If you’re a system administrator, you may have problems with your users running programs like iTunes or BitTorrent in your Microsoft Windows environment? If you want to stop such programs from running, here’s how to use Group Policy or the Registry to prevent users from running certain programs.
Option 1 – Apply Group Policy
- Hold down the Windows Key and press “R” to bring up the Run dialog box.
- Type “gpedit.msc“, then press “Enter“. The Group Policy Editor appears.
- Expand “User Configuration” > “Administrative Templates“, then select “System“.
- Open the policy “Don’t run specified Windows applications“.
- Set the policy to “Enabled“, then select “Show…“
- Add the programs you would like to prevent the user from running to the List of disallowed applications. Use the name of the application launching file such as “itunes.exe“, “bittorent.exe“, etc.
Option 2 – Apply Via Registry
- Hold down the Windows Key and press “R” to bring up the Run dialog box.
- Type “regedit“, then press “Enter“. The Registry Editor appears.
- Expand the following:
- HKEY_CURRENT_USER
- SOFTWARE
- Microsoft
- Windows
- CurrentVersion
- Policies
- Explorer
- Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “DisallowRun“.
- Open “DisallowRun” and give it a Value of “1“.
- Right-click and add a new “Key“, also named “DisallowRun“. The folder is then created.
- Select the “DisallowRun” folder on the left pane.
- Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1“.
- Open “1” and give it a Value with the application you would like to block, like “itunes.exe“.
- Repeat steps 8 and 9 with any additional applications you wish to block, only increase the number used in the “DWORD (32-bit) Value” each time (2, 3, 4 ,5, etc)
So if I wanted to block two applications, “itunes.exe” and “bittorrent.exe“, my Registry Editor would look like this…
From now on the user will get a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” when he tries to run the programs you added.
I should mention that if the user is smart enough to rename the program file, they will be able to run the program again.
If this tutorial does not meet your needs, you might be able to use Applocker for your needs. Using Applocker allows you to deny access to applications based on publisher, path, or file hash. See more info about Applocker at Microsoft Technet.
Josh says
Please put that this for windows 10 only and not for windows server, this just screwed me over so much because i restricted myself to all but one program. This just costed me so much money and time because i have to reset and reconfigure the whole server.
Stanley says
You can also use BrowseControl’s AppBlocker to block a program from running.
With BrowseControl, even if the end user changes the file name, the program will still be blocked.
Johan Hellström says
Thanks for the tutorial, But it seems that it’s possible to open app via cmd and powershell. When i use option 2.
Samuel says
Please ur tutorial is awesome but how can I change the warning massage “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” to “corupt” and so that the user will think the app is corrupted. Thanks… Will appreciate if you can help…
carlos says
you made a mistake in step 8, is not a DWORD (32-bit) Value, but string value.