneseMUI Resource, Japanese Shell MUI and the Japanese Language Support components.Configure the Regional and Language Options settings in the details pane, and selectthe appropriate settings for each of the following items:

■ User interface language.■ Standards and formats.■ Default input language.■ Default language for non-Unicode programs.■ Geographic location.


Expand the Language Support component of your language choice, and then chooseSettings. Select the default fonts, code page conversion tables, and default keyboardlayouts to use with the language. Check the Support all system locales for yourlanguage and Include Multilanguage user interface resources check boxes in theLanguage Support component settings in the details pane.

Lesson SummaryIn today’s world, you often have to create a multilingual device to cater tomultinational clients. This lesson discusses how to add a multilingual user interfacefor your operating system. You install specific MUI language packs for each languagethat is going to be supported by the operating system. However, adding multiplelanguages to the image increases its size. Because of this footprint issue, you shouldconsider creating multilingual versions of your image that include no more than threelanguage packs at most.

Quick Check1. What is MUI and what is the advantage of using this technology?

Quick Check Answers

1. Multilingual User Interface. The advantage of using MUIs over localized ver-sions is that each user on a computer can use a different language MUI with-out requiring different versions of the software. For example, using MUI technology, any version of Windows can host Windows applications in any other language.

Lesson 5: Add Support for Remote Administration 193

Lesson 5: Add Support for Remote AdministrationEmbedded devices benefit from many remote management capabilities that areavailable for Windows Embedded Standard 2009 designs. These capabilities includeTelnet Server, which is particularly useful for headless devices, Remote Desktop,Windows Management Instrumentation (WMI) and Simple Network ManagementProtocol (SNMP).


■ Describe the different mechanisms available for remote management.

■ Add these various means to your configuration.


Telnet ServerThe Windows Embedded Standard 2009 component database provides a TelnetServer component, which is a gateway for Telnet clients. To configure the settings forthis component you can check the Enable NTLM Authentication check box to specifywhether to use NTLM authentication. You can check the Enable PasswordAuthentication check box to specify whether to use password authentication. Thedefault settings enable both NTLM and password authentication. Select theOperation mode, either Console or Stream. Console mode is useful for runningscreen-oriented programs. Stream mode is useful for running command-lineapplications. Set the Maximum number of connections value to a number rangingfrom 0 to 2147483647, which specifies the maximum number of simultaneousconnections that can exist to the Telnet server. Last, set the Telnet port. The defaultvalue is port 23.

Remote DesktopThe Terminal Services Remote Desktop component provides remote access for thedesktop of a computer that is running Terminal Services. This is a useful feature if thetarget is running without a monitor or if you need to remotely log in and establish a usersession. You need to add the Terminal Server Remote Desktop, Terminal Services CoreManagement Tools, Terminal Services Web Control Extension, and Terminal ServicesWMI Provider components to your configuration in addition to the Terminal ServicesRemote Desktop component for the image to provide this service. You also need to havea user account with a password configured on the device in order to remote into it.


Windows Management InstrumentationWindows Management Instrumentation (WMI) provides management informationand control in an enterprise environment. WMI enables you to query and setinformation on desktop systems, applications, networks, and other enterprisecomponents. Developers can use WMI to create event-monitoring applications thatalert users when important incidents occur. To add this capability to yourconfiguration, add the Windows Management Instrumentation Technologies macrocomponent and configure its settings to match your design.

File Transfer ProtocolThe IIS FTP Server component is used to copy files to and from remote computersystems on a network using Transmission Control Protocol/Internet Protocol (TCP/IP). The service also enables users to use FTP commands to work with files, forexample listing files and directories on the remote system. The FTP service workswith IIS, enabling you to transfer files via a Web Browser.

Simple Network Management ProtocolYou can use the Microsoft Windows implementation of SNMP to configure remotedevices, monitor network performance, audit network usage, and detect networkfaults or inappropriate access.

Remote Management with the Computer Management ToolWindows Embedded Standard 2009 includes the Computer Management tool(Compmgmt.msc) in the Administration Support Tools component. You can use theComputer Management tool to remotely manage a Windows Embedded Standard2009 device. Remote management capabilities can be especially helpful fordebugging applications and services on a remote device.

