If you’re a system administrator, you may have problems with your users running programs like iTunes or BitTorrent in your Microsoft Windows environment. Do you want to stop such programs from running? Read on to discover the best methods to prevent users from running specific apps on Windows 11, 10, 8, 7, Vista, etc.
Though you can create different user accounts for a Windows PC for different individuals, all of them can access the same apps available on the Windows computer. Hence, different user accounts don’t solve the problem of running unwanted programs on work, school, or home PCs. Thanks to the foresight of Microsoft, you can go deep into the Windows OS and stop specific apps from running.
That’s not all! You can control app installations as well. Here’s how to use Group Policy and the Registry Editor to prevent users from running certain programs. You’ll also explore other methods if you read it to the end.
How to Block Apps or Prevent Users From Running Certain Programs
There are a couple of ways to block apps on Windows 11 PCs like the ones mentioned below:
Option 1 – Apply Group Policy
You can go into the Group Policy Editor utility and perform the following steps to block select apps on Windows 11 and other Windows OSs:
- Hold down the Windows Key and press R to bring up the Run dialog box.
- Type gpedit.msc, then press Enter. The Group Policy Editor appears.
- Expand User Configuration > Administrative Templates, then select System.

- Open the policy Don’t run specified Windows applications.

- Set the policy to Enabled, then select Show.

- Add the programs you would like to prevent the user from running to the List of disallowed applications. Use the name of the application launching file such as itunes.exe, bittorent.exe, etc.
- On the Don’t run specified Windows applications dialog box, click Apply and select OK to apply the changes you just made.
From now on, if anyone tries to execute the above apps on your Windows 11 PC, the apps won’t run. Also, there won’t be any warning messages either.
Option 2 – Use the Registry Editor
The Registry Editor utility is another tool you can use to prevent users from running certain programs on your Windows PC. Here are the steps to try:
- Hold down the Windows Key and press R to bring up the Run dialog box.

- Type regedit, then press Enter. The Registry Editor appears.
- Expand the following:
- HKEY_CURRENT_USER
- SOFTWARE
- Microsoft
- Windows
- CurrentVersion
- Policies
- Explorer

- Right-click a blank area on the right side and add a new DWORD (32-bit) Value named DisallowRun.
- Open DisallowRun and give it a Value of 1.

- Right-click and add a new Key, also named DisallowRun. The folder is then created.
- Select the DisallowRun folder on the left pane.
- Right-click a blank area on the right side and add a new String Value and rename it to number 1.

- Open String Value number 1 and give it a Value with the application you would like to block, like itunes.exe.
- Repeat the new String Value creation steps with any additional applications you wish to block.
- Just increase the number used in the String Value each time (2, 3, 4, 5, etc.) and enter the EXE file name of the app to be blocked.
So if I wanted to block two applications, itunes.exe, and bittorrent.exe, my Registry Editor would look like this…

Option 3 – Disable App Installation From Settings
The above methods only block the apps you add to the block list. Users may download new apps to replace the blocked ones. Thus, you need to block third-party app installations as well. Here are the steps you need to try:
- Press Windows + I keys together to open Windows 11 Settings app.
- Select Apps from the left-side navigation pane and choose Advanced app settings on the right-side panel.

- Click the drop down list for the Choose where to get apps option and select The Microsoft Store Only.
- Whenever you need to install a third-party app yourself, switch the above feature to Anywhere.
Option 4 – Disable App Installation From Group Policy Editor
If you think anyone can modify the above app installation preference, you can use the Group Policy Editor to stop app installations by following these steps:
- Open the Group Policy editor and navigate to the Windows Installer folder through Computer Configuration > Administrative Templates > Windows Components.
- Inside the Windows Installer directory, you should find the Turn off Windows Installer setting.
- Double-click the setting and select the Enabled radio button.
- Under Options, select the drop down menu and choose Always.
- Select Apply and click OK to save the changes.
- Restart the system.
Option 5 – Block App Installation From Registry Editor
Follow these steps to use the Registry Editor tool to block app installations:
- Run Registry Editor from the Run dialog box.
- Enter the following address in the address bar and hit Enter:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Msi.Package\DefaultIcon
- Double-click the (Default) String Value to open its entry.
- You should see the following directory address:
C:\Windows\System32\msiexec.exe,0
- Erase the number zero (0) at the end of the address and replace it with the number 1.

