Prevent Users From Running Certain Programs on Windows 11

If you’re a system administrator, you may have problems with your users running programs like iTunes or BitTorrent in your Microsoft Windows environment. Do you want to stop such programs from running? Read on to discover the best methods to prevent users from running specific apps on Windows 11, 10, 8, 7, Vista, etc.

Though you can create different user accounts for a Windows PC for different individuals, all of them can access the same apps available on the Windows computer. Hence, different user accounts don’t solve the problem of running unwanted programs on work, school, or home PCs. Thanks to the foresight of Microsoft, you can go deep into the Windows OS and stop specific apps from running.

That’s not all! You can control app installations as well. Here’s how to use Group Policy and the Registry Editor to prevent users from running certain programs. You’ll also explore other methods if you read it to the end.

How to Block Apps or Prevent Users From Running Certain Programs

There are a couple of ways to block apps on Windows 11 PCs like the ones mentioned below:

Option 1 – Apply Group Policy

You can go into the Group Policy Editor utility and perform the following steps to block select apps on Windows 11 and other Windows OSs:

• Hold down the Windows Key and press R to bring up the Run dialog box.
• Type gpedit.msc, then press Enter. The Group Policy Editor appears.
• Expand User Configuration > Administrative Templates, then select System.

• Open the policy Don’t run specified Windows applications.

• Set the policy to Enabled, then select Show.

• Add the programs you would like to prevent the user from running to the List of disallowed applications. Use the name of the application launching file such as itunes.exe, bittorent.exe, etc.
• On the Don’t run specified Windows applications dialog box, click Apply and select OK to apply the changes you just made.

From now on, if anyone tries to execute the above apps on your Windows 11 PC, the apps won’t run. Also, there won’t be any warning messages either.

Option 2 – Use the Registry Editor

The Registry Editor utility is another tool you can use to prevent users from running certain programs on your Windows PC. Here are the steps to try:

• Hold down the Windows Key and press R to bring up the Run dialog box.

• Type regedit, then press Enter. The Registry Editor appears.
• Expand the following:
  • HKEY_CURRENT_USER
  • SOFTWARE
  • Microsoft
  • Windows
  • CurrentVersion
  • Policies
  • Explorer

• Right-click a blank area on the right side and add a new DWORD (32-bit) Value named DisallowRun.
• Open DisallowRun and give it a Value of 1.

• Right-click and add a new Key, also named DisallowRun. The folder is then created.
• Select the DisallowRun folder on the left pane.
• Right-click a blank area on the right side and add a new String Value and rename it to number 1.

• Open String Value number 1 and give it a Value with the application you would like to block, like itunes.exe.
• Repeat the new String Value creation steps with any additional applications you wish to block.
• Just increase the number used in the String Value each time (2, 3, 4, 5, etc.) and enter the EXE file name of the app to be blocked.

So if I wanted to block two applications, itunes.exe, and bittorrent.exe, my Registry Editor would look like this…

Option 3 – Disable App Installation From Settings

The above methods only block the apps you add to the block list. Users may download new apps to replace the blocked ones. Thus, you need to block third-party app installations as well. Here are the steps you need to try:

• Press Windows + I keys together to open Windows 11 Settings app.
• Select Apps from the left-side navigation pane and choose Advanced app settings on the right-side panel.

• Click the drop down list for the Choose where to get apps option and select The Microsoft Store Only.
• Whenever you need to install a third-party app yourself, switch the above feature to Anywhere.

Option 4 – Disable App Installation From Group Policy Editor

If you think anyone can modify the above app installation preference, you can use the Group Policy Editor to stop app installations by following these steps:

• Open the Group Policy editor and navigate to the Windows Installer folder through Computer Configuration > Administrative Templates > Windows Components.
• Inside the Windows Installer directory, you should find the Turn off Windows Installer setting.
• Double-click the setting and select the Enabled radio button.

• Under Options, select the drop down menu and choose Always.
• Select Apply and click OK to save the changes.
• Restart the system.

