• Skip to main content
  • Skip to primary sidebar

Technipages

Tutorials and fixes for smartphone, gadget, and computer problems

  • Topics
    • Android
    • Browsers
    • Gaming
    • Hardware
    • Internet
    • iPhone
    • Linux
    • macOS
    • Office
    • Reviews
    • Software
    • Windows
    • Definitions
  • Product Reviews
  • Downloads
  • About
Prevent Users From Running Certain Programs

Prevent Users From Running Certain Programs

December 12, 2015 by Mitch Bartlett 24 Comments

If you’re a system administrator, you may have problems with your users running programs like iTunes or BitTorrent in your Microsoft Windows environment? If you want to stop such programs from running, here’s how to use Group Policy or the Registry to prevent users from running certain programs.

Option 1 – Apply Group Policy

  1. Hold down the Windows Key and press “R” to bring up the Run dialog box.
  2. Type “gpedit.msc“, then press “Enter“. The Group Policy Editor appears.
  3. Expand “User Configuration” > “Administrative Templates“, then select “System“.
  4. Open the policy “Don’t run specified Windows applications“.
    Dont run specified selected
  5. Set the policy to “Enabled“, then select “Show…”
    Dont run specified Windows applications window
  6. Add the programs you would like to prevent the user from running to the List of disallowed applications. Use the name of the application launching file such as “itunes.exe“, “bittorent.exe“, etc.
    Windows list of disallowed applications

 

Option 2 – Apply Via Registry

  1. Hold down the Windows Key and press “R” to bring up the Run dialog box.
  2. Type “regedit“, then press “Enter“. The Registry Editor appears.
  3. Expand the following:
    • HKEY_CURRENT_USER
    • SOFTWARE
    • Microsoft
    • Windows
    • CurrentVersion
    • Policies
    • Explorer
  4. Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “DisallowRun“.
  5. Open “DisallowRun” and give it a Value of “1“.
  6. Right-click and add a new “Key“, also named “DisallowRun“. The folder is then created.
    Registry disallow run DWORD
  7. Select the “DisallowRun” folder on the left pane.
  8. Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1“.
  9. Open “1” and give it a Value with the application you would like to block, like “itunes.exe“.
  10. Repeat steps 8 and 9 with any additional applications you wish to block, only increase the number used in the “DWORD (32-bit) Value” each time (2, 3, 4 ,5, etc)

So if I wanted to block two applications, “itunes.exe” and “bittorrent.exe“, my Registry Editor would look like this…
Block Windows app registry

 

From now on the user will get a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” when he tries to run the programs you added.

Windows software restrictions message

I should mention that if the user is smart enough to rename the program file, they will be able to run the program again.

If this tutorial does not meet your needs, you might be able to use Applocker for your needs. Using Applocker allows you to deny access to applications based on publisher, path, or file hash. See more info about Applocker at Microsoft Technet.

You Might Also Like

  • Android: Prevent Apps From Running at Startup
    Android: Prevent Apps From Running at Startup
  • How to Prevent Android Apps from Running in the Background
    How to Prevent Android Apps from Running in the Background
  • OneDrive: Prevent Users From Syncing Personal Accounts
    OneDrive: Prevent Users From Syncing Personal Accounts
  • Microsoft Teams: Prevent Users from Deleting Files
    Microsoft Teams: Prevent Users from Deleting Files
  • How to Edit Startup Programs in Windows 10
    How to Edit Startup Programs in Windows 10
  • How to Open Multiple Programs With 1 Shortcut
    How to Open Multiple Programs With 1 Shortcut

Filed Under: Windows Tagged With: Windows 10

Reader Interactions

Comments

  1. Raza says

    January 21, 2023 at 1:55 am

    If accidentally this GPO applied on all type of Local Account then how to recover Administrator account to run all application.

  2. A says

    October 15, 2022 at 8:47 pm

    worked perfectly!

  3. Mike says

    June 13, 2022 at 10:40 am

    Doesn’t work and there is a mistake in step 8, is not a DWORD (32-bit) Value, but string value. You can’t add a string into a DWORD (32-bit) Value

  4. Md Mithun says

    November 17, 2021 at 6:09 pm

    Thank you sir

  5. P. Ngamsom says

    September 19, 2021 at 12:56 am

    To remove the restriction, log in as admin. Then go to windows/system32/GroupPolicy, delete gpt.ini and all registry.pol files. Restart.

  6. Jay says

    September 16, 2021 at 2:48 am

    Is it possible to use names with wildcards? Situation: User is downloading an app everytime he needs to use it and the name is then meeting.exe, meeting(1).exe, meeting(2).exe and so on. Can I block “meeting*.exe” ?

  7. Icke says

    August 18, 2021 at 5:34 am

    Great and easy tutorial, thank you!

  8. Firas Najar says

    July 25, 2021 at 1:02 pm

    Thank you so much, I’ve just solved a problem that was annoying me for almost a year!
    THNKS!