- Click OK to save the Registry entry.
- Restart your Windows 11 PC to enforce the modification.
- When you need to allow installations again, simply replace the number 1 with 0.
Option 6 – Deactivate USB Ports
There are portable versions of Windows software that don’t need any installations or permissions from the Group Policy and Registry Editor tools. They can launch instantly if you double-click the EXE file. To stop employees or children to use such apps on your business or home computers, you must disable the USB ports. Here’s how it’s done:
- Press Windows + S to open the Windows Search tool and type Device.
- Click the Device Manager tool that shows up under the Best match section.
- Inside Device Manager, you get a list of hardware installed on the PC.
- At the bottom of the list, you should find Universal Serial Bus controllers (USB). Expand the list.

- Select the first option in the list, right-click, and select Disable device.
- Repeat the step for the rest of the entries in the list.
- Restart your PC so that USB blocking takes effect.
Option 7 – Use Local Security Policy
You can also enforce specific program blocking effortlessly from the Local Security Policy tool on Windows 11, 10, 8, 7, etc. Here are the steps to try:
- On the Windows Search tool, type Local and click on Local Security Policy.
- Now, double-click Software Restriction Policies.

- If you see the No Software Restriction Policies Defined message, click Action and select New Software Restriction Policies.
- Now, you get the Additional Rules setting. Click on it.
- On the right-side panel, right-click and select New Hash Rule.
- Select the Browse button and navigate to any software EXE file that you want to prevent executing on your device.

- Click Apply and select OK to save the changes.
- Restart the PC so that the changes take effect.
Option 8 – Enable SmartScreen From Windows Settings
Suppose you just don’t want to disable app execution and installation wholesale. You want to show a warning to the user that the IT admin, teacher, or parent doesn’t want the user to open the app. This is more like a soft warning and promotes safe computer use and browsing responsibilities. For this purpose, you can call the SmartScreen or Reputation-based protection feature on Windows 11 and 10 PCs. Here’s how it works:
- Open the System app by pressing Windows + I.
- In the Search bar, type App and.
- The App & browser control option will show up. Click on it.

- Click the Reputation-based protection settings link.
- The following features will activate automatically:
- Check apps and files
- SmartScreen for Microsoft Edge
- Phishing protection
- Potentially unwanted app blocking
- SmartScreen for Microsoft Store apps
- Close the open windows.
- Now, if anyone tries to open any app or install third-party apps, the SmartScreen warning will pop up.
- It’ll ask the user to stop opening the app if it’s not indispensable for work or school-related tasks.
Also read: Best Free Antivirus for Windows 11 for Enhanced Security
Option 9 – Disable Read & Execute Permission
There’s a way to remove Read & execute permissions from users to stop standard users from using certain apps on your home, school, or workplace computers. It involves removing EXE file permissions from user accounts. The process is a bit manual because you must perform the steps for each app you want to block. Here’s how it’s done:
- Go to the EXE file of the app you want to block.
- To do this, right-click on the app’s icon on Windows 11 Desktop and click Open file location.
- Once you see the software EXE file, right-click, and select Show more options.
- Then, choose Properties from the context menu.
- In the Properties dialog box, go to the Security tab.
- Click Edit near the Permissions option and select the user account for which you want to disable Read & execute permission.