Lesson SummaryThis lesson discusses the various methods you can employ to manage your deviceremotely. Windows Embedded Standard 2009 provides all the capabilities found inWindows XP operating system. The best way to add various remote managementoptions to your configuration is to add the Enterprise Features macro component.

Lesson 5: Add Support for Remote Administration 195

Quick Check1. What would you add to your configuration if you want to open a command

prompt to your device remotely?

Quick Check Answers

1. You add the Telnet Server component and connect to it as a client.


Lab 6: Creating a Custom Shell and Customizing the ImageIn this lab you practice the features discussed in this chapter. You create a customshell from scratch, create a multilingual operating system, and create a customsecurity component.

Practice 1: Creating a Shell ComponentIn this practice, you will create a component for a custom shell for a simple Windowsapplication called PrimitiveShell.exe, which was built using Visual Studio®. ThePrimitiveShell application is a very simple, three-button application that opens acommand window by clicking on the Command Prompt button, and either shutsdown or restarts the operating system, as shown in Figure 6-4. The application doesnot have an installation utility, but the application has file resources which call intoother Windows files, so a utility called Dependency Walker will be used in thisexercise to find these file dependencies.

Figure 6-4 PrimitiveShell Application

Lab 6: Creating a Custom Shell and Customizing the Image 197

� Create the Shell Application

1. Open a new Win32 C++ application project in Visual Studio 2005 (or 2008).

2. In the main window procedure enter the following code:

LRESULT CALLBACK WndProc(HWND hWnd, UINT message,

WPARAM wParam, LPARAM lParam)

{

int wmId, wmEvent;

PAINTSTRUCT ps;

HDC hdc;

TCHAR MsgBuf[256];

TCHAR szBuf[80];

DWORD dw;

STARTUPINFO strt;

PROCESS_INFORMATION prinfo;

DEVMODE dvmd;

int nTopLeft, nTop;

switch (message)

{

case WM_CREATE:

{

EnumDisplaySettings(NULL, ENUM_CURRENT_SETTINGS, &dvmd);

nTopLeft = dvmd.dmPelsWidth / 2 - 275;

nTop = dvmd.dmPelsHeight / 2 - 75;

CreateWindow(_T("BUTTON"), _T("Command Prompt"),

WS_CHILD | WS_VISIBLE, nTopLeft, nTop, 150, 150, hWnd,

(HMENU)ID_BTN_COMMAND, hInst, NULL);

nTopLeft = nTopLeft + 200;

CreateWindow(_T("BUTTON"), _T("Shutdown"),


(HMENU)ID_BTN_SHUTDOWN, hInst, NULL);

nTopLeft = nTopLeft + 200;

CreateWindow(_T("BUTTON"), _T("Restart"),


(HMENU)ID_BTN_RESTART, hInst, NULL);

SetPrivilege();

break;

case WM_COMMAND:

wmId = LOWORD(wParam);

wmEvent = HIWORD(wParam);

// Parse the menu selections:

switch (wmId)

{

case IDM_ABOUT:

DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);

break;

case IDM_EXIT:

DestroyWindow(hWnd);

break;


case ID_BTN_COMMAND:

{

ZeroMemory(&strt, sizeof(STARTUPINFO));

strt.cb = sizeof(STARTUPINFO);

ZeroMemory(&prinfo, sizeof(PROCESS_INFORMATION));

GetSystemDirectory(MsgBuf, 256);

BOOL bRC = SetCurrentDirectory(MsgBuf);

bRC = CreateProcess(_T("cmd.exe"), _T("/k cd c:\\"),

NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL,

_T("C:\\"), &strt, &prinfo);

if (!bRC)

{

dw = GetLastError();

FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |

FORMAT_MESSAGE_FROM_SYSTEM, NULL,

dw, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),

(LPTSTR) MsgBuf, 0, NULL );

wsprintf(szBuf, _T("%s failed with error %d: %s"),

_T("CreateProcess"), dw, MsgBuf);

}

}

break;

case ID_BTN_SHUTDOWN:

{

//Shut down the system and force all applications to close.

BOOL bRC = InitiateSystemShutdownEx(NULL, NULL, 0, TRUE,

FALSE, SHTDN_REASON_FLAG_PLANNED);

if (!bRC)

{



FORMAT_MESSAGE_FROM_SYSTEM, NULL,

dw,MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),

(LPTSTR) &MsgBuf, 0, NULL );


_T("InitiateSystemShutdownEx"), dw, MsgBuf);

}

}

break;

case ID_BTN_RESTART:

{

// Shut down the system and force all applications to

// close and restart.

