How do I fully block the command prompt including .bat files in Windows XP machines on domain?

Here is a question that I've been scratching my head on for the desktop/domain rights experts here. This is urgent, so I really appreciate quick answers!

In a Windows 2003 domain with Windows XP computers, how does an administrator effectively block the command prompt? Even though it is blocked by Group Policies, users can still access it from command.com, loadfix.com or creating a .bat text file with the word command in it.

If there is no way to block access to the files mentioned above, are there ways to block execution of specific commands such as net, netsh etc. in the command prompt?
Asked by blueplastic
Brian Pierce (Photographer) commented:
Set a group policy to block the command prompt:
User Configuration -> Administrative Templates -> System, and ENABLE "Prevent access to the command prompt".

You can also use software restriction policies: http://support.microsoft.com/kb/324036

jazzIIIlove commented:
Hi there;

1) Open your registry and find or create the key below.
Create or modify the DWORD value "DisableCMD" and set it to a number from the list below.

0 - (default) enable command prompt and batch files
1 - disable command prompt and batch files
2 - disable command prompt but allow batch files

User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
Value Name: DisableCMD
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disabled, 2 = disabled but allow batch)

You probably know the following, but let me write it out:

Click Start and in the Run box type: gpedit.msc and press enter.
In the Group Policy Window browse to the User Configuration\Administrative Templates\System folder.
In the System folder double-click "Prevent access to the command prompt."
Change the Setting to Enabled and then click Ok.

For netsh:
http://support.microsoft.com/kb/262265/en-us/

I think it's better to combine those above with a VB script...

Best regards...
blueplastic (Author) commented:
KCTS, your solution is not valid, because I have already used group policies to restrict command prompt usage and, as I explained in my question, it is not enough to fully block it.

glenn_1984 and jazzIIIlove,

The following registry does not exist on my Windows XP SP2 computer:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

The "System" folder after Windows does not exist. Under Windows, I only see "Current Version" and under Current Version are two folders: "Internet Settings" and "Trusted Sites Settings".

Also, please check out this TechNet article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true

According to the article, the DisableCMD key "stores the setting of the Disable the command prompt Group Policy. Group Policy adds this entry to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this entry from the registry."

So, using the DisableCMD key is not a valid solution, because even if the CMD prompt is disabled this way, a user can still create a text file with just the word command and then save that file as file.bat and launch it. This would launch a command prompt for the user. A user can still also use loadfix.com or command.com to get to the cmd prompt.
jazzIIIlove commented:
Thanks for your response... very satisfactory for me... I'll reinvestigate the issue...
blueplastic (Author) commented:
By the way, I exported my full registry to a text file and the only location where DisableCMD is mentioned is here:

Key Name:          HKEY_USERS\S-1-5-21-1242909238-215958010-794563710-237575\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{12CBB7A1-75A0-4B19-8770-EDCDD0F24C17}User\Software\Policies\Microsoft\Windows\System

Class Name:        <NO CLASS>
Last Write Time:   11/3/2008 - 7:13 PM
Value 0
  Name:            DisableCMD
  Type:            REG_DWORD
  Data:            0x1
blueplastic (Author) commented:
jazzIIIlove and everyone else, I do really appreciate your responses and help and am bumping up the point value of this question from 300 to 400.

Thanks so much guys!
glenn_1984 commented:
MEDMIK commented:
Have you tried denying use of those files with ACLs? Deny normal users access to those files (cmd.exe, command.com, etc.).
Brian Pierce (Photographer) commented:
Software restriction policies have to be a better way: http://support.microsoft.com/kb/324036
blueplastic (Author) commented:
Glenn_1984,

What does #302 in the first link you sent me do?

Here is the reg key that site wants me to run to block cmd line:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.cmd]
@="cmdfile"

[HKEY_CLASSES_ROOT\.cmd\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

blueplastic (Author) commented:
Okay, thanks for everybody's help. The Software Restriction Policies with hash rules against command.com and cmd.exe seems to have effectively blocked the command prompt.

After you create a hash rule for command.com and cmd.exe in the C:\windows\system32 directory and activate the rule, if a user tries to run command.com, a Windows popup error will show: "Windows cannot open this program because it has been prevented by a software restriction policy."

Also, after the command.com hash rule is activated, if a user tries to create a txt file with the word command in it and renames the file to something.bat, when the user tries to run this file, the following error will show up in the cmd prompt and it will quickly disappear: "The system cannot execute the specified program."
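The two settings discussed in this thread, the "Prevent access to the command prompt" policy (jazzIIIlove's DisableCMD answer) and the Software Restriction Policy hash rules that finally worked, both live in the registry, so they can be audited from the workstation rather than by trial and error. The script below is an added example, not code from anyone in the thread. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level subkeys 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted, each with Hashes\{GUID} and Paths\{GUID} rule keys) and the HashAlg codes SRP writes (32771 = MD5, used by XP/2003; 32780 = SHA-256 on later versions); the variable and function names are mine. It reports DisableCMD, the SRP default level and enforcement settings, then hashes cmd.exe and command.com and says whether each is covered by a Disallowed hash rule. Two caveats worth checking with it: a hash rule matches file content, so a renamed copy of cmd.exe is still blocked, but a service pack that replaces cmd.exe changes the hash and the rule silently stops matching, so re-run this after patching; and because batch logon scripts are executed by cmd.exe, a Disallowed rule on cmd.exe will also stop them unless PolicyScope exempts administrators.

```powershell
# Added SRP / DisableCMD audit script (example code, not from the thread above).
# Assumes the standard registry layout of Software Restriction Policies under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and of the
# "Prevent access to the command prompt" policy (HKCU\...\System\DisableCMD).
# Written for Windows PowerShell 2.0 or later; uses .NET 2.0 APIs only.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$targets   = @("$env:SystemRoot\system32\cmd.exe",
               "$env:SystemRoot\system32\command.com")

# SRP stores rules under a subkey named after the security level they assign.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# HashAlg values SRP writes into hash rules (CALG_MD5 / CALG_SHA_256).
$hashAlgs   = @{ 32771 = 'MD5'; 32780 = 'SHA256' }

function Get-FileHashHex([string]$Path, [string]$Algorithm) {
    # Get-FileHash needs PowerShell 4, so use the .NET HashAlgorithm API directly.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $hasher.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# 1. The GPO setting the thread started with. Only cmd.exe itself honours it,
#    which is why command.com and the .bat trick get around it.
$sysPolicy  = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
$disableCmd = if ($sysPolicy -and $sysPolicy.PSObject.Properties['DisableCMD']) { $sysPolicy.DisableCMD } else { 0 }
"DisableCMD (HKCU policy) : $disableCmd   (0 = off, 1 = block cmd + .bat, 2 = block cmd only)"

# 2. Global SRP settings (DefaultLevel is written whenever an SRP is created).
if (-not (Test-Path $saferRoot)) { 'No Software Restriction Policy is defined on this machine.'; return }
$srp = Get-ItemProperty -Path $saferRoot
"SRP default level        : $($levelNames[[int]$srp.DefaultLevel])"
"SRP enforcement          : $($srp.TransparentEnabled)   (1 = all except DLLs, 2 = all incl. DLLs)"
"SRP policy scope         : $($srp.PolicyScope)   (0 = all users, 1 = all except local admins)"

# 3. Collect every hash rule and path rule, tagged with the level it assigns.
$hashRules = @(); $pathRules = @()
foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
    $level = $levelNames[[int]$levelKey.PSChildName]
    $hashKey = Join-Path $levelKey.PSPath 'Hashes'
    if (Test-Path $hashKey) {
        foreach ($rule in Get-ChildItem -Path $hashKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $hashRules += New-Object PSObject -Property @{
                Level = $level
                Alg   = $hashAlgs[[int]$p.HashAlg]
                Hash  = ([System.BitConverter]::ToString([byte[]]$p.ItemData) -replace '-', '').ToLower()
                Name  = $p.FriendlyName
            }
        }
    }
    $pathKey = Join-Path $levelKey.PSPath 'Paths'
    if (Test-Path $pathKey) {
        foreach ($rule in Get-ChildItem -Path $pathKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $pathRules += New-Object PSObject -Property @{ Level = $level; Path = [string]$p.ItemData }
        }
    }
}

# 4. Check whether each interpreter is actually disallowed by a hash rule.
#    A hash rule matches file content, so a renamed copy is still blocked, but a
#    patched cmd.exe (e.g. after a service pack) is NOT, because its hash changes.
foreach ($file in $targets) {
    if (-not (Test-Path $file)) { "$file : not present"; continue }
    $blocked = $false
    foreach ($rule in $hashRules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Alg }) {
        if ((Get-FileHashHex $file $rule.Alg) -eq $rule.Hash) { $blocked = $true; break }
    }
    # Path rules: expanded REG_EXPAND_SZ prefix match (registry-path rules such as
    # %HKEY_LOCAL_MACHINE\...\SystemRoot% are not expanded here and will not match).
    $pathHit = $pathRules | Where-Object { $file -like ([System.Environment]::ExpandEnvironmentVariables($_.Path) + '*') }
    "{0} : hash rule {1}; path rules: {2}" -f $file,
        $(if ($blocked) { 'DISALLOWED' } else { 'none - still runnable by hash' }),
        $(if ($pathHit) { ($pathHit | ForEach-Object { "$($_.Level) [$($_.Path)]" }) -join ', ' } else { 'none' })
}
```

Run it in the context of a restricted user after a `gpupdate /force` so that both the HKCU policy and the machine SRP have been refreshed; if a file reports "none" for hash rules after a Windows update, re-create the hash rule from the new binary, since the old one no longer matches.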