• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3014
  • Last Modified:

How do I fully block the command prompt including .bat files in Windows XP machines on domain?

Here is a question that I've been scratching my head on for the desktop/domain rights experts here. This is urgent, so I really appreciate quick answers!

In a Windows 2003 domain with Windows XP computers, how does an administrator effectively block the command prompt? Even though it is blocked by Group Policies, users can still access it from command.com, loadfix.com or creating a .bat text file with the word command in it.

If there is no way to block access to files mentioned above, are there are ways to block execution of specific commands such as net, netsh etc in the command prompt?
  • 5
  • 2
  • 2
  • +2
3 Solutions
Set a group policy to block the command prompt
User Configuration->Administrative Templates->System and ENABLE Prevent access to the command prompt

You can also use software restriction policies  http://support.microsoft.com/kb/324036

Hi there;

1) Open your registry and find or create the key below.
Create or modify the DWORD value "DisableCMD" and  and set it to a number from the list below.

0 - (default) enable command prompt and batch files
1 - disable command prompt and batch files
2 - disable command prompt but allow batch files

User Key: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
Value Name: DisableCMD
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = disabled, 2 = disabled but allow batch)

You know the below but let me write:

Click Start and in the Run box type: gpedit.msc and press enter.
In the Group Policy Window browse to the User Configuration\Administrative Templates\System folder.
In the System folder double-click "Prevent access to the command prompt."
Change the Setting to Enabled and then click Ok.

For netsh:

I think it's better to combine those above with a VB script...

Best regards...
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

blueplasticAuthor Commented:
KCTS, your solution is not valid, b/c I have already used group policies to restrict command prompt, usage and as I explained in my question, it is not enough to fully block it.

glen_1984 and jazzllllove,

The following registry does not exist on my Windows XP SP2 computer:


The "System" folder after Windows does not exist. Under Windows, I only see "Current Version" and under Current Version are two folders: "Internet Settings" and "Trusted Sites Settings".

Also, please check out this TechNet article:

According to the article, the DisableCMD key "stores the setting of the Disable the command prompt  Group Policy. Group Policy adds this entry to the registry when you enable the policy. If you disable the policy or set it to Not configured,  Group Policy deletes this entry from the registry."

So, using the DisableCMD key is not a valid solution, because even if the CMD prompt is disabled this way, a user can still create a text file with just the word command and then save that file as file.bat and launch it. This would launch a command prompt for the user. A user can still also use loadfix.com or command.com to get to the cmd prompt.
thanks for your response...very satisfactory for me...i reinvestigate the issue...
blueplasticAuthor Commented:
By the way, I exported my full registry to a text file and the only location where DisableCMD is mentioned is here:

Key Name:          HKEY_USERS\S-1-5-21-1242909238-215958010-794563710-237575\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{12CBB7A1-75A0-4B19-8770-EDCDD0F24C17}User\Software\Policies\Microsoft\Windows\System

Class Name:        <NO CLASS>
Last Write Time:   11/3/2008 - 7:13 PM
Value 0
  Name:            DisableCMD
  Type:            REG_DWORD
  Data:            0x1
blueplasticAuthor Commented:
jazzllllove and everyone else, I do really appreciate your responses and help and am bumping up the point value of this question from 300 to 400.

Thanks so much guys!
Have you try to deny use of those files with ACL's. Deny normal user's access to those files cmd.exe, command.com etc.
Software restriction policies has to be a better way   http://support.microsoft.com/kb/324036
blueplasticAuthor Commented:

What does #302 in the first link you sent me do?

Here is the reg key that site wants me to run to block cmd line:

Windows Registry Editor Version 5.00



blueplasticAuthor Commented:
Okay, thanks for everybody's help. The Software Restriction Policies with hash rules against command.com and cmd.exe seems to have effectively blocked the command prompt.

After you create a hash rule for command.com and cmd.exe in the C:\windows\system32 directory and activate the rule, if a user tries to run command.com, a Windows popup error will show: "Windows cannot open this program because it has been prevented by a software restriction policy."

Also, after the command.com hash rule is activated, if a user tries to create a txt file with the word command in it and renames the file to something.bat, when the user tries to run this file, the following error will show up in the cmd prompt and it will quickly disappear: "The system cannot execute the specified program."

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

  • 5
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now