Removing Screen Resolution and Personalize shell extensions from a user's desktop session.

While working in a XenApp 6 proof of concept I came across this little feature and decided it's time to share it!

When a user right-clicks on the desktop, by default they get access to commands to manipulate the appearance of the desktop. As I restricted access to the control panel, the two options below were generating errors in the users' sessions:

The error generated is your standard group policy restrictions error message as below:

While digging into this further I found the following registry key that corresponds to the two prompts we see above.

HKEY_CLASSES_ROOT\DesktopBackground

Under this key, you can see both entries that appear on the shell extension menu;

The problem with this key is that it's owned by the TrustedInstaller account, and by default administrators cannot modify it. To modify this key and hide this menu from users (but maintain it for administrators) please follow the steps below.

Please note, any hotfixes from Microsoft may remove your hard work, so be prepared to redo this work if Microsoft decide to work with this key in future.

  1. Take a backup of this key, you’ll thank me if you get it wrong!
  2. Browse down to DesktopBackground\Shell\Display
  3. Right-click this key, choose Permissions, click Advanced, then Owner.
  4. Select Administrators from the list, then choose “Apply”.
  5. Browse to the Permissions tab and remove the “Users” group.
  6. Click “Apply”, then “OK”.
  7. The “Screen resolution” menu should now disappear from any current and future sessions.
  8. Repeat steps 2 to 8 on DesktopBackground\Shell\Personalize.
  9. Tada! Go grab a coffee to celebrate your domination over the Windows operating system.

And that’s it, you should now have a lean, clean and error-free shell extension menu when right-clicking on the desktop.

Pedantic, begrudging scripter's note:

Now if you’re a pedantic scripting so-and-so like me, you won't be satisfied to leave this job as a manual task. Despite spending more time than I’d like to admit, I couldn’t perform this work in PowerShell, whatever I tried. Luckily the task was extremely easy to do with Helge Klein's SetACL program.

Below is an example of a script to achieve this:

setacl.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn setprot -op "dacl:p_nc;sacl:p_nc" -rec yes

SetACL.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn ace -ace "n:system;p:read" -ace "n:administrators;p:read" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl" -rec yes
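
Because a Microsoft hotfix may reset these keys, as warned above, a read-only audit is useful after each patch cycle to confirm the Users group is still absent from both keys. The following PowerShell is an added example, not part of the original post; the function name Get-ShellKeyAclState is hypothetical, and it assumes the keys live under HKLM\SOFTWARE\Classes as in the SetACL commands and that it is run from an elevated session.

```powershell
# Added example: read-only audit of the two context-menu keys from this post.
# It changes nothing; it only reports the owner and any Users entry on each key.
$subKeys = 'DesktopBackground\Shell\Display', 'DesktopBackground\Shell\Personalize'

# Well-known SIDs, so the check does not depend on localized group names.
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-ShellKeyAclState {
    param([Parameter(Mandatory = $true)][string]$SubKey)

    # Same hive the SetACL commands target (HKCR is a merged view of it).
    $path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$SubKey"
    if (-not (Test-Path -Path $path)) {
        return New-Object PSObject -Property @{ Key = $SubKey; State = 'KeyMissing' }
    }

    $acl   = Get-Acl -Path $path
    $owner = $acl.GetOwner($sidType).Value

    # Look at explicit and inherited ACEs: an inherited Users entry counts too.
    $usersAllow = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and $_.AccessControlType -eq 'Allow'
    })

    $state = 'UsersRemoved'
    if ($usersAllow.Count -gt 0) { $state = 'UsersPresent' }

    New-Object PSObject -Property @{
        Key            = $SubKey
        State          = $state
        OwnerSid       = $owner
        OwnerIsAdmins  = ($owner -eq $adminsSid)
        InheritanceOff = $acl.AreAccessRulesProtected
        UsersRights    = ($usersAllow | ForEach-Object { $_.RegistryRights }) -join '; '
    }
}

$report = $subKeys | ForEach-Object { Get-ShellKeyAclState -SubKey $_ }
$report | Format-Table Key, State, OwnerIsAdmins, InheritanceOff, UsersRights -AutoSize

# Anything other than 'UsersRemoved' means the change needs to be reapplied.
$report | Where-Object { $_.State -ne 'UsersRemoved' } | ForEach-Object {
    Write-Warning ("{0}: {1}" -f $_.Key, $_.State)
}
```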


11 Comments About “Removing Screen Resolution and Personalize shell extensions from a user's desktop session.”

  1. Pingback: Take ownership of a registry key in PowerShell

  2. Bruce

    The first setacl.exe command you list here is giving me an error, suggesting -op needs a parameter? I am using the 64-bit 2.0.3.0 version. After some searching I think I found the parameter we need: -op "dacl:p_c;sacl:p_c"

    1. Bruce

      You know what... you do have that there but I don’t see it on the page. I see it in the page's HTML code though. I cannot even copy and paste that line. Weird!

      -op dacl:p_nc;sacl:p_nc -rec yes

  3. Pingback: Removing Screen Resolution and Personalize shell extensions from a users desktop session. « Thincomputing.net

  4. Pingback: Removing users access to “Devices and Printers” in a Server 2008 R2 / Win 7 Environment. « AndrewMorgan.ie

  5. Yahoo Serious

    A REALLY pedantic scripter would not use any 3rd party tool, but stick with the tools the OS provides:

    With WScript.CreateObject("ADsSecurityUtility")
    Set objSD = .GetSecurityDescriptor("", ADS_PATH_REGISTRY, ADS_SD_FORMAT_IID)
    End With
