If you’re a system administrator, you may have problems with users running programs like iTunes or BitTorrent in your Microsoft Windows environment. If you want to stop such programs from running, here’s how to use Group Policy or the Registry to prevent users from running certain programs.
Option 1 – Apply Group Policy
1. Hold down the Windows Key and press “R” to bring up the Run dialog box.
2. Type “gpedit.msc”, then press “Enter”. The Group Policy Editor appears.
3. Expand “User Configuration” > “Administrative Templates”, then select “System”.
4. Open the policy “Don’t run specified Windows applications”.
5. Set the policy to “Enabled”, then select “Show…”.
6. Add the programs you would like to prevent the user from running to the List of disallowed applications. Use the name of the application's launching file, such as “itunes.exe”, “bittorrent.exe”, etc.
Option 2 – Apply Via Registry
1. Hold down the Windows Key and press “R” to bring up the Run dialog box.
2. Type “regedit”, then press “Enter”. The Registry Editor appears.
3. Expand the following:
   - HKEY_CURRENT_USER
   - SOFTWARE
   - Microsoft
   - Windows
   - CurrentVersion
   - Policies
   - Explorer
4. Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “DisallowRun”.
5. Open “DisallowRun” and give it a Value of “1”.
6. Right-click and add a new “Key”, also named “DisallowRun”. The folder is then created.
7. Select the “DisallowRun” folder on the left pane.
8. Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1”.
9. Open “1” and give it a Value with the application you would like to block, like “itunes.exe”.
10. Repeat steps 8 and 9 with any additional applications you wish to block, only increase the number used in the “DWORD (32-bit) Value” each time (2, 3, 4, 5, etc.).
So if I wanted to block two applications, “itunes.exe” and “bittorrent.exe“, my Registry Editor would look like this…
From now on the user will get a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” when he tries to run the programs you added.
I should mention that if the user is smart enough to rename the program file, they will be able to run the program again.
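Option 2 as a PowerShell script, added here as an example and not part of the original tutorial: it enables the policy under the Explorer key from step 3, writes the numbered entries, and reads them back to check their type. The function names `Set-DisallowRunList` and `Get-DisallowRunAudit` are assumptions for illustration; the entries are written as String (REG_SZ) values, because a DWORD value cannot hold a file name.

```powershell
# Added example: applies Option 2 for the current user and audits the result.
# Function names and the sample block list are assumptions for illustration.
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey     = Join-Path $ExplorerKey 'DisallowRun'

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Executable)

    # Create the Policies\Explorer key if needed and switch the policy on.
    if (-not (Test-Path $ExplorerKey)) { New-Item -Path $ExplorerKey -Force | Out-Null }
    New-ItemProperty -Path $ExplorerKey -Name 'DisallowRun' -PropertyType DWord -Value 1 -Force | Out-Null

    # Rebuild the list subkey so stale numbered entries do not linger.
    # Note: this replaces any list that was there before.
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }
    New-Item -Path $ListKey -Force | Out-Null

    # Entries are named 1, 2, 3, ... and each holds one file name as a string (REG_SZ).
    $i = 0
    foreach ($exe in $Executable) {
        $i++
        New-ItemProperty -Path $ListKey -Name "$i" -PropertyType String -Value $exe | Out-Null
    }
}

function Get-DisallowRunAudit {
    # Report whether the policy is switched on and whether each entry has a usable type.
    $enabled = (Get-ItemProperty -Path $ExplorerKey -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun -eq 1
    $key = Get-Item -Path $ListKey -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            PolicyEnabled = $enabled
            Entry         = $name
            Executable    = $key.GetValue($name)
            Kind          = $key.GetValueKind($name)
            Valid         = $key.GetValueKind($name) -eq 'String'
        }
    }
}

# Sample list taken from the tutorial's own example.
Set-DisallowRunList -Executable 'itunes.exe', 'bittorrent.exe'
Get-DisallowRunAudit | Format-Table -AutoSize
```

The script writes to HKEY_CURRENT_USER, so it affects only the account that runs it. The list matches on file name alone, so the rename caveat above applies to every entry it writes.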
If this tutorial does not meet your needs, you might be able to use AppLocker instead. AppLocker allows you to deny access to applications based on publisher, path, or file hash. See more info about AppLocker at Microsoft TechNet.
Raza says
If this GPO is accidentally applied to all types of local accounts, how do I recover the Administrator account so it can run all applications?
A says
worked perfectly!
Mike says
Doesn’t work, and there is a mistake in step 8: it is not a DWORD (32-bit) Value, but a string value. You can’t add a string into a DWORD (32-bit) Value.
Md Mithun says
Thank you sir
P. Ngamsom says
To remove the restriction, log in as admin. Then go to windows/system32/GroupPolicy, delete gpt.ini and all registry.pol files. Restart.
Jay says
Is it possible to use names with wildcards? Situation: User is downloading an app every time he needs to use it and the name is then meeting.exe, meeting(1).exe, meeting(2).exe and so on. Can I block “meeting*.exe”?
Icke says
Great and easy tutorial, thank you!
Firas Najar says
Thank you so much, I’ve just solved a problem that was annoying me for almost a year!
THNKS!
SpoofyChin says
You may use Windows applocker on Windows Enterprise edition to block apps from running:
https://www.tenforums.com/tutorials/123970-use-applocker-block-microsoft-store-apps-windows-10-a.html
Soham Sane says
This helped! Thank you!
Illuminait says
***WARNING*** Using method 1 may seem easier but will also block your account on the PC even if you are an administrator. To fix this, if you’ve already done it:
open C:\Windows\System32\GroupPolicy\ and delete all registry.pol files you find in this folder and any subfolder.
Open Control Panel > User Accounts add a new user and make it an administrator account.
What you’ve now done is create an administrator account without the group policy applied to it.
Log into that account.
Press Windows key + R, type in gpedit.msc
In the left pane select “Administrative Templates > System” under “User Configuration”
Double click “Don’t run specified Windows applications”
MAKE SURE to click DISABLED in the new window and apply the setting.
Restart your computer and you are now unblocked again.
Adrian says
Hi,
How can I disable this option? Now I can’t access Group Policy Editor or RegEdit. I’m the admin of the laptop.
Thanks.
Mitch Bartlett says
Sounds like a policy your system administrators enabled. Are you in a corporate environment?
Marilyn Lipton says
I get this “…..operation has been cancelled due to restrictions in effect…..” message when I try to open a link in an email message. This never happened before. How can I enable links in email messages?
Thank you.
Jeremy says
Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1”.
I think you mean: Right-click a blank area on the right side and add a new “String Value” named “1”.
Shrenik says
Can I write this in the command line, in a batch file, or in shell cmd? If it is possible, then please send me the code at my email ID. Please reply fast, ASAP. Thank you in advance.
Tyler says
Are you able to use this for a file path applied through the registry? I’m trying to block any .exe’s running from the Downloads folder. I’ve tried using %Userprofile%\downloads and %Userprofile%\downloads\*.exe for the value but neither are working.
Phil says
Walter,
You can create a separate set of group policy rules that only applies to non-administrators. I’ve done this in a library where the profile the public logs into has a set of rules to reduce mischief, but the administrator account that I use is still open. Check out https://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html to see what I’m talking about.
Walter says
This is great when you want to block access to a specific program for EVERYBODY. However, I’m trying to set up a public-facing machine, but I want to be able to log in with admin or other accounts and do things, but block access to everything except Log Off, Restart and access to Internet Explorer for a particular account, which will autologin (I was able to find how to do that through the Registry). How might I accomplish that? I already used the hidden attribute to hide everything under All Programs... Or is the part not included in your instructions that you need to do the above under the account you want to block them for? E.g. log in as the account you want to block things for, run gpedit.msc and then enable the blocks on whatever you want NOT to run?
Josh says
Please put that this is for Windows 10 only and not for Windows Server. This just screwed me over so much because I restricted myself to all but one program. This just cost me so much money and time because I have to reset and reconfigure the whole server.
Stanley says
You can also use BrowseControl’s AppBlocker to block a program from running.
With BrowseControl, even if the end user changes the file name, the program will still be blocked.
Johan Hellström says
Thanks for the tutorial, but it seems that it’s possible to open the app via cmd and PowerShell when I use option 2.
Samuel says
Please, your tutorial is awesome, but how can I change the warning message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” to “corrupt”, so that the user will think the app is corrupted? Thanks… Will appreciate it if you can help…
carlos says
You made a mistake in step 8: it is not a DWORD (32-bit) Value, but a string value.