2013-12-12

Top 3 ways to disable high contrast and accessibility features in Windows 7

BEFORE FOLLOWING THIS GUIDE, make sure your users don't actually need this feature. High-contrast mode is very useful for some people. If you disable it for them, they will be pissed (I noticed several visitors got mad at me for writing this tutorial).

Working as a system administrator (among other roles) in an international school, we've got a lot of computers to manage here and kids never miss a chance to mess up with them. The latest trend is to enable high-contrast mode, basically making the computer turn black and white along with a bunch of other fluorescent colors. I don't need to remind you how annoying this is and why a more permanent solution needs to be found for this problem. Tip: you can quickly enable or disable high contrast mode by pressing Left Alt+Left Shift+Print Screen.

In this article, I am providing three different ways to permanently disable high-contrast mode. All have their pros and their cons, feel free to try each of them and let me know how this goes. A brief summary:
1. Disabling accessibility settings via GPO
2. Permanently removing access to "Utilman.exe" (accessibility tools)
3. Deleting or disabling high-contrast theme files so that they can't be enabled at all

Before going for any of these solutions, I strongly recommend that you ensure that your students weren't actually using high-contrast mode for legitimate reasons. These accessibility settings exist for a reason; you don't want to disable them if they're actually useful to someone!

Fix 1: Disabing accessibility settings via GPO

The safest solution is to deploy proper settings via GPO (Group Policy Objects). This is actually a pretty long and complex process if you aren't a big fan of GPOs, so I'll link you to a detailed article by Pete Long:  Disable High Contrast with Group Policy and disable Accessibility Options with Group Policy. Let me elaborate a bit with what I think are the pros and cons of this solution.
Pros:

  • This is the proper way to do it and it will resist system updates
  • There's probably no way kids or anyone will be able to bypass this
  • Automated deployment provided you're on a Active Directory domain
Cons:
  • Requires your computers to be on an Active Directory domain managed via Windows Server 2008 (or above)
  • Relatively complex to achieve, thankfully the tutorial makes it easier
Note that the article also provides a registry fix that will disable accessibility settings, but remember that they're per-user settings, so if a new profile is created on the computer, it will have be able to access these settings again. If all of the above doesn't work out for you, take a look at the two solutions below. Much easier to achieve, but definitely not as clean.

Fix 2: Permanently removing access to "Utilman.exe"

Desperate times call for desperate measures! If you don't have a proper way to deploy GPOs, try this instead. First, let me explain: what is "Utilman.exe"? It is the application that is launched when you click the accessibility button on the logon screen:


Since there isn't a proper option to hide this button altogether from the logon screen, we're going to have to disable the "Utilman.exe" file. It is located in C:\Windows\system32. If you attempt to delete it, you'll notice that you don't have permissions to do so, and can't even change the file security settings. That's because the owner of the file is "TrustedInstaller", a system account. Here is how you should proceed:
  1. Right-click the file and select "Properties"
  2. In the "Security" tab, click "Advanced"
  3. In the "Owner" tab, click "Edit..."
  4. Select your user account as file owner, and then close all these windows
  5. Right-click the file again and select "Properties", go to "Security" and "Advanced" again
  6. Change file permissions to give yourself full control over the file
Once that is done, you can rename the file, delete it or do whatever you want with it. When someone clicks the accessibility button from the logon screen, nothing will happen at all (not even an error message). There are of course pros and cons, be aware of them before you attempt this.
Pros:
  • Easy to achieve
  • Relatively fool proof
Cons:
  • The file might come back if a system file scan and repair is launched, or through a system update
  • Might not go down too well with overly nervous anti-virus software
  • Due to file ownership and permissions, this can't really be deployed automatically on multiple computers (at least I wouldn't know how to)

Fix 3: deleting high-contrast themes from the computer

Finally, if none of the above solutions prove to be efficient for you, there's also the option to delete high-contrast theme files from the computer. The themes will no longer be available to be enabled with the key combination, or through the accessibility settings, or even via the Theme selection control panel applet.
The files are located in: C:\windows\resources\Ease of access themes. Similar to the Utilman fix, it requires you to take ownership of the files before you can do anything with them.
  1. Right-click the "Ease of access themes" folder and select "Properties"
  2. In the "Security" tab, click "Advanced"
  3. In the "Owner" tab, click "Edit..."
  4. Select your user account as file owner, make sure to tick the box "Replace owner on subcontainers and objects", and then close all these windows
  5. Right-click the folder again and select "Properties", go to "Security" and "Advanced" again
  6. Change file permissions to give yourself full control over the folder and its sub-elements
Once that is done, you can merely delete the high-contrast theme files. The themes won't be available anywhere after that. Here's what I think the pros and cons are.
Pros:
  • Easy to achieve
  • Relatively fool-proof
  • Doesn't disable all accessibility settings, some of the other settings might actually be useful (this could also be listed as a 'con' though)
  • The files will probably not come back through a system update or a file system scan
Cons:
  • Again, deployment issues; I don't think this can be deployed automatically via a script or anything
Personally I've opted for fix 2 and 3 during the preparation of the system image that will be deployed to all computers at the beginning of the year. But if needs be, I may also have to resort to fix 1 in the future.

Search This Blog