In Windows CE you can restrict the functionality of your device by enabling something called the 'admin policy restrictions'.

to enable it, delete the key 'Redirect' from 'HKEY_LOCAL_MACHINE\ControlPanel\AdminPassword'

this key controls what is restricted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Shell
"NoRunDlg"=dword:00000001
"NoAutoRun"=dword:00000001
"NoRapiRegMod"=dword:00000001
"NoExternalExes"=dword:00000001
"AdminActive"=dword:00000001
"AdminInfo"=hex(3):27,f0,63,b2,62,f2,24,df,07,e7,8a,99,f2,5b,f4,74
"Restriction"=dword:00000001
"ActivePeriod"=dword:0000003C

or under [HKEY_LOCAL_MACHINE\Security\Policies\Shell] for pocketpc 2003.

note: somehow the 'NoExternalExes' value was left out of this registry key on ppc2003, so the admin policy has no effect there. by adding this value yourself, you can make the admin policy work on ppc2003.

a few examples:

password    md5 hashed password
a.000000    27,f0,63,b2,62,f2,24,df,07,e7,8a,99,f2,5b,f4,74
b.000000    6f,6f,e9,cf,6a,63,bb,a9,d6,ff,bd,cf,cc,ca,c0,96

ossvcs.dll function 90 is what does the encoding.

so does this:

	perl -MDigest::MD5=md5_hex -e "print md5_hex(pack('v*', unpack('C*','a.000000'), 0))"

it is the md5 hash of the unicode (utf-16le) string including its terminating zero.
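
an added example, not part of the original notes and not microsoft code: a small python audit of an exported policy listing that flags the ppc2003 case from the note above (missing 'NoExternalExes') and builds an AdminInfo value the way the perl one-liner does. the function names are hypothetical, and treating all six dword flags as required to be 1 is an assumption taken from the listing.

```python
import hashlib
import re

# Values the page lists as dword 1; requiring all six is an assumption.
REQUIRED = ("NoRunDlg", "NoAutoRun", "NoRapiRegMod", "NoExternalExes",
            "AdminActive", "Restriction")
LINE_RE = re.compile(r'\s*"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})'
                     r'|hex\(3\):((?:[0-9A-Fa-f]{2},?)*))\s*$')

def admin_info(password):
    """MD5 over the UTF-16LE password plus its terminating zero (per the page)."""
    return hashlib.md5(password.encode("utf-16-le") + b"\x00\x00").digest()

def to_reg_hex(data):
    """Render bytes in the hex(3): form used in the page's listing."""
    return "hex(3):" + ",".join(f"{b:02x}" for b in data)

def parse_values(reg_text):
    """Parse "name"=dword:... and "name"=hex(3):... lines into a dict."""
    values = {}
    for line in reg_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # key names, blank lines and anything malformed are skipped
        name, dword, raw = m.groups()
        if dword is not None:
            values[name] = int(dword, 16)
        else:
            values[name] = bytes.fromhex(raw.replace(",", ""))
    return values

def audit(reg_text):
    """Return findings; an empty list means every listed restriction is set."""
    values = parse_values(reg_text)
    findings = []
    for name in REQUIRED:
        if name not in values:
            findings.append(f"{name}: missing")
        elif values[name] != 1:
            findings.append(f"{name}: is {values[name]!r}, expected 1")
    info = values.get("AdminInfo")
    if not isinstance(info, bytes) or len(info) != 16:
        findings.append("AdminInfo: not a 16-byte MD5 value")
    return findings

# Constructed sample: the page's listing without NoExternalExes (the ppc2003 case).
PPC2003 = "\n".join([
    '"NoRunDlg"=dword:00000001', '"NoAutoRun"=dword:00000001',
    '"NoRapiRegMod"=dword:00000001', '"AdminActive"=dword:00000001',
    '"AdminInfo"=' + to_reg_hex(admin_info("a.000000")),
    '"Restriction"=dword:00000001', '"ActivePeriod"=dword:0000003C'])
```

audit(PPC2003) reports the missing value; appending a '"NoExternalExes"=dword:00000001' line clears the finding. to_reg_hex(admin_info(...)) gives a value in the same form as the AdminInfo line in the listing, for comparison.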

how is it implemented

looking at where the string 'NoExternalExes' is referenced:
ossvcs.dll ordinal 29
called from cefobj.dll ceshell.dll cplmain.cpl rapisrv.exe shell32.exe
ossvcs.dll ordinal 91
called from cplmain.cpl
ossvcs.dll ordinal 117
called from syscsps.dll
coresecproviders.dll
referenced from the registry.