Enforce a maximum interactive Windows session length for compliance — Curfew warns each user as the limit nears, then forces a clean sign-out. Its companion tray app quietly snapshots every open window and restores your desktop at next login, so the policy costs no lost work.
Curfew automatically signs users out after a maximum session length you define — the exact control your auditors look for under NIST SP 800-171 (3.1.11), NIST 800-53 (AC-12), and CMMC Level 2. It warns each person before the deadline, can't be turned off by end users, and logs every action for your audit trail. A clean, supportable replacement for fragile homegrown logoff scripts.
Forced sign-outs usually mean reopening everything by hand. Curfew quietly remembers each person's open windows, apps, and documents, and puts the desktop back exactly as it was at next login. You get the compliance posture without the productivity hit — or the support calls that come with it.
Capabilities
One per-seat license covers both halves of the solution: automatic, tamper-proof enforcement that satisfies your session-termination control, and seamless session recovery that keeps your people productive. Deployed centrally, managed by policy, and built to pass an audit.
Signs users out once they hit a maximum session length you set — the real AC-12 / 3.1.11 session-termination control, not just an idle screen lock. Every active session's age is tracked accurately, even across disconnects and reconnects.
EnforcementUsers get a heads-up on a schedule you choose (e.g. 30, 15, 5, 1 minutes out). You control
the popup title and message — with a live countdown — and can preview the exact wording with one click
before it ever reaches a desktop.
Ships in a log-only mode that records exactly who would be signed out — straight to the Windows Event Log — without ending anyone's session. Switch to enforcement once you've confirmed the policy behaves on your fleet.
EnforcementRuns as a protected system service that standard users can't stop, disable, or reconfigure. Settings are password-protected, and Group Policy always wins — so the policy you set centrally is the policy that sticks.
EnforcementRemembers each person's open windows — which apps, where they sat, and their size and state. After a sign-out they pick a recovery point and their workspace is rebuilt exactly as they left it.
RecoveryGoes beyond window positions: reopens the actual Office documents and files people had open, brings
back browser tabs, and reconnects .rdp Remote Desktop sessions — nothing to dig back up
by hand.
Each recovery point includes a thumbnail of every monitor, so users can see exactly what their desktop looked like at that moment and choose what to bring back.
Recovery · v1.1Everything stays on the endpoint — encrypted at rest and keyed to the Windows user, with no cloud, network calls, or telemetry. Capturing file paths is optional, and history auto-expires on a retention schedule you set — useful wherever CUI is in scope.
SecurityA per-machine service plus a lightweight per-user app, managed entirely by Group Policy or registry — no extra runtimes to package. Hidden from end users' Add/Remove list, with removal locked behind an admin code.
Deployment
Authenticated interactive sessions shouldn't linger and go stale. Curfew enforces
automatic session termination after an organization-defined maximum length — the real,
auditable NIST control, distinct from inactivity session lock (NIST 3.1.10 / AC-11). Policy is
delivered by GPO/ADMX, MSI, or registry, and a Group Policy under …\Policies\Curfew always
overrides local values. Everything is written to the Windows Event Log for your audit trail.
App preview
A native Windows experience that stays out of the way. From the system tray, users see a clear countdown to sign-out and can recover their last session in a couple of clicks. On the right, the recovery window — pick a recovery point, review what was open, and bring the desktop back. No training required.
System-tray menu (left- or right-click)
A live countdown shows time left before sign-out. The Curfew section (admin password-protected) holds the policy settings; the Session Snapshot section is where users recover their work.
Off = more private: records window layout only, no file paths.
%LOCALAPPDATA%\Curfew
Enforces a maximum interactive Windows session length — it warns as the limit
nears, then forces a sign-out at the limit. A clean, deployable replacement for the
legacy GPO "NIST auto-logoff" (a hidden scheduled task plus loose System32 scripts).
Curfew Enterprise pairs the session-limit service with an all-users tray app: the service ends the session at the limit; the tray app restores the user's windows on next sign-in and triggers a final snapshot right before logoff.
PollSeconds it enumerates interactive sessions and computes each session's
age from LSA logon-session data — accurate and
locale-independent (no quser text parsing).WTSSendMessage);
at the limit it (optionally snapshots via the tray app, then) signs the session out
(WTSLogoffSession).Curfew).Policy key HKLM\SOFTWARE\Policies\Curfew overrides local
HKLM\SOFTWARE\Curfew. Keys include LimitMinutes (default 1440),
WarnOffsetsMinutes (30,15,5,1), Mode
(DryRun / Enforce), PollSeconds,
ExcludeUsers, and TriggerReinstate. Tray changes are applied by the
service after PBKDF2 password verification — the tray never writes these keys directly.
winsqlite3.dll (both present
on a stock install) — no external dependencies, no NuGet, no .NET SDK.Illustrative preview of the Windows app — sample recovery point, window list, and countdown shown for reference.
Release notes
The visible face of Curfew Enterprise. Selected highlights from the changelog.
Earlier releases added the tabbed main window, named manual snapshots, the vertical tray banner, command-line & Office-document capture, MMC/Explorer restore fixes, and the distinct "C" tray icon. See the full CHANGELOG.