How do I suppress the CapsLock warning on password edit controls?

One of the features added to version 6 of the shell common controls is a warning balloon that appears if CapsLock is on in a password control. Let's demonstrate. Take the scratch program, add a manifest that requests version 6 of the common controls (perhaps by using a Visual C++ extension), and add the following:

OnCreate(HWND hwnd, LPCREATESTRUCT lpcs)
    g_hwndChild = CreateWindow(TEXT("edit"), NULL,
            ES_PASSWORD | WS_CHILD | WS_VISIBLE, 0, 0,
            0, 0, hwnd, NULL, g_hinst, 0);
    if (!g_hwndChild) return FALSE;

    return TRUE;

Run this program and hit the CapsLock key. The warning balloon should appear. (If it doesn't, then your manifest is probably not working.)

Suppose you want to suppress this warning balloon. Why? I don't know. Maybe you want to confuse your user. Maybe you think it looks ugly. Whatever the reason, you can suppress the balloon by subclassing the edit control and swallowing the EM_SHOWBALLOONTIP message.

WNDPROC g_wpEdit;

                                  WPARAM wParam, LPARAM lParam)
  switch (uMsg) {
  return CallWindowProc(g_wpEdit, hwnd, uMsg, wParam, lParam);

OnCreate(HWND hwnd, LPCREATESTRUCT lpcs)
    g_hwndChild = CreateWindow(TEXT("edit"), NULL,
            ES_PASSWORD | WS_CHILD | WS_VISIBLE, 0, 0,
            0, 0, hwnd, NULL, g_hinst, 0);
    if (!g_hwndChild) return FALSE;

    g_wpEdit = SubclassWindow(g_hwndChild, NoBalloonWndProc);

    return TRUE;

When you run this modified program, you'll see that the balloon tip no longer appears because the subclass procedure intercepts all the balloon tips before the default edit control window procedure can see them.

[Raymond is currently away; this message was pre-recorded.]

Comments (25)
  1. Mark Steward says:

    Ignore that, any new balloons should be opt-in…

  2. John says:

    Only do this if you are an idiot.

  3. Pierre B. says:

    There is a legitimate use for this: some system don’t differentiate between lower-case and upper-case for passwords, mainly as a usability gesture for exactly this same reason.

    (And, the system has to work on all Windows revisions or on all OS, so they couldn’t rely on the balloon to help users.)

  4. There are segments of society that live with their Caps Lock key permanently on.

    I used to get email from some of them.

    But anyway, I could imagine a front end GUI to a system that only accepted numeric passwords (so you could call in from your phone, say).  The warning would be superfluous for such a GUI.

  5. AsmGuru62 says:

    All characters are allowed in password – Windows simply friendly reminding that password entered MAY not be a right one.

    Also, SubclassWindow macro only subclasses this box and not all boxes in the system.

  6. George Jansen says:

    @James Schwend: Oracle database passwords are case-insensitive. I don’t think that with the installed base they’re going to switch over to case-sensitive any time soon.

  7. Personally I think that Ballon Tooltips for password fields is the coolest feature ever added to Windows.  Why someone would need to be insane to disable such an amazing feature!  Whoever thought up that UI feature must be a genius. ;)

  8. Duke of New York says:

    [There are segments of society that live with their Caps Lock key permanently on. I used to get email from some of them.]

    Yeah, they’re called "parents."

  9. Ike says:

    AsmGuru62 – "Also, SubclassWindow macro only subclasses this box and not all boxes in the system."

    Correct, and I have a hard time understanding how people could think otherwise and express that thought without thinking again. They obviously have no experience in Win32-programming.

  10. Mark Steward says:

    Only do this if you definitely want to suppress all balloons.  Otherwise Windows 7 might add an extra IME balloon, which you’ll swallow against the will of the user.  And then we’ll have *another* workaround to deal with.

  11. SuperKoko says:

    @James Schend: What about credit card numbers?

    That seems to be a legitimate use of ES_PASSWORD.

  12. James Schend says:

    Pierre: Those systems are broken, and should be fixed. If they don’t allow lowercase/uppercase characters in password, they probably also don’t allow punctuation and most likely also have a really short maximum password length (like 8 chars.)

