Recommended Posts

Hi everyone

Here's the situation - a stand alone laptop (connected to ADSL via a router) with XP Pro SP2, CD/DVD and floppy attached, along with 2 USB 2.0 ports.

I would like to restrict users from accessing the command screen. I know that I can take <Run> from the Start menu and I can set the permissions of cmd.exe so that only Administrators can use it, but what if someone had a copy of cmd.exe on a floppy, CD or USB memory stick? Users need access to USB or floppy so disabling these (along with the CD) is not an option.

Basically, I'd like to prevent limited users from running cmd.exe, *whatever the source* of the file (i.e. they could e-mail a copy to themself). Can this be done? A lot of harm (and prying) can be done from the command screen and I'd like to prevent it. The situation is a stand alone at present, but I may increase the number of PCs to a small home network behing the router or a hub. I doubt that I'd get to the state of a large network with a server, MS Server 2003 etc.

Thank you for your time.

Link to comment
https://www.neowin.net/forum/topic/454369-prevent-users-from-using-cmdexe/
Share on other sites

  John said:

You can set permissions on cmd.exe itself (Y)

Yes, but that wouldn't stop a Limited user having a copy on a floppy or USB memory stick, or e-mailing another copy of cmd.exe to himself, would it?

I've been thinking about the earlier option of using a registry tweak, for instance DisallowRun or RestrictRun. If a user had another copy of cmd.exe (as above) and renamed it, I suspect that neither of these registry tweaks would prevent it from running.

I just wonder if cmd.exe accesses some other file(s) (such as a .dll) and, if so, would altering the permission of that file help in any way? I'm thinking aloud now.

This can be done through Group Policy. Click Start and then click run and type:"gpedit.msc" without quotes to launch Group Policy. Click System under Administrative Templates in User Configuration on the left pane and select "Prevent access to the command prompt" in the main window. Click on "Enabled" and then click OK and close Group Policy.

EDIT: betasp was faster than me.

Thanks to both of you. It works fine, bringing up the command screen and it gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need.

Personally I would just disable cmd full stop on the machine and use an alternative command line processor which isnt subject to such restrictions, however that wont stop your errant users accessing a similar utility. It might just delay them slightly if theyre not so techical.

  Tosca said:

Thanks to both of you. It works fine, bringing up the command screen and it gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need.

With the modification I suggested you, all users including those with administrative privileges can't use CMD.EXE, with the exception of Administrator. If you want to use CMD.EXE and have modified Group Policy as I suggested you, open Start menu, click "All Programs", navigate to "Command Prompt" then right click it and select "Run as..." from context menu. A new window will open: From here you can run CMD as Administrator providing you know the password.

Edited by MPH

That's great. In a way, I'm a little surprised that a Policy can't be set to do what I want. I was under the impression that the Group Policy Editor could be very flexible in creating Policies to fit with required circumstances. The suggestion that you've made regarding running it as Administrator works well.

I just came across command.com on my PC which works similar to cmd. I've not tried it yet, but I *hope* that the setting in Group Policy will disable this too. If not, I dare say that I'll be back asking if that can be disabled!

Thank you.

I prefer to avoid third party software. I understand that bespoke policies can be set, but I don't know how. It's a very powerful utility so, rather than floundering, can you give me a nudge in the right direction about setting a policy specifically to prevent command.com from running?

I've done some googling and have come across Software Restriction Policy (SRP). There are several ways to implement this - one uses the MD5 hash of the file. I think this should allow me to authorise only an Admin user to run command.com. I don't think there's any way to prevent a "foreign" copy of command.com or some other command.com-like utility being run.

I suppose the other way around is to set SRP, based upon the MD5 hash, of those files to which I wish to grant a Limited user access. Everything else would be set to Deny for this group. I anticipate that this would prevent their using extenal applications, running batch files etc. I'm thinking aloud here so will have to try it to see how it works.

You really don't want people running a command window, huh? ;)

Consider the implications of restricting ALL programs except the ones you specify... A command prompt itself isn't that dangerous. The only thing you can do with it is launch other programs, and you're better off restricting those programs instead of the command prompt.

