blueplastic asked:
How do I fully block the command prompt including .bat files in Windows XP machines on domain?

Here is a question that I've been scratching my head on for the desktop/domain rights experts here. This is urgent, so I really appreciate quick answers!

In a Windows 2003 domain with Windows XP computers, how does an administrator effectively block the command prompt? Even though it is blocked by Group Policies, users can still access it from command.com, loadfix.com or by creating a .bat text file with the word command in it.

If there is no way to block access to the files mentioned above, are there ways to block execution of specific commands such as net, netsh etc. in the command prompt?
Brian Pierce:
Set a group policy to block the command prompt
User Configuration->Administrative Templates->System and ENABLE Prevent access to the command prompt

You can also use software restriction policies: http://support.microsoft.com/kb/324036

SOLUTION (jazzIIIlove; answer text not available)
blueplastic (ASKER):
KCTS, your solution is not valid, because I have already used group policies to restrict command prompt usage, and as I explained in my question, it is not enough to fully block it.

Glenn_1984 and jazzIIIlove,

The following registry does not exist on my Windows XP SP2 computer:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

The "System" folder after Windows does not exist. Under Windows, I only see "Current Version" and under Current Version are two folders: "Internet Settings" and "Trusted Sites Settings".

Also, please check out this TechNet article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93465.mspx?mfr=true

According to the article, the DisableCMD key "stores the setting of the Disable the command prompt Group Policy. Group Policy adds this entry to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this entry from the registry."

So, using the DisableCMD key is not a valid solution, because even if the CMD prompt is disabled this way, a user can still create a text file with just the word command and then save that file as file.bat and launch it. This would launch a command prompt for the user. A user can still also use loadfix.com or command.com to get to the cmd prompt.
Thanks for your response... very satisfactory for me... I will reinvestigate the issue...
By the way, I exported my full registry to a text file and the only location where DisableCMD is mentioned is here:

Key Name:          HKEY_USERS\S-1-5-21-1242909238-215958010-794563710-237575\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{12CBB7A1-75A0-4B19-8770-EDCDD0F24C17}User\Software\Policies\Microsoft\Windows\System

Class Name:        <NO CLASS>
Last Write Time:   11/3/2008 - 7:13 PM
Value 0
  Name:            DisableCMD
  Type:            REG_DWORD
  Data:            0x1
jazzIIIlove and everyone else, I do really appreciate your responses and help and am bumping up the point value of this question from 300 to 400.

Thanks so much guys!
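As an added example (not part of this thread), the following Python script parses the regedit text-export format pasted above and reports every DisableCMD value together with whether it sits under the per-GPO copy ("Group Policy Objects") or at the applied HKCU policy path. The sample export, SID and GPO GUID are constructed, and the meaning given to values 1 and 2 is taken from the policy's documented settings.

```python
# Added example: audit a regedit "Export -> Text" dump for DisableCMD entries.
import re

POLICY_SUFFIX = r"\Software\Policies\Microsoft\Windows\System"
GPO_CACHE_MARK = "\\Group Policy Objects\\"
# Assumed from the policy documentation: 1 = cmd and scripts off, 2 = cmd off only.
MEANING = {1: "cmd.exe and batch scripts disabled",
           2: "cmd.exe disabled, batch scripts still allowed"}
VALUE_RE = re.compile(
    r"^\s+Name:\s+(\S+)\s*\n\s+Type:\s+(\S+)\s*\n\s+Data:\s+(\S+)", re.M)

def parse_export(text):
    """Yield (key_path, {value_name: (type, data)}) per 'Key Name:' block."""
    blocks = re.split(r"^Key Name:\s+", text, flags=re.M)[1:]
    for block in blocks:
        key = block.split("\n", 1)[0].strip()
        yield key, {n: (t, d) for n, t, d in VALUE_RE.findall(block)}

def find_disable_cmd(text):
    """Return one dict per DisableCMD value: key, numeric value, meaning, and
    whether it is only the per-GPO copy or the applied policy location."""
    hits = []
    for key, values in parse_export(text):
        if "DisableCMD" not in values:
            continue
        vtype, data = values["DisableCMD"]
        val = int(data, 16) if vtype == "REG_DWORD" else None
        cached = GPO_CACHE_MARK in key
        hits.append({"key": key, "value": val,
                     "meaning": MEANING.get(val, "not an enforcing value"),
                     "cached_gpo_copy": cached,
                     "applied": key.endswith(POLICY_SUFFIX) and not cached})
    return hits

# Constructed sample export: one per-GPO copy and one applied policy value.
SAMPLE_EXPORT = """\
Key Name:          HKEY_USERS\\S-1-5-21-0-0-0-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\{00000000-0000-0000-0000-000000000000}User\\Software\\Policies\\Microsoft\\Windows\\System
Value 0
  Name:            DisableCMD
  Type:            REG_DWORD
  Data:            0x1
Key Name:          HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System
Value 0
  Name:            DisableCMD
  Type:            REG_DWORD
  Data:            0x2
"""
```

Run find_disable_cmd() over a real export to confirm the value exists at the applied path and not only in the per-GPO copy.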
ASKER CERTIFIED SOLUTION (answer text not available)
Have you tried denying use of those files with ACLs? Deny normal users access to those files: cmd.exe, command.com, etc.
SOLUTION (answer text not available)
Glenn_1984,

What does #302 in the first link you sent me do?

Here is the reg key that site wants me to run to block cmd line:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.cmd]
@="cmdfile"

[HKEY_CLASSES_ROOT\.cmd\PersistentHandler]
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

Okay, thanks for everybody's help. The Software Restriction Policies with hash rules against command.com and cmd.exe seem to have effectively blocked the command prompt.

After you create a hash rule for command.com and cmd.exe in the C:\windows\system32 directory and activate the rule, if a user tries to run command.com, a Windows popup error will show: "Windows cannot open this program because it has been prevented by a software restriction policy."

Also, after the command.com hash rule is activated, if a user tries to create a txt file with the word command in it and renames the file to something.bat, when the user tries to run this file, the following error will show up in the cmd prompt and it will quickly disappear: "The system cannot execute the specified program."