BOOL bRC = InitiateSystemShutdownEx(NULL, NULL, 0, TRUE, TRUE,

SHTDN_REASON_FLAG_PLANNED);

if (!bRC)

{



FORMAT_MESSAGE_FROM_SYSTEM, NULL, dw,

MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),


(LPTSTR) &MsgBuf, 0, NULL );


_T("InitiateSystemShutdownEx"), dw, MsgBuf);

}

}

break;

default:

return DefWindowProc(hWnd, message, wParam, lParam);

}

break;}}}

3. Add values for ID_BTN_COMMAND, ID_BTN_SHUTDOWN andID_BTN_RESTART by defining these in the resource.h file of your project. Forexample:

#define ID_BTN_COMMAND 1000

#define ID_BTN_SHUTDOWN 1001

#define ID_BTN_RESTART 1002

4. Add this function to authorize this process to shut down and reset. Note thisfunction has been called from the WM_CREATE block.

bool SetPrivilege(void)

{

HANDLE hToken;

TOKEN_PRIVILEGES tkp;

// Get a token for this process.

if (!OpenProcessToken(GetCurrentProcess(),

TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))

{

return false;

}

// Get the LUID for the shutdown privilege.

LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME,

&tkp.Privileges[0].Luid);

tkp.PrivilegeCount = 1; // one privilege to set

tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// Get the shutdown privilege for this process.

AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,

(PTOKEN_PRIVILEGES)NULL, 0);

if (GetLastError() != ERROR_SUCCESS)

{

return false;

}

}

5. In the project properties make the active configuration Release.


6. Expand the Configuration Properties folder and go to the Manifest Tool>Inputand Output node in the details pane on the right edit the Output Manifest Filefield to contain the following string:

$(TargetPath).manifest

7. Build the application in release mode.

8. After you build you will find under \Projects\PrimitiveShell\release the two filesthat you need to add to your shell component, PrimitiveShel.exe andPrimitiveShel.exe.manifest.

� Create a Directory Structure

1. In Explorer, under C:\WESFILES create a new directory called PrimitiveShell.

2. Under C:\WESFILES\PrimitiveShell create a new directory called Files.

3. Copy the PrimitiveShell.exe application and PrimitiveShel.exe.manifest to theFiles folder.

� To Create a New Component Object

1. Open Component Designer.

2. Create a new .sld file. On the File menu, click New.

3. Save the .sld file as PrimitiveShell.sld to the c:\WESFILES\PrimitiveShell folder.

4. In the new .sld file, expand the Windows XP Embedded Client (x86) platform.

5. Create the new custom shell component. Right-click Components and click AddComponent.

6. Name the component PrimitiveShell.

7. Create a new Repository called PrimitiveShell.

8. Create a new Package called PrimitiveShell.

9. Make the new repository a member of the new package. Under groupmembership for PrimitiveShell, add PrimitiveShell.

10. Make the new component a member of the new package. Under groupmembership for the PrimitiveShell component add PrimitiveShell Package.

11. Under the PrimitiveShell repository, set the source path toC:\WESFILES\PrimitiveShell\Files. The resulting path should be .\Files, if youhave saved the SLD to the C:\WESFILES\PrimitiveShell directory.

12. In the details for the PrimitiveShell component, add PrimitiveShell as therepository.


13. Save the .sld file.

Figure 6-5 Selecting the Shell prototype component

� Fill in the Basic Component Structure

1. Configure the component to be a shell component and set the Prototype field toShell prototype component. Click the Browse button next to Prototype, and thendrill down to Software>System>User Interface>Shells> Windows Shell andselect Shell prototype component. Click OK. See Figure 6-5 for details.

2. You must specify the location of the custom shell executable. This is done bysetting the cmiShellPath extended property.

a. Click the Advanced button at the bottom of the Component Propertiespage.

b. To add an extended property, click Add.

c. Name the extended property cmiShellPath of the format type String withthe value: %Systemroot%\System32\PrimitiveShell.exe.

d. Click OK.


e. Click OK to close the Advanced Properties dialog box.