You can do a lot of damage with cmd.exe .

A lot of things that are restricted in the windows gui are not using cmd.exe.

I use software restriction policies on my network at work.

I dont go as bad as using hashes but I just block the exe. I use it to block chat and p2p programs.

I say try it its great.

Yes, but you're doing it differently from what he's suggesting. You block certain programs and allow everything else not specified. He's talking about blocking everything by default and specifying programs to allow. That list would fill up rather quickly.

^ if you are going to do that, besure that you set the program that you are using to be able to run... i did that once back in the day using Windows 98SE's "system policy editor" ... it was VERY powerful and i forgot to set it to run "poledit.exe" which was the name of that program... and then i couldnt run that program anymore in order to change settings, so i was stuck, lol.

  majortom1981 said:

You can do a lot of damage with cmd.exe. ........ I dont go as bad as using hashes but I just block the exe. I use it to block chat and p2p programs.

I know that command.com and cmd.exe aren't identical, but I want to be able to block both. I'm not keen on users, for instance, accessing any network commands.

I've not looked at simply blocking the .exe as you suggest. How exactly do you go about blocking chat and p2p programs?

  mujjuman said:

^ if you are going to do that, besure that you set the program that you are using to be able to run... i did that once back in the day using Windows 98SE's "system policy editor" ... it was VERY powerful and i forgot to set it to run "poledit.exe" which was the name of that program... and then i couldnt run that program anymore in order to change settings, so i was stuck, lol.