  9. SpoofyChin says

    February 2, 2021 at 7:21 am

    You may use Windows applocker on Windows Enterprise edition to block apps from running:
    https://www.tenforums.com/tutorials/123970-use-applocker-block-microsoft-store-apps-windows-10-a.html

  10. Soham Sane says

    November 28, 2020 at 7:36 am

    This helped! Thank you!

  11. Illuminait says

    April 3, 2020 at 6:16 pm

    ***WARNING*** Using method 1 may seem easier but will also block your account on the PC even if you are an administrator. To fix this, if you’ve already done it:

    open C:\Windows\System32\GroupPolicy\ and delete all registry.pol files you find in this folder and any subfolder.

    Open Control Panel > User Accounts add a new user and make it an administrator account.

    What you’ve now done is create an administrator account without the group policy applied to it.

    Log into that account.

    Press Windows key + R, type in gpedit.msc

    In the left pane select “Administrative Templates > System” under “User Configuration”

    Double click ‘Dont run specified Windows Applications’

    MAKE SURE to click DISABLED in the new window. and Apply the setting.

    Restart your computer and you are now unblocked again.

  12. Adrian says

    April 3, 2020 at 2:19 am

    Hi,
    How can I disable this option? Now I can’t access Group Policy Editor or RegEdit. I’m the admin of the laptop.

    Thanks.

  13. Mitch Bartlett says

    June 27, 2019 at 12:36 pm

    Sounds like a policy your system administrators enabled. Are you in a corporate environment?

  14. Marilyn Lipton says

    June 26, 2019 at 4:08 pm

    I get this “…..operation has been cancelled due to restrictions in effect…..” message when I try to open a link in an email message. This never happened before. How can I enable links in email messages?
    Thank you.

  15. Jeremy says

    January 23, 2019 at 3:56 pm

    Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1“.
    I think you mean “Right-click a blank area on the right side and add a new “String Value” named “1“.

  16. Shrenik says

    December 22, 2018 at 6:14 am

    Can I write this in command line or in batch file or in shell cmd. if it is possible then please send me code in my email Id. please reply fast asap. Thanks you in advance

  17. Tyler says

    October 31, 2018 at 2:32 pm

    Are you able to use this for a file path applied through the registry? I’m trying to block any .exe’s running from the Downloads folder. I’ve tried using %Userprofile%\downloads and %Userprofile%\downloads\*.exe for the value but neither are working.

  18. Phil says

    October 31, 2018 at 8:38 am

    Walter,

    You can create a separate set of group policy rules that only applies to non administrators. I’ve done this in a library where the profile the public logs into has a set of rules to reduce mischief, but the administrator account that I use is is still open. Check out https://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html to see what I’m talking about.

  19. Walter says

    October 24, 2018 at 12:34 pm

    This is great, when you want to block access to a specific program for EVERYBODY. However, I”m trying to setup a public facing machine but I want to be able to login with admin or other accounts and do things but block access to everything except , Log Off, Restart and access to Internet Explorer for a particular account, which will autologin ( I was able to find how to do that through the Registry).. How might I accomplish that? I already used the hidden attribute to hide everything under All Programs. . . or is the not included part of your instructions that you need to do the above under the account you want to block them for? e.g. log in as the account you want to block things for, run gpedit.msc and then Enable the blocks on whatever you want NOT to run?

  20. Josh says

    August 30, 2018 at 4:09 pm

    Please put that this for windows 10 only and not for windows server, this just screwed me over so much because i restricted myself to all but one program. This just costed me so much money and time because i have to reset and reconfigure the whole server.

  21. Stanley says

    June 21, 2018 at 7:34 am

    You can also use BrowseControl’s AppBlocker to block a program from running.

    With BrowseControl, even if the end user changes the file name, the program will still be blocked.

  22. Johan Hellström says

    November 24, 2017 at 3:39 am

    Thanks for the tutorial, But it seems that it’s possible to open app via cmd and powershell. When i use option 2.

  23. Samuel says

    May 10, 2017 at 3:22 am

    Please ur tutorial is awesome but how can I change the warning massage “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” to “corupt” and so that the user will think the app is corrupted. Thanks… Will appreciate if you can help…

  24. carlos says

    April 25, 2017 at 3:01 am

    you made a mistake in step 8, is not a DWORD (32-bit) Value, but string value.

Did this help? Let us know!

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Recent Posts

  • How to Print Labels from Excel Using MS Word Mail Merge
  • What Is NVMe Over TCP (NVMe/TCP)
  • Android Mobile Hotspot: How to Change the Password and Name
  • Windows 10: How to Force Quit and App
  • What is Dumpster Diving?
  • How to Download iOS 16 Beta 3 on iPhone or iPad
  • What is a Security Compromise?
  • Mastodon: How to DM Someone

Who’s Behind Technipages?

Baby and Daddy My name is Mitch Bartlett. I've been working in technology for over 20 years in a wide range of tech jobs from Tech Support to Software Testing. I started this site as a technical guide for myself and it has grown into what I hope is a useful reference for all.

© Copyright 2023 Guiding Tech Media · All Rights Reserved · Privacy