
Hi everyone

Here's the situation - a stand alone laptop (connected to ADSL via a router) with XP Pro SP2, CD/DVD and floppy attached, along with 2 USB 2.0 ports.

I would like to restrict users from accessing the command screen. I know that I can take <Run> from the Start menu and I can set the permissions of cmd.exe so that only Administrators can use it, but what if someone had a copy of cmd.exe on a floppy, CD or USB memory stick? Users need access to USB or floppy so disabling these (along with the CD) is not an option.

Basically, I'd like to prevent limited users from running cmd.exe, *whatever the source* of the file (i.e. they could e-mail a copy to themselves). Can this be done? A lot of harm (and prying) can be done from the command screen and I'd like to prevent it. The situation is a stand-alone at present, but I may increase the number of PCs to a small home network behind the router or a hub. I doubt that I'd get to the state of a large network with a server, MS Server 2003 etc.

Thank you for your time.

https://www.neowin.net/forum/topic/454369-prevent-users-from-using-cmdexe/

  John said:

You can set permissions on cmd.exe itself (Y)

Yes, but that wouldn't stop a Limited user having a copy on a floppy or USB memory stick, or e-mailing another copy of cmd.exe to himself, would it?

I've been thinking about the earlier option of using a registry tweak, for instance DisallowRun or RestrictRun. If a user had another copy of cmd.exe (as above) and renamed it, I suspect that neither of these registry tweaks would prevent it from running.

I just wonder if cmd.exe accesses some other file(s) (such as a .dll) and, if so, would altering the permission of that file help in any way? I'm thinking aloud now.

This can be done through Group Policy. Click Start, then click Run and type "gpedit.msc" (without quotes) to launch Group Policy. Click System under Administrative Templates in User Configuration on the left pane and select "Prevent access to the command prompt" in the main window. Click on "Enabled", then click OK and close Group Policy.

EDIT: betasp was faster than me.

Thanks to both of you. It works fine, bringing up the command screen and it gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need.

Personally I would just disable cmd full stop on the machine and use an alternative command line processor which isn't subject to such restrictions; however, that won't stop your errant users accessing a similar utility. It might just delay them slightly if they're not so technical.

  Tosca said:

Thanks to both of you. It works fine, bringing up the command screen and it gives a warning that the Administrator has disabled it (whether I'm logged in with Limited or Administrative privileges). However, is it possible to still allow someone with Administrative privileges access to it? I guess that I could go back into GPE, reset it, do what I have to with cmd.exe and then disable it again but that seems a bit fiddly. I'm not sure just how bespoke Policies can be and how I'd set it exactly as I'd need.

With the modification I suggested to you, all users including those with administrative privileges can't use CMD.EXE, with the exception of Administrator. If you want to use CMD.EXE and have modified Group Policy as I suggested, open the Start menu, click "All Programs", navigate to "Command Prompt", then right click it and select "Run as..." from the context menu. A new window will open: from here you can run CMD as Administrator, providing you know the password.

Edited by MPH

That's great. In a way, I'm a little surprised that a Policy can't be set to do what I want. I was under the impression that the Group Policy Editor could be very flexible in creating Policies to fit with required circumstances. The suggestion that you've made regarding running it as Administrator works well.

I just came across command.com on my PC which works similar to cmd. I've not tried it yet, but I *hope* that the setting in Group Policy will disable this too. If not, I dare say that I'll be back asking if that can be disabled!

Thank you.

I prefer to avoid third party software. I understand that bespoke policies can be set, but I don't know how. It's a very powerful utility so, rather than floundering, can you give me a nudge in the right direction about setting a policy specifically to prevent command.com from running?

I've done some googling and have come across Software Restriction Policy (SRP). There are several ways to implement this - one uses the MD5 hash of the file. I think this should allow me to authorise only an Admin user to run command.com. I don't think there's any way to prevent a "foreign" copy of command.com or some other command.com-like utility being run.

I suppose the other way around is to set SRP, based upon the MD5 hash, for those files to which I wish to grant a Limited user access. Everything else would be set to Deny for this group. I anticipate that this would prevent their using external applications, running batch files etc. I'm thinking aloud here so will have to try it to see how it works.
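As an added example (not from the thread or any poster), here is a read-only PowerShell audit of the two controls discussed above: the "Prevent access to the command prompt" policy and Software Restriction Policy hash rules, including whether local administrators are exempt. It assumes the policy is stored as the DisableCMD value under HKCU\Software\Policies\Microsoft\Windows\System and that SRP lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with PolicyScope 1 meaning "all users except local administrators"; running it before and after a change is a cheap way to avoid locking yourself out.

```powershell
# Added audit example: reports the cmd.exe policy and SRP state, changes nothing.
# Assumed registry locations (see lead-in).
$cmdPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$srpRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-CmdPromptPolicy {
    $v = (Get-ItemProperty -Path $cmdPolicy -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    switch ($v) {
        1       { 'DisableCMD=1: interactive cmd.exe and batch files disabled' }
        2       { 'DisableCMD=2: interactive cmd.exe disabled, batch files still run' }
        default { 'DisableCMD not set: command prompt allowed' }
    }
}

function Get-SrpSummary {
    if (-not (Test-Path $srpRoot)) { return 'No Software Restriction Policy defined' }
    $p = Get-ItemProperty -Path $srpRoot
    # DefaultLevel 0 = Disallowed (allow-list mode), 0x40000 = Unrestricted (block-list mode)
    $mode  = if ($p.DefaultLevel -eq 0) { 'default Disallowed (allow-list)' } else { 'default Unrestricted (block-list)' }
    # Assumed: PolicyScope 1 = all users except local administrators, 0 = everyone
    $scope = if ($p.PolicyScope -eq 1) { 'local administrators exempt' } else { 'applies to administrators too' }
    "SRP: $mode; $scope"
}

function Get-SrpHashRules {
    # Hash rules sit under <level>\Hashes\{GUID}; level 0 = Disallowed, 262144 = Unrestricted
    foreach ($level in 0, 262144) {
        $hashKey = Join-Path $srpRoot "$level\Hashes"
        if (-not (Test-Path $hashKey)) { continue }
        Get-ChildItem $hashKey | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level   = if ($level -eq 0) { 'Disallowed' } else { 'Unrestricted' }
                File    = $r.FriendlyName
                HashAlg = $r.HashAlg   # 32771 (0x8003) is CALG_MD5
                Hash    = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            }
        }
    }
}

Get-CmdPromptPolicy
Get-SrpSummary
Get-SrpHashRules | Format-Table -AutoSize
```

A hash rule follows the file's bytes, so a renamed copy from a floppy or USB stick is still matched, while a different command interpreter with a different hash is not, which is exactly the gap the thread identifies.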

You really don't want people running a command window, huh? ;)

Consider the implications of restricting ALL programs except the ones you specify... A command prompt itself isn't that dangerous. The only thing you can do with it is launch other programs, and you're better off restricting those programs instead of the command prompt.

You can do a lot of damage with cmd.exe.

A lot of things that are restricted in the windows gui are not using cmd.exe.

I use software restriction policies on my network at work.

I don't go as bad as using hashes, but I just block the exe. I use it to block chat and p2p programs.

I say try it, it's great.

Yes, but you're doing it differently from what he's suggesting. You block certain programs and allow everything else not specified. He's talking about blocking everything by default and specifying programs to allow. That list would fill up rather quickly.

^ If you are going to do that, be sure that you set the program that you are using to be able to run... I did that once back in the day using Windows 98SE's "system policy editor"... it was VERY powerful and I forgot to set it to run "poledit.exe", which was the name of that program... and then I couldn't run that program anymore in order to change settings, so I was stuck, lol.

  majortom1981 said:

You can do a lot of damage with cmd.exe. ........ I dont go as bad as using hashes but I just block the exe. I use it to block chat and p2p programs.

I know that command.com and cmd.exe aren't identical, but I want to be able to block both. I'm not keen on users, for instance, accessing any network commands.

I've not looked at simply blocking the .exe as you suggest. How exactly do you go about blocking chat and p2p programs?

  mujjuman said:

^ If you are going to do that, be sure that you set the program that you are using to be able to run... I did that once back in the day using Windows 98SE's "system policy editor"... it was VERY powerful and I forgot to set it to run "poledit.exe", which was the name of that program... and then I couldn't run that program anymore in order to change settings, so I was stuck, lol.

<LOL> I'd already thought about that - I'd be sure to leave myself a backdoor to apps such as gpedit.msc, regedit, cmd.exe, command.com etc.