- Now, checkmark the checkbox under the Deny column for Full control.
- Select Apply and click OK to enforce the changes you just made.
Conclusion
From now on the user will get a message “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” when he tries to run the programs you added.
I should mention that if the user is smart enough to rename the program file, they will be able to run the program again. Hence, you need to use different app-blocking methods to close all the loose ends. Don’t forget to comment below if you know any other techniques to block select app access on Windows 11 and earlier operating systems.
If this tutorial does not meet your needs, you might be able to use Applocker for your needs. Using Applocker allows you to deny access to applications based on publisher, path, or file hash. See more info about Applocker at Microsoft Technet.
Next up, adjusting Privacy Settings in Windows 10.
nick the greek says
Regedit solution doesn’t work if you have second drive, for instance i block firefox.exe on C:// where windows is stored
but if i install firefox on D:// (second drive) it will run normally
Raza says
If accidentally this GPO applied on all type of Local Account then how to recover Administrator account to run all application.
A says
worked perfectly!
Mike says
Doesn’t work and there is a mistake in step 8, is not a DWORD (32-bit) Value, but string value. You can’t add a string into a DWORD (32-bit) Value
Md Mithun says
Thank you sir
P. Ngamsom says
To remove the restriction, log in as admin. Then go to windows/system32/GroupPolicy, delete gpt.ini and all registry.pol files. Restart.
Jay says
Is it possible to use names with wildcards? Situation: User is downloading an app everytime he needs to use it and the name is then meeting.exe, meeting(1).exe, meeting(2).exe and so on. Can I block “meeting*.exe” ?
Icke says
Great and easy tutorial, thank you!
Firas Najar says
Thank you so much, I’ve just solved a problem that was annoying me for almost a year!
THNKS!
SpoofyChin says
You may use Windows applocker on Windows Enterprise edition to block apps from running:
https://www.tenforums.com/tutorials/123970-use-applocker-block-microsoft-store-apps-windows-10-a.html
Soham Sane says
This helped! Thank you!
Illuminait says
***WARNING*** Using method 1 may seem easier but will also block your account on the PC even if you are an administrator. To fix this, if you’ve already done it:
open C:\Windows\System32\GroupPolicy\ and delete all registry.pol files you find in this folder and any subfolder.
Open Control Panel > User Accounts add a new user and make it an administrator account.
What you’ve now done is create an administrator account without the group policy applied to it.
Log into that account.
Press Windows key + R, type in gpedit.msc
In the left pane select “Administrative Templates > System” under “User Configuration”
Double click ‘Dont run specified Windows Applications’
MAKE SURE to click DISABLED in the new window. and Apply the setting.
Restart your computer and you are now unblocked again.
Adrian says
Hi,
How can I disable this option? Now I can’t access Group Policy Editor or RegEdit. I’m the admin of the laptop.
Thanks.
Mitch Bartlett says
Sounds like a policy your system administrators enabled. Are you in a corporate environment?
Marilyn Lipton says
I get this “…..operation has been cancelled due to restrictions in effect…..” message when I try to open a link in an email message. This never happened before. How can I enable links in email messages?
Thank you.
Jeremy says
Right-click a blank area on the right side and add a new “DWORD (32-bit) Value” named “1“.
I think you mean “Right-click a blank area on the right side and add a new “String Value” named “1“.
Shrenik says
Can I write this in command line or in batch file or in shell cmd. if it is possible then please send me code in my email Id. please reply fast asap. Thanks you in advance
Tyler says
Are you able to use this for a file path applied through the registry? I’m trying to block any .exe’s running from the Downloads folder. I’ve tried using %Userprofile%\downloads and %Userprofile%\downloads\*.exe for the value but neither are working.
Phil says
Walter,
You can create a separate set of group policy rules that only applies to non administrators. I’ve done this in a library where the profile the public logs into has a set of rules to reduce mischief, but the administrator account that I use is is still open. Check out https://www.sevenforums.com/tutorials/101869-local-group-policies-apply-all-users-except-administrators.html to see what I’m talking about.
Walter says
This is great, when you want to block access to a specific program for EVERYBODY. However, I”m trying to setup a public facing machine but I want to be able to login with admin or other accounts and do things but block access to everything except , Log Off, Restart and access to Internet Explorer for a particular account, which will autologin ( I was able to find how to do that through the Registry).. How might I accomplish that? I already used the hidden attribute to hide everything under All Programs. . . or is the not included part of your instructions that you need to do the above under the account you want to block them for? e.g. log in as the account you want to block things for, run gpedit.msc and then Enable the blocks on whatever you want NOT to run?
Josh says
Please put that this for windows 10 only and not for windows server, this just screwed me over so much because i restricted myself to all but one program. This just costed me so much money and time because i have to reset and reconfigure the whole server.
Stanley says
You can also use BrowseControl’s AppBlocker to block a program from running.
With BrowseControl, even if the end user changes the file name, the program will still be blocked.
Johan Hellström says
Thanks for the tutorial, But it seems that it’s possible to open app via cmd and powershell. When i use option 2.
Samuel says
Please ur tutorial is awesome but how can I change the warning massage “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” to “corupt” and so that the user will think the app is corrupted. Thanks… Will appreciate if you can help…
carlos says
you made a mistake in step 8, is not a DWORD (32-bit) Value, but string value.