3. For the custom shell component to be visible in the same location of thedatabase as the other shell components, add a shell group membership to thecomponent.

a. Right-click Group Memberships and select Add Group Membership.

b. Expand Categories, double-click Software, double-click System, double-click User Interface, and select Shells. Click OK. This will place our newcomponent at the Shells level.

Figure 6-6 Adding Shell dependency group

4. To be sure that another shell component is not added to the build when the newshell component is used, create a Shell dependency, so that the dependencycheck will identify a shell component as exclusive.

a. Right-click Group Memberships and select Add Group Membership.


b. Expand Dependencies and select Shell from the list of Dependency groups.You may have to scroll down the list a bit or use Find. See Figure 6-6 formore details.

c. Click OK. This group membership requires the new shell component to beexclusive from other shells.

5. Under the PrimitiveShell component’s File resources, add PrimitiveShell.exe.

6. Change the destination to %11%. This changes the effective path toC:\WINDOWS\system32\PrimitiveShell.exe.

7. Under the PrimitiveShell component’s File resources, add thePrimitiveShell.exe.manifest

8. Change the destination to %11%.

9. Click OK.


� Finding the Resources through Dependency Walker

1. PrimitiveShell opens a command window so we need to add support for this toPrimitiveShell component. Under PrimitiveShell’s Component or GroupDependency, add CMD – Windows Command Processor component.

2. Go to www.dependencywalker.com and download Dependency Walker.

3. Open Dependency Walker.

4. From the file menu select Open, and open the PrimitiveShell.EXE. The analysisof the application begins immediately.

5. The upper left pane tree view lists DLLs on which the application depends.

6. Collapse all tree branches so only the first tier dependencies are displayed.These are the DLLs required to run the PrimitiveShell application. See Figure 6-7 for more details.


Figure 6-7 Dependency Walker

7. Open Component Database Manager, and use the component filter under theComponent tab to search for a component that includes MSVCR80.DLL.

8. If you completed Practice 3 of Chapter 4 you should find this component. Addit to the configuration. To ensure that this component is always included in yourconfiguration, add a component dependency from the PrimitiveShell on it. Thiscomponent is needed because the MSVCR80.DLL has to work side by side withother C runtimes of different versions.


� Importing the SLD File

1. To open Component Database Manager, click Start, point to All Programs, pointto Microsoft Windows Embedded Studio, and then click Component DatabaseManager.

2. In the Database tab, click Import, navigate to the C:\WESFILES\PrimitiveShellfolder on the desktop and select PrimitiveShell.sld.


3. Click Open.

4. Click Import.

5. When the import has successfully completed, close the Import SLD dialog box.

6. Close Component Database Manager.

� Test the Component

1. Open Target Designer.

2. Create a new configuration called PrimitiveShell.slx.

3. Add the platform macro component to the new configuration. Add the followingcomponents:

■ PrimitiveShell.

■ FAT.

■ NTFS.

■ NT Loader.

■ MinLogon.

■ English Language Support.

■ Task Manager.

■ NT Hardware Detect.

■ VC80-CRT component (created in Practice 3 of Chapter 4).

4. On the Configuration menu, click Check Dependencies.

5. Resolve any tasks that occur as a result of Check Dependencies and re-run theCheck Dependencies.

6. Click Close.

7. On the Configuration menu, click Build Target Image, and then click Build.

8. You are prompted to confirm the deletion of all the contents of the folder. ClickYes.

9. Save the configuration, and exit Target Designer.

10. Deploy the image to the target system. Boot the Windows Embedded Standardoperating system. After FBA has completed, the PrimitiveShell should appear.


Practice 2: Creating a Multilingual Operating SystemIn this practice you create a multilingual operating system image that can display theUI either in English or in Japanese. This practice can be applied to any language andJapanese is used as an example only.

� Install the Japanese Language Pack

1. If you have not installed the Japanese MUI language pack, run WindowsEmbedded Standard 2009 setup.

2. Select Install and click on the Change button.

3. Select the Database>MUIs node and expand it.

4. Click the down arrow on the Japanese Language Pack node and select the Entirefeature will be installed on local hard drive menu item, as shown in Figure 6-8.

5. Complete setup.

Figure 6-8 Japanese MUI language pack setup

� Create a Multilingual Configuration

1. Open Target Designer and create a new configuration called MUIOSImage.

2. Add the platform macro component to the new configuration.

3. Add the following components:


1. Runtime Quick Start Helper Macro.

a. English MUI Resource.

b. Japanese MUI Resource.

c. Japanese Shell MUI.

d. Japanese Language Support.

e. International Control Panel.