    I hate those programs, because, gasp, I actually *want* to use strong passwords. They should let me.

  13. Angus says:

    The balloon I *really* want to suppress is the "You can continue to work while I download your update" one. I know that, I don’t need to be reminder for every update. Now, can I have a checkbox that says "don’t show this dialog again?"

  14. Shinobu says:

    I think that the control should convert all characters to uppercase when the balloon gets swallowed. The only good reason to disable the balloon is because your passwords are case insensitive. If you don’t remove the case information when the balloon is swallowed, some programmer somewhere will create a case-sensitive password box without warning balloon, yielding frustrated users whose passwords don’t work because they didn’t get warned about their capslock as expected.

  15. Dean says:

    Shinobu: How would the control know it’s been subclassed to prevent the balloon showing up?

  16. Ens says:

    Even if it could tell it was subclassed, I wouldn’t want it.  What if the password itself you’re entering is lowercase or mixed-case?  Generally I don’t like when changing one little thing changes a bunch of seemingly unrelated styles (see also:  the way that the button style on tab controls changes the way that keyboard focus works — I would have thought it was just a visual change).  And anyway, that’s got poor localization.  Some languages have multiple lowercase letters that map to a single uppercase letter.  Making them unconditionally uppercase would reduce the security of such passwords (lowercase-only has similar difficulties).

    Maybe the programmer has some other affordance for caps lock — a status bar or something else.  Maybe even their own custom balloon tip that’s themed to fit their app (having decided that, for whatever reason, the standard Windows style guidelines do not apply to them — maybe they want to add a "do not show me again" checkbox to the tooltip like mentioned above).  Maybe it’s just part of one of those strange shareware minigames (in which case it probably falls under Raymond’s "perhaps you want to confuse your user").  Maybe the shift key is broken and you don’t want to clue anybody looking over the shoulder into what characters are capitals because you can afford programmer time but not a new keyboard.  Hmm…I’m having trouble stretching further than that.

  17. steveg says:

    How about some jackass user doing UAT complains about your application behaving differently and refuses to sign the cheque? I’ve seen that before (with other things), and had to code around it despite protesting "but that’s standard behaviour".

  18. manicmarc says:

    I could quite see myself omitting the balloon tip for the word "CAPS" next to the text box being shown, as the balloon tip is quite distracting, and too long-winded for what it needs to communicate.

  19. Steve D says:

    What I want to know is why the option to cancel Caps Lock by pressing shift is no longer available.  Am I the only one who likes caps lock to be disabled whenever a shift key is pressed?

  20. Dean Harding says:

    Steve D: On Vista, go to Control Panel -> Regional and Language Options, then on the Keyboards and Languages tab, click the "Change keyboards…" button. Then, on the Advanced Key Settings tab, under "To turn off Caps Lock" check "Press the SHIFT key".

    It’s pretty buried and non-intuitive, but the option is there. I’m pretty sure it was always off by default, as well…

  21. Wound says:

    But what if I have a password where I WANT everything to be in caps? For a time I did, and hitting caps lock as the first and last key strokes was effectively part of my password. It would disguise what I was typing from anyone watching, but the giant balloon gave away the secret, besides being utterly annoying.

  22. Curious Observer says:

    @Wound-Most keyboards I’ve seen have a LED indicator that lights up when you press CAPS. How did you get around that? If someone really wanted your password that wouldn’t be too difficult to notice. I guess there is always tape. :-)

  23. JM says:

    I answered this question once in the same way, but I added that you probably don’t want to do this even if your system uses case-insensitive passwords. It’s just a good idea to drill it into users that passwords are case-sensitive, and just because you’ve got one of those 70s holodover systems where they’re not doesn’t mean that suppressing the message is a good idea. Just pretend passwords *are* case-sensitive; if enough people believe it and act like it you’ve got a better chance of making it a reality some day.

  24. Worf says:

    @Curious Observer: That LED is software controlled – it in no way indicates the true status of caps lock – just what software believes it to be.

    There is software out there that lets you blink whatever you want on those LEDs…

  25. Larry Lard says:

    I don’t even want to *think* about what happens to case-insensitive-password systems in Turkey.

Comments are closed.

Skip to main content