<LOL> I'd already thought about that - I'd be sure to leave myself a backdoor to apps such as gpedit.msc, regedit, cmd.exe, command.com etc.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Amazon lays off more staff across Goodreads and Kindle divisions by Hamid Ganji Dozens of Amazon employees working on the retailer's book divisions have been laid off. As reported by Reuters, Amazon confirmed that it's cutting jobs across the Goodreads review site and Kindle units, which impacts fewer than 100 workers. Amazon says the recent layoffs across Goodreads and Kindle divisions are meant to improve efficiency and streamline operations. The giant retailer has constantly reduced staff across various divisions over the past few years. According to CEO Andy Jassy, reducing headcounts helps the company to eliminate bureaucracy. "As part of our ongoing work to make our teams and programs operate more efficiently and to better align with our business roadmap, we've made the difficult decision to eliminate a small number of roles within the Books organization," an Amazon spokesperson said. Layoffs recently impacted employees in Amazon's Wondery podcast division, devices and services units, communications, and in-store staff. However, Amazon's Q1 results show the retailer has added about 4,000 jobs compared to Q4 2024. After the Covid pandemic settled down, many companies began laying off thousands of staff they hired during the pandemic to respond to growing demands. The layoff trend among tech firms still exists today, and AI has amplified it. The latest data shows that in 2025, about 62,832 tech employees were laid off across 141 tech companies. Also, 152,922 tech employees across 551 companies were laid off in 2024. More layoffs are expected to occur due to declining economic growth, tariffs, and the expansion of AI across companies. Amazon is also gearing up to double down in AI investments and robotics. The company has recently announced the forming of a new agentic AI team to develop an agentic AI framework for use in robotics. Also, a new report by The Information indicates that Amazon has begun testing humanoid robots for package delivery.
    • Major Privacy 0.98.1.1 Beta by Razvan Serea MajorPrivacy is a cutting-edge privacy and security tool for Windows, offering unparalleled control over process behavior, file access, and network communication. It is a continuation of the PrivateWin10 project. By leveraging advanced kernel-level protections, MajorPrivacy creates a secure environment where user data and system integrity are fully safeguarded. Unlike traditional tools, MajorPrivacy introduces innovative protection methods that ensure mounted encrypted volumes are only accessible by authorized applications, making it the first and only encryption solution of its kind. MajorPrivacy – Ultimate Privacy & Security for Windows key features Process Protection – Isolate processes to block interference from unauthorized apps, even with admin privileges. Software Restriction – Block unwanted apps and DLLs to ensure only trusted software runs. Revolutionary Encrypted Volumes Secure Storage – Create encrypted disk images for sensitive data. Exclusive Access – Unlike traditional tools, only authorized apps can access mounted volumes—blocking all unauthorized processes. File & Folder Protection – Lock down sensitive files and prevent unauthorized access or modifications. Advanced Network Firewall – Control which apps can send or receive data online. DNS Monitoring & Filtering – Track domain access and block unwanted sites (Pi-hole compatible filtering coming soon). Tweak Engine – Disable telemetry, cloud integration, and invasive Windows features for better privacy. Why MajorPrivacy? Kernel-Level Security – Protects at the deepest system level. Unmatched Encryption Protection – Keeps mounted volumes safe from all unauthorized access. Full System Control – Block, isolate, or restrict processes as needed. Enhanced Privacy – Stops Windows & apps from collecting unnecessary data. Perfect for privacy-conscious users, IT pros, and anyone who wants total system control. Major Privacy 0.98.1.1 Beta changelog: The 0.98.1 release of MajorPrivacy introduces significant enhancements and a number of critical fixes aimed at improving usability, localization, and system integration. A major new feature is the introduction of full translation support, allowing the application interface and tweaks to be localized into multiple languages. Initial translations include AI-assisted German and Polish versions, a community-contributed Turkish translation, and Simplified Chinese. Users interested in contributing translations or adding new languages are encouraged to participate via the forum. This version also improves compatibility and deployment by bundling the Microsoft Visual C++ Redistributable with the installer, which is required for the ImDisk user interface. Several important bugs have been resolved. The installer now correctly removes the driver during uninstallation. Tweak definitions have been cleaned up for better consistency. A number of networking issues were addressed, including failures related to network shares and incorrect handling of mapped drive letters. It is now required to use full UNC paths for defining rules involving shared resources. Additionally, configuration persistence issues on system shutdown have been fixed, as well as problems affecting protected folder visibility and rule precedence involving enclave conditions. Finally, the underlying driver code has been refactored, laying the groundwork for better maintainability and future enhancements. MajorPrivacy-v0.98.1.1.exe (0.98.1a) hotfix for #71 Download: Major Privacy 0.98.1.1 Beta | 47.4 MB (Open Source) View: MajorPrivacy Home Page | Github Project page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • OpenAI responds to The New York Times' ChatGPT data demands by Pradeep Viswanathan The New York Times has sued OpenAI for the unauthorized use of its news articles to train large language models. As part of the ongoing lawsuit, the NYT recently asked the court to require OpenAI to retain all ChatGPT user content indefinitely. The NYT's argument is that they may find something in the data that supports their case. Brad Lightcap, COO of OpenAI, wrote the following regarding the NYT's sweeping demand: OpenAI has already filed a motion asking the Magistrate Judge to reconsider the preservation order, since indefinite retention of user data breaches industry norms and its own policies. Additionally, OpenAI has also appealed this order with the District Court Judge. Until OpenAI wins its appeal, it will be complying with the court order. The content defined by the court order will be stored separately in a secure system and will be accessed or used only for meeting legal obligations. Only a small, audited OpenAI legal and security team will be able to access this data as necessary to comply with our legal obligations. As of early 2025, ChatGPT has over 400 million weekly active users, and this data retention order will affect a significant number of them. OpenAI confirmed that ChatGPT Free, Plus, Pro, and Teams subscription users, and developers who use the OpenAI API (without a Zero Data Retention agreement) will be affected by this order. ChatGPT Enterprise, ChatGPT Edu, and API customers who are using Zero Data Retention endpoints will not be affected by this court change.
  • Recent Achievements

    • First Post
      Uranus_enjoyer earned a badge
      First Post
    • Week One Done
      Uranus_enjoyer earned a badge
      Week One Done
    • Week One Done
      jfam earned a badge
      Week One Done
    • First Post
      survivor303 earned a badge
      First Post
    • Week One Done
      CHUNWEI earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      428
    2. 2
      +FloatingFatMan
      239
    3. 3
      ATLien_0
      212
    4. 4
      snowy owl
      211
    5. 5
      Xenon
      157
  • Tell a friend

    Love Neowin? Tell a friend!