The Command Prompt and the Run program are pretty powerful tools in the Windows world. If you’d rather specific users on a computer not have access to them, it’s not too hard to do.
Windows makes it pretty easy to open the Command Prompt, and there are all kinds of useful things you can do with it. It can also be a dangerous tool in the hands of the inexperienced, as it exposes a lot of power and it’s sometimes difficult to understand the full ramifications of a command. The Run program is similarly dangerous, as you can use it to perform many of the same commands you would at the Command Prompt. There are all kinds of reasons you might want to disable these features for certain users on a computer. Maybe you’ve got kids who share a family computer or you let guests use your computer when they stay with you. Or perhaps you’re running a business computer as a kiosk for customers and you need to lock it down. Whatever your reason, we’ve got the fix for you.
Home Users: Disable the Command Prompt and Run Program by Editing the Registry
If you have a Home edition of Windows, you will have to edit the Windows Registry to make these changes. You can also do it this way if you have Windows Pro or Enterprise but feel more comfortable working in the Registry. (If you have Pro or Enterprise, though, we recommend using the easier Local Group Policy Editor, as described in the next section.) Keep in mind, though, that when editing the Registry, you’ll need to be logged on as the user for whom you want to make these changes.
Standard warning: Registry Editor is a powerful tool and misusing it can render your system unstable or even inoperable. This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems. That said, if you’ve never worked with it before, consider reading about how to use the Registry Editor before you get started. And definitely back up the Registry (and your computer!) before making changes.
To get started, log in as the user for whom you want to make these changes. Open the Registry Editor by hitting Start and typing “regedit.” Press Enter to open Registry Editor and give it permission to make changes to your PC. First, you’re going to disable the Command Prompt. In the Registry Editor, use the left sidebar to navigate to the following key:
Next, you’re going to create a new value in that key. Right-click the System icon and choose New > DWORD (32-bit) Value. Name the new value DisableCMD.
Now, you’re going to modify that value. Double-click the new DisableCMD value, set it to 1 in the “Value data” box, and click OK.
Now that the Command Prompt itself is disabled, your next step is to disable the Run program. In Registry Editor, navigate to the following key:
Right-click the Explorer icon and choose New > DWORD (32-bit) Value. Name the new value NoRun.
Double-click the new NoRun value and set the “Value data” box to 1.
Click OK, exit Registry Editor, restart your computer, and log in as the user for whom you made the change. That user should no longer have access to the Run program or the Command Prompt. If they try to access the Run command while it’s disabled, they will see an error message.
If you want to re-enable the Command Prompt or Run program, just log back in as that user, open up the Registry, and set either value back to 0.
Download Our One-Click Registry Hacks
If you don’t feel like diving into the Registry yourself, we’ve created some downloadable registry hacks you can use. There are hacks to disable and re-enable both the Command Prompt and Run program. All four hacks are included in the following ZIP file. Double-click the one you want to use and click through the prompts. When you’ve applied the hacks you want, restart your computer.
These hacks are really just the applicable keys, stripped down to the values we talked about in the previous section and then exported to a .REG file. Running either of the disable hacks changes that particular value to 1. Running either of the enable hacks sets that particular value back to 0. And if you enjoy fiddling with the Registry, it’s worth taking the time to learn how to make your own Registry hacks.
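Because a .REG file is applied with a double-click, it is worth checking what it will change first. The following Python is an added example, not part of the original article or its download: it parses .REG text and separates changes to DisableCMD and NoRun (set to 0 or 1) from anything else. The key paths are an assumption (the standard per-user policy locations for these two values, which this copy of the page does not show), and the sample file is constructed.

```python
import re

# The two values the article's hacks are meant to touch. The key paths are an
# assumption: the standard per-user policy locations, not shown on the page.
EXPECTED = {
    (r"hkey_current_user\software\policies\microsoft\windows\system", "disablecmd"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer", "norun"),
}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [KEY] or [-KEY] (delete)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "Name"=data or @=data

# Constructed sample: the two expected values plus one extra entry to flag.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Example]
"Setting"="value"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for every change a .REG file would make."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # a leading '-' deletes the whole key
                yield key, None, "<delete key>"
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1).strip('"'), m.group(2)

def audit(text):
    """Return (expected_changes, unexpected_changes) for a .REG file."""
    ok, unexpected = [], []
    for key, name, data in parse_reg(text):
        ident = (key.lower(), (name or "").lower())
        is_flag = re.fullmatch(r"dword:0000000[01]", data.lower()) is not None
        (ok if ident in EXPECTED and is_flag else unexpected).append((key, name, data))
    return ok, unexpected
```

Files exported by Registry Editor are normally UTF-16, so read a real file with `open(path, encoding="utf-16").read()` before passing the text to `audit`; an empty second list means the file touches only the two expected values.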
Pro and Enterprise Users: Disable the Command Prompt and Run Program with Local Group Policy Editor
If you’re using Windows Pro or Enterprise, the easiest way to disable the Command Prompt and Run program is by using the Local Group Policy Editor. It’s a pretty powerful tool, so if you’ve never used it before, it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway. Also, since you’ll be creating policy tweaks for specific users, you’ll need to take the extra step of creating a policy console geared toward those users.
In Windows Pro or Enterprise, find the MSC file that you made for the users to whom you want to apply the policy, double-click to open it, and click Yes to allow it to make changes. In the Group Policy window for those users, in the left-hand pane, drill down to User Configuration > Administrative Templates > System. On the right, find the “Prevent access to the command prompt” item and double-click it.
Set the policy to Enabled and then click OK. Note also that there is a drop-down menu that lets you also disable Command Prompt scripting. This removes the ability for the user to run scripts and batch files. If you’re really trying to lock down the command line ability from a savvy user, go ahead and turn this setting on. If you’re just trying to remove easy access from the Command Prompt (or if you need Windows to still be able to run logoff, logon, or other batch files), leave the setting off.
Next, you’re going to disable the ability to access the Run program. Back in the Group Policy window for those users, find User Configuration > Administrative Templates > Start Menu and Taskbar. On the right, find the “Remove Run from Start Menu” item and double-click it.
Set the policy to Enabled and then click OK.
You can now exit the Group Policy Editor. If you want to test the new settings, log off and then log back on as the user (or a member of the user group) for whom you made changes. If you want to re-enable the Command Prompt or Run program, just use the editor to set the items back to Not Configured (or Disabled).
And that’s it. It takes a little doing, but it’s not too hard to lock down some of these more powerful tools from users.