2. Make sure that Auto-Resolve is enabled and run a dependency check and resolveany errors.

3. In the Regional Language Options component, make sure the User InterfaceLanguage is set for Japanese. See Figure 6-9 for the Japanese example.

Figure 6-9 Regional Language Options: Japanese

� Build the Image and Test It

1. Re-run Check Dependencies again until all errors are resolved.

2. Save the configuration.


3. Build the image and deploy it to the target device.

4. Start the Target system. Explorer shell will appear after FBA completes. Themenus are in Japanese.

5. Go to control panel and you will see all of the applets in Japanese. See the resultsin Figure 6-10.

Figure 6-10 Japanese UI of Windows Embedded Standard MUI image

Practice 3: Create a Custom Security ComponentIn this practice you create a Security template and a component to contain it.

� Create a Security Template

1. To open MMC, click Start on the development command bar, and then selectRun.

2. Type mmc in the Open box, and then choose OK.

3. From the File menu, choose Add/Remove Snap-in. Click Add.


4. In the Add/Remove Snap-in dialog box locate and select Security Templates, then inthe list of available snap-ins, click the Add button, and then click OK. See Figure 6-11.

5. In the MMC main window, under the Console Root node, expand the SecurityTemplates node, right-click the root templates folder, and then choose NewTemplate.

6. Type a name and description for the template, and then click OK. This savesyour template as an .inf file in the Windows\Security\Templates folder.

7. In the console tree, expand the node for your new template, browse to AccountPolicies, and then select Password Policy. Set account passwords to never expire.

8. In the console tree, expand the node for your new template, expand the LocalPolicies node, and then double-click Security Options.

9. The MMC snap-in provides several settings that you can customize. Forinformation about each setting, see the Security Options section of the WindowsXP Professional product Help.

Figure 6-11 Adding Security Templates snap-in


10. After customizing the desired security settings, right-click the root node for yournew template, and then choose Save As.

11. Create a directory CustSec under \WESFILES and save the .inf file to thisdirectory using the name SecuritySettings.inf.

� Create a Component for the Custom Security Template

1. In Component Designer, create a new component and set the appropriate groupmemberships.

2. Add your custom security template to the component as a file resource. Set thedestination path to the Windows\INF (%17%) directory.

3. Add an FBA Generic Command resource to your component. In the ExtendedProperties box, set the following properties (omitting the quotation marks):

Arguments: /configure /db sectemp.sdb /cfg %17%\ SecuritySettings.inf

FilePath: %11%\secedit.exe

Phase: 4500

4. Add a component dependency to the Security Configuration Engine Command-Line Utility component.

5. Create a repository for your custom security template.

6. In the details pane, select the repository you just created for your component,and then save your component.

7. Import the component to the component database.

� Add the Component to Your Configuration

1. Add the security component to your configuration.

2. Build and deploy your run-time image.

3. From a command line, use the secedit command to export the current securitytemplate.

secedit /export /db sectemp.sdb /cfg SecuritySettings.txt

Chapter 6 Review 211

Chapter ReviewIn this final chapter you added Windows functionality such as a custom shell to yourimage. A custom shell is particularly useful for embedded devices because these areoften used for specific tasks. Because of this, you may want to prevent the user fromaccessing operating system objects that may harm your system. You added multipleuser accounts to cater to different user functionality, for example operators andservice persons, because of their different duties. However, having added useraccounts, you had to add security settings such as group policies and user accountpolicies. You added multilingual support to your image so it can operate in many partsof the world with no language support issues. Embedded devices quite often arephysically inaccessible and therefore need remote management.

Windows Embedded Standard 2009 offers all the capabilities that the Windows XPProfessional operating system offers, such as:

■ MUI language packs.

■ Security capabilities.

■ Secure multiple user accounts management.

■ Remote management.

■ Custom shells.

Key TermsDo you know what these key terms mean? You can check your answers by looking upthe terms in the glossary at the end of the book.

■ Custom shell.

■ Security Templates.

■ MUI.

■ WMI.

■ SNMP.

■ Telnet.

■ Remote Desktop.

windows embedded standard 2009...

Documents