Preventing Programs from Running

  • From: "Registry Answers" <regtips@xxxxxxxxxx>
  • To: "Registry Answers" <regtips@xxxxxxxxxxxxx>
  • Date: Sun, 1 Aug 2004 13:51:57 -0400

Registry Answers 
August 1, 2004 - Issue 10

Registry Answers assumes a basic understanding of the Registry. If you do not 
feel confident working in the registry or would like to learn it from the 
ground up in plain English, then I recommend the ebook, Registry for Newbies.
http://newbieclub.com/rfncopy/?vic

For other Windows tips, subscribe to Wintips&Tricks
Most recent issue which will be sent out to new subscribers till release of 
next issue is:
Disabling Services - Windows XP
//www.freelists.org/webpage/wintips

For computer magazines, see here for the most popular.
http://www.angelfire.com/va3/wintips/pcmags.html


I also write for ABC and TechTrax where you may see expanded html versions of 
select Registry Answers and Wintips&Tricks articles, as well as
other articles not included in the newsletters.

Most recent articles are video related and written with the newbie in mind.

Splitting an AVI file with VirtualDub
http://personal-computer-tutor.com/abc4/v37/vic37a.htm

Splitting an MPEG video file using TMPGEnc
http://personal-computer-tutor.com/abc4/v37/vic37b.htm


Preventing Programs from Running

by Vic Ferri

Question: Is there any way with the registry that I can prevent programs from 
running?  
I would like to be able to prevent users from running programs like Internet 
Explorer and Outlook Express and if possible the option
to control other programs can be run too.  I am using Windows XP and it is my 
computer - I am administrator.


Answer:  Yes, with a little registry editing you can prevent, with some 
limitations, any executable from running when double clicked.
We can do this by creating a DisallowRun entry for the specific programs you 
wish to disable. This works in Windows Me, 2000 and XP.
A related value is RestrictRun, which lets you specify the programs you 
wish to allow and which works in all versions of Windows, from 95 and up.
It is very important to note the difference between these two values. With 
RestrictRun, the applications you specify are
the only ones ALLOWED to run, whereas with DisallowRun, the applications 
specified are the ones NOT ALLOWED to run.
The RestrictRun value is the riskier of the two if applied incorrectly. Any 
application NOT listed will be restricted - including access to the registry!

You should also be aware that these two values are sometimes used maliciously 
by hackers and in trojans, worms or viruses.  So, if you ever find that you 
cannot run a certain application, it would be worth checking for the existence 
of those two values in your registry.


DisallowRun  - Windows ME, 2000 and XP


Specifying the programs you wish to disable.

Click Start>Run, type regedit, click Ok and make your way to this Policy key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

In the right hand pane of the Policies key, create a new DWORD value and name 
it DisallowRun. Double click it and give it a value of 1.

Next, go to the Explorer subkey 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Right click the Explorer key and choose New>Key.
Name it DisallowRun


Now it's time to specify the applications you wish to deny access to.

In the right hand pane for the new DisallowRun key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

create a String value for each program you wish to disable. Name the string 
values with simple descriptive names to identify the programs you are blocking. 
For example, OE for Outlook Express and IE for Internet Explorer.

Note that it makes no difference what you name the String value and, contrary 
to what you might have read elsewhere, you do not have
to name the values with consecutive numbers.

Then double click each string value you created and enter the name of the 
actual exe you wish to disable.
Examples:
For Outlook Express it would be msimn.exe
For Internet Explorer it would be iexplore.exe
For Microsoft Word it would be winword.exe
For Notepad it would be notepad.exe

Exit the registry and reboot to make sure the changes take effect.
Now when anyone double clicks one of the programs you restricted, an error 
message will result stating something like
"due to restrictions placed on this computer, this action has been cancelled" 

As for limitations, this only prevents the running of programs that are 
started by explorer.exe.
It does not prevent running the program in DOS (via cmd.exe) or from other 
processes.
It will, however, prevent access to the program if someone tries to run it from 
the Start>Run box.

****

RestrictRun - Windows 95 and up

Run only allowed applications

As already mentioned, with RestrictRun, you specify the programs you wish to 
ALLOW. If nothing is specified, nothing needing Windows explorer
to start will run - including regedit!  This value requires more thinking since 
you have to list every single program you wish to keep enabled.

Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right hand pane, create a new DWORD value named RestrictRun and set the 
value to 1 to enable the policy you will be making.

Next create a subkey under the Explorer key and name it RestrictRun, as well.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun


Now you're ready to add the programs you wish to allow.
In the right hand pane, create a new string value for each program you wish to 
enable.
Name the string whatever you prefer and then double click it and enter the name 
of the exe.
(the same method used for the DisallowRun value)
Make sure to include regedit.exe or else you will be blocked out of the 
registry!

Reboot to make sure the changes take effect. If you come across any non 
working programs that you didn't mean to restrict,
just go back to the registry to add the program to your RestrictRun list.



NOTES:
1. The RestrictRun value takes precedence over the DisallowRun value. If both 
values exist and are enabled (set to 1), the DisallowRun
entries will be ignored.

2. In Windows 2000 and XP Pro, both methods described in this article can also 
be implemented by using the Group Policy Editor.
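
The check suggested earlier (looking for these two values when a program will not run), combined with the precedence rule in note 1 and the regedit.exe warning, as an added example that is not part of the original newsletter. It reads the text of a .reg export of the Policies key rather than the live registry; the sample export is constructed, the function names are hypothetical, and the enabling DWORD is accepted under either Policies or Policies\Explorer because the article uses both locations.

```python
import re

# Constructed sample: text of a .reg export of the HKCU Policies tree.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"OE"="msimn.exe"
"IE"="iexplore.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"Word"="winword.exe"
"Notepad"="notepad.exe"
'''

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies".lower()

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name.lower()] = int(dword, 16) if dword else string.lower()
    return keys

def audit(text):
    """Report which policy is in effect, its program list, and any warnings."""
    keys = parse_reg(text)
    def enabled(policy):  # enabling DWORD may sit under Policies or Policies\Explorer
        return any(keys.get(k, {}).get(policy) == 1 for k in (BASE, BASE + r"\explorer"))
    def programs(policy):  # exe names listed in the policy's subkey
        return sorted(keys.get(BASE + "\\explorer\\" + policy, {}).values())
    report = {"effective": None, "programs": [], "warnings": []}
    if enabled("restrictrun"):  # RestrictRun takes precedence (note 1)
        report["effective"], report["programs"] = "RestrictRun", programs("restrictrun")
        if "regedit.exe" not in report["programs"]:
            report["warnings"].append("regedit.exe is not in the allow list")
        if enabled("disallowrun"):
            report["warnings"].append("DisallowRun entries are ignored")
    elif enabled("disallowrun"):
        report["effective"], report["programs"] = "DisallowRun", programs("disallowrun")
    return report
```

Calling audit(SAMPLE_EXPORT) on the constructed export reports RestrictRun as the effective policy and warns that regedit.exe is missing from the allow list.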

***

If you have any feedback, questions or tips you would like to have considered 
for submission, email them to:
regtips@xxxxxxxxxx?Subject=feedback

You can show your support for these newsletters by ordering your inkjet 
cartridges from this page
http://www.personal-computer-tutor.com/printersupplies.htm
Look for complete satisfaction guarantee - refund or replacement.
Most popular recently are Mr.InkMan, All You Can Ink and FreeCartridges

Thanks for your support!

vic

Wintips&Tricks
//www.freelists.org/webpage/wintips

Yahoo Support group
http://groups.yahoo.com/group/WinTips-Tricks/

Registry Answers
//www.freelists.org/webpage/regtips

ABC
http://www.personal-computer-tutor.com/abc/

TechTrax
http://pubs.logicalexpressions.com/Pub0009/LPMIssue.asp?ISI=0