Option 5 – Block App Installation From Registry Editor

Follow these steps to use the Registry Editor tool to block app installations:

• Run Registry Editor from the Run dialog box.
• Enter the following address in the address bar and hit Enter:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\DefaultIcon

• Double-click the (Default) String Value to open its entry.
• You should see the following directory address:

C:\Windows\System32\msiexec.exe,0

• Erase the number zero (0) at the end of the address and replace it with the number 1.

• Click OK to save the Registry entry.
• Restart your Windows 11 PC to enforce the modification.
• When you need to allow installations again, simply replace the number 1 with 0.

Option 6 – Deactivate USB Ports

There are portable versions of Windows software that don’t need any installations or permissions from the Group Policy and Registry Editor tools. They can launch instantly if you double-click the EXE file. To stop employees or children to use such apps on your business or home computers, you must disable the USB ports. Here’s how it’s done:

• Press Windows + S to open the Windows Search tool and type Device.
• Click the Device Manager tool that shows up under the Best match section.
• Inside Device Manager, you get a list of hardware installed on the PC.
• At the bottom of the list, you should find Universal Serial Bus controllers (USB). Expand the list.

• Select the first option in the list, right-click, and select Disable device.
• Repeat the step for the rest of the entries in the list.
• Restart your PC so that USB blocking takes effect.

Option 7 – Use Local Security Policy

You can also enforce specific program blocking effortlessly from the Local Security Policy tool on Windows 11, 10, 8, 7, etc. Here are the steps to try:

• On the Windows Search tool, type Local and click on Local Security Policy.
• Now, double-click Software Restriction Policies.

• If you see the No Software Restriction Policies Defined message, click Action and select New Software Restriction Policies.
• Now, you get the Additional Rules setting. Click on it.
• On the right-side panel, right-click and select New Hash Rule.
• Select the Browse button and navigate to any software EXE file that you want to prevent executing on your device.

• Click Apply and select OK to save the changes.
• Restart the PC so that the changes take effect.

Option 8 – Enable SmartScreen From Windows Settings

Suppose you just don’t want to disable app execution and installation wholesale. You want to show a warning to the user that the IT admin, teacher, or parent doesn’t want the user to open the app. This is more like a soft warning and promotes safe computer use and browsing responsibilities. For this purpose, you can call the SmartScreen or Reputation-based protection feature on Windows 11 and 10 PCs. Here’s how it works:

• Open the System app by pressing Windows + I.
• In the Search bar, type App and.
• The App & browser control option will show up. Click on it.

• Click the Reputation-based protection settings link.
•  The following features will activate automatically:
  • Check apps and files
  • SmartScreen for Microsoft Edge
  • Phishing protection
  • Potentially unwanted app blocking
  • SmartScreen for Microsoft Store apps
• Close the open windows.
• Now, if anyone tries to open any app or install third-party apps, the SmartScreen warning will pop up.
• It’ll ask the user to stop opening the app if it’s not indispensable for work or school-related tasks.

Also read: Best Free Antivirus for Windows 11 for Enhanced Security

Option 9 – Disable Read & Execute Permission

There’s a way to remove Read & execute permissions from users to stop standard users from using certain apps on your home, school, or workplace computers. It involves removing EXE file permissions from user accounts. The process is a bit manual because you must perform the steps for each app you want to block. Here’s how it’s done:

• Go to the EXE file of the app you want to block.
• To do this, right-click on the app’s icon on Windows 11 Desktop and click Open file location.
• Once you see the software EXE file, right-click, and select Show more options.
• Then, choose Properties from the context menu.
• In the Properties dialog box, go to the Security tab.
• Click Edit near the Permissions option and select the user account for which you want to disable Read & execute permission.

• Now, checkmark the checkbox under the Deny column for Full control.
• Select Apply and click OK to enforce the changes you just made.

Conclusion

From now on the user will get a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” when he tries to run the programs you added.

I should mention that if the user is smart enough to rename the program file, they will be able to run the program again. Hence, you need to use different app-blocking methods to close all the loose ends. Don’t forget to comment below if you know any other techniques to block select app access on Windows 11 and earlier operating systems.

If this tutorial does not meet your needs, you might be able to use Applocker for your needs. Using Applocker allows you to deny access to applications based on publisher, path, or file hash. See more info about Applocker at Microsoft Technet.

Next up, adjusting Privacy Settings in Windows 10.