
'Admin policy' broken on WM2003!


Peter Poelman
23rd December 2003, 06:27 PM
'Admin Policy' is a little-known feature of Microsoft PocketPC that was built mainly for security-aware corporate customers. It allows one to lock a PocketPC device in a mode that no longer displays a 'run' dialog, disallows the addition of external programs via ActiveSync or through Internet Explorer, disallows renaming of files to .exe and disallows remote changes to the registry through 'RapiRegMod'.

To be able to play with 'Admin Policy', on most PPCs one has to rename the registry value 'Redirect' in the registry at '\HKLM\Controlpanel\AdminPassword' to something else. Then go to 'Settings' / 'System' and look for the 'Policy' applet.

To enter the 'Secure Mode' the user has to enter a password, and the same password needs to be entered if the user is to leave again. The unicode representation of this password (0x0000 appended) is hashed using MD5 and placed in the binary value 'AdminInfo' in '\HKLM\Security\Policies\Shell' (on WM2003) or '\HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Shell' (on PPC2002).

However, they forgot to move the DWORD value 'NoExternalExes' (set to one when the Admin Policy is on) from the old to the new spot in the registry, and so the whole system just doesn't work on WM2003: you can still move binaries to the device and run them.

It still claims it works: it says:

Once enabled, users will not be able to download new programs via Pocket Internet Explorer, ActiveSync, or beaming to their mobile device. Users will not be able to rename programs to enable them to start on the device.

But that's Not True (tm) until you manually add the 'NoExternalExes' value.


This has been a public service announcement from XDA-developers.com.
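The post describes two things an administrator can verify: how the 'AdminInfo' hash is derived (MD5 over the UTF-16LE password with a 0x0000 terminator) and which registry values must be present for 'Secure Mode' to actually block external programs. The script below is an added example, not code from the post or from Microsoft; it reproduces the hash derivation and runs an audit over a constructed registry snapshot (a plain dict of key path to value name to data, which is an assumption made for this example rather than a real RAPI or registry API) so that a device whose 'AdminInfo' is set but whose 'NoExternalExes' DWORD is missing under the WM2003 key is flagged as not enforced.

```python
import hashlib

# Registry locations named in the post: the key the Policy applet writes
# 'AdminInfo' to on each platform. 'NoExternalExes' must be set to 1 under
# the same key for Secure Mode to have any effect.
POLICY_KEY = {
    "WM2003": r"\HKLM\Security\Policies\Shell",
    "PPC2002": r"\HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Shell",
}


def compute_admin_info(password: str) -> bytes:
    """Derive the 16-byte 'AdminInfo' value as the post describes it:
    MD5 of the UTF-16LE password followed by a 0x0000 terminator."""
    data = password.encode("utf-16-le") + b"\x00\x00"
    return hashlib.md5(data).digest()


def audit_policy(registry: dict, platform: str) -> list:
    """Return a list of findings describing why Secure Mode is not enforced.
    An empty list means AdminInfo and NoExternalExes are both in place.

    `registry` is a constructed snapshot: {key_path: {value_name: data}}.
    """
    findings = []
    key = POLICY_KEY[platform]
    values = registry.get(key, {})

    if "AdminInfo" not in values:
        findings.append(f"AdminInfo not set under {key}: Secure Mode is not enabled")
        return findings  # nothing else to check if the policy was never enabled

    if len(values["AdminInfo"]) != 16:
        findings.append("AdminInfo has unexpected length (expected a 16-byte MD5 digest)")

    # This is the gap the post reports on WM2003: the applet stores the hash
    # but the DWORD that actually blocks external executables is absent.
    if values.get("NoExternalExes") != 1:
        findings.append(
            f"NoExternalExes missing or not 1 under {key}: external programs still run"
        )
    return findings


# Constructed snapshots for demonstration (sample data, not captured from a device).
BROKEN_WM2003 = {
    r"\HKLM\Controlpanel\AdminPassword": {"Redirect_renamed": ""},  # applet made visible
    r"\HKLM\Security\Policies\Shell": {"AdminInfo": compute_admin_info("example")},
}

FIXED_WM2003 = {
    r"\HKLM\Security\Policies\Shell": {
        "AdminInfo": compute_admin_info("example"),
        "NoExternalExes": 1,  # value added manually, as the post recommends
    },
}

if __name__ == "__main__":
    for name, snapshot in (("broken", BROKEN_WM2003), ("fixed", FIXED_WM2003)):
        print(name, audit_policy(snapshot, "WM2003") or "enforced")
```

Running the block prints one finding for the broken snapshot (NoExternalExes absent) and "enforced" for the fixed one; the same audit applied to a PPC2002 snapshot uses the HKCU key from the table.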